Data processing addendum

Last updated May 1, 2026. Plain English. No dark patterns.

Scope

This DPA forms part of the Spendbox Terms of Service and applies whenever Spendbox processes personal data on your behalf as a data processor.

We sign DPAs with all customers automatically — no countersignature required.

Roles

You are the data controller; Spendbox is the data processor. We process personal data only on your documented instructions.

We will not transfer personal data outside the region you've selected without your written consent.

Sub-processors

AWS — hosting, encrypted storage, regional residency.

Stripe — payment processing, billing.

Postmark — transactional email delivery.

Sentry — error monitoring (PII scrubbed).

We notify you 30 days before adding a new sub-processor and offer the right to terminate without penalty.

Security measures

TLS 1.3 in transit, AES-256 at rest, field-level encryption for sensitive content.

Annual penetration testing by independent third parties.

Mandatory MFA for all employees with production access.

Quarterly access reviews and least-privilege defaults.

Data subject rights

We support you in responding to data subject requests within 30 days. Self-service export and deletion are available in the app.

If you receive a request you can't fulfil yourself, write to dpo@spendbox.co.

Incident notification

We will notify you without undue delay (within 24 hours) of becoming aware of a personal data breach affecting your data.

Notification will include the nature of the breach, data affected, likely consequences and remediation steps.

Termination

Upon termination, we will delete or return all personal data within 30 days, at your option.

You can request a full export at any time during the term, in CSV or JSON.