Data Processing Addendum
Applicable to enterprise buyers requiring a written DPA.
This Data Processing Addendum (“DPA”) supplements the Buyer Agreement between MerchantSourced (“Processor”) and the buyer (“Controller”) and governs the processing of personal data of merchants whose lead records are made available to Controller by Processor.
1. Roles
For lead-record fields generated from merchant-facing intake (consent text, capture metadata, contact details), Processor acts as Controller of original capture and as Processor of subsequent transmission to Buyer. Buyer becomes an independent Controller of the data upon delivery for its own commercial-finance contact purposes.
2. Subprocessors
- Neon (US-East) — Postgres data hosting.
- Vercel — application hosting and serverless compute.
- Vercel Blob — encrypted CSV asset storage.
- Stripe — payment processing only; no merchant lead data shared with Stripe.
- Twilio — phone validation; metadata-only, no merchant content.
- Resend — outbound email for resurrection campaigns; lead email + first name only.
3. Security
TLS in transit, AES-256 at rest, bcrypt-hashed credentials, JWT-signed sessions, HMAC-signed receipts, watermarked CSV exports. Quarterly access review. Documented incident response.
4. Data subject rights
Processor will assist Controller in responding to data subject access, deletion, or rectification requests within 14 days of written notice.
5. Breach notification
Processor will notify Controller without undue delay (and in no event later than 72 hours) of any confirmed personal-data breach affecting the data delivered to that Controller.
6. Term and survival
This DPA remains in effect for the duration of the Buyer Agreement. Upon termination, Processor will delete or anonymize Controller's data within 90 days, other than what is retained for compliance and audit purposes (signatures, consent records).
For an executable counter-signature copy, email legal@merchantsourced.com.