Data Processing Agreement
Last updated: March 12, 2026
This Data Processing Agreement ("Agreement") is drawn up in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation — GDPR) and the Croatian Act on the Implementation of the General Data Protection Regulation (OG 42/18). This Agreement governs the processing of personal data carried out by the Processor on behalf of the Controller in the provision of the Buksort service.
1. Parties
Controller: The user who registers on the Buksort platform and creates an organization ("Controller" or "User").
Processor:
Design for people d.o.o.
Koludrovac 24, 21217 Kaštel Štafilić, Republic of Croatia
OIB (Tax ID): 61866718443
Email: hello@designforpeople.agency
The Controller and the Processor are collectively referred to as the "Parties" and individually as a "Party".
2. Subject and Duration of Processing
The subject of this Agreement is the processing of personal data carried out by the Processor on behalf of the Controller for the purpose of providing the Buksort service — a platform for matching bank transactions with invoices and managing financial documentation.
The processing of personal data shall last for the duration of the Controller's use of the Buksort service, i.e., until the termination of the contractual relationship between the Parties, unless a longer retention period is prescribed by applicable law (e.g., tax regulations — 7 years).
3. Nature and Purpose of Processing
The Processor processes personal data solely for the purpose of providing the Buksort service, which includes:
- Authentication and user account management
- Storage and processing of bank statements (camt.053 XML format)
- Automatic transaction categorization
- Matching transactions with invoices and receipts
- Storage and display of invoices and receipts (PDF files)
- Merchant name normalization via artificial intelligence (merchant names only, no financial data)
- Scanning labeled email via Gmail integration (metadata only, with explicit user consent)
- Sending transactional notifications via email
- Background data processing (scheduled jobs)
4. Types of Personal Data
The Processor processes the following categories of personal data on behalf of the Controller:
- Identification data: name, email address, Google profile (if using OAuth login)
- Organizational data: company name, OIB (tax ID), IBAN, bank name
- Financial data: transaction data from bank statements (date, amount, currency, direction, merchant name, merchant IBAN, transaction reference, masked card number)
- Documentation: PDF files of invoices and receipts
- Communication data: email metadata from Gmail integration (sender, subject, date, attachment names)
- Technical data: IP addresses, HTTP headers, authentication session cookies
5. Categories of Data Subjects
The personal data processed relates to the following categories of data subjects:
- Platform users: organization owners and accountants who use the Buksort service
- Employees and associates of the Controller: individuals whose data appears in bank statements and invoices
- Business partners of the Controller: suppliers, customers, and other third parties whose data appears in financial documentation
6. Processor Obligations
The Processor undertakes to:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by EU or Member State law to which the Processor is subject
- Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
- Take all measures required pursuant to Article 32 GDPR (security of processing)
- Respect the conditions referred to in paragraphs 2 and 4 of Article 28 GDPR for engaging another processor (sub-processor)
- Taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller's obligation to respond to requests for exercising data subject rights
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services relating to processing and delete existing copies unless EU or Member State law requires storage of the personal data
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections
7. Sub-processors
The Controller grants general written authorization to the Processor for engaging the sub-processors listed in the table below. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Controller the opportunity to object to such changes.
| Sub-processor | Purpose | Data Processed | Location | Transfer Basis |
|---|---|---|---|---|
| Supabase Inc. | Database, Auth, Storage | All user data, invoices, transactions | EU (Frankfurt) | Intra-EEA; SCCs |
| Vercel Inc. | Application hosting | HTTP request data, cookies, IPs | US + global edge | EU SCCs + DPF |
| Google LLC (Gemini API) | Merchant name normalization | Merchant name strings only | US/EU | EU SCCs + DPF |
| Resend Inc. | Transactional email | Email addresses, notification content | US | EU SCCs |
| Trigger.dev Ltd. | Background job processing | Job payloads (IDs, references) | Cloud | SCCs per ToS |
| Cloudflare Inc. | DNS, email worker | IP addresses, DNS queries, email metadata | Global edge | Intra-EEA + SCCs |
8. International Transfers
Transfers of personal data to third countries (outside the EU/EEA) are carried out exclusively on the basis of:
- An adequacy decision of the European Commission (the EU-U.S. Data Privacy Framework adequacy decision of July 10, 2023), which covers only those U.S. recipients that are certified under the DPF
- Standard Contractual Clauses (SCCs) of the European Commission, adopted by Implementing Decision (EU) 2021/914
The primary database (Supabase) is located in the EU region (eu-central-1, Frankfurt). The Processor ensures that all sub-processors processing data outside the EEA have appropriate safeguards in accordance with Chapter V of the GDPR.
9. Security Measures
The Processor implements the following technical and organizational measures for the protection of personal data in accordance with Article 32 GDPR:
- Encryption: TLS/HTTPS for data in transit; AES-256 for data at rest in the database
- Access control: Row Level Security (RLS) at the database level — users can only access data belonging to their own organizations
- Authentication: Magic link or Google OAuth — no passwords are stored
- File access: Time-limited signed URLs (1-hour expiry)
- AI restrictions: Strict separation — financial data (amounts, dates, IBANs, OIBs, invoice contents) is never sent to external AI services
- Authorization: Authentication and organization membership verification for every server action
- OAuth tokens: Gmail OAuth tokens are stored encrypted in the database
- Access logging: The system logs access to personal data for audit purposes
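The access-control measure above (Row Level Security so that users can only reach data belonging to their own organizations) is, in practice, a set of database policies. The following is an added illustration written for this page, not Buksort's own schema or code: it assumes a Supabase/PostgreSQL database with the built-in `auth.users` table, `auth.uid()` function and `authenticated` role, and hypothetical tables `organizations`, `organization_members` and `transactions`.

```sql
-- Example schema (assumed, not Buksort's): an organization, its members, and its transactions.
create table organizations (
  id uuid primary key default gen_random_uuid(),
  name text not null
);

create table organization_members (
  organization_id uuid not null references organizations(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  role text not null check (role in ('owner', 'accountant')),
  primary key (organization_id, user_id)
);

create table transactions (
  id uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations(id) on delete cascade,
  booked_on date not null,
  amount numeric(14, 2) not null,
  currency char(3) not null,
  merchant_name text,
  merchant_iban text,
  reference text
);

-- Membership check used by every policy. SECURITY DEFINER lets it read
-- organization_members even though that table is itself RLS-protected;
-- pinning search_path prevents a user-created object from shadowing it.
create or replace function public.is_org_member(org uuid)
returns boolean
language sql
stable
security definer
set search_path = public
as $$
  select exists (
    select 1 from organization_members m
    where m.organization_id = org
      and m.user_id = auth.uid()
  );
$$;

-- Deny by default: once RLS is enabled, a table with no policy returns no rows.
alter table organizations enable row level security;
alter table organization_members enable row level security;
alter table transactions enable row level security;
-- Also apply the policies to the table owner, so an owner-level connection cannot bypass them.
alter table transactions force row level security;

-- Read: only rows of organizations the caller belongs to.
create policy "members read own org transactions"
  on transactions for select
  to authenticated
  using (is_org_member(organization_id));

-- Insert: the caller may only create rows inside their own organizations.
create policy "members insert into own org"
  on transactions for insert
  to authenticated
  with check (is_org_member(organization_id));

-- Update: USING restricts which rows can be touched, WITH CHECK stops moving a row to a foreign org.
create policy "members update own org transactions"
  on transactions for update
  to authenticated
  using (is_org_member(organization_id))
  with check (is_org_member(organization_id));

create policy "members delete own org transactions"
  on transactions for delete
  to authenticated
  using (is_org_member(organization_id));

-- A user sees only their own membership rows, and only the organizations they belong to.
create policy "members see own membership"
  on organization_members for select
  to authenticated
  using (user_id = auth.uid());

create policy "members read own orgs"
  on organizations for select
  to authenticated
  using (is_org_member(id));
```

A useful check is to connect as a user who is not a member of a given organization and run `select count(*) from transactions where organization_id = '<that org>';`: the correct result is zero rows, not an error. Two caveats a reviewer would want: RLS must be enabled on every table that holds personal data (a single table without it leaks through the API), and Supabase's service-role key bypasses RLS entirely, so any server-side code that uses it must enforce organization membership itself, which is what the "Authorization" measure below refers to.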
10. Data Subject Rights
The Processor assists the Controller in fulfilling the obligation to respond to data subject requests for exercising their rights under Chapter III of the GDPR, including:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction of processing (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
The Processor shall, without undue delay, notify the Controller of any request received directly from a data subject, without responding to the request itself, unless authorized to do so by the Controller.
11. Breach Notification
The Processor shall, without undue delay and no later than 48 hours after becoming aware, notify the Controller of any personal data breach, so that the Controller can meet its own 72-hour notification deadline under Article 33(1) GDPR. The notification shall include:
- A description of the nature of the personal data breach
- The categories and approximate number of data subjects affected
- The categories and approximate number of personal data records affected
- The name and contact details of the data protection officer or other contact point
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any personal data breach.
12. Data Return and Deletion
Upon termination of the provision of processing services, the Processor shall, at the choice of the Controller:
- Return all personal data to the Controller in a machine-readable format (JSON/CSV) and delete existing copies, or
- Delete all personal data and confirm the deletion to the Controller
Exception: The Processor may retain personal data to the extent required by applicable EU or Member State law (e.g., tax regulations — 7-year retention period pursuant to the Croatian Accounting Act, OG 78/15). In such cases, the Processor shall ensure the confidentiality of retained data and process it solely for the purpose of fulfilling the legal obligation.
13. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
Audits shall be conducted with at least 30 days' prior written notice, during regular business hours, and shall not unreasonably disrupt the Processor's operations. The Controller shall bear the costs of the audit, unless the audit reveals a material breach by the Processor.
14. Liability
Each Party shall be liable for damage caused by processing that infringes the GDPR in accordance with Article 82 GDPR. The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to the lawful instructions of the Controller.
The Processor's liability under this Agreement shall be limited to direct damages and shall not exceed the total amount of fees paid by the Controller to the Processor in the 12 months preceding the event giving rise to the liability.
15. Final Provisions
- This Agreement is an integral part of the Buksort Terms of Service and enters into force upon the Controller's registration on the Buksort platform.
- In the event of a conflict between this Agreement and the Terms of Service, the provisions of this Agreement shall prevail with respect to the processing of personal data.
- The Processor shall notify the Controller of any material amendments to this Agreement at least 30 days before they take effect.
- This Agreement shall be governed by the laws of the Republic of Croatia. All disputes shall be subject to the jurisdiction of the competent court in Split.
- Contact for any questions regarding this Agreement: hello@designforpeople.agency