Transmute · Legal
Data Processing Addendum
Version 1.0 · Effective: July 14, 2026 · Last updated: July 14, 2026
This Data Processing Addendum (the "DPA") forms part of the Transmute Terms of Service (the "Terms") between 403 Finance, Inc., a Delaware corporation with offices at 1111B S Governors Ave, Ste 92573, Dover, DE 19904, USA ("403 Finance," "we," "us," or "our"), and the Customer that has accepted the Terms ("Customer," "you," or "your"). It governs our processing of personal data contained in Message Content that you submit to the Service, and it sets out the data-protection obligations of each party. Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms.
This DPA is a legal document, not a description of features. Where it describes how the Service behaves, it does so to fix that behavior as a binding processing commitment.
1. Incorporation and Precedence
(a) Automatic incorporation. This DPA is incorporated into and forms part of the Terms and is binding on all Customers, without the need for a separate signature. It takes effect on the same date that the Terms take effect between you and us, and it applies for as long as we process personal data contained in Message Content on your behalf.
(b) Countersignable execution copy. If your procurement process requires a signed data processing agreement, you may request a countersignable execution copy of this DPA by emailing legal@403fin.io. The two versions are identical in substance; the incorporated DPA governs whether or not a separate copy is signed, and executing a separate copy neither expands nor reduces either party's rights and obligations under this DPA.
(c) Precedence. This DPA supplements the Terms. In the event of a conflict between this DPA and the remainder of the Terms with respect to the processing of personal data, this DPA prevails to the extent of that conflict. A signed enterprise agreement and its order form, where one applies to your use of the Service, continue to take precedence in accordance with Section 21 of the Terms. The order of precedence within the data-protection documents themselves is stated in Section 15 of this DPA.
2. Definitions and Roles
(a) Data-protection law. "Data Protection Law" means all laws and regulations applicable to the processing of personal data under the Terms, including, as applicable: Regulation (EU) 2016/679 (the "GDPR"); the GDPR as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018 (the "UK GDPR"); the Swiss Federal Act on Data Protection (the "FADP"); and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (the "CCPA/CPRA").
(b) GDPR terms incorporated. The terms "controller," "processor," "data subject," "personal data," "processing," "personal data breach," "special categories of personal data," and "supervisory authority" have the meanings given to them in the GDPR, and the equivalent meanings given to any corresponding terms under the UK GDPR, the FADP, and, where the context requires, the CCPA/CPRA.
(c) Roles of the parties. With respect to personal data contained in Message Content:
(i) where you determine the purposes and means of the processing for your own account, you are the controller and we are your processor; and
(ii) where you process that personal data on behalf of, and on the documented instructions of, one or more third-party controllers (for example, where you are yourself a processor providing services to your own customers), you are a processor and we are your sub-processor. In that case, you represent and warrant that you have the authorization of the relevant controller to appoint us, and to give us the instructions set out in the Terms and this DPA, on that controller's behalf, and your instructions to us must be consistent with your obligations to that controller.
(d) Scope of our role. We are a controller only in respect of the limited personal data we process for our own purposes as described in our Privacy Policy — namely portal-account and billing-identity data, and Usage Metadata — and not in respect of personal data contained in Message Content, which we process solely as your processor or sub-processor. This DPA governs the processing in which we act as processor or sub-processor. The processing in which we act as controller is governed by our Privacy Policy.
(e) References to Customer. Where this DPA imposes an obligation on, or grants a right to, the "controller" and you act as a processor for a third-party controller, that obligation or right is read as applying between you and us, and you remain responsible to your controller for the corresponding obligations under your own arrangements.
3. Processing Instructions
(a) Documented instructions. We process personal data contained in Message Content only on your documented instructions, including with regard to international transfers, unless we are required to process it by a law to which we are subject; in that case, we will inform you of that legal requirement before processing, unless that law prohibits informing you on important grounds of public interest. Your complete and final documented instructions are: (i) the Terms; (ii) this DPA; and (iii) the API calls and configuration settings you make through the Service. You may issue additional instructions consistent with the Terms; where an additional instruction is outside the scope of, or inconsistent with, the Service as documented, we are not obliged to act on it, and we may charge for, or decline, any instruction that we are not otherwise required by law to perform.
(b) Statelessness as processing behavior. Our documented processing behavior is stateless. We process Message Content in memory to serve your request, and we do not persist or log message bodies, except for exactly two purposes:
(i) Idempotency response cache. To make retried requests safe, we maintain a short-lived idempotency response cache keyed by a hash of the request body; raw request bodies are never stored. Entries have a maximum time-to-live of twenty-four (24) hours and are held on an encrypted volume in production.
(ii) Asynchronous batch job store. To serve asynchronous batch jobs, we maintain a batch job store in which inputs and results are stored only as AES-256-GCM-encrypted ciphertext. Inputs are purged on completion of the batch item. Results are retained for a default of one hour and for no longer than a customer-configurable maximum of twenty-four (24) hours, and purge is available on demand.
Outside these two purposes, personal data contained in Message Content is not written to durable storage and is not logged. This behavior is a binding commitment for the term of the Terms, and Section 5 addresses non-degradation.
(c) Metadata. We generate and retain Usage Metadata about your use of the Service, as described in the Terms and in Annex II. Usage Metadata excludes Message Content and Output.
(d) Notice of infringing instruction. We will inform you without undue delay if, in our reasonable opinion, an instruction infringes Data Protection Law. In that case, we may suspend performance of the affected instruction (without liability) until you confirm, withdraw, or amend it, and nothing in this Section obliges us to carry out an instruction we reasonably believe to be unlawful.
4. Personnel and Confidentiality
(a) Authorization and need-to-know. We limit access to personal data contained in Message Content to those of our personnel who require access to perform the Terms, and we authorize access only to the extent necessary for that purpose. Given the stateless architecture described in Section 3, no persistent copy of Message Content exists for personnel to access outside the transient processing and the two encrypted, time-limited stores described above; administrative access to those stores is restricted to authorized personnel.
(b) Confidentiality undertakings. Each person we authorize to process personal data contained in Message Content is bound by an obligation of confidentiality, whether by a written agreement or by a statutory or professional duty of confidence, and that obligation survives the end of that person's engagement with us.
(c) Training. We take reasonable steps to ensure that persons authorized to process personal data are aware of their confidentiality and data-protection obligations and of the security measures in Annex II that are relevant to their role.
5. Security
(a) Technical and organizational measures. We implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data subjects. Those measures are described in Annex II (Technical and Organisational Measures).
(b) No degradation. We may update or modify the measures in Annex II from time to time, provided that any such update or modification does not materially reduce the overall level of security of the Service during the term.
(c) Evaluation. We periodically test, assess, and evaluate the effectiveness of our technical and organizational measures, and we take account of the risks presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
6. Sub-Processing
(a) General authorization. You provide a general written authorization for us to engage sub-processors to process personal data contained in Message Content, subject to this Section. Every sub-processor we engage is bound by a written contract that imposes data-protection obligations that are, in substance, no less protective than those in this DPA, in particular the obligation to implement appropriate technical and organizational measures.
(b) Current list. Our current sub-processors are set out in the published Sub-Processor List available at 403fin.io/transmute/legal/subprocessors, which is incorporated into this DPA as Annex III and is the living record of our sub-processors. Annex III distinguishes sub-processors that process or transit Message Content from those that process only portal-account and billing personal data.
(c) Notice of changes. We will give you at least fifteen (15) days' advance notice before we add or replace a sub-processor, by updating the published Sub-Processor List and by notifying subscribers to the sub-processor change notification mechanism described in Annex III. You are responsible for subscribing to that mechanism to receive notice.
(d) Emergency replacement. Where a sub-processor must be replaced urgently — including where that sub-processor terminates or suspends its service to us, becomes insolvent, or gives rise to a security concern — we may appoint the replacement sub-processor before giving the advance notice in Section 6(c). In that case, we will notify you of the replacement without undue delay and in any event no later than five (5) business days after the appointment, and your objection right under Section 6(e) applies from the date of that notice.
(e) Objection. You may object to the addition or replacement of a sub-processor on reasonable, good-faith data-protection grounds by notifying us in writing at legal@403fin.io within the notice period. On receipt of your objection, the parties will work together in good faith to resolve it, which may include our describing additional safeguards or, where feasible, offering a means of using the affected Service without the new sub-processor.
(f) Termination and refund on unresolved objection. If the parties cannot resolve your objection within a reasonable period, you may terminate the Service affected by the new sub-processor by written notice, and, by way of a narrow exception to the no-refund rule in Section 7 of the Terms, we will refund the prepaid, unused fees attributable to the terminated Service, calculated as the lesser of (i) the portion attributable to the unelapsed part of your then-current subscription period and (ii) the portion attributable to the unconsumed part of your included entitlement for that period. Overage fees are not refundable. This termination-and-refund right is your sole and exclusive remedy for an unresolved sub-processor objection.
(g) Liability for sub-processors. Where a sub-processor fails to fulfil its data-protection obligations in respect of the processing it performs for us, we remain liable to you for the performance of that sub-processor's obligations to the same extent we would be liable if we performed those obligations ourselves.
7. Data-Subject Rights Assistance
(a) Honest limitation. By design, we cannot search for, retrieve, or identify individual data subjects within Message Content, because Message Content is not retained beyond the transient processing and the two encrypted, time-limited stores described in Section 3, none of which is indexed by data subject. We therefore have no standing store of Message Content against which to run a data-subject search after the applicable retention window (at most twenty-four hours) has elapsed.
(b) Assistance we provide. Taking into account the nature of the processing, we assist you by appropriate technical and organizational measures, insofar as this is possible, to respond to requests from data subjects to exercise their rights under Data Protection Law. In practice, that assistance consists of: (i) the purge-on-demand capabilities of the Service, which let you cause any batch input or result then held for you to be deleted (via DELETE /v1/jobs/{id} or the equivalent purge parameter); (ii) responding to your requests concerning the portal-account and billing-identity data we hold about your authorized users, as described in our Privacy Policy; and (iii) other reasonable cooperation you may require to respond to a data-subject request that relates to our processing, to the extent we are able to provide it.
(c) Redirection. If we receive a request directly from a data subject that relates to personal data contained in Message Content, we will not respond to that request other than to acknowledge receipt where required, and we will, without undue delay and where lawful, direct the data subject to you or forward the request to you so that you may respond.
8. Personal-Data Breach
(a) Notification. We will notify you without undue delay after we become aware of a personal data breach affecting personal data contained in Message Content that we process on your behalf, and in any event we will aim to notify you no later than seventy-two (72) hours after becoming aware of it.
(b) Contents of notice. Our notification will, to the extent then known and taking into account the information available to us, describe: (i) the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned; (ii) the name and contact details of a point of contact from whom more information can be obtained; (iii) the likely consequences of the personal data breach; and (iv) the measures we have taken or propose to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects. Where we cannot provide all of this information at once, we may provide it in phases without undue further delay.
(c) No admission. Our notification of, or response to, a personal data breach is not, and will not be construed as, an acknowledgment by us of any fault or liability in respect of the breach.
(d) Your responsibility for regulatory notice. As controller (or as processor for your own controller), you are responsible for any notification to a supervisory authority or to affected data subjects that Data Protection Law requires of you, and for determining whether such notification is required. We will provide the reasonable assistance described in Section 9 in connection with those obligations.
9. Data Protection Impact Assessments and Prior Consultation
(a) Assistance. Taking into account the nature of the processing and the information available to us, we provide you with reasonable assistance with: (i) data protection impact assessments you are required to carry out under Article 35 of the GDPR (or the equivalent provision of the UK GDPR or FADP); and (ii) prior consultations with a supervisory authority under Article 36 of the GDPR (or the equivalent provision). In the ordinary course, this assistance is satisfied by the information in this DPA, in Annex II, and in the Security Overview.
(b) Excessive requests. The assistance in this Section, and in Section 7, is provided at your cost where your requests are excessive, in particular because of their repetitive character or because they call for effort disproportionate to the assistance we are able to provide given the stateless architecture. We will tell you in advance if we consider a request to be excessive and, where practicable, provide an estimate of the charge before we incur it.
10. Deletion and Return
(a) Deletion by architecture. Deletion and return of personal data contained in Message Content occur automatically as a function of the architecture. Message Content processed for synchronous requests exists only in request-scoped memory and is not retained. Idempotency cache entries expire within their twenty-four (24) hour maximum time-to-live. Batch inputs are purged on completion of the batch item, and batch results are retained for at most twenty-four (24) hours (default one hour), in each case subject to purge on demand. Because Message Content is returned to you as Output in the ordinary course of each request, no separate return step is required.
(b) On termination. On termination or expiration of the Terms, your right to access the Service ends and your API Credentials are revoked, and any Message Content or Output then held in the idempotency cache or the batch job store is purged in the ordinary course within the applicable time-to-live windows described in Section 3 (each no longer than twenty-four (24) hours), or sooner on your request.
(c) Certification. On your written request made within thirty (30) days after termination, we will certify in writing that Message Content held for you in the idempotency cache and the batch job store has been deleted in accordance with this Section.
(d) Portal and account data. Personal data that we process as a controller — portal-account data and billing-identity data — is handled in accordance with our Privacy Policy and applicable law. Because we do not currently offer a self-service account-deletion endpoint, deletion of your account is operator-assisted through support@403fin.io, as described in the Terms.
(e) Usage Metadata. We retain Usage Metadata after termination as permitted by Article 28(3)(g) of the GDPR and for the purpose of complying with statutory bookkeeping and recordkeeping obligations. Usage Metadata is body-free and excludes Message Content and Output.
11. Audits
(a) Information ordinarily sufficient. We make available to you the information necessary to demonstrate compliance with the obligations in Article 28 of the GDPR (and the equivalent obligations under the UK GDPR and FADP). In the ordinary course, that obligation is satisfied by: (i) this DPA; (ii) the Security Overview; (iii) our responses to reasonable security questionnaires you submit; and (iv) any third-party attestations we may hold, when and to the extent we hold them.
(b) No standing certification claim. We do not represent that we hold a SOC 2 report, an ISO 27001 certificate, or any other third-party attestation, and nothing in this Section should be read as such a representation. Where we describe such a control framework, we describe our readiness against it, and we will make an attestation available under this Section only if and when we actually obtain it.
(c) On-site and remote audits. We will contribute to audits and inspections, including on-site and remote audits, only where such an audit is required by Data Protection Law for a regulated Customer, or is mandated by a supervisory authority with jurisdiction over you or us. Any such audit is subject to the following conditions: (i) it may be conducted no more than once in any twelve (12) month period, except where a supervisory authority requires otherwise or following a personal data breach; (ii) you give us at least thirty (30) days' prior written notice; (iii) it is conducted during normal business hours, in a manner that does not unreasonably disrupt our operations; (iv) it is conducted at your cost; (v) you and any third-party auditor are bound by confidentiality obligations; and (vi) it does not extend to any data, systems, or information of our other customers, or to any information the disclosure of which would breach our obligations to third parties or compromise the security of the Service.
12. International Transfers
(a) Processing location. We process and host personal data contained in Message Content in the European Union — edge processing and container compute with Cloudflare in Frankfurt, Germany, and metadata and encrypted batch ciphertext with Neon on Amazon Web Services in the eu-central-1 (Frankfurt) region. EU processing is a product commitment. Day-to-day administrative access to the production environment occurs from the United Kingdom. For personal data protected by the GDPR, that access is covered by the European Commission's adequacy decision for the United Kingdom, which permits transfers of such data to the United Kingdom without an additional transfer mechanism. As a safeguard for any residual administrative access from the United States, the EU Standard Contractual Clauses described in this Section remain incorporated and apply to any such transfer.
(b) EU Standard Contractual Clauses. For any restricted transfer of personal data protected by the GDPR that is not covered by an adequacy decision — including any residual administrative access from the United States — the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914 (the "EU SCCs") are incorporated into this DPA by reference and apply, with the following selections:
(i) Module. Where you are a controller and we are your processor, Module Two (controller to processor) applies. Where you are a processor acting for a third-party controller and we are your sub-processor, Module Three (processor to processor) applies mutatis mutandis, and the third-party controller is a beneficiary of the clauses as provided in them.
(ii) Clause 7 (docking clause). The optional docking clause does not apply.
(iii) Clause 9 (sub-processors). Option 2 (general written authorization) applies, with a minimum notice period of fifteen (15) days for changes of sub-processor, consistent with Section 6 of this DPA.
(iv) Clause 11 (redress). The optional independent-dispute-resolution language does not apply.
(v) Clause 17 (governing law). The EU SCCs are governed by the law of Ireland.
(vi) Clause 18 (forum and jurisdiction). Disputes arising from the EU SCCs are resolved before the courts of Ireland.
(vii) Annexes. The information required by the Annexes to the EU SCCs is supplied by Annex I (parties and description of processing), Annex II (technical and organizational measures), and Annex III (sub-processors) of this DPA.
(c) UK transfers. For any restricted transfer of personal data protected by the UK GDPR, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner (the "UK IDTA Addendum") is incorporated into this DPA by reference. The EU SCCs as completed in this Section form the "Approved EU SCCs" for the purposes of the UK IDTA Addendum; Table 1 (parties), Table 2 (selected clauses and modules), Table 3 (appendix information, being Annexes I to III of this DPA), and Table 4 (ending the addendum when the approved addendum changes) are completed by reference to the corresponding provisions and Annexes of this DPA, with the importer and exporter as identified in Annex I. Either party may end the UK IDTA Addendum as provided in it if the approved addendum changes in a way that has more than a minimal effect on that party.
(d) Swiss transfers. For any restricted transfer of personal data protected by the FADP, the EU SCCs apply with the following adaptations: (i) references to the GDPR are read as references to the FADP to the extent the processing is subject to the FADP; (ii) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (the "FDPIC"); (iii) the term "member state" is read so as not to deprive data subjects in Switzerland of the right to bring proceedings in their place of habitual residence; and (iv) the EU SCCs also protect the data of legal entities to the extent the FADP so requires, until the entry into force of any FADP amendment removing that protection.
(e) Precedence of transfer clauses. If there is any conflict between this DPA and the EU SCCs, the UK IDTA Addendum, or the Swiss adaptations, the relevant transfer mechanism prevails to the extent of the conflict as it applies to the transfer it governs.
13. CCPA/CPRA Service-Provider Terms
(a) Service-provider status. To the extent we process personal information (as defined in the CCPA/CPRA) contained in Message Content on your behalf, we act as a "service provider" and you act as a "business," and this Section applies in addition to the rest of this DPA.
(b) No sale or sharing. We do not sell or share personal information within the meaning of the CCPA/CPRA. We do not retain, use, or disclose personal information for any purpose other than the specific purpose of performing the Service under the Terms, or as otherwise permitted by the CCPA/CPRA, and in particular not for any commercial purpose other than providing the Service. We do not combine the personal information we process for you with personal information we receive from, or on behalf of, any other person, except as the CCPA/CPRA permits a service provider to do.
(c) Certification. We certify that we understand the restrictions in this Section and will comply with them.
(d) Flow-down. We impose obligations equivalent to those in this Section on any sub-processor we engage that qualifies as a service provider or contractor with respect to the personal information we process for you.
(e) Assistance. We provide you with reasonable assistance to respond to verifiable consumer requests under the CCPA/CPRA, subject to the same design limitation described in Section 7.
14. Liability
(a) As between the parties. Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitation of liability in Section 17 of the Terms, and any reference in that Section to liability arising out of or relating to the Terms is deemed to include liability arising out of or relating to this DPA. Accordingly, each party's liability arising out of or relating to this DPA, including for any breach of its data-protection obligations, is subject to the limitation of liability in Section 17 of the Terms, without limiting the rights of data subjects preserved under Section 14(b).
(b) Data-subject rights preserved. Nothing in the Terms or this DPA limits or excludes any liability of either party to a data subject, or the rights of a data subject, under the EU SCCs, the UK IDTA Addendum, the Swiss adaptations, or Data Protection Law, and no provision of the Terms limiting liability applies as against a data subject exercising third-party-beneficiary rights under those clauses.
15. Term and Order of Precedence
(a) Term. This DPA takes effect together with the Terms and remains in effect for as long as we process personal data contained in Message Content on your behalf. Provisions that by their nature should survive — including Sections 8 (as to a breach occurring during the term), 10, 11, 13, and 14, and the transfer mechanisms in Section 12 as they apply to transfers made during the term — survive termination.
(b) Order of precedence within the data-protection documents. In the event of a conflict among the data-protection documents, the following order of precedence applies, from highest to lowest: (i) the EU SCCs, the UK IDTA Addendum, and the Swiss adaptations, each as to the transfer it governs; (ii) this DPA (including its Annexes); (iii) the remainder of the Terms; and (iv) the Privacy Policy and the Security Overview, which are informational and do not override this DPA. A signed enterprise agreement and its order form take precedence as provided in Section 21 of the Terms.
Annex I — Parties and Description of Processing
A. Parties
(a) Data exporter (Customer). The Customer identified in the account and, where applicable, in an Order or countersigned execution copy of this DPA. The data exporter is the controller of personal data contained in Message Content, or a processor acting on behalf of one or more third-party controllers. Contact: the account owner's email address on file. Activities relevant to the transfer: submission of Message Content to the Service for conversion, normalization, or validation, and receipt of the resulting Output.
(b) Data importer (403 Finance). 403 Finance, Inc., 1111B S Governors Ave, Ste 92573, Dover, DE 19904, USA. Contact: legal@403fin.io (data-protection matters) and privacy@403fin.io (privacy inquiries). Activities relevant to the transfer: providing the Transmute hosted conversion, normalization, and validation Service, with EU hosting and day-to-day administrative access from the United Kingdom and any residual administrative access from the United States, as described in Section 12. The data importer acts as processor (Module Two) or, where the exporter is itself a processor, as sub-processor (Module Three).
B. Description of Processing
(a) Categories of data subjects. The personal data transferred concerns the following categories of data subjects:
- the Customer's clients and their counterparties, and the authorized representatives of each, who appear as parties to the financial messages the Customer submits (for example, payers, payees, ordering and beneficiary parties, and their agents);
- the Customer's personnel and other authorized users who administer the Customer's account through the portal.
(b) Categories of personal data. The personal data transferred comprises:
- within transient Message Content: names, account identifiers (including IBANs and BICs), postal and other addresses, transaction amounts, references, and free-text remittance information contained in the financial messages the Customer submits;
- portal contact data: the email address and name of the Customer's authorized users;
- billing identity data, which is held at Stripe as described in the Sub-Processor List, and of which our systems retain only Stripe customer and subscription identifiers.
(c) Special categories of personal data. The Service is not intended to process special categories of personal data. Such data is not solicited and is not required for the Service to function. It could, however, appear incidentally in the free-text remittance or narrative fields of a financial message, because those fields accept unstructured text that the Customer controls. The Customer is instructed not to submit special categories of personal data in Message Content, and any incidental special-category data present in Message Content is subject to the same transient, non-retained processing and the same technical and organizational measures as all other Message Content.
(d) Frequency of the transfer. Continuous, on a request-by-request basis, for as long as the Customer uses the Service.
(e) Nature and purpose of the processing. Conversion, normalization, and validation of financial messages between SWIFT MT and ISO 20022 formats, and the generation of the corresponding Output and Usage Metadata, in each case to provide the Service to the Customer on the Customer's instructions. We do not use Message Content for any purpose other than providing the Service.
(f) Retention. Retention mirrors the Service's retention schedule:
| Data | Retention |
|---|---|
| Synchronous request Message Content and Output | Request-scoped memory only; not retained after the response is returned |
| Idempotency response cache (keyed by request-body hash; raw bodies never stored) | Maximum 24 hours (time-to-live) |
| Batch job inputs (AES-256-GCM ciphertext) | Purged on completion of the batch item |
| Batch job results (AES-256-GCM ciphertext) | Default 1 hour; customer-configurable maximum 24 hours; purge on demand |
| Usage Metadata (body-free) | Life of the business relationship plus statutory bookkeeping periods; reviewed periodically |
| Tenant configuration | Life of the tenant; deleted on the Customer's instruction |
| Portal-account data (email, name) | Handled per the Privacy Policy; deleted on operator-assisted account deletion |
(g) Transfers to sub-processors. The subject matter, nature, and duration of the processing performed by sub-processors are described in the Sub-Processor List incorporated as Annex III.
(h) Competent supervisory authority. For the EU SCCs, the competent supervisory authority is determined in accordance with Clause 13 of the EU SCCs by reference to the data exporter's establishment or, where the exporter is not established in the EEA, its EU representative or the member state in which the data subjects are located. For the UK, the competent authority is the UK Information Commissioner. For Switzerland, the competent authority is the FDPIC.
(i) EU and UK representatives. An EU representative (and, where required, a UK representative) are being arranged as part of launch; details will be published upon appointment.
Annex II — Technical and Organisational Measures
The following measures are the technical and organizational measures we maintain for the Service. Each is a factual, checkable statement of current behavior; none describes an aspiration or a control we do not operate.
(a) Stateless processing. Message Content is processed in request-scoped memory and is not persisted or logged, except for the two purposes described in Section 3(b): the idempotency response cache (keyed by request-body hash; raw bodies never stored; maximum 24-hour time-to-live; encrypted volume in production) and the asynchronous batch job store (AES-256-GCM ciphertext only; inputs purged on completion; results default 1 hour, maximum 24 hours, purge on demand).
(b) Encryption of stored payloads. Batch job inputs and results are stored only as AES-256-GCM-encrypted ciphertext. Plaintext Message Content is not written to durable storage.
(c) Encryption in transit. Connections to the Service are secured with TLS version 1.2 or higher.
(d) Credential handling. API keys, OAuth client secrets, and session and magic-link tokens are stored only as sha256 hashes. Secret credential values are displayed once, at creation, and are never recoverable thereafter.
(e) Body-free observability. Application logs are provably free of message bodies; this property is enforced by an automated test in the continuous-integration pipeline. Metrics and traces are likewise body-free, and distributed tracing is opt-in.
(f) Tenant isolation. Data is isolated per tenant, and quotas and rate limits are enforced as a per-tenant aggregate across all of a tenant's API Credentials and OAuth clients.
(g) Minimized signup telemetry. Anti-abuse signup telemetry stores salted-and-peppered sha256 hashes of IP addresses; raw IP addresses are not stored.
(h) Rapid containment. Credentials can be revoked, and access thereby cut off, within approximately sixty (60) seconds; OAuth client access can be cut off within approximately fifteen (15) minutes; the batch-store sealing key can be rotated and the batch store purged as part of incident containment.
(i) Incident response. We operate a documented incident-response process with a severity ladder (SEV1 through SEV4) and defined containment mechanics, including the credential-revocation, key-rotation, and batch-purge measures above.
(j) Access control. Administrative access to production systems is restricted to authorized personnel on a need-to-know basis and is used only as necessary to operate and support the Service.
(k) EU hosting. Production processing and storage are located in the European Union (Cloudflare, Frankfurt; Neon on AWS eu-central-1, Frankfurt). Day-to-day administrative access occurs from the United Kingdom, covered for EU personal data by the European Commission's adequacy decision for the United Kingdom; any residual administrative access from the United States is covered by the EU SCCs, as described in Section 12.
(l) Backups. Backups of durable storage contain metadata only; they do not contain plaintext Message Content, and any batch ciphertext they contain remains encrypted and subject to the same retention windows.
Annex III — Sub-Processors
The list of our sub-processors is the published Transmute Sub-Processor List, available at 403fin.io/transmute/legal/subprocessors, which is incorporated into this DPA as this Annex III and is the living record of our sub-processors. The Sub-Processor List identifies each sub-processor, the processing it performs, the categories of data involved, its location, and the transfer mechanism that applies, and it distinguishes sub-processors that process or transit Message Content from those that process only portal-account and billing personal data. Changes to the Sub-Processor List are governed by Section 6 of this DPA.
Change History
| Version | Date | Summary |
|---|---|---|
| 1.0 | July 14, 2026 | Initial release |