Data Processing Agreement

1. Definitions and Interpretation

2. Scope and Purpose of Processing

Subject Matter of Processing

• Financial assessment data and calculations
• AI-powered financial advice generation (premium users)
• Document analysis and temporary processing
• Goal tracking and progress monitoring
• User authentication and account management

Duration of Processing

• Processing continues for the duration of the service relationship
• Financial documents: Maximum 15 minutes automatic deletion
• Account data: Until account deletion plus maximum 12 months retention
• Legal hold: Extended retention if required by law or legal proceedings

Nature and Purpose

• Primary Purpose: Provision of financial education and assessment services
• Secondary Purpose: Service improvement and platform optimization
• Compliance Purpose: Legal obligations and regulatory requirements

Categories of Data Subjects

• Individual users of financial assessment services
• Premium subscribers accessing AI-powered features
• Users uploading financial documents for analysis
• Administrative contacts and support requesters

Categories of Personal Data

• Identity Data: Name, email address, account identifiers
• Financial Data: Income, expenses, assets, debts, financial goals
• Technical Data: IP addresses, device information, usage patterns
• Communication Data: Support requests, feedback, correspondence
• Document Data: Temporarily processed financial documents (auto-deleted)

3. Processor Obligations

4. Sub-processor Management

Authorized Sub-processors

Compoundly may engage the following sub-processors for specific processing activities:

Sub-processor Requirements

• Written Agreements: All sub-processors bound by written data protection agreements
• Same Obligations: Sub-processors subject to same data protection obligations as Processor
• Liability: Compoundly remains fully liable for sub-processor compliance
• Audit Rights: Controller may audit sub-processor compliance through Compoundly

Changes to Sub-processors

• General Consent: Controller provides general authorization for sub-processor engagement
• Notification: 30 days advance notice of new or replacement sub-processors
• Objection Rights: Controller may object to sub-processor changes
• Termination: If Controller objects, parties may terminate the agreement

5. Data Subject Rights Support

6. Security and Data Protection

Technical Safeguards

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access control (RBAC) with principle of least privilege
• Authentication: Multi-factor authentication for all administrative access
• Network Security: Firewalls, intrusion detection, DDoS protection
• Secure Deletion: Cryptographic erasure and secure disposal methods

Organizational Safeguards

• Staff Training: Regular data protection and security awareness training
• Background Checks: Security clearance for personnel with data access
• Incident Response: Documented breach response and notification procedures
• Business Continuity: Disaster recovery and data backup procedures
• Third-party Management: Due diligence and ongoing monitoring of vendors

Compliance Certifications

• SOC 2 Type II: Annual security and availability audits
• ISO 27001: Information security management system certification
• Privacy Shield: Adequate data protection for US-EU transfers (where applicable)
• Regular Audits: Third-party security assessments and penetration testing

7. Data Breach Response

Breach Detection and Assessment

• 24/7 Monitoring: Continuous security monitoring and automated alerts
• Incident Classification: Risk-based assessment of security incidents
• Impact Analysis: Evaluation of potential harm to data subjects
• Containment: Immediate steps to contain and remediate breaches

Notification Requirements

• Controller Notification: Notify Controller within 24 hours of breach discovery
• Information Provided: Nature of breach, categories and numbers of records affected
• Ongoing Updates: Regular updates as investigation progresses
• Regulatory Notification: Assist Controller with supervisory authority notifications

Data Subject Notification

• Risk Assessment: Determine if breach poses high risk to individuals
• Notification Content: Clear description of breach and recommended actions
• Remediation: Steps taken to address the breach and prevent recurrence
• Support: Provide assistance and monitoring services where appropriate

8. International Data Transfers

Transfer Mechanisms

• Adequacy Decisions: EU Commission adequacy decisions where available
• Standard Contractual Clauses: EU SCCs for transfers lacking adequacy
• Binding Corporate Rules: Internal data transfer mechanisms for global operations
• Derogations: Limited use of Article 49 derogations for specific situations

Transfer Safeguards

• Data Mapping: Clear documentation of all international data flows
• Impact Assessments: Transfer risk assessments per Schrems II requirements
• Supplementary Measures: Additional technical safeguards for high-risk transfers
• Ongoing Monitoring: Regular review of transfer mechanisms and legal developments

9. Audit and Compliance

Audit Rights

• Information Provision: Demonstrate compliance with data protection obligations
• Audit Assistance: Allow and contribute to audits by Controller or appointed auditor
• Documentation: Maintain records of processing activities and compliance measures
• Frequency: Annual compliance reviews or upon reasonable request

Compliance Reporting

• Regular Reports: Quarterly compliance and security reports
• Incident Reports: Detailed incident response and remediation reports
• Change Notifications: Advance notice of significant operational changes
• Certification Updates: Current security and privacy certifications

10. Return and Deletion of Data

Service Termination

• Data Return: Return all personal data to Controller in structured format
• Secure Deletion: Securely delete all copies unless legal retention required
• Certification: Provide written certification of data return and deletion
• Timeline: Complete data return/deletion within 30 days of termination

Automatic Deletion

• Financial Documents: Automatic deletion after 15 minutes
• Session Data: Deletion upon session expiry
• Backup Data: Secure deletion from all backup systems
• Verification: Technical verification of complete data removal

11. Liability and Indemnification

Processor Liability

• GDPR Article 82: Joint and several liability for damages to data subjects
• Limitation: Liability limited to damages caused by Processor's non-compliance
• Exemption: No liability if Processor proves it is not responsible for damage
• Insurance: Professional liability and cyber security insurance coverage

Indemnification

• Processor Breaches: Processor indemnifies Controller for damages from Processor non-compliance
• Sub-processor Issues: Processor liable for sub-processor compliance failures
• Third-party Claims: Defense and indemnification for covered claims
• Legal Costs: Reasonable attorney fees and litigation expenses

12. Contact Information