Data Processing Agreement
Last updated: November 16, 2025
Our commitment to GDPR compliance and responsible data processing for B2B and Enterprise customers.
About This Agreement
This Data Processing Agreement (DPA) establishes the terms under which Chedr FinanceAI, Inc. processes personal data on behalf of our B2B and Enterprise customers in compliance with the General Data Protection Regulation (GDPR), specifically Article 28.
As a data processor, we are committed to implementing appropriate technical and organizational measures to ensure the security and confidentiality of your data. This DPA forms an integral part of our Service Agreement and reflects our dedication to the highest standards of data protection.
For questions about this DPA or to request a signed copy, please contact our legal team at legal@chedr.ai.
1. Introduction
1.1 Purpose
This Data Processing Agreement ("DPA") forms part of the agreement between Chedr FinanceAI, Inc. ("Chedr," "Processor," "we," or "us") and you, the customer ("Controller," "you," or "your"), governing the processing of Personal Data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") Article 28.
1.2 GDPR Article 28 Compliance
This DPA establishes the required contractual terms under GDPR Article 28, ensuring that Chedr processes Personal Data only on documented instructions from the Controller and implements appropriate technical and organizational measures to protect Personal Data.
1.3 Applicability
This DPA applies to all processing of Personal Data by Chedr on behalf of the Controller in connection with the provision of our Services. In the event of any conflict between this DPA and the main Service Agreement, this DPA shall prevail with respect to data protection matters.
2. Definitions
2.1 Controller
The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In this DPA, "Controller" refers to you, the customer.
2.2 Processor
A natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller. In this DPA, "Processor" refers to Chedr FinanceAI, Inc.
2.3 Personal Data
Any information relating to an identified or identifiable natural person ("Data Subject"). This includes but is not limited to: names, email addresses, financial account information, transaction data, IP addresses, and any other information that can directly or indirectly identify an individual.
2.4 Processing
Any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.
2.5 Data Subject
An identified or identifiable natural person whose Personal Data is processed by Chedr on behalf of the Controller.
2.6 Subprocessor
Any third party engaged by Chedr to process Personal Data on behalf of the Controller.
3. Scope of Processing
3.1 Subject Matter
Chedr processes Personal Data to provide AI-powered financial management services, including transaction categorization, tax optimization, financial forecasting, and related services as described in the Service Agreement.
3.2 Duration
Personal Data will be processed for the duration of the Service Agreement and retained in accordance with our data retention policies, unless earlier deletion is requested by the Controller or required by applicable law.
3.3 Nature and Purpose
The processing involves automated analysis of financial transactions, account data, and related information for the purpose of providing financial insights, tax optimization recommendations, and automated financial management services.
3.4 Categories of Data
Personal Data processed includes: (a) contact information (name, email, phone), (b) financial account information and credentials, (c) transaction data and account balances, (d) tax-related information, (e) device and usage information, and (f) communications with Chedr.
3.5 Categories of Data Subjects
Data Subjects include: (a) individual customers of Controller, (b) employees or contractors of Controller who use the Services, and (c) authorized users designated by Controller.
4. Data Processor Obligations
4.1 Processing Instructions
Chedr shall process Personal Data only on documented instructions from the Controller, unless required to do so by European Union or Member State law. If Chedr believes an instruction violates GDPR or other data protection laws, it will immediately inform the Controller.
4.2 Confidentiality
Chedr ensures that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is restricted to personnel who require access to perform their duties.
4.3 Security Measures
Chedr implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 5 (Security Measures) of this DPA.
4.4 Subprocessor Engagement
Chedr may engage Subprocessors only with the Controller's prior written authorization. By entering into this DPA, the Controller grants general written authorization for the Subprocessors listed in Section 6, subject to the notice and objection process in Section 6.6. A current list of authorized Subprocessors is maintained in Section 6 of this DPA and at https://chedr.ai/subprocessors.
4.5 International Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), Chedr shall ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or other valid transfer mechanisms.
4.6 Assistance with Controller Obligations
Chedr shall, taking into account the nature of processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests for exercising Data Subject rights under Chapter III of GDPR.
5. Security Measures
5.1 Encryption
All Personal Data is encrypted at rest using AES-256-GCM with a unique initialization vector (nonce) for every encryption operation under a given key and an authentication tag that is verified before any decrypted data is used. Data in transit is protected using TLS 1.3, whose cipher suites all provide forward secrecy. Encryption keys are stored separately from the encrypted data and managed through a secure key management system.
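As an added illustration of the controls named in 5.1 (not code from Chedr's own systems), the Go program below seals a record with AES-256-GCM using a fresh random 96-bit nonce, binds the ciphertext to a record identifier via additional authenticated data, shows that a single flipped ciphertext byte or a mismatched identifier fails tag verification, and shows why nonce uniqueness is required: two records sealed under the same key and nonce leak the XOR of their plaintexts to anyone who can read the ciphertexts. The key, the record identifier format and the sample values are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Record is what gets stored: the nonce travels with the ciphertext (it is
// not secret, only unique); the key is held elsewhere (a KMS in practice).
type Record struct {
	Nonce      []byte // 12 bytes, fresh for every Seal call under a key
	Ciphertext []byte // ciphertext followed by the 16-byte GCM tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with a random nonce. aad (here an
// assumed "tenant/record" label) is authenticated but not encrypted, so a
// ciphertext cannot be silently swapped into a different record.
func Seal(key, aad, plaintext []byte) (Record, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	return Record{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open checks the authentication tag (over nonce, ciphertext and aad) before
// returning plaintext; any modification yields an error, never garbage.
func Open(key, aad []byte, r Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, aad)
}

// NonceReuseLeak demonstrates the failure mode a unique nonce prevents.
// GCM encrypts with a keystream derived from (key, nonce), so reusing the
// pair for two messages makes the keystreams cancel: XOR of the two
// ciphertexts equals XOR of the two plaintexts, with no key required.
func NonceReuseLeak(key, nonce, p1, p2 []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	c1 := gcm.Seal(nil, nonce, p1, nil) // same key and nonce: never do this
	c2 := gcm.Seal(nil, nonce, p2, nil)
	n := len(p1)
	if len(p2) < n {
		n = len(p2)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = c1[i] ^ c2[i] // == p1[i] ^ p2[i]
	}
	return out, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a real one
	aad := []byte("tenant:acme/record:17")
	rec, _ := Seal(key, aad, []byte("IBAN DE89 3704 0044 0532 0130 00"))
	pt, err := Open(key, aad, rec)
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	rec.Ciphertext[0] ^= 0x01
	_, err = Open(key, aad, rec)
	fmt.Println("after flipping one byte:", err)
	leak, _ := NonceReuseLeak(key, make([]byte, 12), []byte("balance=1000.00"), []byte("balance=0000.00"))
	fmt.Printf("nonce reuse leaks p1 XOR p2: %x\n", leak)
}
```

The same structure carries over to any AEAD: store the nonce beside the ciphertext, keep the key in a separate system, authenticate the context the ciphertext belongs to, and treat tag failure as a hard error rather than a warning.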
5.2 Access Controls
Chedr implements role-based access control (RBAC) with the principle of least privilege. Multi-factor authentication is required for all personnel accessing production systems. Access logs are maintained and regularly reviewed for anomalous activity.
5.3 SOC 2 Type II Attestation
Chedr maintains a SOC 2 Type II attestation report covering the security, availability, processing integrity, confidentiality, and privacy trust services criteria. The audit is performed annually by an independent third-party auditor, and the current report is available to customers upon request under confidentiality terms.
5.4 Network Security
Infrastructure is protected by firewalls, intrusion detection systems, and network segmentation. Regular vulnerability scans and penetration testing are conducted to identify and remediate security weaknesses.
5.5 Data Minimization
Chedr collects and processes only the minimum Personal Data necessary to provide the Services. Automated data retention policies ensure Personal Data is not retained longer than necessary for the purposes for which it was collected.
5.6 Employee Training
All personnel receive regular security and privacy training, including GDPR awareness, secure coding practices, and incident response procedures. Background checks are conducted for personnel with access to Personal Data.
5.7 Physical Security
Data centers operated by our infrastructure providers (AWS) maintain industry-leading physical security controls, including 24/7 monitoring, biometric access controls, and redundant power and cooling systems.
6. Subprocessors
6.1 Authorized Subprocessors
Chedr engages the following Subprocessors to assist in providing the Services. Each Subprocessor is bound by written agreements imposing data protection obligations no less protective than those in this DPA.
6.2 Cloud Infrastructure
Amazon Web Services (AWS) - Provides cloud hosting infrastructure in US and EU regions. AWS holds ISO 27001 certification and publishes SOC 2 reports, and offers GDPR-aligned contractual terms. Data residency (hosting region) can be configured to meet Controller requirements.
6.3 Payment Processing
Stripe, Inc. - Processes payment information for subscription billing. Stripe is PCI DSS Level 1 certified and GDPR compliant. Payment card data is processed directly by Stripe and never stored on Chedr servers.
6.4 Analytics
PostHog, Inc. - Provides privacy-focused product analytics. PostHog is GDPR compliant and offers EU data residency. Personal Data is minimized and pseudonymized where possible.
6.5 Banking Connectivity
Plaid, Inc. - Facilitates secure connections to financial institutions. Plaid maintains a SOC 2 Type II report and GDPR-aligned terms. Financial institution credentials are handled by Plaid, encrypted, and tokenized; Chedr receives access tokens rather than the credentials themselves.
6.6 Subprocessor Changes
Chedr will provide at least 30 days' notice before adding or replacing Subprocessors by updating the list at https://chedr.ai/subprocessors and notifying the Controller via email. Controllers may object to new Subprocessors within 14 days of notification.
7. Data Subject Rights
7.1 Assistance with Requests
Chedr shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under GDPR (access, rectification, erasure, restriction, data portability, objection).
7.2 Technical Assistance
Chedr will provide reasonable technical assistance to enable the Controller to respond to Data Subject requests within the timeframes required by GDPR (one month from receipt under Article 12(3), extendable by up to two further months for complex or numerous requests).
7.3 Data Access and Portability
Chedr provides self-service tools within the Services that enable Data Subjects to access and export their Personal Data in machine-readable formats (JSON, CSV).
7.4 Data Deletion
Upon Controller request or Data Subject request (as directed by Controller), Chedr will delete Personal Data within 30 days. Deletion is performed securely to prevent recovery, and confirmation is provided to the Controller.
7.5 Rectification and Restriction
Controllers can update or correct Personal Data through the Services interface. Where processing must be restricted pending verification, Chedr will implement technical controls to prevent further processing.
8. Data Breach Notification
8.1 Notification Timeline
Chedr shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting the Controller's data.
8.2 Breach Information
The notification will include: (a) description of the nature of the breach, including categories and approximate number of Data Subjects and records affected, (b) name and contact details of the data protection officer or other contact point, (c) description of likely consequences of the breach, and (d) measures taken or proposed to address the breach and mitigate its effects.
8.3 Investigation and Remediation
Chedr will promptly investigate all suspected breaches, take reasonable steps to remediate the cause, and implement measures to prevent recurrence. The Controller will be kept informed of investigation progress.
8.4 Controller Notification Obligations
Chedr acknowledges that the Controller is responsible for complying with breach notification obligations to supervisory authorities and Data Subjects under GDPR Articles 33 and 34. Chedr will provide reasonable cooperation and assistance.
8.5 Incident Response Plan
Chedr maintains a documented incident response plan that is tested annually. The plan includes procedures for detection, containment, investigation, notification, and remediation of security incidents.
9. Audits and Compliance
9.1 Audit Rights
Chedr shall make available to the Controller all information necessary to demonstrate compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
9.2 Audit Procedure
The Controller may conduct audits upon reasonable written notice (at least 30 days). Audits shall be conducted during normal business hours and in a manner that does not unreasonably interfere with Chedr's operations. Audits are limited to once per year unless required by a supervisory authority.
9.3 SOC 2 Reports
In lieu of on-site audits, Chedr may provide its current SOC 2 Type II report, which demonstrates compliance with security and privacy controls. Controllers may rely on this report to satisfy audit requirements.
9.4 Audit Costs
The Controller shall bear all costs associated with audits, including auditor fees and any costs incurred by Chedr in facilitating the audit. Chedr may charge reasonable fees for audit support exceeding 8 hours per year.
9.5 Remediation
If an audit reveals non-compliance with this DPA, Chedr shall implement a remediation plan within a reasonable timeframe (generally 30-90 days depending on severity) and provide evidence of remediation to the Controller.
10. Term and Termination
10.1 Term
This DPA shall remain in effect for as long as Chedr processes Personal Data on behalf of the Controller, which shall be for the duration of the Service Agreement.
10.2 Data Return and Deletion
Upon termination or expiration of the Service Agreement, Chedr shall, at the Controller's choice, delete or return all Personal Data to the Controller and delete existing copies, unless European Union or Member State law requires storage of the Personal Data.
10.3 Deletion Certification
Chedr will provide written certification to the Controller confirming secure deletion of all Personal Data within 30 days of termination. Deletion logs and verification procedures are available upon request.
10.4 Retention for Legal Purposes
If applicable law requires Chedr to retain certain Personal Data, Chedr will inform the Controller of such requirements and continue to protect such Personal Data in accordance with this DPA until legally permissible deletion.
10.5 Survival
The confidentiality and audit provisions of this DPA, together with any limitation of liability in the Service Agreement, shall survive termination for a period of 7 years or the applicable statute of limitations, whichever is longer.
Enterprise customers can request a signed and executed copy of this DPA by contacting legal@chedr.ai. We recommend reviewing our SOC 2 Type II report and subprocessor list to ensure alignment with your compliance requirements.
Contact Information
For questions about this DPA, to request a signed copy, or to exercise your rights as a Controller, please contact:
DPA Requests: legal@chedr.ai
Data Protection Officer: dpo@chedr.ai
Address: Chedr FinanceAI, Inc., 123 Financial District, San Francisco, CA 94105