Data Processing Agreement (DPA)
If you use SpenzaBook for your business, you record information about your customers and suppliers — names, balances, transaction notes. Under data protection laws like the GDPR and India's DPDP Act, that makes you the data controller (or data fiduciary) for that information, and Spenzaa your processor. This DPA describes how we handle that responsibility. It forms part of our Terms & Conditions for business users.
1. Roles
You decide what data to record about your contacts and why — you are the controller. We process it only to provide the Service — we are the processor. For your own account data (your email, your subscription), we are the controller as described in our Privacy Policy.
2. What we process on your behalf
- Contact names and (optional) phone numbers you attach to ledgers
- Transaction entries, balances, notes and bill attachments
- Reminder delivery records (what was sent, when)
3. Our commitments as your processor
- We process this data only on your instructions (i.e., to operate the features you use) — never for advertising, profiling or resale;
- Everyone at Spenzaa with access is bound by confidentiality obligations;
- We apply the security measures in section 4;
- We help you respond to requests from your customers to access or delete their data;
- We delete or return the data when you delete your account;
- We make information available to demonstrate compliance, and we'll tell you if we believe an instruction violates data protection law.
4. Security measures
- 256-bit AES encryption at rest
- TLS 1.3 in transit
- Role-based access controls with audited access
- Multi-factor authentication for internal systems
- Isolated per-ledger visibility (only you and the relevant contact can see a ledger)
- Tested backup and recovery procedures
5. Subprocessors
We use a small number of vetted infrastructure providers (cloud hosting, message delivery for reminders) under written agreements imposing equivalent obligations. A current list is available on request at help@spenzaa.com. We'll notify account owners before adding a subprocessor that handles ledger data, giving you an opportunity to object.
6. Breach notification
If a personal data breach affects data we process for you, we will notify you without undue delay and no later than 72 hours after becoming aware of it, with enough detail for you to meet your own notification duties.
7. International transfers
Where data moves across borders, we rely on appropriate safeguards (such as Standard Contractual Clauses for EU data). Primary data storage regions are documented in your account settings.
8. Getting a signed copy
Need an executed DPA for your compliance records or a vendor review? Email help@spenzaa.com with "DPA request" and your business details, and we'll send a countersigned copy.