Data Processing Addendum
Last updated: 2026-05-21
Who this applies to
This Data Processing Addendum (the "DPA") forms part of the agreement between FinXteam AI, Inc. ("we", "us", "FinXteam") and the business customer ("you", "Customer") that uses our services. It governs personal data we process on your behalf when you use FinXteam AI.
In privacy law terms, you are the Controller and we are the Processor. You decide what personal data to bring into the platform and why; we process it on documented instructions from you.
This DPA is automatically incorporated into our Master Services Agreement and Terms of Service. By using the service, you accept it.
What personal data we process
Account and identity data: names, business email addresses, phone numbers, role titles, and authentication signals (password hashes, MFA factors, session metadata).
Financial data you bring in: bank-transaction records, invoices, bills, receipts, ledger entries, tax filings, and the AI model proposals about them. This may include the names and contact details of your vendors, customers, employees, and contractors.
Product-usage telemetry: pages visited, features used, errors hit. We never sell this. Telemetry is tied to the workspace, not to a specific named end-user unless you configure it that way.
For inbound payments processed through Stripe Connect (where supported), we process the limited customer-payment data Stripe shares with us — never full PAN/CVV. Stripe acts as the payment processor.
How we process it
Only as needed to deliver the service you bought: bookkeeping, reconciliation, reporting, tax prep, alerts, multi-user collaboration, and the AI agents that operate over the books.
Only on your documented instructions, which include: your acceptance of our standard product behavior, your settings inside the workspace, the API calls and webhooks you make against the platform, and any direct written instruction you send to dpa@finxteam.com.
For the duration of the agreement. After termination, we retain financial records for the period required by US accounting and tax law (typically 7 years), then delete or anonymize. You can request deletion of non-retained data at any time.
Confidentiality and access controls
Personnel who access personal data are bound by written confidentiality obligations. Access is least-privilege: only the engineers and support staff working a specific issue can see the relevant data, only for as long as needed, and every access is logged.
We require all personnel to complete annual security and privacy training before they receive production access.
Security measures
Encryption: TLS 1.2+ with HSTS preload in transit; AES-256 at rest. Database backups encrypted and retained for 30 days.
Authentication: argon2 password hashing; mandatory MFA for FinXteam personnel; refresh-token rotation for end-users.
Network: WAF and rate limiting in front of the API; least-privilege IAM in AWS; secrets in the hosting-provider secret store, never in source control.
Monitoring: structured audit logs of every read and write to financial records; intrusion detection on the production network; on-call rotation 24/7.
SOC 2 Type II is in progress. We will share the report under NDA once it lands.
Sub-processors
We use vetted third parties to deliver parts of the service. Each operates under their own written privacy and security commitments, plus the contractual flow-down terms required by this DPA.
Current sub-processors: AWS (US-East and US-West, infrastructure hosting); Supabase (managed Postgres); Plaid (read-only bank connections); Stripe (payments + billing); Resend (transactional email); Mixpanel (product analytics; anonymized where possible); Anthropic and OpenAI (LLM inference for agent reasoning; we send only the minimum context needed and store nothing on their side beyond the API call lifetime).
We notify Customers of any new sub-processor at least 30 days before they begin processing personal data, by posting to /dpa and emailing the workspace owner. You can object in writing within 14 days; if we can't accommodate the objection, you can terminate the affected service for a pro-rated refund.
International transfers
Personal data is processed in the United States. If you are based in the EU, UK, or Switzerland, we rely on the EU-US Data Privacy Framework, the UK Extension to the DPF, and (where applicable) the Standard Contractual Clauses approved by the European Commission as the transfer mechanism.
We do not transfer your data to any country outside the US without an adequate safeguard in place.
Personal-data breach notification
If we become aware of a confirmed personal-data breach affecting your workspace, we will notify you without undue delay and in any case within 72 hours of confirmation.
The notification will describe the nature of the breach, the categories and approximate volume of records affected, the likely consequences, and the measures taken or proposed to address it. We will keep you informed as remediation progresses.
Data-subject requests
If an end-user (your employee, customer, vendor, etc.) sends a data-subject request directly to us, we will not respond on your behalf. We will forward it to the workspace owner within 5 business days so you can respond as the Controller.
We will assist you with reasonable measures to respond — exports, deletions, corrections, restrictions. Most data-subject rights can be exercised directly through product features (export, delete, edit) without our involvement.
Audits
Once per 12-month period, you may audit our compliance with this DPA by reviewing our SOC 2 report and the current sub-processor list (both available under NDA on request).
For audits beyond that scope, we will accommodate reasonable written requests during business hours, at your expense, and on terms that do not disrupt service delivery to other customers.
Return and deletion at termination
On termination of the agreement, you have 90 days of read-only access to your workspace to export everything you need. After 90 days, we delete or anonymize personal data that isn't under legal retention.
Financial records required by US law remain for the statutory period (typically 7 years), accessible to you on request, then deleted.
Liability and changes
Liability under this DPA is subject to the limits in the underlying Master Services Agreement.
We may update this DPA from time to time. Material changes will be announced by email to the workspace owner at least 30 days before they take effect. The current version always lives at finxteam.com/dpa with a "last updated" date.
Contact
For DPA questions, sub-processor objections, or data-subject-request coordination, email dpa@finxteam.com. We respond within one business day.
