Data Processing Agreement (DPA)
Version: 1.0 | Effective Date: March 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Data Controller") and Fundry AI, Inc. ("Data Processor") for the use of the Fundry AI platform ("Service").
To request a customized DPA, contact security@fundry.ai. Typical turnaround is 5 business days.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1) and applicable privacy laws.
- Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- Sub-processor: A third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
2. Scope of Processing
The Data Processor processes Personal Data solely for the purpose of providing the Service, which includes:
- Processing DDQ documents to generate draft responses
- Classifying and drafting responses to LP communications
- Parsing tax documents (K-1s) for variance analysis
- Generating financial reports from expense and P&L data
Categories of Personal Data
| Category | Examples | Retention |
|---|---|---|
| LP Contact Information | Names, email addresses, phone numbers | Customer-controlled |
| Financial Identifiers | SSN, TIN, bank account numbers | PII vault (90 days default) |
| Investment Data | Commitment amounts, distributions, allocations | Customer-controlled |
| Tax Data | K-1 fields, tax basis, gains/losses | 7 years (IRS compliance) |
3. Data Processor Obligations
The Data Processor shall:
- Process Personal Data only on documented instructions from the Data Controller
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Security Whitepaper)
- Assist the Data Controller in responding to data subject access requests
- Delete or return Personal Data upon termination of the Service, at the Data Controller's choice
- Make available all information necessary to demonstrate compliance with this DPA
4. Sub-processors
The Data Processor uses the following sub-processors:
| Sub-processor | Purpose | Data Access | Location |
|---|---|---|---|
| Supabase | Database hosting | All structured data | US |
| Vercel | Application hosting | Application logs | US |
| Anthropic | LLM processing | PII-stripped text | US |
| OpenAI | Text embeddings | PII-stripped text | US |
| Stripe | Payment processing | Billing info only | US |
| Resend | Email delivery | Email addresses | US |
| Inngest | Job orchestration | Job metadata only | US |
The Data Controller consents to the use of these sub-processors. The Data Processor will notify the Data Controller at least 30 days before adding or replacing a sub-processor.
5. Data Transfers
All data is processed and stored in the United States. If the Data Controller is located in the EU/EEA, processing is covered by Standard Contractual Clauses (SCCs) as adopted by the European Commission.
6. Security Measures
The Data Processor implements the following measures (detailed in the Security Whitepaper):
- AES-256 encryption at rest and TLS 1.3 in transit
- Row-level security (RLS) for multi-tenant data isolation
- PII detection and stripping before LLM processing
- MFA-enabled authentication with role-based access control
- Automated PII audit and quarantine processes
7. Breach Notification
In the event of a Personal Data breach, the Data Processor shall:
- Notify the Data Controller without undue delay and no later than 72 hours after becoming aware of the breach
- Provide the following information:
  - Nature of the breach and categories of data affected
  - Approximate number of data subjects affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach
8. Data Subject Rights
The Data Processor shall assist the Data Controller in fulfilling obligations to respond to data subject requests for:
- Access to their Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability (export in CSV/JSON format)
- Restriction of processing
9. Data Retention and Deletion
Upon termination of the Service:
- The Data Controller may export all data via the dashboard export feature
- The Data Processor will delete all Personal Data within 30 days of termination
- Agent invocation logs are retained for 7 years per SEC recordkeeping requirements
- Written confirmation of deletion is provided within 10 business days of request
10. Audit Rights
The Data Controller may, upon 30 days' written notice and no more than once per year:
- Request evidence of compliance with this DPA
- Review the Data Processor's security measures and certifications
- Request results of third-party security audits or penetration tests (when available)
11. Liability
The Data Processor's liability under this DPA is subject to the limitations set forth in the underlying Service agreement.
12. Term
This DPA remains in effect for the duration of the Service agreement and until all Personal Data has been deleted or returned.
Data Controller (Customer)
Name: ______________
Title: ______________
Date: ______________
Signature: ______________
Data Processor (Fundry AI, Inc.)
Name: ______________
Title: ______________
Date: ______________
Signature: ______________
To request a signed DPA, contact security@fundry.ai (5 business day turnaround).