Data Processing Agreement

Last Updated: October 27, 2025

Version 1.0.0 - For Business & Enterprise Customers

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between FinVI, Inc. ("FinVI," "we," "us," or "our") and the Customer ("you" or "Customer") for the use of FinVI's services ("Services").

This DPA governs the processing of Personal Data (as defined below) by FinVI on behalf of Customer in connection with the Services, and ensures compliance with applicable data protection laws including the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (PDPA) of Singapore.

Enterprise Contact:

For questions about this DPA or to request a signed copy, please contact our enterprise team at enterprise@companion.app

2. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by FinVI on behalf of Customer in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, or erasure.
  • "Data Controller" means the entity that determines the purposes and means of Processing Personal Data. For this DPA, Customer is the Data Controller.
  • "Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller. For this DPA, FinVI is the Data Processor.
  • "Sub-processor" means any third-party processor engaged by FinVI to Process Personal Data on behalf of Customer.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "PDPA" means the Personal Data Protection Act 2012 of Singapore.

3. Roles and Responsibilities

3.1 Customer as Data Controller

Customer is the Data Controller and is responsible for:

  • Determining the purposes and means of Processing Personal Data
  • Ensuring compliance with applicable data protection laws
  • Obtaining all necessary consents from Data Subjects
  • Providing lawful, fair, and transparent Processing instructions to FinVI
  • Responding to Data Subject requests within required timeframes

3.2 FinVI as Data Processor

FinVI is the Data Processor and will:

  • Process Personal Data only on documented instructions from Customer
  • Implement appropriate technical and organizational measures to protect Personal Data
  • Ensure persons authorized to Process Personal Data are bound by confidentiality
  • Assist Customer in responding to Data Subject requests
  • Delete or return Personal Data at the end of the agreement
  • Make available all information necessary to demonstrate compliance

4. Scope of Processing

4.1 Subject Matter

The subject matter of Processing is the provision of FinVI's AI trading assistant Services to Customer.

4.2 Duration

Processing will continue for the duration of the Services agreement, unless terminated earlier in accordance with the Terms of Service.

4.3 Nature and Purpose

The nature and purpose of Processing is to provide:

  • AI-powered trading insights and analysis
  • Stock watchlist monitoring and alerts
  • Portfolio tracking and performance analytics
  • Natural language conversation interface
  • Data storage and retrieval services

4.4 Types of Personal Data

Category        | Data Types
----------------|------------------------------------------------------------
Identity Data   | Name, email address, username
Financial Data  | Watchlist stocks, portfolio holdings, trading preferences
Usage Data      | Chat messages, search queries, alert configurations
Technical Data  | IP address, device information, browser type

4.5 Categories of Data Subjects

Data Subjects may include:

  • Customer's employees and contractors
  • Customer's clients and customers
  • Individual users of Customer's account

5. Security Measures

5.1 Technical Measures

FinVI implements the following technical security measures:

  • Encryption in Transit: All data transmitted via HTTPS/TLS 1.3
  • Encryption at Rest: Database encryption using AES-256
  • Access Controls: Role-based access control (RBAC) and multi-factor authentication
  • Pseudonymization: Where appropriate, Personal Data is pseudonymized
  • Regular Backups: Automated daily backups with 30-day retention
  • Intrusion Detection: Real-time monitoring for suspicious activity

5.2 Organizational Measures

FinVI implements the following organizational security measures:

  • Staff Training: Regular data protection and security training
  • Confidentiality: All staff sign confidentiality agreements
  • Access Limitation: Personal Data access limited to authorized personnel only
  • Incident Response: Documented data breach response procedures
  • Security Audits: Regular security assessments and penetration testing
  • Vendor Management: Sub-processor evaluation and monitoring

6. Sub-processors

6.1 Authorized Sub-processors

Customer authorizes FinVI to engage the following Sub-processors:

Sub-processor | Service                    | Location
--------------|----------------------------|----------------------
Supabase      | Database & Authentication  | United States (AWS)
Anthropic     | AI Processing (Claude)     | United States
Vercel        | Hosting & CDN              | United States
Stripe        | Payment Processing         | United States
Resend        | Email Delivery             | United States

6.2 Changes to Sub-processors

FinVI may add or replace Sub-processors with 30 days' prior written notice to Customer via email. Customer may object to a new Sub-processor within 30 days of notification. If Customer objects, FinVI will use reasonable efforts to provide an alternative solution or allow Customer to terminate the Services without penalty.

7. Data Subject Rights

FinVI will assist Customer in fulfilling Data Subject requests, including:

  • Right of Access: Provide access to Personal Data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Delete Personal Data ("right to be forgotten")
  • Right to Restriction: Limit Processing of Personal Data
  • Right to Data Portability: Provide data in machine-readable format
  • Right to Object: Object to certain types of Processing

Customer is responsible for responding to Data Subject requests within the timeframes required by law (typically 30 days under GDPR). FinVI will provide reasonable assistance and respond to Customer's requests for information within 10 business days.

8. Data Breach Notification

In the event of a Personal Data breach, FinVI will:

  • Notify Customer within 72 hours of becoming aware of the breach
  • Provide details of the breach, including the nature, categories, and approximate number of affected Data Subjects
  • Describe the likely consequences of the breach
  • Outline measures taken or proposed to address the breach and mitigate harm
  • Provide regular updates as the investigation progresses
  • Cooperate with Customer's investigation and regulatory notifications

9. Data Retention and Deletion

9.1 Retention Periods

FinVI will retain Personal Data for the following periods:

  • Active Services: During the term of the Services agreement
  • Backups: Up to 30 days in backup systems
  • Legal Requirements: As required by applicable law (e.g., financial records for 7 years)

9.2 Deletion Upon Termination

Upon termination of the Services or upon Customer's request, FinVI will:

  • Provide a final data export to Customer within 30 days
  • Delete all Personal Data from production systems within 90 days
  • Delete all Personal Data from backup systems within 180 days
  • Provide written certification of deletion upon request

10. International Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA) and Singapore, including the United States.

FinVI ensures adequate protection through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved SCCs with all Sub-processors
  • Supplementary Measures: Additional technical and organizational safeguards
  • Transfer Impact Assessments: Regular assessments of data transfer risks

11. Audits and Compliance

Customer has the right to audit FinVI's compliance with this DPA, subject to the following:

  • Audits must be requested with 30 days' prior written notice
  • Audits may be conducted once per year unless required by law or following a breach
  • Audits must be conducted during business hours and not interfere with operations
  • Customer may use an independent third-party auditor bound by confidentiality
  • Customer bears all costs associated with the audit

FinVI will provide reasonable cooperation and access to information necessary to demonstrate compliance.

12. Liability and Indemnification

12.1 Limitation of Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

12.2 Indemnification

FinVI will indemnify Customer against claims arising from FinVI's breach of this DPA, provided that:

  • Customer promptly notifies FinVI of the claim
  • FinVI has sole control of the defense and settlement
  • Customer provides reasonable cooperation

13. Term and Termination

This DPA will remain in effect for the duration of the Services agreement and will automatically terminate upon termination of the Services agreement.

The provisions relating to data deletion, confidentiality, and liability will survive termination.

14. Governing Law and Jurisdiction

This DPA is governed by the same law and jurisdiction as the Terms of Service.

For matters specifically related to GDPR, the laws of the European Union and the jurisdiction of the courts of Ireland will apply. For matters specifically related to PDPA, the laws of Singapore will apply.

15. Contact Information

For questions or concerns about this DPA, please contact:

Data Protection Officer: dpo@companion.app

Enterprise Team: enterprise@companion.app

Privacy Team: privacy@companion.app

Address: FinVI, Inc., 123 Market Street, San Francisco, CA 94103

📝 Execution

For Enterprise Customers:

If you require a signed DPA for your records, please contact our enterprise team at enterprise@companion.app. We will provide a counter-signed copy within 5 business days.

By using our Services, you acknowledge that you have read, understood, and agree to be bound by the terms of this DPA.