Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service ("Agreement") between ClearPlan ("Processor") and the customer identified in the customer's account ("Customer," "Controller"). It governs the processing of personal data of Customer's end clients and other data subjects ("Customer Data") by Processor in connection with the Service. In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to data processing.
To formally execute this DPA, a customer may countersign the version published at /dpa on the date of access by emailing a request to hello@getclearplan.com. ClearPlan will return a counter-executed copy.
1. Definitions
Capitalized terms not defined here have the meanings given in the Agreement or under applicable data protection law (including the California Consumer Privacy Act and, if applicable, the EU/UK GDPR).
- Customer Data means personal data relating to Customer's end clients or other data subjects that Customer enters into the Service.
- Sub-processor means a third party engaged by Processor to process Customer Data.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
2. Roles and scope
Customer is the Controller of Customer Data. Processor processes Customer Data on Customer's behalf and only on Customer's documented instructions, including with regard to international transfers, except as required by applicable law (in which case Processor will inform Customer of that legal requirement before processing, unless prohibited).
3. Subject matter, duration, nature, and purpose
- Subject matter: Provision of the Service to Customer.
- Duration: The term of the Agreement plus any retention period required by law.
- Nature and purpose: Hosting, storing, displaying, and processing Customer Data so that Customer can generate, save, edit, view, and export financial-plan summaries.
- Categories of data subjects: Customer's end clients and any individuals whose information Customer voluntarily enters into the Service.
- Categories of personal data: Plan labels chosen by Customer (which may identify an individual), summary financial figures the advisor types into a plan (net worth, asset allocation, tax-rate estimates, retirement targets), net worth history, and free-text notes. The Service does not collect Social Security numbers, government IDs, account numbers, or contact details.
4. Customer obligations
Customer represents and warrants that:
- Customer has all necessary rights, consents, and lawful bases to enter Customer Data into the Service and to instruct Processor to process it;
- Customer's instructions for processing comply with applicable law;
- Customer will not enter restricted personal information into the Service (including SSNs, government IDs, and account numbers as described in the Agreement).
5. Processor obligations
Processor will:
- Process Customer Data only on Customer's documented instructions, which include the instructions embedded in the Customer's use of the Service;
- Ensure that personnel authorized to process Customer Data are subject to appropriate confidentiality obligations;
- Implement and maintain the technical and organizational security measures described in Annex 2;
- Assist Customer with data subject rights requests, security incident handling, and any required impact assessments, in each case taking into account the nature of the processing and the information available to Processor;
- Make available to Customer the information reasonably necessary to demonstrate compliance with this DPA.
6. Sub-processors
Customer authorizes Processor to engage the Sub-processors listed at /subprocessors, as updated from time to time. Processor will:
- Impose data protection obligations on each Sub-processor that are no less protective than this DPA;
- Remain liable to Customer for Sub-processor performance;
- Provide at least 14 days' prior written notice (which may be by email or by updating the Sub-processors page with an emailed notice) before adding or replacing a Sub-processor that processes Customer Data, during which Customer may object on reasonable grounds. If Customer objects, Customer's exclusive remedy is to terminate the Agreement and receive a refund of any prepaid, unused fees.
7. Personal Data Breach
Processor will notify Customer of a confirmed Personal Data Breach affecting Customer Data without undue delay and, in any event, within 72 hours of confirmation. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.
8. Data subject rights
Where Processor receives a request from a data subject relating to Customer Data, Processor will (a) promptly inform Customer; (b) not respond to the request directly except to confirm that the request relates to Customer; and (c) reasonably assist Customer in responding, taking into account the nature of the processing.
9. International transfers
Customer Data is processed in the United States. Where Customer Data is transferred from a jurisdiction with cross-border transfer requirements (including the EU, UK, or Switzerland), the parties will enter into the relevant Standard Contractual Clauses or equivalent transfer mechanism on Customer's request.
10. Audits
Processor will make available to Customer, on reasonable request and no more than once per twelve-month period, documentation reasonably necessary to demonstrate compliance with this DPA. Customer may request additional information by emailing Processor; Processor may decline requests that would compromise the security or confidentiality of other customers' data or that exceed what is reasonable in the circumstances. On-site audits will be considered on a case-by-case basis subject to reasonable security, scoping, and confidentiality protections.
11. Deletion or return on termination
On termination of the Agreement, Customer may, within 30 days, request that Processor return Customer Data in a commonly used format. After that period (or after Customer instructs deletion), Processor will delete Customer Data, including from backups, within 30 days, except to the extent retention is required by law.
12. Liability
The liability of each party under this DPA is subject to the limitations and exclusions set forth in the Agreement.
13. Term and termination
This DPA takes effect on the earlier of (a) Customer's acceptance of the Agreement and (b) the date of countersignature, and remains in effect for as long as Processor processes Customer Data.
14. Governing law
This DPA is governed by the same governing law and dispute-resolution provisions as the Agreement.
Annex 1 — Description of processing
- Subject matter: as described in Section 3.
- Duration: term of the Agreement.
- Nature and purpose: hosting and processing of Customer Data so Customer can generate one-page client financial plans.
- Categories of data subjects: Customer's end clients and any other individuals whose information Customer voluntarily enters into the Service.
- Categories of personal data: labels chosen by Customer (which may identify an individual), summary financial figures (net worth, allocation percentages, tax-rate estimates, retirement targets), net worth history, and free-text content. The Service does not collect SSNs, government IDs, account numbers, or contact details.
- Special-category data: none collected by the Service.
- Frequency of processing: continuous, while Customer uses the Service.
Annex 2 — Security measures
Processor implements the following security measures, supplemented by the practices described at /security:
- Encryption. TLS 1.2+ in transit; encryption at rest by the underlying database provider.
- Access control. Row-Level Security policies in the database isolating each Customer's data; restricted administrative access; principle of least privilege.
- Authentication. Password-based authentication with hashed-and-salted password storage; session-based authorization with secure cookies.
- Network security. All public traffic over HTTPS; managed cloud infrastructure with provider-level firewall and DDoS protections.
- Operational security. Logging and monitoring of access; periodic review of access lists; secure handling of administrative credentials.
- Personnel. Personnel with access to Customer Data are subject to confidentiality obligations.
- Incident response. Documented breach-notification process under Section 7 of the DPA.
- Business continuity. Regular backups by the database provider; disaster recovery in line with provider SLAs.
- Sub-processor management. Use of contracted Sub-processors only, listed at /subprocessors.