Data Processing Addendum
Last updated: 2026-05-23 · Version v0.1-draft
This Data Processing Addendum (“DPA”) supplements the EverCFO Master Service Agreement (the “Agreement”, comprised of our Terms of Service and any order form executed between the parties) between Celeste Business Advisors LLP (“EverCFO”, “we”, “our”, or “us”) and the customer that accepts this DPA (the “Customer”, “you”, or “your”). It governs the processing of Personal Data by EverCFO on Customer’s behalf where such processing is subject to Data Protection Laws.
Standalone publication of this DPA at evercfo.ai/dpa is informational. While this page is marked as a draft (see the banner at the top), it does not amend the Agreement and does not become binding between EverCFO and any reader unless it is countersigned by the parties or expressly incorporated into an order form or executed Agreement. To request a countersigned counterpart, email legal@evercfo.ai. If a future version of this DPA is published as non-draft (version 1.0 or later) and incorporated by reference into the Agreement, the order-of-precedence rules in Section 15 will then apply.
1. Definitions
Capitalized terms not defined here have the meaning given in the GDPR, the UK GDPR, or the Agreement.
- “Controller”, “Processor”, “Sub-processor”, “Personal Data”, “Processing”, “Data Subject” have the meaning given in Article 4 of the GDPR.
- “Customer Personal Data” means Personal Data that EverCFO processes on Customer’s behalf in the course of providing the Service, including without limitation the data categories described in Annex I.
- “Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU GDPR (Regulation (EU) 2016/679), the UK GDPR, the Personal Information Protection and Electronic Documents Act (PIPEDA) (Canada), Quebec’s Act respecting the protection of personal information in the private sector (Law 25), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and any other applicable privacy or data protection laws.
- “EEA” means the European Economic Area; “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021; “UK Addendum” means the International Data Transfer Addendum to the EU Commission’s Standard Contractual Clauses, issued by the UK Information Commissioner’s Office under Section 119A(1) of the UK Data Protection Act 2018 as a Standard Data Protection Clause; it is the instrument the parties use to apply the EU SCCs to UK GDPR restricted transfers, and it is distinct from the stand-alone UK International Data Transfer Agreement (IDTA).
- “Service” means the EverCFO product as defined in the Agreement.
2. Scope and roles
This DPA applies to the processing of Customer Personal Data by EverCFO under the Agreement. For the purposes of Data Protection Laws:
- Customer is the Controller (or, where Customer is acting as a Processor for an upstream controller, Customer is a Processor and EverCFO is its Sub-processor; the parties acknowledge that the operational obligations are equivalent for the purposes of this DPA).
- EverCFO is the Processor.
- EverCFO’s Sub-processors (listed at /subprocessors) are Sub-processors.
3. Documented instructions
EverCFO processes Customer Personal Data only on documented instructions from Customer. The Agreement, this DPA, and Customer’s configuration and use of the Service constitute Customer’s documented instructions. EverCFO will inform Customer if, in its opinion, an instruction infringes Data Protection Laws, except where prohibited from doing so by law.
4. Confidentiality
EverCFO will ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and have received appropriate training on their data protection responsibilities.
5. Security
EverCFO will implement and maintain appropriate technical and organizational measures (“TOMs”) to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
The TOMs in force as of the date of this DPA are listed in Annex II and are sourced from src/data/dpa-tom.ts in the EverCFO codebase. The customer-friendly summary at /security describes the same controls in plain language; in case of conflict between the two, Annex II controls. EverCFO may update Annex II from time to time provided that the updates do not materially reduce the level of protection.
6. Sub-processors
Customer authorizes EverCFO to engage Sub-processors to process Customer Personal Data for the purposes of providing the Service. The complete list of Sub-processors in force as of the date of this DPA is maintained at /subprocessors and sourced from src/data/subprocessors.ts in the EverCFO codebase.
EverCFO’s Sub-processor program is structured to satisfy GDPR Article 28(3) and (4): each Sub-processor receives a written agreement that imposes obligations substantially similar to those imposed on EverCFO under this DPA; where a Sub-processor processes EU/UK Personal Data outside the EEA/UK, an appropriate transfer mechanism (such as Module Three SCCs or an equivalent contractual mechanism offered by the Sub-processor) applies; and EverCFO remains liable to Customer for the acts and omissions of its Sub-processors to the same extent EverCFO would be liable if performing the Sub-processor’s services directly under this DPA.
Per-Sub-processor execution evidence (signed counterparts, inherited adequacy decisions, or accepted online DPAs) is tracked alongside the published register at src/data/subprocessors.ts and is being reconciled before this DPA flips from v0.1-draft to version 1.0. The DPA-URL field on each register row indicates whether the Sub-processor publishes its DPA at a stable public URL; rows where the field is null indicate that the Sub-processor issues its DPA on request or via a bilateral execution flow. Customers requiring a copy of any specific Sub-processor counterpart can request it via legal@evercfo.ai.
EverCFO will give Customer at least thirty (30) days’ prior written notice (via email to the account owner and an update to the published list) before engaging a new Sub-processor or making a material change to the role of an existing Sub-processor. Customer may object to the change on reasonable grounds relating to data protection by notifying EverCFO before the change takes effect. If EverCFO is unable to address Customer’s objection within a reasonable period, Customer may terminate the affected portion of the Service in accordance with the Agreement.
7. Data Subject rights
Taking into account the nature of the processing, EverCFO will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer’s obligation to respond to Data Subject requests to exercise their rights under Data Protection Laws. If EverCFO receives a Data Subject request directly, EverCFO will, unless legally prohibited, promptly notify Customer and direct the Data Subject to submit the request to Customer.
8. Personal Data Breach
EverCFO will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, consistent with GDPR Article 33(2). The notification will contain, to the extent then known, the information described in GDPR Article 33(3) (the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and measures taken or proposed to mitigate). EverCFO will cooperate with Customer’s investigation and provide reasonable assistance in any notification Customer is required to make under Data Protection Laws.
EverCFO does not commit in this DPA to a fixed-hour notification target. EverCFO maintains an internal incident response procedure that targets prompt customer notification, but operational delivery is governed by the “without undue delay” standard above.
9. Data Protection Impact Assessments
Taking into account the nature of the processing and the information available to EverCFO, EverCFO will provide reasonable assistance to Customer with any Data Protection Impact Assessment that Customer is required to carry out under Data Protection Laws (such as Article 35 of the GDPR) and any prior consultation Customer is required to undertake under Data Protection Laws.
10. Deletion or return of Customer Personal Data
On termination of the Agreement, EverCFO will delete or return Customer Personal Data in accordance with the retention windows published in our Terms of Service section 12 (currently a 30-day export window followed by deletion of production copies within 90 days) and our Privacy Policy section 5.
These windows are subject to the retention exceptions described in Privacy Policy section 5, including record-keeping obligations applicable to business financial records under United States and Canadian tax and accounting law (currently up to seven years). EverCFO does not commit to an unconditional purge timeline within this DPA where applicable law requires longer retention of specified categories of records.
11. Audits
EverCFO will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in accordance with the following:
- Frequency. Customer may exercise its audit right not more than once per calendar year unless otherwise required by a supervisory authority or by Data Protection Laws.
- Process. Customer will give EverCFO at least sixty (60) days’ prior written notice; the parties will agree the scope, timing, and reasonable conditions for the audit before it begins; audits will be conducted during normal business hours and in a manner that does not unreasonably interfere with the operation of the Service.
- Alternative. Customer’s audit right may be satisfied by EverCFO providing the most recent third-party attestation report (e.g. SOC 2) once available. As of the date of this DPA, EverCFO has not undertaken a SOC 2 audit; the engagement is deferred until EverCFO has a customer base that materially benefits from the investment. Until such a report is available, Customer may rely on this DPA, Annex II, and the published Service documentation for evidence of compliance, supplemented by a written information request to EverCFO.
- Cost. Each party bears its own costs of an audit unless the audit reveals a material breach of this DPA by EverCFO, in which case EverCFO will reimburse Customer’s reasonable audit costs.
12. International transfers
Where the processing of Customer Personal Data involves transfers of Personal Data subject to the GDPR or UK GDPR from the EEA, the United Kingdom, or Switzerland to a third country that has not received an adequacy decision under applicable law, the parties agree that the transfer mechanisms set out in Annex III apply.
13. Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement; any reference to the liability of a party in this DPA refers to the aggregate liability of that party under the Agreement and this DPA together. Nothing in this DPA limits or excludes any liability that cannot by applicable law be limited or excluded.
14. Governing law
This DPA is governed by the laws of the province of Quebec, Canada, without regard to its conflict-of-law principles, consistent with Section 13 of our Terms of Service. Where the SCCs apply pursuant to Annex III, the SCCs are governed by the law specified in those clauses notwithstanding this section.
15. Order of precedence
In case of any conflict between (a) this DPA, (b) the Agreement (excluding this DPA), and (c) the SCCs as incorporated by Annex III, the SCCs prevail over this DPA with respect to matters governed by the SCCs, this DPA prevails over the Agreement with respect to processing of Personal Data, and the Agreement prevails on all other matters.
Annex I — Description of processing
A. List of parties
Data exporter: Customer (as identified in the Agreement and the relevant order form).
Data importer: Celeste Business Advisors LLP (EverCFO), the legal entity that operates the Service.
B. Description of processing
- Categories of Data Subjects. Customer’s end users of the Service (employees, contractors), Customer’s end customers (where Customer Personal Data sourced from connected accounting or commerce platforms includes contact information for Customer’s buyers or vendors), and prospects of Customer (where reflected in connected platform data).
- Categories of Personal Data. Account identifiers and contact information; onboarding answers about Customer’s business; custom instructions and durable AI memory facts; communications with EverCFO support; data read from authorized connected platforms (accounting: invoices, bills, customers, vendors, accounts, items, payments, journal entries, balances; commerce: orders, customer contact, products, inventory, refunds, transactions); connection metadata; product usage analytics; session and security logs. Full categories, including the Shopify scope-out for phone, IP, and client-session fingerprints, are described at /privacy section 1.
- Sensitive data. EverCFO does not intentionally collect special categories of Personal Data under GDPR Article 9. Customer should not upload special categories of Personal Data to the Service.
- Frequency of processing. Continuous (for authorized integration syncs) and on-demand (for interactive AI sessions and exports).
- Nature of processing. Hosting; storage; retrieval; analysis; aggregation; generation of AI outputs grounded in Customer Personal Data; preparation of deliverables; transmission to authorized Sub-processors as listed at /subprocessors.
- Purpose of processing. Providing the Service to Customer, including all features described in the Agreement and the published product documentation.
- Duration of processing. The duration of the Agreement and the retention periods stated in our Privacy Policy section 5 and our Terms of Service section 12, subject to the carve-outs in Section 10 above.
- Sub-processors. See /subprocessors; each of the 19 currently engaged Sub-processors is listed there with role, data categories, and storage location, rendered from src/data/subprocessors.ts.
C. Competent supervisory authority
The competent supervisory authority for processing carried out by EverCFO depends on the location of the Data Subjects. Where Module Two SCCs apply, the supervisory authority of the Customer’s establishment in the EEA is the competent authority. For UK transfers under the UK Addendum, the UK Information Commissioner’s Office is competent.
Annex II — Technical and organizational measures
The TOMs in this Annex are sourced verbatim from src/data/dpa-tom.ts in the EverCFO codebase. Every row in this Annex is admitted only if (a) the named operational control is deployed today, and (b) a stable evidence pointer (test file, code path, or vendor-managed default at a public URL) exists. Last reconciled against the deployed system on 2026-05-23.
EverCFO may update this Annex from time to time without Customer’s consent provided that the update does not materially reduce the level of protection afforded to Customer Personal Data. Material reductions trigger a Sub-processor-style 30-day notice per Section 6.
Encryption
https-tls-in-transit
Customer-facing deployments are served over HTTPS; the hosting provider supports TLS 1.2 and TLS 1.3.
Evidence: Vercel encryption documentation lists TLS 1.2 and TLS 1.3 as the supported transport protocols (https://vercel.com/docs/cdn-security/encryption). The 2026-05-23 X1 PR-4.0 R1 HIGH-1 closure scoped this TOM to the customer-facing edge only; the application-to-database SSL-enforcement TOM is deferred until the live Supabase project SSL-enforcement setting + connection-string sslmode are verified end-to-end.
aes-256-at-rest
Customer data at rest in the primary application database is encrypted using AES-256.
Evidence: Supabase / AWS RDS managed default: storage volume encrypted with AES-256 (https://supabase.com/docs/guides/platform/compliance#encryption).
Isolation
rls-per-tenant
Row-Level Security policies are enforced at the database layer on every multi-tenant table, scoping reads and writes to the requesting tenant.
Evidence: api/tests/test_rls_migration_invariants.py asserts that every multi-tenant table created via migration has RLS enabled and a tenant_id-scoped policy attached.
cache-keys-per-tenant
A dashboard cache-scope context supplies a server-derived tenant identifier to the dashboard hooks that maintain client-side caches; those hooks key their Map-based caches on the scope so cached state cannot leak across tenants.
Evidence: src/components/dashboard/dashboard-cache-scope.tsx exposes useDashboardCacheScope() returning the tenant-derived scope string. Example consumer: src/components/dashboard/kpis/cockpit/useCockpitData.ts:51-213 declares Map<scope, CockpitDataCache> and gates every read/write/invalidate on the scope value (line 74 read, line 97 read, line 130 delete, line 213 set). Same pattern in useDeliverablesList, useDecisions, useProceduralRules, and useStakeholders.
ai-embeddings-per-tenant
Vector retrieval for AI grounding restricts every similarity query to the requesting tenant's embeddings.
Evidence: api/ai/grounding.py vector retrieval helpers scope every pgvector query by tenant_id; the embedding storage table has RLS on tenant_id.
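The following is an added illustration of the rls-per-tenant and ai-embeddings-per-tenant measures, not code from the EverCFO codebase: it shows the shape of a tenant-scoped Row-Level Security policy and a catalog query that reports any table breaking the invariant the migration test described above is meant to pin. The table name (invoices), the session setting app.tenant_id and the uuid type of tenant_id are assumptions; the project's real policy wording is not on this page.

```sql
-- Added example (assumed schema): enforce tenant isolation on one table.
-- ENABLE turns RLS on; FORCE also applies it to the table owner, so a
-- privileged application role cannot silently bypass the policy.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- One policy for every command: USING filters rows that can be read,
-- updated or deleted; WITH CHECK rejects inserted/updated rows whose
-- tenant_id differs from the caller's tenant. The tenant is taken from a
-- server-set session variable (assumption), never from client input.
CREATE POLICY invoices_tenant_isolation ON invoices
  FOR ALL
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Invariant check (the kind of assertion a migration test would run):
-- every ordinary table in the public schema that has a tenant_id column
-- must have RLS enabled AND at least one policy whose USING or WITH CHECK
-- expression references tenant_id. Any row returned is a violation.
SELECT c.relname                AS table_name,
       c.relrowsecurity         AS rls_enabled,
       c.relforcerowsecurity    AS rls_forced,
       EXISTS (
         SELECT 1
         FROM pg_policies p
         WHERE p.schemaname = n.nspname
           AND p.tablename  = c.relname
           AND (p.qual LIKE '%tenant_id%' OR p.with_check LIKE '%tenant_id%')
       )                        AS has_tenant_policy
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
                   AND a.attname = 'tenant_id'
                   AND NOT a.attisdropped
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND (
        NOT c.relrowsecurity
        OR NOT EXISTS (
          SELECT 1
          FROM pg_policies p
          WHERE p.schemaname = n.nspname
            AND p.tablename  = c.relname
            AND (p.qual LIKE '%tenant_id%' OR p.with_check LIKE '%tenant_id%')
        )
      )
ORDER BY c.relname;
```

The check deliberately keys on the presence of a tenant_id column rather than a hand-maintained table list, so a newly migrated multi-tenant table that forgets RLS shows up automatically; the embedding storage table described under ai-embeddings-per-tenant is covered by the same query.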
Access control
oauth-2-0-for-third-party-integrations
Third-party integrations (accounting, commerce, banking) authenticate via OAuth 2.0; long-lived static credentials are not collected.
Evidence: All currently shipped integrations (Shopify, QuickBooks Online, QuickBooks Online Sandbox, Xero) authorize through the Nango broker via OAuth 2.0; per-integration scopes are listed in src/data/subprocessors.ts.
supabase-auth-session-management
User authentication sessions are managed by Supabase Auth, including session expiry and refresh-token rotation.
Evidence: Supabase Auth managed default: refresh-token rotation enabled, session expiry configurable per project (https://supabase.com/docs/guides/auth/sessions).
Logging and audit
ai-grounding-reasoning-log
Every AI chat response that grounds in customer data writes the data sources it consulted to an append-only reasoning log; the log is queryable per-tenant for the customer's own AI interactions.
Scope: Applies to the AI chat surface. Other AI surfaces (deliverable composer, interview classifier) record provider-level tracing via Langfuse but do not yet expose a per-message reasoning log to customers.
Evidence: supabase/migrations/20260423000000_ai_reasoning_log_append_only.sql enforces append-only semantics for the ai_reasoning_log table; LOCK-030 grounding contract requires every grounded numeric claim to return {amount, source, as_of, staleness}.
Deletion and return
termination-deletion-window
Our published Terms and Privacy Policy commit to retaining customer business data for up to 30 days post-termination to allow data export and then deleting it from production systems within 90 days, subject to the retention exceptions described in our Privacy Policy (financial records retained per applicable US/Canada tax and accounting law for up to 7 years).
Evidence: src/app/terms/page.tsx §12 Termination + src/app/privacy/page.tsx §5 (retention windows). The 2026-05-23 X1 PR-4.0 R1 MED-2 closure scopes this TOM to the published policy commitment; the operational deletion runbook is tracked separately and will be added as a distinct TOM only once an audited cron/job/runbook with evidence exists.
Vendor management
data-collection-deny-on-openrouter
Outbound LLM calls through OpenRouter are sent with provider.data_collection set to 'deny', preventing routing to providers that would log or train on the request.
Evidence: api/ai/openrouter.py:384 unconditionally sets {"provider": {"data_collection": "deny"}} on every LLM request.
sub-processor-list-maintained
The complete list of sub-processors is published, sourced from a single in-repo source-of-truth file, and updated in the same release when a sub-processor is added or changed.
Evidence: src/data/subprocessors.ts (the SoT); /privacy §3 + /subprocessors render from it; src/data/__tests__/subprocessors.test.ts pins invariants including count, ID uniqueness, and DPA-URL allowlist.
sub-processor-registry-maintained
EverCFO maintains a sub-processor registry recording each provider's role, data categories, storage location, and whether the provider publishes a public Data Processing Addendum URL. The registry is the operational source of truth for the published sub-processor list and is reconciled on every release that changes the underlying stack.
Evidence: src/data/subprocessors.ts is the typed in-repo registry; src/data/__tests__/subprocessors.test.ts pins invariants (count, unique IDs, non-empty fields, DPA-URL allowlist) on every CI run; /subprocessors §3 'How we vet and manage sub-processors' documents the program. The 2026-05-23 X1 PR-4.0 R1 HIGH-2 closure narrowed this TOM from an executed-DPA representation to a registry-maintenance representation; a separate executed-DPA TOM will be added in a future legal-ops PR once executed DPAs (or inherited equivalents) are evidenced per sub-processor.
Annex II currently lists 12 measures.
Annex III — International transfer mechanisms
Where the processing of Customer Personal Data involves a transfer of Personal Data subject to the GDPR or UK GDPR from the EEA, the United Kingdom, or Switzerland to a third country that has not received an adequacy decision under applicable law, the parties incorporate the following transfer mechanisms by reference.
A. Standard Contractual Clauses (Module Two)
The parties incorporate Module Two of the Standard Contractual Clauses (Controller to Processor) set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCCs”). The EU SCCs are completed as follows:
- Clause 7 (Docking clause). Applies.
- Clause 9 (Sub-processor authorization). Option 2 (general written authorization) applies, with the 30-day notice period stated in Section 6 above.
- Clause 11 (Redress) – optional language. Not selected.
- Clause 17 (Governing law). The EU SCCs are governed by the law of the EU Member State in which the Customer is established; where the Customer is not established in an EU Member State, the law of the Republic of Ireland.
- Clause 18 (Forum and jurisdiction). Disputes arising from the EU SCCs are resolved by the courts of the EU Member State referenced in Clause 17.
- Annex I.A — Parties. As described in Annex I.A above.
- Annex I.B — Description of transfer. As described in Annex I.B above.
- Annex I.C — Supervisory authority. As described in Annex I.C above.
- Annex II — TOMs. As described in Annex II above.
- Annex III — Sub-processors. The list of Sub-processors at /subprocessors.
B. Sub-processor flow-down (Module Three)
Where a Sub-processor in the published list processes EU/UK Personal Data outside the EEA/UK, Module Three (Processor to Sub-processor) SCCs apply (or, where the Sub-processor offers equivalent transfer mechanisms by contract, the equivalent mechanism applies). EverCFO remains liable to Customer for the acts and omissions of its Sub-processors per GDPR Article 28(4) as stated in Section 6. The execution-status reconciliation described in Section 6 governs the non-draft adoption of this Annex; until reconciliation completes, Customers requiring per-Sub-processor transfer-mechanism evidence can request it via legal@evercfo.ai.
C. UK transfers (UK Addendum)
For transfers of Personal Data subject to the UK GDPR, the parties incorporate the International Data Transfer Addendum to the EU Commission’s Standard Contractual Clauses (the “UK Addendum”) issued by the UK Information Commissioner’s Office under Section 119A(1) of the UK Data Protection Act 2018. The UK Addendum lets the parties rely on the EU SCCs as a valid Article 46 transfer mechanism for UK GDPR restricted transfers; the parties’ signatures on this DPA constitute their signatures on the UK Addendum’s Tables for the purposes of UK GDPR Article 46. The UK Addendum is distinct from the stand-alone UK International Data Transfer Agreement (IDTA); EverCFO does not currently rely on the stand-alone IDTA, and where Customer requires it, the parties may execute it separately.
D. Swiss transfers
For transfers of Personal Data subject to the Swiss Federal Act on Data Protection, the EU SCCs apply with the following modifications: references to the GDPR are construed as references to the FADP; references to the competent supervisory authority refer to the Swiss Federal Data Protection and Information Commissioner; and the law of Switzerland governs the SCCs.
16. Acceptance
While this page is marked as a draft (version v0.1-draft), it is not binding by the act of publication or by the reader’s use of the Service. The DPA becomes binding only when (a) the parties countersign this document or a derivative version, or (b) a non-draft version (version 1.0 or later) is expressly incorporated into the Agreement (whether by reference in an order form, by a click-through accept flow tied to the DPA version pin, or by a separately executed addendum). Until that happens, the published Terms of Service governing-law and processing-instruction provisions continue to apply unchanged.
For procurement workflows that require a countersigned document while this page is in draft, email legal@evercfo.ai with your subscription identifier and the entity name and authorized signatory you would like reflected on the counterpart. EverCFO will return a non-draft counterpart executable for that engagement.
EverCFO (Celeste Business Advisors LLP)
By: [Authorized signatory of Celeste Business Advisors LLP — printed on countersigned copies only]
Title: [Partner / Director]
Date: [As of the effective date of the Agreement]
This DPA is offered as a template aligned to GDPR Article 28 + UK GDPR + the EU SCCs (Implementing Decision (EU) 2021/914). It does not constitute legal advice. Customers with regulated data, sector-specific obligations, or non-standard requirements should consult their own counsel.