Legal · Data Processing Addendum v1.2026-05-15
Data Processing Addendum
Applicable to enterprise buyers requiring a written DPA. This Data Processing Addendum supplements the Buyer Agreement between FundingSourced (“Processor”) and the buyer (“Controller”).
1. Roles
FundingSourced acts as the Controller of data at the point of original capture from the submitting merchant, and as the Processor during the transmission of that data to the buyer. Upon delivery, the buyer becomes an independent Controller and assumes full responsibility for subsequent processing activities.
2. Subprocessors
The following subprocessors are engaged in the delivery of our services:
| Subprocessor | Purpose |
|---|---|
| Cloud hosting (US-East) | Primary database |
| Vercel | Application hosting |
| Cloud storage | Encrypted CSV assets |
| Stripe | Payment processing only |
| Twilio | Phone validation metadata only |
| Resend | Outbound email (lead email + first name only) |
3. Security
FundingSourced maintains the following technical and organizational measures:
- TLS encryption for all data in transit.
- AES-256 encryption for all data at rest.
- Bcrypt-hashed credentials for user accounts.
- JWT-based session management.
- HMAC receipts for cryptographic delivery verification.
- Watermarked CSV exports for leak detection.
- Quarterly access reviews across all production systems.
- Documented incident response plan with defined escalation procedures.
4. Data Subject Rights
Where the Processor receives a data subject request relating to data controlled by the buyer, the Processor will assist the Controller in fulfilling that request within 14 days of written notice.
5. Breach Notification
In the event of a confirmed personal data breach, FundingSourced will notify affected Controllers within 72 hours of confirmation, providing a description of the breach, the categories and approximate number of records affected, and the remediation steps taken.
6. Term and Survival
This DPA remains in effect for the duration of the Buyer Agreement. Upon termination, FundingSourced will delete or anonymize all buyer-specific data within 90 days, except for records required for compliance and audit purposes, which will be retained in accordance with the Privacy Policy retention schedule.
For an executable counter-signature copy, email legal@fundingsourced.com.