Last updated: March 22, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Finortal Inc. ("Processor") and the customer organization ("Controller").
"Personal Data" means any information relating to an identified or identifiable natural person. "Processing" means any operation performed on Personal Data. "GDPR" means the EU General Data Protection Regulation 2016/679. "CCPA" means the California Consumer Privacy Act.
Finortal processes Personal Data on behalf of the Controller solely to provide the deductions management platform. The types of Personal Data processed include: employee names and email addresses (for user accounts), customer contact information, and financial transaction data uploaded by the Controller.
Finortal agrees to: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorized to process Personal Data are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist the Controller in fulfilling data subject rights requests; (e) delete or return Personal Data upon termination; (f) provide all information necessary to demonstrate compliance.
Finortal uses the following authorized sub-processors: Clerk (authentication), Neon (database), Vercel (hosting), Anthropic (AI processing). Finortal will notify the Controller of any intended sub-processor changes with 30 days' notice, giving the Controller the opportunity to object.
Finortal implements: encryption of data in transit (TLS 1.3) and at rest (AES-256); access controls with role-based permissions; tenant-level data isolation; audit logging of all data access and modifications; regular security reviews.
Finortal provides in-platform tools enabling Controllers to: export all data (GDPR Art. 20), delete data (GDPR Art. 17), and view audit logs of all data processing activities. Finortal will assist Controllers in responding to data subject requests within 72 hours of notification.
In the event of a Personal Data breach, Finortal will notify the Controller without undue delay, and in any case within 72 hours of becoming aware, providing: (a) nature of the breach; (b) categories and approximate number of individuals affected; (c) likely consequences; (d) measures taken or proposed.
Data is processed in the United States (AWS us-east-1). Transfers of Personal Data from the EEA to the United States are covered by Standard Contractual Clauses (SCCs) as approved by the European Commission.
The Controller may audit Finortal's compliance with this DPA up to once per year, with 30 days' written notice, at the Controller's expense. Finortal may satisfy audit requests by providing relevant third-party audit reports (SOC 2, ISO 27001).
This DPA remains in force for the duration of the Terms of Service. Upon termination, Finortal will delete all Personal Data within 30 days unless retention is required by applicable law.
Data Protection inquiries: privacy@finortal.com