Legal

Data Processing Addendum

How Cash Flow Optimizer processes personal data on your behalf — covering GDPR, CCPA, security measures, data subject rights, and subprocessor commitments.

Last Updated: July 13, 2026

This Data Processing Addendum ("DPA") is entered into by and between RealtoResource, LLC dba Solidify Solutions ("Processor," "we," or "us") and the Customer identified in the applicable Order or Terms of Service ("Controller" or "you"). This DPA forms part of, and is governed by, the Cash Flow Optimizer Terms of Service. Where you are not subject to GDPR or a similar law mandating a written processing agreement, this DPA still describes our commitments and your rights regarding Customer Personal Data. By using the Services you acknowledge and agree to this DPA.

1. Definitions

For purposes of this DPA:

  • "Customer Personal Data" means Personal Data that Controller submits to, or that is collected by, the Services in connection with Controller's use of the Services, and that Processor processes on Controller's behalf.
  • "Data Protection Laws" means all applicable laws relating to data protection, privacy, and security, as amended from time to time, including (where applicable) the GDPR, the UK GDPR, the CCPA/CPRA, and U.S. state privacy laws.
  • "GDPR" means EU Regulation 2016/679 (General Data Protection Regulation).
  • "Personal Data," "Controller," "Processor," "Sub-processor," "Data Subject," "Processing," and "Supervisory Authority" have the meanings given in the GDPR or equivalent Data Protection Laws.
  • "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
  • "Services" means the Cash Flow Optimizer platform and related services provided by Processor under the Terms of Service.

2. Scope and Role of the Parties

The parties acknowledge that, with respect to Customer Personal Data, Controller is a Controller and Processor is a Processor. Processor will process Customer Personal Data only on behalf of and at the documented instructions of Controller (which include the Terms of Service, this DPA, and any configuration choices Controller makes within the Services), except where Processing is otherwise required by applicable law.

If Processor is required by law to process Customer Personal Data other than as instructed, Processor will notify Controller of this legal requirement before processing (unless prohibited by law from doing so).

3. Details of Processing

A description of the categories of Personal Data processed, data subjects, purposes, and nature of processing is set out in Annex 1. The duration of processing is the term of the applicable Terms of Service plus any post-termination period required for deletion or return obligations under Section 13.

4. Controller Obligations

Controller represents and warrants that it has and will maintain all consents, authorizations, and lawful bases necessary for Processor to process Customer Personal Data as contemplated by the Terms of Service and this DPA; that all Customer Personal Data is collected, transmitted, and provided to Processor in accordance with Data Protection Laws; and that it has provided, and will provide, all required privacy notices to Data Subjects. Controller is responsible for the accuracy and legality of the Customer Personal Data it submits and for ensuring that its instructions to Processor are lawful.

5. Processor Obligations

Processor will:

  • process Customer Personal Data only in accordance with Controller's documented instructions and this DPA, and only for the purposes described in Annex 1;
  • promptly notify Controller if, in Processor's opinion, an instruction from Controller infringes applicable Data Protection Laws;
  • implement and maintain the technical and organizational security measures described in Annex 2;
  • provide Controller with reasonable assistance in fulfilling Controller's obligations under applicable Data Protection Laws, including with regard to data subject rights (Section 9), security (Section 7), breach notification (Section 10), impact assessments (Section 11), and prior consultation with supervisory authorities;
  • make available to Controller all information reasonably necessary to demonstrate compliance with this DPA; and
  • not process, sell, share, retain, use, or disclose Customer Personal Data outside the scope of the Terms of Service and this DPA.

6. Confidentiality

Processor will ensure that personnel authorized to process Customer Personal Data have committed to confidentiality or are subject to a statutory obligation of confidentiality. Processor will not disclose Customer Personal Data to any person except: (a) as necessary to provide the Services; (b) to authorized sub-processors under Section 8; (c) as required by applicable law; or (d) with Controller's prior written consent.

7. Security

Processor will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against Security Incidents, as further described in Annex 2. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons.

Controller acknowledges that security is a shared responsibility and that Controller's own security practices — including credential management, access control, and the security of systems used to access the Services — are outside Processor's control.

8. Subprocessors

Controller grants Processor a general authorization to engage sub-processors as listed in Annex 3. Processor will: (a) enter into a written agreement with each sub-processor that imposes data protection obligations no less protective than those in this DPA; (b) notify Controller at least 14 days in advance (by updating Annex 3 or by email to the Controller's account email) before adding or replacing a sub-processor; and (c) remain liable for the acts and omissions of its sub-processors to the same extent as if Processor were performing the processing directly.

Controller may object to a proposed new sub-processor within 14 days of notice on reasonable grounds relating to data protection. If the parties cannot resolve the objection, Controller may terminate the affected portion of the Services on written notice. This is Controller's sole remedy for objection to a sub-processor.

9. Data Subject Rights

To the extent that Controller cannot fulfill Data Subject rights requests (access, rectification, erasure, restriction, portability, objection) through the Services' self-service features, Processor will, upon written request, provide Controller with reasonable assistance to respond to such requests. Processor will promptly forward any Data Subject rights request received directly from a Data Subject to Controller and will not respond to such requests except as directed by Controller or as required by law.

10. Data Breach Notification

Processor will notify Controller without undue delay — and in any event within 72 hours of becoming aware — of a Security Incident involving Customer Personal Data. Processor's notification will describe (to the extent known): the nature of the Security Incident; the categories and approximate number of Data Subjects and records affected; the likely consequences; and the measures taken or proposed to address the incident and mitigate its effects. Where all required information is not yet available, Processor may provide it in phases. Notification under this section does not constitute an acknowledgment of fault or liability. Controller is responsible for any notifications to Data Subjects or Supervisory Authorities as required by applicable law.

11. Impact Assessments and Prior Consultation

To the extent required by Data Protection Laws, Processor will assist Controller in carrying out data protection impact assessments (DPIAs) and, where required, prior consultation with supervisory authorities, where such assistance is reasonably necessary and relates to processing performed by Processor under this DPA. Processor may charge Controller at its standard rates for time spent on such assistance.

12. International Transfers

Processor will not transfer Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, except where: (a) the transfer is covered by an adequacy decision; (b) appropriate safeguards (such as EU Standard Contractual Clauses or UK Addendum) are in place; or (c) a derogation under Article 49 GDPR applies. Where required, Processor will enter into EU Standard Contractual Clauses or equivalent transfer mechanism with Controller on request. Current sub-processor locations and applicable transfer mechanisms are listed in Annex 3.

13. Return or Deletion of Data

Upon termination or expiry of the Terms of Service, or upon Controller's request, Processor will, at Controller's election: (a) return all Customer Personal Data to Controller in a commonly used, machine-readable format; or (b) securely delete all Customer Personal Data, including copies in backups (on their normal deletion schedule), within 90 days. Processor will certify such deletion upon written request. Processor may retain Customer Personal Data where required by applicable law, in which case it will notify Controller and continue to apply the protections in this DPA.

14. Audit Rights

Processor will make available to Controller, upon reasonable written request (no more than once per year unless a Security Incident has occurred), information and documentation sufficient to demonstrate compliance with this DPA, which may take the form of third-party audit reports, certifications, or summaries. Where such information is insufficient to satisfy Controller's audit rights under applicable law, Controller may conduct or commission an audit of Processor's relevant systems and data processing practices upon at least 30 days' advance written notice, subject to reasonable confidentiality protections and at Controller's expense.

15. Limitation of Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities where applicable Data Protection Laws do not permit such limitation.

Annex 1 — Processing Details

Annex 1: Details of Processing

Subject matter and duration

Processing of Customer Personal Data in connection with providing the Cash Flow Optimizer Services, for the duration of the applicable Terms of Service and until deletion or return under Section 13.

Nature and purpose of processing

  • Providing, operating, securing, and improving the Services
  • Financial analysis, reporting, forecasting, and cash-flow management
  • AI-powered insight generation and document drafting
  • Communication management (email sync, lead capture, calendar)
  • Accounts receivable, billing, invoicing, and collections tracking
  • Social media management and publishing
  • Integration with third-party financial and productivity systems
  • Customer support, abuse prevention, and compliance

Categories of Personal Data

  • Business contact data (name, email, phone, address, job title)
  • Financial and transaction data (invoices, payments, account balances, bank and credit-card transaction records via Plaid)
  • Communications data (email content, calendar events, social-media messages synced via Unipile)
  • Usage and device data (IP addresses, browser/device identifiers, log data, feature-usage events)
  • Account credentials (encrypted passwords, OAuth tokens for connected accounts)
  • Any other data that Controller or its users submit to the Services

Categories of Data Subjects

  • Controller's employees, contractors, and authorized users
  • Controller's customers, leads, prospects, and vendors whose data Controller inputs
  • Third parties whose data appears in communications or documents submitted to the Services
Annex 2 — Technical & Organizational Measures

Annex 2: Technical and Organizational Security Measures

Processor implements the following measures (subject to periodic review and update):

Infrastructure and Hosting

  • Platform hosted on Vercel (frontend/serverless) and Supabase (database), both SOC 2-certified providers in U.S.-based data centers
  • Data stored within provider regions; no cross-region replication without necessity
  • Automated daily database backups with point-in-time recovery (Supabase managed)

Encryption

  • All data in transit protected with TLS 1.2 or higher
  • Data at rest encrypted using AES-256 (provider-managed encryption keys)
  • OAuth tokens and API credentials encrypted at application layer

Access Controls

  • Supabase Row-Level Security (RLS) enforcing strict per-tenant data isolation
  • Principle of least privilege applied to all internal and sub-processor access
  • MFA being actively added for platform accounts
  • Production system access limited to authorized personnel

Vulnerability Management and Incident Response

  • Source code maintained in private GitHub repository; dependency scanning enabled
  • Vulnerability Reporting Policy published at Vulnerability Reporting Policy
  • Documented incident response procedure; breach notifications per Section 10

Organizational Controls

  • Confidentiality obligations on all personnel with access to Customer Personal Data
  • Sub-processor agreements with data protection obligations at least as protective as this DPA
  • Regular review of security measures and sub-processor list
Annex 3 — Approved Subprocessors

Annex 3: Approved Subprocessors

The following sub-processors are authorized to process Customer Personal Data as of the date of this DPA. Processor will notify Controller of any changes in accordance with Section 8.

Subprocessor Purpose Location Transfer Mechanism
Vercel, Inc. Frontend hosting & serverless compute USA DPA / SCCs
Supabase, Inc. Database, auth & storage USA DPA / SCCs
Intuit Inc. (QuickBooks) Accounting data integration USA DPA
Plaid Inc. Bank & financial account connectivity USA DPA / SCCs
Anthropic, PBC AI model processing (Claude) USA DPA / SCCs
Google LLC AI model processing (Gemini); Analytics USA / Global DPA / SCCs
OpenAI, LLC AI model processing (GPT) USA DPA / SCCs
Unipile Email, calendar & social sync France / EU DPA (EEA-based)
Stripe, Inc. Payment processing & billing USA DPA / SCCs
postforme.dev Social media publishing USA DPA
Meta Platforms, Inc. Advertising (Meta Pixel) — only with consent USA DPA / SCCs

Controller may request an up-to-date subprocessor list at any time by contacting [email protected].