FinHub Data Processing Appendix (hereinafter referred to as “DPA”) is an integral part of FinHub Customer Agreement, concluded between FinHub’s respective contracting party and the Client, and is considered as an integral part of the other agreements for provision of services concluded between FinHub’s contracting party and the Client, uploaded on https://finhub.cloud.
1. Scope
For the purposes of this Data Processing Appendix:
1.1 “Controller” is any legal or natural person that, alone or jointly with others, determines the purposes and means of processing personal data. In the context of this DPA, the Controller is the Client.
1.2 “Processor” is any legal or natural person who processes personal data on behalf of a data controller. In the context of this DPA, the Processor is FinHub, acting on behalf of the Client, and the Client as processor of Customer Data.
1.3 Laws governing personal data protection mean any effective national or international legal act applicable to the Controller or Processor for the purpose of regulating their activities of personal data processing during the period of provision of services, including, as applicable, the General Data Protection Regulation (GDPR).
1.4 Notwithstanding clause 1.2, FinHub is a “Controller” under applicable data protection law in respect of FinHub’s use of personal data in connection with the applicable services to conduct KYC, CDD and other checks as part of the process of accepting a client, to comply with any legal and/or regulatory requirements to which FinHub is subject from time to time, and to prevent fraud or financial crimes. For the avoidance of doubt, with the exception of clause 3 below, the provisions of this DPA do not apply to the Parties in relation to FinHub’s use of personal information.
1.5 In the context of this DPA the Processor will process Client personal data on behalf of the Client to provide the Client with the services. The Processor is authorized to process Client personal data solely in connection with the following:
- For the provision of services in accordance with the concluded agreements.
- For provision of any processing required under applicable national laws and international acts.
- If applicable, in accordance with the instructions given by the Client, to transfer personal data processed by the Processor to payment processors and banking partners.
- To enable the Processor to comply with any other instructions provided by the Client.
2. Data processing purpose and duration
2.1 The Processor undertakes to process the personal data for the purpose of fulfilling its obligations under this DPA and the other agreements for provision of services concluded between FinHub and the Client. The functions performed by the Processor are described in detail in the concluded agreements and other service-related documents.
2.2 The Processor cannot process the personal data for purposes incompatible with the purpose of using the personal data as set forth in clause 2.1 of this DPA.
2.3 The Parties hereby agree and declare that the processing operations of the personal data performed by the Processor are mandatory for the Controller in order to ensure the proper performance of the DPA and other additional agreements, its compliance with the Laws governing personal data protection, and herewith the Parties agree with the requirements on the protection of the personal data and the technical and organizational measures to be applied due to the cooperation between the Parties.
2.4 The Processor has the right to process the personal data for no longer than agreements for the respective services are valid (including the transitional period according to clause 24.2 of FinHub Customer Agreement). Upon the termination of the Agreement and expiry of the transitional period, this DPA will be terminated as well. Upon termination of the agreements mentioned above, the Processor will cease the personal data processing on behalf of the Controller.
2.5 The Processor must ensure that all employees of the Processor or other individuals who are involved by the Processor in processing the personal data are familiar with and comply with the provisions of this DPA.
3. Processor’s obligations and warranties
3.1 The Processor will process personal data only based on written instructions (including in electronic format) transferred by the Controller. The initial instructions of the Controller in connection with the data subjects, the time limits of the processing of personal data, the objectives, the procedure and the categories of data subjects are set out in Schedule 1 and Schedule 2 to this Data Processing Appendix. The Processor will immediately inform the Controller if, in its opinion, an instruction of the Controller infringes data protection regulations.
3.2 When processing personal data under the Agreement the Processor will ensure compliance with the obligations applicable to the Processor under the Laws governing personal data protection. The Processor will agree to all future amendments to the Agreement that are required to implement mandatory changes in the requirements laid down in the legislation governing the protection of personal data.
3.3 The Processor will help the Controller to implement the obligations arising from the Laws governing personal data protection, including, but not limited to, the Controller’s obligation to give effect to the rights of the data subject to access personal data and to request alteration, erasure or suspension of the processing of personal data, etc. In all cases, the Processor must ensure that the data correction or deletion actions initiated by the Controller (such as the removal of the data subject from the system) are immediately implemented in the Processor’s information or other system, except for data archiving, backup and storage purposes, provided that this is not in conflict with the Controller’s written instructions.
3.4 The Processor shall refrain from actions which would force the Controller to act against the requirements laid down in the Laws governing personal data protection.
3.5 The Processor will not transfer or otherwise disclose personal data, or any other information related to the processing of personal data to any other third party, except its authorized employees, consultants and sub-processors. The Processor will immediately notify the Controller of the situations, where due to the performance of the obligations established in the laws governing personal data protection the Processor is obliged to disclose personal data processed on behalf of the Controller. When disclosing the data due to the performance of the obligation imposed by the law, the Processor will request the third party to preserve the confidentiality of personal data.
3.6 The Processor will, upon the Controller’s request, provide the Controller with all information on the personal data processed on behalf of the Controller, including the exact location of the personal data storage.
3.7 The Processor will notify the Controller, with a reasonable notice period, each time the location of the personal data storage is expected to be changed.
3.8 The Controller has the right to carry out a data protection impact assessment to evaluate the measures envisaged by the Processor to address the risks of processing personal data and other risks to the rights and freedoms of the data subjects. The Processor is obliged to cooperate with the Controller when the Controller decides to carry out a data protection impact assessment. If the Processor has already carried out the data protection impact assessment, the Processor must provide all information related to that data protection impact assessment.
3.9 The Processor warrants and undertakes that:
3.9.1 it will have in place appropriate technical and organizational measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected and in compliance with the requirements of the Laws governing personal data protection and the Controller’s written instructions.
3.9.2 it will appoint and make available to the Controller a contact person within its organization, authorized to respond to enquiries concerning processing of the personal data, and will cooperate in good faith with the Controller, the data subject and the authorized authority under the Laws governing personal data protection concerning all such enquiries within a reasonable time frame.
3.9.3 upon the reasonable request of the Controller, it will make available its data processing facilities, data files and documentation needed for processing to reviewing, auditing and/or certifying by the Controller (or any independent or impartial inspection agents or auditors, selected by the Controller and not reasonably objected by the Processor) to ascertain compliance with the warranties and undertakings in these clauses, with reasonable notice and during regular business hours.
4. Controller’s obligations, representations and warranties
4.1 The Controller warrants and will ensure that, during the entire validity term of the agreements for the provision of services, all personal data transferred to the Processor is processed on a lawful basis, is accurate and complete and does not infringe upon the rights of data subjects, and that the Controller’s instructions on data processing comply with the Laws governing personal data protection.
5. Sub-processor
5.1 Any Sub-Processor for the processing of personal data transferred by the Controller will be considered as material subcontractors. Prior to engaging a new Sub-Processor or replacing the existing Sub-Processor, the relevant procedure for the material subcontractors must be followed.
5.2 The Controller will have the right to request the Processor to perform an audit of the respective Sub-Processor or obtain a confirmation that such audit was performed, or, if applicable, to request to provide a report of a Sub-Processor’s audit performed by a third party, in order to ensure that this particular Sub-Processor satisfies the requirements of the Laws governing personal data protection and the concluded agreements.
5.3 The Processor will ensure that all Sub-Processors approved by the Controller undertake, in writing, to follow the laws governing personal data protection and the rules on the processing of personal data established in the Data processing appendix.
6. Transfers of personal data to third countries
6.1 The Processor will not, without prior written consent of the Controller, transfer personal data outside the European Economic Area (the EEA).
6.2 Having received the Controller’s consent to transfer personal data, the Processor will prioritize sending the data only with the application of the standard contractual clauses (approved by the European Commission). The standard contractual clauses may not apply if sub-processors in third countries are:
- recognized by the European Commission as providing an adequate level of protection for personal data; or
- covered by a suitable framework recognized by the relevant authorities or courts as providing adequate protection for personal data, including binding corporate rules.
6.3 The Controller has the right to withdraw the consent regarding the transfer of personal data to third countries for a reasonable reason. In this case, the Processor will immediately stop the transfer and, at the request of the Controller, will submit a written confirmation of this fact.
7. Information security and confidentiality
7.1 The Processor will take appropriate technical and organizational measures to ensure security of the processed personal data. The Processor will, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
7.2 The Processor will ensure that, when processing personal data, at least the following measures are applied:
- The Processor’s premises containing hardware and portable storage media holding personal data will be locked when unmonitored to ensure protection against unauthorized use of personal data.
- An established process for testing the restoration of personal data from storage.
- Access to personal data will be granted only to the persons who need personal data to carry out their functions. User codes and passwords will be unique and not accessible to unauthorized staff. The Processor will ensure that the history of connections to personal data and of actions performed upon the personal data is stored. The Processor will store the said data and will provide such data at the request of the Controller.
- Where external channels not controlled by the Processor are used to transfer personal data, technical measures will be applied to ensure the authorization of connections to communications networks and the encryption of the transferred data.
- An established process for the safe destruction and repair of equipment that contained personal data.
7.3 The Processor will take all actions to help the Controller in the event of a data security breach to mitigate the adverse effects of the breach, and to immediately notify the Controller of any incidents related to personal data and of unauthorized access to personal data.
7.4 The Processor undertakes to take all reasonable steps to assist the Controller in minimizing the negative outcomes in the event of a breach of personal data. The Processor will immediately and, in any case, within 24 hours of becoming aware, notify the Controller of any incident related to personal data, personal data breach, and/or unauthorized access to personal data. Notification regarding the breach of personal data must contain the following information: the nature and type of the breach (the personal data or categories of data and the approximate number of data records affected or likely to be affected; the categories of data subjects and the approximate number of data subjects affected or likely to be affected), the time of the breach, the date or period of the breach, the likely consequences of the breach, the contact details of the Processor’s responsible person, and the steps taken or proposed by the Processor in order to eliminate the breach of personal data, including, where appropriate, measures to reduce potential negative consequences. If and to the extent it is not possible to provide the information simultaneously, the information may be provided in stages without unnecessary additional delay.
7.5 The Processor will ensure that access to personal data will be granted only to such employees of the Processor who need access to ensure the performance of the Processor’s obligations under the concluded agreements.
7.6 The Parties agree that in the event of a data security breach they will use their best efforts, cooperate with each other and provide all necessary information and data to each other and to the supervisory authorities.
7.7 The personal data will be located at the data centers of the Service Provider at 63 Shipchenski prohod blvd., 1000 Sofia, Bulgaria and 79 Madarski konnik str., 9930 Kaspichan, Republic of Bulgaria (EUROPEAN UNION).
7.8 In addition to the primary data storage services provided under this Agreement, the Processor offers an optional Persistent Lawyer Personal Data Storage Free Function. This function enables the Platform User to independently store and retain personal data securely, free as per Pricing in Portal, for extended periods as required by legal, regulatory, or professional obligations. This function is only available for specific modules within the platform, as designated by the Processor. The availability of this function does not extend to all platform features, and the Processor reserves the right to determine and update the modules where this functionality is enabled. The Platform User is solely responsible for managing, storing, and retaining personal data within the applicable modules, ensuring compliance with relevant data protection laws. The Processor shall implement appropriate technical and organizational measures to maintain the security, integrity, and confidentiality of such stored data but shall not actively monitor, control, or process the data beyond the agreed-upon storage services. Both parties acknowledge that the Platform User is responsible for determining the necessity and duration of data retention under this function. The Processor assumes no liability for any legal or regulatory consequences arising from the Platform User’s use of the Persistent Lawyer Personal Data Storage Free Function.
8. Expiration of the Data Processing Appendix
8.1 The DPA will apply if the Processor is processing the personal data on behalf of the Controller.
8.2 The Controller will be entitled to immediately terminate the validity of the concluded agreements and the DPA, and to prohibit the Processor to further process personal data, where the Processor fails to fulfil the obligations established in the DPA, including but not limited to, failure to follow the Controller’s written (including an electronic format) instructions and inconsistencies with the laws governing the personal data protection.
9. Measures to be taken upon completion of the processing of personal data
9.1 After the expiry of the concluded agreements and/or the DPA, the Processor shall, at the Controller’s discretion as notified to the Processor in writing, return or destroy personal data received from the Controller on the grounds of the concluded agreements and this DPA. The Processor will ensure that the Sub-Processor(s) carry out the same actions.
9.2 At the request of the Controller, the Processor will provide the Controller with a list of measures taken in assurance of the appropriate termination of the processing of personal data.
10. Liability
10.1 Where the Processor has failed to comply with this DPA, the Controller will notify the Processor thereof in writing. Following the confirmation of the Processor’s or Sub-Processor’s failure to comply with the provisions of this DPA, the Controller will grant the Processor the right to fully remedy the infringement within 30 calendar days (notice period). Where the infringement is not fully remedied, the Controller will be entitled to terminate the concluded agreements without notice.
10.2 If the Processor infringes the General Data Protection Regulation by determining the purposes and means of processing, the Processor will be a controller in respect of that processing.
10.3 No clause of this DPA will be considered as in any way reducing the obligations applicable to the Processor under the Laws governing personal data protection.
Schedule 1
This Schedule 1 includes details of the processing of personal data as required by art. 28 (3) of the General Data Protection Regulation
1. Definition of personal data
“Personal data” will have the meaning given to it in the General Data Protection Regulation and will include the categories of personal data as set forth in the DPA, Schedule 1 and Schedule 2.
2. Purposes of the Processing
Personal data will be processed for the following purposes: to provide services under the concluded agreements and otherwise to fulfil the obligations under the concluded agreements.
3. Categories of data subject
The Parties agree on the processing of personal data of the following data subjects:
- Past, current and future/potential Client’s customers/end-users.
- Past and current natural persons related to Client’s customers/end-users; legal representatives (for example, those acting under power of attorney).
- Other natural persons involved in transactions with Client’s customers/end-users.
- Past and current Client’s employees and other representatives.
4. Processed personal data
The Parties agree on the processing of personal data of past and current Client’s employees and other representatives:
- Identification data – full name, surname, position at the Client’s company
- Contact data – email address, telephone number
- Technology identifiers and access data (log-in details, such as usernames, email address, password data and recovery data, IP address, MAC address)
- Action history and activities in systems (technical server logs, correspondence with Client support and information which the Client elects to send to FinHub for processing under the DPA)
- Assignment of rights in the system data (roles, assignments of rights – permissions)
The processed categories of personal data (excluding past and current Client’s employees and other representatives) covered by this assignment are listed in Schedule 2.
Sensitive personal data (if applicable): may contain sensitive personal data. FinHub does not intentionally process any sensitive personal data (including special categories of personal data) unless the Client or its customers/end users in its sole discretion include such type of data in the content submitted to FinHub. The Client, in its capacity as Controller, will be regarded as solely responsible for ensuring that such processing of sensitive personal data (including special categories of personal data) be lawful and in accordance with applicable data protection legislation.
5. Nature of data processing
The nature of processing involves collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
6. Duration of data processing
The duration is the validity period of the concluded agreements or until deletion of all Client’s data by FinHub in accordance with this DPA.
The Parties acknowledge and agree that, in the performance of the services pursuant to the concluded agreements, FinHub, in its capacity as a Processor acting on behalf of the Client and under the Client’s instructions and direction, will store the Client’s production environment logs. The Parties agree that the Client’s production environment logs are stored on remote storage for 10 (ten) years after collection, as determined at the Client’s sole discretion.
Schedule 2
Personal data
The categories of personal data (excluding past and current Client’s employees and other representatives) that FinHub may process under the concluded agreements and this DPA include the following:
- Given name
- Middle name
- Surname
- Personal ID (personal code or other personal identification code)
- Nationality
- Country that issued ID document or personal identification code
- Date of birth
- City of birth
- Country of birth
- District/Province (county) of birth
- Document number
- Document type
- Country of tax residence
- Taxpayer identification number
- Company name, where the company’s name consists of a natural person’s name and/or surname
- Company code
- Company code issuer
- ID document issuer
- Client ID
- Client ID (Company)
- Address
- Country
- County
- City
- Street
- Flat
- Postcode
- Mobile phone number
- IBAN/Account number
- Bank BIC
- Transaction purpose
- Transaction amount
- Member codes
- Enforcement order number (case number in case of bailiffs), restriction document date
Action history and activities in systems data:
Technical server logs, correspondence with Client support and files which the Client elects to send to FinHub for processing under this DPA