Data Processing Addendum

Version 1.0 · Effective May 28, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Billslash, Inc. ("Processor") and the Customer ("Controller") for use of the Billslash service. It governs the processing of Personal Data on Controller's behalf.

1. Roles

Controller is the Data Controller. Billslash is the Data Processor. Plaid, Supabase, Cloudflare, Stripe, and Resend are Subprocessors.

2. Scope of Processing

Billslash processes Personal Data solely to provide the Service: authenticate users, retrieve bank transactions via Plaid, categorize bills, send notifications, and process subscription payments.

3. Subprocessors

A current list is maintained at billslash.app/subprocessors. We notify Controller at least 30 days before adding a new Subprocessor.

4. Security Measures

We implement technical and organizational measures described in our Information Security Policy, including TLS 1.2+ in transit, AES-256 at rest, mandatory MFA for administrative access, RBAC, signed webhooks, an isolated token vault for Plaid access tokens, and append-only audit logs.

5. Data Subject Rights

We assist Controller in responding to requests for access, rectification, erasure, portability, restriction, and objection within 30 days.

6. Breach Notification

We notify Controller without undue delay and no later than 72 hours after becoming aware of a confirmed Personal Data breach affecting Controller's data.

7. International Transfers

EU and UK Personal Data is processed in the United States and European Union under Standard Contractual Clauses.

8. Audit Rights

Once per year, Controller may request our most recent SOC 2 report and penetration-test summary under NDA.

9. Return or Deletion

On termination, all Customer Personal Data is deleted within 90 days unless retention is required by applicable law.

To request a countersigned copy of this DPA, contact privacy@billslash.app.