Last updated: March 1, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DuePilot Inc. ("Data Processor") and the Customer ("Data Controller"). This DPA applies to all processing of personal data carried out by DuePilot on behalf of the Customer in connection with the DuePilot service.
Data Controller means the Customer — the business that has subscribed to DuePilot and determines the purposes and means of processing personal data.
Data Processor means DuePilot Inc., which processes personal data on behalf of the Data Controller.
Personal Data means any information relating to an identified or identifiable natural person, as defined under applicable data protection law (including GDPR and CCPA).
Sub-Processor means any third party engaged by DuePilot to process personal data on behalf of the Customer.
Subject matter: Accounts receivable automation, including invoice tracking, customer contact management, and collection email sequences.
Duration: For the term of the Customer's subscription to DuePilot, plus 90 days' retention after termination.
Nature of processing: Collection, storage, analysis, transmission, and deletion of personal data for the purpose of AR automation.
Types of personal data processed:
Business contact information (name, email, phone, business address)
Financial data (invoice amounts, payment history, outstanding balances)
Communication records (email content, reply classification results)
Behavioral data (email open/click events, payment timing patterns)
Categories of data subjects: The Customer's business customers and any individuals whose contact information appears in the Customer's QuickBooks or imported data.
DuePilot agrees to:
Process personal data only on documented instructions from the Data Controller (as set out in the Terms of Service and this DPA)
Ensure that all personnel authorized to process personal data are bound by confidentiality obligations
Implement and maintain appropriate technical and organizational security measures
Assist the Data Controller in fulfilling its obligations to respond to data subject requests
Delete or return all personal data upon termination of the services, at the Data Controller's choice
Provide the Data Controller with all information necessary to demonstrate compliance with this DPA
DuePilot uses the following sub-processors to deliver the service. We maintain data processing agreements with each sub-processor.
| Sub-Processor | Location | Purpose |
| --- | --- | --- |
| Supabase Inc. | United States | Database hosting, authentication, and data storage |
| Anthropic PBC | United States | AI model API for email drafting and reply classification |
| OpenAI L.L.C. | United States | AI model API for specific classification tasks |
| Google LLC | United States | Gmail OAuth and email sending |
| Wildbit LLC (Postmark) | United States | Transactional email delivery |
| Stripe Inc. | United States | Payment processing and billing |
| Cloudflare Inc. | United States | Edge compute, CDN, and DDoS protection |
We will notify the Data Controller of any new sub-processors with at least 14 days' notice, providing an opportunity to object.
DuePilot implements the following technical and organizational measures:
TLS 1.3 encryption for all data in transit
AES-256 encryption for all data at rest
Row Level Security (RLS) enforced at the database layer on all tables
OAuth token storage via Supabase Vault (encrypted)
Short-lived credentials with automatic expiration for employee access
Rate limiting and DDoS protection via Cloudflare
Access logging and audit trails for all data access events
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, DuePilot will notify the Data Controller within 72 hours of becoming aware of the breach.
The notification will include: the nature of the breach, categories and approximate number of data subjects concerned, likely consequences of the breach, and measures taken or proposed to address the breach.
DuePilot processes data in the United States. For customers in the European Economic Area, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for international data transfers where required.
Upon termination of the service, DuePilot will retain data for 90 days to allow the Data Controller to export their data. After 90 days, all personal data will be permanently deleted from all systems and backups. Deletion confirmation can be requested at dpa@duepilot.ai.
For questions about this DPA or data processing matters:
Email: dpa@duepilot.ai
DuePilot Inc., San Francisco, CA