Legal

Data Processing Addendum

Updated April 2026

This Data Processing Addendum ("DPA") supplements the OpenSettle Terms of Service and applies to the processing of Personal Data governed by the EU GDPR, UK GDPR, Swiss FADP, and applicable U.S. state privacy laws.

OpenSettle acts as a Processor and you act as the Controller of Personal Data you submit to the Service.

We process Personal Data only on your documented instructions, unless required to do otherwise by applicable law. We implement appropriate technical and organizational measures to protect Personal Data; the current measures are described in our platform security audit (available on request — email security@opensettle.io) and in our Incident Response policy at /legal/incident-response.

Sub-processors are listed at /legal/subprocessors. You will be notified at least 30 days before any change.

International transfers are made under the 2021 EU Standard Contractual Clauses and the UK Addendum, as applicable.

This document is the current published version of the policy. Outside-counsel review is in progress and revisions will be announced on this page. For operational questions, contact support@opensettle.io.