Data Processing Agreement (DPA)

GDPR-compliant data processing terms

Last updated: November 14, 2025

DPA at a Glance

You (the customer) are the Data Controller - you determine purposes and means of processing
We are the Data Processor - we process data only on your instructions
Zero document retention - documents deleted immediately after processing
Customer-specific encryption protects YOUR data with YOUR unique keys
SOC 2 certified third-party AI services under contractual data protection obligations
We assist with all GDPR data subject rights (access, deletion, portability, etc.)
Standard Contractual Clauses (SCCs) for EU-to-USA data transfers

Agreement Purpose

This Data Processing Agreement (DPA) forms part of the Terms of Service and governs the processing of personal data in accordance with GDPR and other applicable data protection laws.

Roles & Responsibilities

You (the Customer) = Data Controller

You determine purposes and means of processing

Determine which loan documents to process and for what purpose

Make lending decisions based on extracted data

Ensure lawful basis for processing under GDPR Article 6

Obtain necessary consents from data subjects (borrowers)

Provide privacy notices to borrowers

Ensure compliance with FCRA, ECOA, and fair lending laws

Handle data subject rights requests (access, deletion, etc.)

We (LoanIntelligence.ai) = Data Processor

We process data only on your instructions

Process personal data ONLY on your instructions (via API calls)

Do NOT make lending decisions or determine loan outcomes

Act solely as a technical service provider for data processing

Implement appropriate security measures to protect your data

Engage sub-processors in compliance with this DPA

Assist with data subject rights requests and breach notifications

Delete or return personal data upon termination

Processing Scope

Purpose of Processing

Extract structured data from loan documents for data accuracy and quality analysis, perform financial calculations (DSCR, LTV, P&I, NOI), ensure data quality through proprietary algorithms and signal systems, and sync results to your Google Sheets (if authorized).

Types of Personal Data

Borrower names, addresses, SSNs, TINs, financial data (income, assets, liabilities), employment information, property data, and loan transaction details. IMPORTANT: We do NOT retain personal data beyond ephemeral processing (during each processing run). All persistent data is encrypted and stored in YOUR Google Drive AppData.

Data Subjects

Loan applicants, co-borrowers, co-signers, property owners, guarantors, and business owners (for commercial loans).

Processing Instructions

Permitted Activities

Extract text from loan documents (OCR)

Classify documents by type (pay stubs, bank statements, tax returns, etc.)

Extract structured data fields (names, amounts, dates, addresses)

Perform financial calculations and validations

Ensure data accuracy and quality through proprietary algorithms and signal systems

Export results to your Google Sheets (if authorized)

Temporarily cache processing results (encrypted, customer-isolated) for cost optimization

Prohibited Activities

Use personal data for our own purposes

Share personal data with third parties (except authorized sub-processors)

Use personal data for AI training or analytics

Retain personal data beyond processing completion (zero retention)

Process personal data outside the scope of your instructions

Sub-Processors

Third parties we use to provide the service

Third-Party AI Services

Purpose: Document processing (OCR, classification, extraction)

Location: USA

Safeguards: SOC 2 Type I and Type II certified, DPAs in place, data encrypted in transit, contractually prohibited from using your data for training

Google LLC

Purpose: OAuth authentication, Drive API, Sheets API

Location: USA (your choice)

Safeguards: SOC 2 Type II, ISO 27001, Standard Contractual Clauses (SCCs)

Stripe Inc.

Purpose: Payment processing (email, customer ID only - no credit cards)

Location: USA

Safeguards: PCI-DSS Level 1 certified, GDPR-compliant

Cloud Infrastructure Provider

Purpose: Hosting and computing

Location: USA

Safeguards: SOC 2 Type II certified data centers

We utilize proprietary algorithms and signal systems combined with SOC 2 certified third-party AI services. All sub-processors operate under contractual data protection obligations.

Changes to Sub-Processors

We will notify you 30 days in advance of any changes to sub-processors. You may object on reasonable data protection grounds within 14 days.

Data Subject Rights Assistance

How we help you fulfill GDPR obligations

Right to Access (Article 15)

We provide data export in JSON format within 30 days of your request.

Right to Rectification (Article 16)

We update inaccurate data upon your request.

Right to Erasure / Right to be Forgotten (Article 17)

We delete all personal data within 24 hours of your request.

Right to Restriction of Processing (Article 18)

We suspend processing upon your request.

Right to Data Portability (Article 20)

We provide data in structured, machine-readable JSON format.

Right to Object (Article 21)

We allow opt-out of non-essential processing.

Rights Related to Automated Decision-Making (Article 22)

We provide transparency on AI processing logic and ensure data quality.

Request Process

If we receive a data subject request, we forward it to you within 2 business days. You are responsible for responding to the data subject (within 30 days per GDPR). We assist by providing necessary data exports, deletions, or corrections within 7 business days of your request.

Zero-Retention Benefits

Due to our zero-retention architecture: (1) Personal data in loan documents is NOT retained (ephemeral processing), (2) Extracted data is stored ONLY in YOUR Google Drive AppData (encrypted), (3) Data subject requests can be fulfilled by deleting your account (purges all our systems within 24 hours) or by you manually deleting data from your own Google Drive.

Security Measures

How we protect your data

Encryption

HTTPS/TLS 1.3 encryption for all API requests and third-party connections

Customer-specific encryption: Each customer has unique AES-256-GCM encryption keys

Automatic key rotation: Storage keys rotated after every processing run

Encrypted AI cache: All cache entries encrypted with customer-isolated keys

OAuth tokens encrypted at rest (AES-256-GCM)

Database encryption at rest for account data

Access Controls

Principle of least privilege: Employees have minimal access required for their role

Role-based access control (RBAC) with admin, developer, and support roles

Multi-factor authentication (2FA) required for all administrative access

Audit logs: All administrative access logged and monitored

Zero Retention Architecture

Documents processed in memory during each processing run, then immediately deleted

Loan documents NOT retained on our infrastructure

Processing results stored ONLY in YOUR Google Drive (encrypted with your keys)

View Full Security Policy

Data Breach Notification

Immediate Response (within 1 hour)

Contain the breach, assess scope and impact, begin investigation.

Controller Notification (within 72 hours)

Notify you via email with preliminary details (nature of breach, affected data, estimated impact).

Full Report (within 7 days)

Detailed incident report including description, affected data subjects/records, consequences, remediation measures, and recommendations.

We Assist You With

Notifying supervisory authorities within 72 hours (GDPR Article 33)

Communicating the breach to affected data subjects (GDPR Article 34)

Conducting forensic investigation

Implementing remediation measures

Breach Status

As of November 14, 2025: Zero personal data breaches, zero unauthorized access incidents, zero encryption key compromises. Our zero-retention architecture minimizes exposure (documents exist during processing run only), customer-specific encryption isolates customers (breach of one does NOT affect others), and automatic key rotation limits impact (compromised key valid for one processing run only).

International Data Transfers (EU to USA)

Standard Contractual Clauses (SCCs)

We rely on Standard Contractual Clauses approved by the European Commission (Decision (EU) 2021/914, Module Two: Controller to Processor transfers).

Supplementary Technical Measures

Customer-specific encryption: Data encrypted with unique customer keys (unknown to us)

Automatic key rotation: Storage keys rotated after every processing run

Zero document retention: Documents NOT stored on our infrastructure

Encrypted AI cache: Cache entries encrypted with customer-isolated keys

Contractual prohibitions: Sub-processors prohibited from disclosing data to governments (except as required by law)

U.S. Government Access Requests

We are subject to U.S. surveillance laws (FISA, CLOUD Act). However, our zero-knowledge architecture ensures that even if compelled to disclose data, we cannot decrypt your data without keys (stored in YOUR Google Drive). Zero document retention means minimal data available to disclose. We will notify you of government requests (unless prohibited by law) and challenge overbroad or unlawful requests. To date: Zero government data requests received (as of November 14, 2025).

Data Deletion Upon Termination

Within 24 Hours

Delete all personal data from our systems

Delete encrypted AI cache entries

Revoke OAuth tokens (Google Drive access)

Purge account information from production database

Within 30 Days

Delete all personal data from encrypted backups and overwrite deleted data (secure deletion).

Certificate of Deletion

Upon request, we provide a Certificate of Deletion confirming date of deletion, categories of data deleted, and secure deletion methods used.

Audit Rights

Your Audit Rights

You may audit our compliance with this DPA once per year (30 days advance notice required). Audits must be non-disruptive, during business hours, and subject to confidentiality agreement. You bear all audit costs.

Third-Party Audit Reports

Instead of direct audit, you may review our SOC 2 Type II report (when available), third-party security audit reports, or request written responses to standardized questionnaires.

Limitation of Liability

Under GDPR Article 82, we are liable for damages caused by processing that violates GDPR obligations for Processors or when we act outside or contrary to your lawful instructions. Our total liability is limited to the amounts specified in the Terms of Service, except for gross negligence, willful misconduct, or liability that cannot be limited by law.

Need help?

Need Help With This DPA?

For GDPR, SCC, or DPA-related questions, email our legal team at [email protected].

[email protected]

We respond within one business day.