Data Processing Agreement

01Definitions

• "Personal Data" — any information relating to an identified or identifiable natural person, including broker contact details and client names appearing on forwarded invoices
• "Financial Data" — lease balances, payment amounts, funded amounts, and other financial figures extracted from forwarded documents
• "Subscriber Data" — all data submitted by the Subscriber to the DataDate Intelligence platform, including invoice documents, lease metadata, and communication records
• "Processing" — any operation performed on Subscriber Data, including collection, storage, extraction, calculation, transmission, and deletion
• "Controller" — the party that determines the purposes and means of processing Personal Data (the Subscriber)
• "Processor" — the party that processes Personal Data on behalf of the Controller (DataDate Intelligence)
• "Sub-Processor" — any third-party service provider engaged by DataDate Intelligence to assist in delivering the service

02Roles & Responsibilities

The Subscriber acts as the Controller with respect to any Personal Data of their clients included in forwarded invoices. DataDate Intelligence acts as the Processor of such data, processing it solely on behalf of and under the instruction of the Subscriber for the purpose of delivering the lease monitoring service.

DataDate Intelligence acts as an independent Controller with respect to the Subscriber's own account data (name, email, phone, billing information) for the purpose of managing the subscription relationship.

03Scope & Purpose of Data Processing

DataDate Intelligence processes Subscriber Data exclusively for the following purposes:

• Extracting lease financial data (balances, payment amounts, dates) from forwarded invoice and funding schedule documents
• Calculating refinance notification windows and Arbitrage Window open dates
• Storing extracted lease metadata in a secure cloud database for ongoing monitoring
• Delivering Arbitrage Window Alerts, capacity warnings, and other notifications to the Subscriber
• Maintaining deduplication records to prevent duplicate invoice processing
• Generating anonymized, aggregated analytics for internal service improvement only

DataDate Intelligence will not process Subscriber Data for any purpose outside the scope listed above without the Subscriber's explicit written consent. DataDate Intelligence will not sell, rent, share, or transfer Subscriber Data to any third party for marketing, advertising, or commercial purposes of any kind.

04Security Measures

DataDate Intelligence implements the following technical and organizational measures to protect Subscriber Data:

• All data in transit is encrypted using SSL/TLS protocols
• Access to Subscriber Data is restricted to authorized DataDate Intelligence personnel only, on a need-to-know basis
• Cloud database access is protected by role-based access controls and authentication requirements
• Email processing inboxes are protected by Enhanced Protection filtering via ForwardEmail
• Webhook endpoints that receive and transmit data are secured and rate-limited
• No full payment card numbers are stored — all billing data is handled exclusively by Stripe's PCI-compliant infrastructure

While DataDate Intelligence takes data security seriously and implements reasonable safeguards, no system is completely impenetrable. DataDate Intelligence does not warrant that its security measures will prevent all unauthorized access or data loss.

05Sub-Processors

DataDate Intelligence engages the following categories of third-party sub-processors to deliver the service. Each sub-processor is contractually bound to process Subscriber Data only for the purpose of performing their specific function and is prohibited from using it for any other purpose:

DataDate Intelligence will provide written notice to active Subscribers at least 14 days before engaging any new sub-processor that will have access to Subscriber Data.

06Data Retention & Deletion

DataDate Intelligence retains Subscriber Data only for as long as necessary to deliver the contracted services:

• Invoice documents and extracted lease metadata are retained for the duration of the active subscription
• Invoice processing logs are retained for a rolling 30-day period for deduplication and audit purposes
• Upon cancellation or termination of a subscription, all Subscriber Data will be purged from DataDate Intelligence systems within 30 days of the subscription end date
• Billing records are retained as required by applicable law and Stripe's standard retention policies
• Anonymized, aggregated data from which no individual Subscriber or client can be identified may be retained indefinitely for internal analytics purposes

Subscribers may request early deletion of their data at any time by contacting DataDate Intelligence at info@datadateintelligence.com. Early deletion requests will be fulfilled within 30 days and will result in immediate termination of the subscription.

07Data Subject Rights

To the extent required by applicable law, DataDate Intelligence will assist Subscribers in responding to requests from individuals regarding their Personal Data. Subscribers may contact DataDate Intelligence to:

• Request access to the data held on their account
• Request correction of inaccurate account information
• Request deletion of their account data (subject to retention obligations)
• Request a summary of the categories of data processed on their behalf

DataDate Intelligence will respond to verified data subject requests within 30 days. Requests related to a broker's end clients should be directed to the Subscriber as the data Controller for that data — DataDate Intelligence will assist as reasonably practicable.

08Data Breach Notification

In the event DataDate Intelligence becomes aware of a confirmed data breach that affects Subscriber Data, DataDate Intelligence will:

• Notify affected Subscribers via email within 72 hours of confirming the breach, to the extent practicable
• Provide a description of the nature of the breach, the categories of data affected, and the approximate number of records involved
• Describe the measures taken or proposed to address the breach and mitigate its effects
• Cooperate with Subscribers in meeting any applicable regulatory notification obligations

Notification will be sent to the primary email address on file for the affected Subscriber account.

09CCPA & GDPR Compliance

California Residents (CCPA): DataDate Intelligence does not sell Personal Data as defined under the California Consumer Privacy Act. Subscribers who are California residents have the right to know what personal information is collected, to request deletion, and to opt out of the sale of personal information (which does not occur). To exercise these rights, contact info@datadateintelligence.com.

EU/UK Residents (GDPR): DataDate Intelligence's services are designed for the United States market. If a Subscriber or their clients are located in the European Union or United Kingdom, the Subscriber is responsible for ensuring that forwarding personal data to DataDate Intelligence complies with applicable GDPR obligations, including any required data transfer mechanisms. DataDate Intelligence will cooperate in good faith with Subscribers on GDPR compliance matters as reasonably practicable.