Data Processing Agreement (DPA)

Last updated: 22 April 2026

This Data Processing Agreement under Art. 28 GDPR (hereinafter "DPA") governs the processing of personal data by us in connection with use of the Harriet Application. By accepting the Beta Terms you also agree to this DPA.

1. Parties

Controller ("Customer"): You as a Beta user of the Harriet Application — to the extent that you introduce personal data of your own or of others (e.g. data of your customers, suppliers or employees contained in receipts or bank exports) into the Application.

Processor:

Mario Deubler
Schödlbergergasse 16/53
1220 Vienna, Austria
Email: hello@harriet.tax

2. Subject and duration

The subject of processing is the provision of the services described in the Beta Terms and the T&Cs, in particular the storage and processing of uploaded receipts, bank data, OCR-extracted content and tax values and classifications derived from this data. The duration corresponds to the duration of your Beta participation, plus the deletion and return periods governed in section 9.

3. Nature and purpose of processing, categories of data, data subjects

Nature and purpose: storage, reading (OCR), classification into tax categories, calculation of tax-relevant values, preparation of the E/A bookkeeping and the E1a annex, optional release to a tax advisory firm.

Categories of data: master data of the Customer, content of uploaded receipts (incl. any contained personal data of third parties such as names, addresses, bank details, amounts), bank exports with transaction data, derived classifications and calculations, authentication and session data.

Data subjects: the Customer themselves and, where applicable, natural persons whose data is contained in receipts or bank data introduced by the Customer (e.g. customers, suppliers, employees).

4. Bound by instructions

We process personal data exclusively within the scope of the agreements in place and according to documented instructions of the Customer. Acceptance of the Beta Terms, the T&Cs and this DPA forms the initial instruction. Further or differing instructions must be issued in text form to hello@harriet.tax. If, in our opinion, an instruction is unlawful, we will inform the Customer without delay.

5. Confidentiality

All persons involved in data processing are committed to confidentiality, unless they are already subject to an appropriate statutory duty of confidentiality.

6. Technical and organisational measures (Art. 32 GDPR)

We implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. These include in particular:

  • Encryption of data transmission via TLS
  • Restriction of access to personal data to authorised persons, with individual accounts and logged access
  • User authentication via Supabase Auth
  • Hosting of database and file storage in the EU region (Frankfurt) at Supabase
  • Row-Level Security (RLS) rules at the database layer for workspace separation
  • Pseudonymisation in web analytics data (PostHog)
  • Regular backups by our processors
  • Protection against unauthorised access through standard security measures of our hosting and infrastructure providers (Vercel, Supabase, Cloudflare)

A detailed description of the measures is available on request. During the Beta phase, measures may evolve; material changes will be documented.

7. Sub-processors

The Customer agrees to the engagement of the following sub-processors. We contractually oblige our sub-processors to comply with the GDPR and to data protection and security standards equivalent to ours.

  • Vercel Inc. (hosting of the Application) — USA. Transfer based on the EU-US Data Privacy Framework or Standard Contractual Clauses.
  • Supabase Inc. (database, authentication, storage) — EU region (Frankfurt). Any administrative/support access from the USA based on Standard Contractual Clauses.
  • Mistral AI SAS (OCR and classification) — France, processing in the EU. Mistral is contractually bound not to use API content for training.
  • Proton AG (email via Proton Mail) — Switzerland. Transfer based on the European Commission's adequacy decision pursuant to Art. 45 GDPR.
  • Cloudflare Inc. (CDN/proxy for web analytics) — USA. Transfer based on the EU-US Data Privacy Framework.
  • PostHog Inc. (web analytics, EU cloud, optional, only with consent) — EU.

We will inform the Customer of intended changes to the list of sub-processors with appropriate advance notice by email or by updating this list. The Customer may object to the change for good cause; in that case we are entitled to terminate the contractual relationship with reasonable notice.

8. Support with data subject rights and obligations

We support the Customer, as far as possible and taking into account the nature of processing, in fulfilling requests from data subjects under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection) as well as the obligations under Art. 32–36 GDPR (security, breach notification, data protection impact assessments, consultation with the supervisory authority). Requests from data subjects sent directly to us are forwarded to the Customer without delay.

9. Personal data breach notification

We notify the Customer of personal data breaches without delay, no later than 72 hours after becoming aware of them, with all available information they require to fulfil their own notification obligations under Art. 33/34 GDPR.

10. Return and deletion after end of contract

After termination of Beta participation — irrespective of the reason for termination — we delete the personal data processed on the Customer's behalf within 90 days, unless statutory retention obligations require otherwise. On request we will provide the data in advance in a structured, commonly used and machine-readable format. Backups are overwritten as part of our sub-processors' retention cycles.

11. Evidence and audits

On request we provide the Customer, to a reasonable extent, with the information necessary to demonstrate compliance with this DPA. On-site audits are possible by prior agreement and subject to legitimate confidentiality interests; in lieu of an on-site audit we may provide audit reports of our sub-processors or self-assessments.

12. Liability

The liability of the parties is governed by statutory provisions, in particular Art. 82 GDPR. Internally, each party bears its own responsibility resulting from its own breaches of duty.

13. Final provisions

Austrian law applies. The place of jurisdiction is Vienna, to the extent permitted by law. In case of conflict between this DPA and other agreements between the parties, the provisions of this DPA prevail with respect to data protection.

This version of the DPA (v1, dated 22 April 2026) takes effect with acceptance of the Beta Terms. A versioned record of your consent is stored in the Application.
