Data Processing Addendum
Exhibit C to the Master Service Agreement
Last updated: March 16, 2026
This Data Processing Addendum (“DPA”) supplements the Master Service Agreement (“Agreement”) between Switch Labs LC (“Processor” or “Service Provider”) and the Client identified in the applicable Order Form (“Controller” or “Data Furnisher”). This DPA governs the processing of personal data in connection with the Services.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person (a “Consumer”), including but not limited to name, Social Security Number (SSN), date of birth, address, telephone number, account information, and payment history.
- “Sensitive Personal Data” means Social Security Numbers, financial account numbers, and any data classified as sensitive under applicable law.
- “Processing” means any operation performed on Personal Data, including collection, recording, storage, adaptation, retrieval, use, disclosure, transmission, erasure, or destruction.
- “Security Incident” means any confirmed unauthorized access, acquisition, use, or disclosure of Personal Data.
- “Subprocessor” means any third party engaged by Processor to process Personal Data on behalf of Controller.
2. Roles & Scope
- Controller. Client is the data controller (or “business” under CCPA) with respect to Personal Data. Client determines the purposes and means of processing.
- Processor. Service Provider acts as a data processor (or “service provider” under CCPA), processing Personal Data only on Client’s behalf and in accordance with Client’s documented instructions.
- Processing Purpose. Processor will process Personal Data solely to perform the Services described in the Agreement, including: (a) ingesting consumer credit data; (b) validating and transforming data into Metro 2 Format; (c) transmitting data to credit Bureaus; (d) managing consumer disputes; (e) maintaining audit trails; and (f) providing related analytics and reporting.
- Categories of Personal Data. The following categories of Personal Data may be processed:
- Consumer identifiers (name, SSN, date of birth)
- Contact information (address, telephone, email)
- Financial data (account numbers, balances, payment history, credit limits, payment ratings)
- Employment information (employer name, address, when applicable)
- Dispute-related correspondence and documentation
3. Processing Instructions & Restrictions
- Processor will process Personal Data only in accordance with Controller’s documented instructions and the Agreement. Processor will not (a) sell Personal Data; (b) retain, use, or disclose Personal Data for any purpose other than performing the Services; or (c) combine Personal Data with data from other sources except as necessary to perform the Services.
- If Processor believes an instruction from Controller infringes applicable data protection law, Processor will promptly notify Controller before executing the instruction.
- Processor will ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
4. Security Measures
Processor implements and maintains the following technical and organizational security measures to protect Personal Data:
- Encryption. AES-256 encryption at rest for all stored Personal Data, including database contents and backups. TLS 1.2 or higher for all data in transit. SFTP with encrypted credentials for Bureau file transmissions.
- Access Controls. Role-based access control (RBAC) with least-privilege principles. Row-level security (RLS) ensuring strict data segregation between clients. Multi-factor authentication (MFA) for all administrative access. API key authentication with hashed key storage and per-company scoping.
- SSN Protection. Social Security Numbers are stored in an encrypted vault with automatic redaction in audit logs, application logs, and error reporting. SSNs are never stored in plaintext.
- Monitoring. Automated security monitoring with alerting for anomalous access patterns, failed authentication attempts, and data exfiltration indicators.
- Vulnerability Management. Regular dependency audits, automated vulnerability scanning, and timely patching of identified security issues.
- Employee Security. Background checks for personnel with access to Personal Data. Security awareness training. Access provisioned and deprovisioned aligned with employment status.
- Infrastructure. Services hosted on infrastructure providers that maintain SOC 2 Type II certifications. Geographic redundancy within the United States.
See our Security & Compliance page for current technical details.
5. Subprocessors
- Current Subprocessors. Controller authorizes the use of the following subprocessors as of the effective date of this DPA:
| Subprocessor | Purpose | Location |
| --- | --- | --- |
| Supabase, Inc. | Database hosting, authentication, row-level security | United States |
| Vercel, Inc. | Application hosting, serverless compute, CDN | United States |
| Amazon Web Services (AWS) | Cloud infrastructure (underlying Supabase hosting) | United States |
| Stripe, Inc. | Payment processing, subscription billing | United States |
| Equifax, Experian, TransUnion, Innovis | Credit bureau data transmission (SFTP endpoints) | United States |
- Notification of Changes. Processor will provide Controller with at least 30 days’ written notice before engaging a new subprocessor or materially changing the scope of an existing subprocessor’s processing activities.
- Objection Right. Controller may object to a new or changed subprocessor within 15 days of notice. If Processor cannot reasonably accommodate the objection, either party may terminate the affected Services upon 30 days’ notice.
- Subprocessor Obligations. Processor will impose data protection obligations on each subprocessor that are materially consistent with this DPA. Processor remains liable for the acts and omissions of its subprocessors.
6. Security Incident Response
- Notification. Processor will notify Controller of a confirmed Security Incident without undue delay and within 72 hours of confirmation. The notification will include, to the extent known: (a) the nature and scope of the incident; (b) the categories and approximate number of affected records; (c) the likely consequences; and (d) measures taken or proposed to mitigate the incident.
- Detailed Report. Processor will provide a detailed written incident report within 5 business days of the initial notification, including root cause analysis, affected data categories, remediation steps, and measures to prevent recurrence.
- Cooperation. Processor will (a) take all commercially reasonable steps to contain and remediate the incident; (b) cooperate with Controller’s investigation; (c) assist Controller in meeting its own notification obligations to consumers and regulators; and (d) preserve evidence related to the incident.
- Consumer Notification. Where a Security Incident involves Sensitive Personal Data and notification to affected consumers is required by law, Processor will cooperate with Controller and, if requested, offer credit monitoring services to affected individuals.
7. Data Residency
- All Personal Data is processed and stored within the United States. Processor will not transfer Personal Data outside the United States without Controller’s prior written consent.
- If a transfer outside the United States becomes necessary (e.g., due to subprocessor change), Processor will implement appropriate safeguards and obtain Controller’s consent in advance.
8. Consumer Rights & Requests
- FCRA Rights. Processor will assist Controller in responding to consumer disputes submitted through Bureau channels (ACDV/EOSCAR) by providing dispute management tools, audit trail exports, and compliance documentation.
- CCPA Rights. Processor will assist Controller in responding to verifiable consumer requests for access, deletion, or correction of Personal Data. Processor supports:
- Right to Delete: Consumer data deletion through the API or Dashboard, processed within 30 days
- Right to Know: Data export in CSV or JSON format
- Right to Correct: Record modification through standard edit workflows with full audit trail
- No Direct Consumer Access. Processor does not provide direct access to consumers. All consumer rights requests must be initiated by Controller.
9. Regulatory Compliance
The Services are designed to support compliance with the following regulatory frameworks. Controller remains solely responsible for its own compliance obligations.
- FCRA / FACTA. Dispute management with 30-day deadline tracking, Compliance Condition Code XB flagging, audit trail for CFPB examination readiness.
- GLBA. Financial data protection through encryption, access controls, and data segregation. Safeguards for nonpublic personal information.
- CCPA / CPRA. Service provider classification with contractual restrictions on data use. Support for consumer deletion, access, and correction requests. No selling or sharing of Personal Data.
- ECOA. Metro 2 validation rules enforce reporting requirements consistent with Equal Credit Opportunity Act obligations.
- State Privacy Laws. Processing is consistent with applicable state privacy and data breach notification laws, including those of California, Virginia, Colorado, Connecticut, and other states with comprehensive privacy legislation.
10. Audit Rights
- Right to Audit. Controller may, at its own expense and upon at least 30 days’ written notice, audit Processor’s compliance with this DPA no more than once per twelve-month period. Audits will be conducted during normal business hours and will not unreasonably interfere with Processor’s operations.
- Third-Party Audits. Controller may engage a mutually agreed-upon independent third-party auditor, subject to appropriate confidentiality obligations.
- Certifications & Reports. In lieu of an on-site audit, Processor may provide (a) SOC 2 Type II reports from its infrastructure providers; (b) penetration test summaries; (c) security questionnaire responses; or (d) other evidence of compliance reasonably acceptable to Controller.
- Regulatory Examinations. Processor will cooperate with regulatory examinations affecting Controller (including CFPB, state attorney general, and Bureau examinations) by providing requested documentation, audit trails, and dispute records in a timely manner.
11. Data Retention & Deletion
- During the Term. Processor retains Personal Data as necessary to perform the Services, subject to the retention periods specified in Section 7.3 of the Agreement. Controller may configure shorter retention periods through the Dashboard.
- Upon Termination. Within 30 days of termination, Processor will (a) cease all processing of Personal Data; (b) upon request, return Personal Data to Controller in CSV or JSON format; and (c) securely delete all remaining Personal Data within 60 days, except as required by law.
- Deletion Certification. Upon Controller’s written request, Processor will certify in writing that all Personal Data has been securely deleted in accordance with this Section.
- Legal Holds. If Processor is required by law to retain Personal Data beyond the periods specified herein, Processor will (a) notify Controller (to the extent legally permitted); (b) limit processing to the minimum required by law; and (c) maintain the confidentiality and security of such data.
12. GLBA Safeguards
To the extent that Client Data includes nonpublic personal information (“NPI”) as defined by the GLBA, Processor will:
- Implement an information security program that contains administrative, technical, and physical safeguards appropriate to the size, complexity, and scope of processing activities.
- Designate an employee responsible for coordinating the information security program.
- Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of NPI and assess the sufficiency of safeguards in place.
- Design and implement safeguards to control the identified risks and regularly test and monitor their effectiveness.
- Oversee subprocessors by requiring them to implement appropriate safeguards and contractually obligating them to maintain such safeguards.
- Evaluate and adjust the information security program in light of relevant circumstances, including changes in technology, sensitivity of NPI, and threats.
This DPA is Exhibit C to the Master Service Agreement. See also: Order Form (Exhibit A) | Service Level Agreement (Exhibit B) | Acceptable Use Policy (Exhibit D)