Data Processing Addendum
Scope
This Data Processing Addendum ("DPA") supplements the Terms of Service between Unlevered, Inc. ("Processor") and the firm using the Service ("Controller"). It applies to all Personal Data processed in connection with the Service.
Roles
The Controller determines the purposes and means of processing. The Processor processes Personal Data on behalf of and under the documented instructions of the Controller, subject to these terms.
Subject matter & duration
Subject matter: provision of cost segregation software, engine analysis, engineer review, and white-labeled client deliverables. Duration: for the term of the underlying Terms of Service plus the retention periods documented in the Privacy Policy.
Categories of data subjects
The Service processes Personal Data of: firm staff (CPAs, EAs, tax strategists, admin); property owners invited to client portals; engineers of record who review studies.
Types of personal data
Identifiers (name, email, phone), property addresses, document uploads (closing statements, rent rolls, receipts, photographs), tax identifiers (EIN/SSN, encrypted at rest), and operational metadata.
Security measures
Encryption at rest (AES-256) and in transit (TLS 1.3); default-deny row-level access controls; least-privilege role separation; audit logging of material actions; quarterly access reviews; vulnerability management; incident response procedures. See the Security page for detail.
Subprocessors
Authorized subprocessors:
- Supabase — Postgres + auth · US-East
- AWS (S3, RDS) — object & database storage · US-East
- Vercel — application hosting · US-East
- Stripe — payments & Connect · US
- Smarty — address validation · US
- Google Workspace — internal email & docs · US
- Sentry — anonymized error reporting · US
We’ll provide at least 14 days’ advance notice before adding or replacing a subprocessor that handles customer data.
Data subject rights
We’ll assist the Controller in responding to data subject requests (access, deletion, portability) within the timelines required by applicable law.
Breach notification
We’ll notify the Controller of a Personal Data breach without undue delay and in any event within 72 hours of discovery, including the nature of the breach, categories of data and subjects affected, and remediation actions taken.
Audits
The Controller may request a summary of our security controls and SOC 2 audit report (once available) once per year, on reasonable notice and subject to confidentiality.
Return & deletion
On termination, the Controller may export all data via the standard export tools. Ninety days after termination, residual data is purged unless the Controller has given explicit hold instructions or legal retention requirements apply.