At a Glance
Quick summary. Read the full policy below for the complete terms.
- Who this is for: Customers who require a written controller-processor agreement under GDPR Art. 28, UK GDPR, CCPA service-provider terms, or analogous state laws. Available to all customers on request.
- How to execute: Self-execute by accepting these terms when you sign up (clickwrap). For a counter-signed PDF, email legal@raintree.technology.
- Related documents: Current sub-processors at /legal/subprocessors; privacy practices at /legal/privacy; security controls at /legal/security.
1. Definitions
In this Data Processing Addendum ("DPA"), the terms Controller, Processor, Data Subject, Personal Data, Processing, Special Categories of Personal Data, and Supervisory Authority have the meanings given to them in the European Union General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"). UK GDPR means the GDPR as it forms part of UK domestic law by virtue of the European Union (Withdrawal) Act 2018. CCPA means the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020. Customer means the entity or natural person who has accepted Clarity's Terms of Service. Clarity means FinSync LLC, operating as Raintree Technology.
2. Roles of the Parties
For Personal Data that Customer provides to Clarity or that Clarity processes on Customer's behalf in connection with the Service, Customer is the Controller and Clarity is the Processor. For Personal Data that Clarity processes for its own purposes (e.g., billing, security, abuse prevention, product analytics in scope of Clarity's own privacy policy), Clarity is the Controller. For purposes of the CCPA, Clarity is a "service provider" with respect to Personal Data processed on Customer's behalf.
3. Clarity's Processing Obligations
Clarity will:
- process Personal Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law to which Clarity is subject (in which case Clarity will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest);
- ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in the Security section of Clarity's public Security policy at /legal/security;
- respect the conditions referred to in Article 28(2) and (4) of the GDPR for engaging another processor (sub-processor) — see Section 5 below;
- taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to Data Subject requests;
- assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security of processing, notification of personal-data breach, data protection impact assessment, prior consultation);
- at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data; and
- make available to Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR.
4. Technical and Organizational Measures
Clarity has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, and integrity of Personal Data, including encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+), authenticated encryption for stored credentials, role-based access controls, principle-of-least-privilege provisioning, logging and monitoring of administrative actions, vendor risk-assessment processes, and incident-response procedures aligned with the SOC 2 Trust Services Criteria. A description of these measures and their evolution is published at /legal/security.
5. Sub-processors
Customer provides general authorization for Clarity to engage the sub-processors listed at /legal/subprocessors. Clarity will impose data protection obligations on each sub-processor that are no less protective than those in this DPA. Clarity remains liable to Customer for the acts and omissions of each sub-processor with respect to Personal Data processed on Customer's behalf.
Clarity will notify Customer of any intended addition or replacement of a sub-processor with reasonable prior notice (typically 30 days) by updating the published sub-processor list and, for customers who have subscribed to change notifications, by email. Customer may object to such addition or replacement on reasonable data-protection grounds by emailing legal@raintree.technology within 14 days of the notice; the parties will then work in good faith to resolve the objection or, if no resolution can be reached, terminate the affected services without penalty.
6. International Data Transfers
Where Personal Data of Data Subjects in the EEA, UK, or Switzerland is transferred to a country that has not received an adequacy decision from the European Commission or UK Secretary of State, the parties agree that:
- for transfers from the EEA, the European Commission Standard Contractual Clauses (Module Two: Controller-to-Processor, Implementing Decision (EU) 2021/914) are incorporated by reference and will apply, with Customer as "data exporter" and Clarity as "data importer";
- for transfers from the UK, the UK International Data Transfer Addendum (IDTA) issued by the Information Commissioner is incorporated and supplements the SCCs as required under UK GDPR;
- for transfers from Switzerland, the SCCs apply with references to GDPR construed as references to the Swiss Federal Act on Data Protection where applicable.
Executed copies of the SCCs/IDTA are available on request to legal@raintree.technology.
7. Personal Data Breach
Clarity will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data, and in any event within 72 hours of discovery. The notification will describe (to the extent known at the time) the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
Where Clarity is a U.S. financial institution under the FTC Safeguards Rule (16 CFR Part 314) and the Personal Data Breach is a "notification event" affecting 500 or more U.S. consumers, Clarity will additionally notify the Federal Trade Commission within 30 days of discovery as required by 16 CFR § 314.5.
8. CCPA Service-Provider Terms
To the extent Clarity processes "personal information" subject to the CCPA on Customer's behalf, Clarity is a "service provider" and:
- will not sell or share the personal information (as those terms are defined in the CCPA);
- will not retain, use, or disclose the personal information outside the direct business relationship with Customer or for any purpose other than the specific purposes described in Customer's instructions and in the Service;
- will not combine the personal information with personal information from any other source except as permitted under the CCPA Regulations (e.g., to detect security incidents); and
- will notify Customer if it determines it can no longer meet its obligations under the CCPA.
9. Audits
Clarity will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor mandated by Customer (subject to reasonable confidentiality and scheduling constraints). For customers on standard subscription plans, Clarity will satisfy this obligation by providing the most recent independent security report (e.g., SOC 2 Type II once available) and responding in good faith to written security questionnaires.
10. Term and Termination
This DPA is effective for the duration of Customer's use of the Service. On termination of the Service, Clarity will delete or return Customer's Personal Data in accordance with Clarity's retention practices described in the Privacy Policy and Section 3 above, except where retention is required by applicable law.
This DPA supplements and forms part of the Clarity Terms of Service. In case of conflict between this DPA and the Terms with respect to processing of Personal Data on Customer's behalf, this DPA prevails.