Data Processing Agreement
Last Updated: March 2026
This Data Processing Agreement (the "DPA") is incorporated by reference into the Terms and Conditions of Fides IT, trading as Utisha, and forms an integral part of those Terms. By accepting the Terms and Conditions, the Controller also accepts the terms of this DPA.
Processor: Fides IT, trading as Utisha
Registered in Amsterdam, the Netherlands
Chamber of Commerce (KvK): 57282196
Privacy contact: privacy@utisha.com
DPA contact: dpa@utisha.com
Controller: The accounting or bookkeeping firm that has agreed to the Terms and Conditions for use of the Utisha platform to process financial documents on behalf of its clients.
The Processor and the Controller are collectively referred to as the "Parties."
Article 1. Definitions
1.1. "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, together with any applicable national implementing legislation, including the Dutch UAVG.
1.2. "Personal Data," "Processing," "Data Subject," "Personal Data Breach," and "Supervisory Authority" have the meanings given to them in the GDPR.
1.3. "Services" means the Utisha platform for processing financial documents in preparation for quarterly VAT returns, available as a managed cloud service or a self-hosted deployment.
1.4. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller. The current list of Sub-processors is set out in Annex 3.
1.5. "Automated Processing" means the processing of financial documents using AI technology — specifically, the automated analysis, extraction, classification and reconciliation of invoices and bank statements via a large language model (LLM). Automated processing is used solely as an aid for the accountant; the accountant takes all final decisions after human review.
Article 2. Subject Matter and Duration
2.1. This DPA governs the conditions under which the Processor processes Personal Data on behalf of and under instruction from the Controller, in the course of providing the Services.
2.2. The subject matter of the processing is the processing of financial documents — including invoices, credit notes and bank statements — for the purpose of preparing quarterly VAT returns for the Controller's clients. These documents contain Personal Data of the categories described in Articles 4 and 5.
2.3. This DPA is in force for the duration of the subscription agreement as set out in the Terms and Conditions. It ends when the subscription ends for any reason, subject to any provisions regarding statutory retention periods in Article 11.
Article 3. Nature and Purpose of Processing
3.1. The Processor processes Personal Data solely for the following purposes, as further described in Annex 1:
(a) Document extraction: Reading and extracting data from submitted invoices, credit notes and bank statements (including MT940 and CAMT.053 files), including via optical character recognition (OCR) for scanned documents of limited quality;
(b) Automated classification: Automated classification of transactions to VAT categories (1a, 1b, 1c, 1d, 2a, 3a, 3b, 3c, 4a, 4b, 5b) and suggestions of ledger accounts based on extracted document content, using AI technology;
(c) Bank reconciliation: Automatic matching of bank statement lines to invoices and ledger entries;
(d) Exact Online integration: Forwarding accountant-approved entries to the Controller's Exact Online accounting package.
3.2. The Processor does not process Personal Data for any other purpose. Processing for model training or AI improvement is expressly prohibited, as further regulated in Article 13.
3.3. All outputs generated by automated processing are advisory only. The accountant reviews and approves all AI outputs before any entry is finalised or forwarded to Exact Online. No decisions are taken without human review.
Article 4. Categories of Personal Data
4.1. In the course of providing the Services, the Processor processes the following categories of Personal Data on behalf of the Controller:
(a) Identification data: Names of natural persons and contact persons, addresses (business and correspondence), company names;
(b) Financial data: IBAN numbers, invoice amounts (including VAT), bank balances, transaction data (amount, date, description, counterparty), ledger entries;
(c) Tax identification numbers: VAT numbers, Chamber of Commerce (KvK) numbers;
(d) Contact data: Email addresses and phone numbers, where appearing on invoices or in the portal;
(e) Usage data: Portal login timestamps, document upload date and time, IP address at login, user actions in the platform (audit log data).
4.2. The Processor does not process special categories of Personal Data as referred to in Article 9 GDPR, unless such data is unexpectedly present in documents submitted by the Controller. The Controller is responsible for identifying such situations and informing the Processor.
Article 5. Categories of Data Subjects
5.1. The following categories of Data Subjects are subject to processing:
(a) Clients of the Controller (end users): Entrepreneurs and SMEs with a service agreement with the Controller for VAT return preparation, to the extent their Personal Data appears on invoices, bank statements or in the client portal;
(b) Employees of the Controller's clients: Employees and contact persons of the Controller's clients, to the extent their names, email addresses or phone numbers appear on invoices, bank statements or in the portal;
(c) Suppliers and customers of the Controller's clients: Natural persons acting as suppliers or customers of the client, whose name, address, IBAN number or contact details appear on an invoice or bank statement;
(d) Contact persons at the Controller: Contact persons at the Controller itself, to the extent their data is processed for user management of the Platform.
Article 6. Obligations of the Processor
6.1. Processing only on instruction. The Processor processes Personal Data solely on the basis of documented instructions from the Controller, unless a legal obligation requires otherwise. In such cases, the Processor will inform the Controller before processing, unless prohibited by law.
6.2. Confidentiality. The Processor ensures that all persons authorised to process Personal Data have committed to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
6.3. Security. The Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex 2. These measures are reviewed at least annually.
6.4. Sub-processors. The Processor engages Sub-processors only in accordance with the procedure in Article 7. The current list of approved Sub-processors is set out in Annex 3. The Processor imposes obligations on Sub-processors that are at least equivalent to those set out in this DPA.
6.5. Assistance with Data Subject rights. The Processor assists the Controller in meeting obligations to respond to Data Subject rights requests under Articles 15 to 22 GDPR. Any request received directly by the Processor will be forwarded to the Controller promptly.
6.6. Assistance with DPIA. The Processor assists the Controller in conducting a Data Protection Impact Assessment (DPIA) under Article 35 GDPR where required, including by providing relevant information about processing activities, security measures and Sub-processors.
6.7. Deletion or return after termination. Following termination of the Services, the Processor will, at the Controller's choice, delete or return all Personal Data and delete existing copies, unless statutory law requires retention. The Processor provides written confirmation of deletion within 30 days of service termination. The fiscal retention obligation under Article 11 applies separately.
6.8. Information and audit. The Processor makes available all information needed to demonstrate compliance with this DPA and cooperates with audits as described in Article 10.
6.9. Notification of conflicting instructions. If the Processor considers that an instruction from the Controller infringes the GDPR or applicable data protection law, the Processor will promptly inform the Controller and may suspend the instruction until the Controller confirms or withdraws it.
Article 7. Sub-processors
7.1. By accepting this DPA, the Controller grants general written authorisation for the Sub-processors listed in Annex 3, as permitted under Article 28(2) GDPR.
7.2. The Processor will give the Controller at least 30 days' written notice before any intended change to Sub-processors, including adding new Sub-processors or replacing existing ones.
7.3. The Controller may object to a proposed change within 30 days of receiving notice. Objections must be in writing with reasons, sent to dpa@utisha.com.
7.4. If the Controller objects in time and the Parties do not reach a resolution within 30 days of the objection, either Party may terminate this DPA to the extent it relates to the relevant processing activity. Termination on this basis gives no right to damages.
7.5. The Processor imposes data protection obligations on each Sub-processor that are at least equivalent to those in this DPA. The Processor remains fully liable to the Controller for Sub-processor performance.
7.6. Annex 3 specifies which Sub-processors apply conditionally depending on deployment type (managed cloud vs. self-hosted).
Article 8. International Data Transfers
8.1. The Processor does not transfer Personal Data to countries outside the European Economic Area (EEA). All Sub-processors listed in Annex 3 process Personal Data within the EU/EEA.
8.2. AWS Bedrock processes data in EU region eu-central-1 (Frankfurt, Germany). Google Cloud Vertex AI processes data in EU region europe-west1 (Belgium). Microsoft Azure Document Intelligence processes data in EU region West Europe (Amsterdam). Hetzner Online GmbH operates within Germany. No data leaves the EEA for any processing activity.
8.3. In a self-hosted deployment with self_hosted_only LLM routing, no Personal Data leaves the Controller's own infrastructure for AI processing. The transfer provisions regarding AWS Bedrock do not apply in that configuration.
8.4. Should any future change create a transfer outside the EEA, the Processor will ensure appropriate safeguards under Article 46 GDPR are in place before the transfer begins, and will follow the Sub-processor change procedure in Article 7.
Article 9. Data Breach Notification
9.1. The Processor will notify the Controller without undue delay — targeting within 24 hours — after becoming aware of a Personal Data Breach affecting data submitted by the Controller.
9.2. The notification will include, to the extent available at the time: the nature of the breach; the categories and approximate number of Data Subjects and records affected; the contact point for further information; the likely consequences; and the measures taken or proposed to address the breach.
9.3. Where not all information is available at the time of initial notification, the Processor will provide it as soon as possible without further delay.
9.4. The Processor assists the Controller with its notification obligation to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) under Article 33 GDPR (72-hour deadline) and, where applicable, with communication to affected Data Subjects under Article 34 GDPR.
Article 10. Audit Rights
10.1. The Processor makes available all information necessary to demonstrate compliance with Article 28 GDPR and cooperates with audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
10.2. The Controller gives the Processor at least 30 days' written notice of a planned audit, stating the purpose, scope and proposed date.
10.3. Audits take place during normal business hours and are carried out with minimal disruption. Unless a breach or regulatory obligation requires otherwise, the Controller is entitled to one audit per calendar year.
10.4. Audit costs are borne by the Controller, unless the audit reveals breaches attributable to the Processor.
10.5. Any third-party auditor must sign a confidentiality agreement with the Processor before the audit begins.
Article 11. Data Retention and Deletion
11.1. Financial documents (invoices, credit notes, bank statements, ledger entries, extraction results and audit logs) that form part of the fiscal administration are retained for the statutory fiscal retention period under Article 52 of the Dutch General Tax Act (AWR): seven years from the end of the financial year to which the data relates.
11.2. After the fiscal retention period expires, all retained data is permanently deleted, unless a separate statutory obligation requires longer retention.
11.3. On request, the Processor makes retained data available in a standard export format, so the Controller or its successor can fulfil any fiscal inspection obligations.
11.4. Non-fiscal Personal Data is deleted or returned within 30 days of service termination, with written confirmation.
Article 12. Obligations of the Controller
12.1. The Controller warrants that:
(a) it has a valid legal basis for processing Personal Data under this DPA (performance of contract, Article 6(1)(b) GDPR);
(b) it has properly informed Data Subjects in accordance with Articles 13 and 14 GDPR, including about the engagement of the Processor and the Sub-processors listed in Annex 3;
(c) it maintains a record of processing activities as required by Article 30(1) GDPR;
(d) all instructions given to the Processor are lawful and consistent with the GDPR;
(e) it promptly informs the Processor of any changes to the nature or scope of processing that may affect the Processor's obligations.
12.2. The Controller indemnifies the Processor against claims from Data Subjects, supervisory authorities or third parties arising from the Controller's failure to comply with this Article.
Article 13. Automated Processing and AI Provisions
13.1. Absolute prohibition on training data use. Personal Data processed under this DPA is not used in any way for training, fine-tuning or otherwise improving AI models — neither by the Processor nor by any Sub-processor. This prohibition is absolute and applies regardless of whether data is in anonymised or pseudonymised form.
13.2. Contractual enforcement with Sub-processors. The Processor enforces the training prohibition contractually with Sub-processors involved in automated processing:
(a) AWS Bedrock (Amazon Web Services EMEA SARL): Under the AWS Service Terms and AWS Data Processing Addendum, customer data processed via AWS Bedrock is not used to train AI models. Processing occurs within EU region eu-central-1 (Frankfurt). Data does not leave the EU.
(b) Google Cloud Vertex AI (Google Cloud EMEA Limited): Under the Google Cloud Data Processing Addendum (§5.2), customer data processed via Vertex AI is not used to train AI models. Processing occurs within EU region europe-west1 (Belgium). Data does not leave the EU.
(c) Microsoft Azure Document Intelligence: Under Microsoft's data processing terms, customer data processed via Azure Document Intelligence is not used to train Microsoft models.
13.3. What is sent to AI providers. For automated processing, the Processor sends only the textual content of documents (invoice lines, descriptions, bank statement lines) to the AI providers (AWS Bedrock or Google Cloud Vertex AI). The following is expressly not sent: portal passwords or authentication tokens; data belonging to other clients of the Controller; internal administrative data not part of the document being processed.
13.4. What AI providers return. The AI provider returns only structured classification results (VAT category, ledger account, reconciliation match). No document content is stored beyond the duration of the API call.
13.5. Human oversight. All outputs from automated processing are advisory only. The accountant reviews and approves every AI output before any entry is finalised or forwarded to Exact Online.
13.6. Migration obligation. If a Sub-processor involved in automated processing changes or announces a change to its policy on using customer data for model training, the Processor will notify the Controller in writing without delay and complete migration to a compliant alternative Sub-processor within 90 days of the announcement or effective date of the change. Until migration is complete, the Processor suspends the relevant automated processing, unless the Controller agrees in writing to continue.
13.7. Right to manual processing. The Controller may at any time request that specific documents or document categories be processed without AI technology (manual processing). The Processor will honour this request within a reasonable time. If manual processing involves substantially greater effort, the Processor may charge accordingly based on the rates agreed in the Terms and Conditions.
Article 14. Self-Hosted Deployment
14.1. The Platform is available as a self-hosted deployment where LLM routing can be set to self_hosted_only. In this configuration, all processing — including automated processing — is performed exclusively by local AI models (such as Ollama or vLLM) running within the Controller's own infrastructure.
14.2. With self_hosted_only routing, no Personal Data leaves the Controller's infrastructure for AI processing. In that case, AWS Bedrock and Google Cloud Vertex AI as listed in Annex 3 do not apply to the Controller's processing activities.
14.3. Exact Online (Exact Group B.V.) is an independent data controller with which the Controller maintains a direct contractual relationship. Utisha acts as a pass-through and processes data in Exact solely on the Controller's instruction using the API authorisation provided by the Controller.
14.4. In a self-hosted deployment where the Controller runs the entire infrastructure — including databases, object storage and application servers — within its own environment, Hetzner Online GmbH as Sub-processor does not apply. The Controller is then responsible for the security of its own infrastructure.
Article 15. Liability
15.1. The liability of the Parties under this DPA is governed by the Terms and Conditions.
15.2. GDPR-specific liability rules — in particular Article 82 GDPR — apply in full, even where the Terms and Conditions might otherwise limit liability to a lower level.
15.3. Where both Parties are liable for damage caused by processing, they are jointly and severally liable to the Data Subject, with internal apportionment according to the degree of responsibility of each Party.
Article 16. Governing Law and Jurisdiction
16.1. This DPA is governed by the laws of the Netherlands.
16.2. Disputes arising from this DPA are submitted to the exclusive jurisdiction of the competent courts in Amsterdam, in accordance with the jurisdiction clause in the Terms and Conditions.
Article 17. Miscellaneous
17.1. This DPA replaces any previously concluded data processing agreements between the Parties covering the same processing activities.
17.2. Amendments to this DPA are valid only if agreed in writing. Utisha may unilaterally amend this DPA where necessary due to changes in the GDPR, implementing legislation, supervisory guidance or changes to the Services, giving at least 30 days' written notice. If the Controller objects, the procedure in Article 7.4 applies by analogy.
17.3. If any provision of this DPA is invalid or unenforceable, the remaining provisions remain in effect. The Parties will replace any invalid provision with one that most closely reflects the original intent.
Annex 1: Description of Processing
| Aspect | Description |
|---|---|
| Subject matter | Processing of financial documents (invoices, credit notes, bank statements) for quarterly VAT return preparation for the Controller's clients |
| Purpose | (1) Automated extraction of transaction data from invoices and bank statements; (2) classification to VAT category and ledger account suggestion; (3) bank reconciliation by matching bank statement lines to invoices; (4) forwarding approved entries to Exact Online |
| Nature | Automated processing using AI technology (OCR, extraction and classification via large language model), followed by human review and approval by the accountant |
| Categories of Personal Data | Names, addresses, company names, IBAN numbers, invoice amounts, bank balances, transaction data, VAT numbers, KvK numbers, email addresses, phone numbers, portal login timestamps, document upload timestamps, platform audit log data |
| Categories of Data Subjects | (1) Clients of the Controller (entrepreneurs and SMEs); (2) employees of clients, where named on documents; (3) suppliers and customers of clients, where named on invoices or bank statements; (4) contact persons at the Controller |
| Duration | The subscription term as set out in the Terms and Conditions, plus the seven-year fiscal retention period under AWR Article 52 for financial documents |
| Processing location | Primary: EU (Hetzner Online GmbH, Gunzenhausen, Germany) for managed hosting. Automated processing: EU (AWS Bedrock, eu-central-1, Frankfurt, Germany; Google Cloud Vertex AI, europe-west1, Belgium). For self-hosted deployments: the Controller's own infrastructure. No data is transferred outside the EEA. |
Annex 2: Technical and Organisational Measures
The Processor applies the following measures to ensure an appropriate level of security. These are reviewed at least annually.
Encryption
| Measure | Detail |
|---|---|
| Data at rest | All integration credentials and sensitive configuration data are encrypted with AES-256-GCM. Document storage uses server-side encryption. |
| Data in transit | All communication uses TLS 1.3 exclusively. HTTP connections are automatically redirected to HTTPS. |
| Backups | Backups are stored encrypted; encryption keys are managed by the Processor and not accessible to external parties. |
Access Control
| Measure | Detail |
|---|---|
| Identity management | Keycloak Single Sign-On (SSO) with OpenID Connect (OIDC) for all platform users. |
| Roles and permissions | Role-based access control (RBAC) with five roles: platform-admin, group-admin, contributor, viewer, auditor. Least-privilege principle. |
| Multi-tenant isolation | Strict data separation per organisation via orgId filtering in all database queries. One Controller's data is not accessible from another Controller's context. |
| Staff access | Access to client data limited to staff on a need-to-know basis, recorded in the access register. |
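The multi-tenant isolation row above states the control ("orgId filtering in all database queries") without showing what makes it hold. The following is an added example, not Utisha's code, showing one way to make that filter unavoidable: every repository method takes the caller's principal and binds its organisation id into the WHERE clause, so there is no code path that looks a document up by id alone. The table name, column names and the sample rows are constructed for this illustration.

```python
"""Tenant-scoped data access: every query is filtered by the caller's org_id.

Added illustration of the multi-tenant isolation measure; not Utisha's code.
The `documents` table, its columns and the sample rows are assumptions made
for this example.
"""
import sqlite3
from dataclasses import dataclass


class CrossTenantAccess(Exception):
    """Raised when the requested row is not owned by the caller's organisation."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str


def open_db() -> sqlite3.Connection:
    # In-memory database seeded with constructed rows for two organisations.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id TEXT PRIMARY KEY, org_id TEXT NOT NULL, filename TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            ("doc-1", "org-alpha", "invoice-2026-001.pdf"),
            ("doc-2", "org-alpha", "mt940-q1.sta"),
            ("doc-3", "org-beta", "invoice-2026-017.pdf"),
        ],
    )
    return conn


class DocumentRepository:
    """Every read and write binds principal.org_id into the WHERE clause.

    No method accepts a document id without a principal, so a forgotten
    filter in a caller cannot expose another tenant's row.
    """

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn

    def list_documents(self, principal: Principal) -> list:
        rows = self.conn.execute(
            "SELECT id FROM documents WHERE org_id = ? ORDER BY id",
            (principal.org_id,),
        ).fetchall()
        return [r[0] for r in rows]

    def get_document(self, principal: Principal, doc_id: str) -> dict:
        row = self.conn.execute(
            "SELECT id, org_id, filename FROM documents WHERE id = ? AND org_id = ?",
            (doc_id, principal.org_id),
        ).fetchone()
        if row is None:
            # Same outcome whether the row is absent or belongs to another tenant,
            # so a caller cannot use the error to enumerate other organisations' ids.
            raise CrossTenantAccess(f"document {doc_id!r} not found for org {principal.org_id!r}")
        return {"id": row[0], "org_id": row[1], "filename": row[2]}

    def delete_document(self, principal: Principal, doc_id: str) -> int:
        cur = self.conn.execute(
            "DELETE FROM documents WHERE id = ? AND org_id = ?",
            (doc_id, principal.org_id),
        )
        return cur.rowcount  # 0 rows affected: nothing of ours matched


def demo() -> dict:
    repo = DocumentRepository(open_db())
    alpha = Principal("alice", "org-alpha")
    beta = Principal("bob", "org-beta")
    results = {
        "alpha_sees": repo.list_documents(alpha),
        "beta_sees": repo.list_documents(beta),
        "beta_deletes_alpha_doc": repo.delete_document(beta, "doc-1"),
        "alpha_still_has_doc1": "doc-1" in repo.list_documents(alpha),
    }
    try:
        repo.get_document(beta, "doc-1")
        results["cross_tenant_read_blocked"] = False
    except CrossTenantAccess:
        results["cross_tenant_read_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is that the scoping lives in the data-access layer rather than in each endpoint: an audit of the control then reduces to checking that no raw query bypasses the repository, which is easier to verify than checking every handler.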
Authentication
| Measure | Detail |
|---|---|
| Token verification | JWT verification on every authenticated API request. |
| CSRF protection | Cross-Site Request Forgery protection via the X-Requested-With header on all state-changing requests. |
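The CSRF row above relies on a custom request header. As an added example (not Utisha's code), the gate below shows the check that makes this work and the condition it depends on: a cross-site form submission cannot carry a custom header, and a cross-origin fetch that adds one triggers a CORS preflight, which the server must not approve for untrusted origins. The header name is the one in the table; the expected value "XMLHttpRequest", the function names and the sample requests are assumptions made for this illustration.

```python
"""Require a custom header on state-changing requests as a CSRF defence.

Added illustration of the measure in the table; not Utisha's code. The header
name is from the DPA; the expected value and the sample requests are assumed.
"""

SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
STATE_CHANGING_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})
REQUIRED_HEADER = "X-Requested-With"
EXPECTED_VALUE = "XMLHttpRequest"  # assumed value; any fixed value works


def csrf_check(method: str, headers: dict) -> tuple:
    """Return (allowed, reason) for one request.

    Header names are matched case-insensitively, as HTTP requires. The check
    is only sound if the server's CORS policy does not list this header in
    Access-Control-Allow-Headers for origins it does not trust; otherwise a
    foreign page could pass the preflight and attach the header itself.
    """
    method = method.upper()
    if method in SAFE_METHODS:
        return True, "safe method, no state change"
    if method not in STATE_CHANGING_METHODS:
        return False, f"unsupported method {method}"
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get(REQUIRED_HEADER.lower())
    if value is None:
        return False, f"missing {REQUIRED_HEADER} header"
    if value != EXPECTED_VALUE:
        return False, f"unexpected {REQUIRED_HEADER} value"
    return True, "custom header present"


# Constructed sample requests as (method, headers) pairs.
SAMPLE_REQUESTS = [
    ("GET", {"Accept": "application/json"}),                              # read, always allowed
    ("POST", {"Content-Type": "application/x-www-form-urlencoded"}),      # cross-site form post
    ("POST", {"x-requested-with": "XMLHttpRequest"}),                     # platform front-end
    ("DELETE", {"X-Requested-With": "curl"}),                             # wrong value
    ("TRACE", {}),                                                        # not a supported method
]


def evaluate_samples() -> list:
    """Allowed/denied verdict for each constructed request, in order."""
    return [csrf_check(m, h)[0] for m, h in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (m, h), verdict in zip(SAMPLE_REQUESTS, evaluate_samples()):
        print(f"{m:7} {'allow' if verdict else 'deny ':5} {csrf_check(m, h)[1]}")
```

In practice this gate runs after the JWT check from the previous row, so an unauthenticated request is rejected before the CSRF logic is reached; the header check then guards the authenticated session against requests the user did not intend to make.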
Logging and Audit
| Measure | Detail |
|---|---|
| Platform audit log | Full audit trail of all platform actions, including creation, modification and approval of processing results, with timestamp, user and action. |
| AI transaction log | Logging of all automated processing transactions (document type, model, result, timestamp) for EU AI Act compliance and internal audit. |
| Retention | Audit logs are retained for the duration of the fiscal retention obligation (7 years) using immutable logging. |
Infrastructure
| Measure | Detail |
|---|---|
| Hosting | Managed hosting via Hetzner Online GmbH, Gunzenhausen, Germany (EU). All production data is stored within the EU. |
| Container security | Docker containers run as non-root user. Official base images with regular updates. |
| Network segmentation | Internal services are not directly reachable from the internet; all traffic routes through Traefik as reverse proxy. |
Vulnerability Management
| Severity | Response time |
|---|---|
| Critical (CVSS ≥ 9.0) | Within 24 hours of discovery |
| High (CVSS 7.0–8.9) | Within 72 hours of discovery |
| Medium (CVSS 4.0–6.9) | Within 30 days |
Backups
Automated daily backups of all production data (database and object storage), stored encrypted at a location separate from the production environment. Backup restorability is tested at least quarterly.
Annex 3: Approved Sub-processors
Last updated: March 2026
| Sub-processor | Location | Purpose | No-training guarantee | Applies when |
|---|---|---|---|---|
| Amazon Web Services EMEA SARL (AWS Bedrock) | EU — eu-central-1 (Frankfurt, DE) | Automated processing: document extraction, VAT classification, ledger account suggestions, bank reconciliation via large language models | Yes — customer data is not used for model training (AWS Service Terms and Data Processing Addendum) | Managed/cloud deployment only. Not applicable with self_hosted_only routing. |
| Google Cloud EMEA Limited (Vertex AI) | EU — europe-west1 (Belgium) | Automated processing: document extraction, VAT classification, ledger account suggestions, bank reconciliation via large language models (Gemini) | Yes — customer data is not used for model training (Google Cloud Data Processing Addendum, §5.2) | Managed/cloud deployment only. Not applicable with self_hosted_only routing. |
| Microsoft Corporation (Azure Document Intelligence) | EU — West Europe (Amsterdam, NL) | OCR pre-processing of scanned documents | Yes — customer data is not used to train Microsoft models | Where OCR functionality is used |
| Hetzner Online GmbH | DE (Gunzenhausen / Nuremberg) | Infrastructure hosting: servers, databases, object storage | N/A — infrastructure only | Managed hosting by the Processor only. Not applicable in self-hosted deployments. |
Note on Exact Online: Exact Group B.V. (Exact Online) is not a Sub-processor of Utisha. The Controller maintains a direct contractual relationship with Exact as an independent data controller. Utisha acts as a pass-through using the API authorisation provided by the Controller.
Sub-processor change procedure:
The Processor will give at least 30 days' written notice of any planned Sub-processor change (adding, replacing or materially changing a Sub-processor). Notice is given by email to the address registered with the Controller's account and via a notification in the platform dashboard.
The Controller may object in writing within 30 days of receiving notice, addressed to dpa@utisha.com. If no resolution is reached within a further 30 days, either Party may terminate this DPA in respect of the affected processing activity.
For questions about this DPA, contact: dpa@utisha.com