
Data processing addendum

The processor-side terms governing our handling of personal data on your behalf, including borrower data submitted to the platform.

Last updated:

This Data Processing Addendum ("DPA") supplements the RateStack Terms of Service ("Agreement") and governs the processing of Personal Data by RateStack on behalf of the Customer.

1. Definitions

  • "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Subprocessor" have the meanings given in the GDPR / UK GDPR (or analogous statutes for non-EU customers).
  • "Customer Personal Data" means Personal Data that Customer submits to or that the platform processes on Customer's behalf.
  • "Data Protection Laws" means GDPR, UK GDPR, CCPA / CPRA, GLBA, and any other applicable privacy law.

2. Roles

For Customer Personal Data, Customer is the Controller and RateStack is the Processor. For operator account data (Customer's own employees), RateStack acts as Controller for the limited purpose of providing access and security.

3. Scope of processing

Subject matter

Provision of the platform service: pricing, eligibility, ratesheet ingestion, lock management, comp/margin, AMI lookups, and integration surfaces.

Duration

For the term of the Agreement plus the deletion period in Section 9.

Categories of data subjects

Borrowers and applicants under loans submitted by Customer; Customer's employees and contractors with platform access.

Categories of Personal Data

For borrowers: pricing-relevant attributes only (FICO, income, DTI, residency status, occupancy, loan/property attributes, state, county). The PII redactor strips full SSN, full credit reports, identification numbers, and bank account numbers at ingest. For operators: email, display name, phone (optional), professional title, company, primary state of operations.

Documented instructions

RateStack processes Customer Personal Data only on the documented instructions of Customer, including with regard to transfers to a third country or international organisation, unless required by applicable law. Use of the platform constitutes Customer's ongoing instructions.

4. Security measures

RateStack maintains the technical and organizational measures described at /trust/security, including:

  • AES-256-GCM encryption at rest for persistent secrets
  • TLS 1.2+ encryption in transit
  • Append-only audit log with SHA-256 hash chain and actingAsOrgId for delegation
  • Capability catalog (12 operational + 7 provider, published at /v1/capabilities)
  • SSO support (Google / Microsoft / Apple; SAML on Enterprise)
  • PII redaction on logs, traces, and audit payloads
  • SSRF defense on all outbound integrations
  • Distributed brute-force lockout
  • Production access controls and audit
  • Incident response and 24/7 on-call (Business+ tiers)

5. Subprocessors

Customer authorizes RateStack to engage Subprocessors. The current list is at /trust/subprocessors. RateStack will notify Customer of material changes (new Subprocessor, substantive change in purpose) at least 30 days in advance via the changelog and direct notification (Business+ tiers).

Customer may object in writing within 30 days of notification. The parties will work in good faith to resolve. Where resolution is not possible, Customer may terminate the affected service with pro-rated refund.

6. Cross-border transfers

Standard deployments process data in the United States. Where Customer Personal Data is transferred from the EEA, UK, or Switzerland, the EU Standard Contractual Clauses (Module 2) and the UK Addendum apply and are incorporated by reference. Enterprise customers may request EU- or UK-pinned deployment.

7. Assistance

RateStack will provide reasonable assistance to Customer in fulfilling data subject rights (access, correction, deletion, portability), in conducting data protection impact assessments, and in responding to regulator inquiries — taking into account the nature of the processing and the information available to RateStack.

8. Breach notification

RateStack will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of a Personal Data Breach affecting Customer Personal Data. Notice will include the nature of the breach, categories and approximate number of data subjects, likely consequences, and measures taken or proposed.

9. Deletion & return

On termination of the Agreement, Customer has 30 days to export Customer Personal Data via the standard export tools or admin API. RateStack will delete Customer Personal Data within 60 days of termination unless retention is required by applicable law. Deletion confirmation is provided in writing.

During the term, Customer may request deletion of specific Customer Personal Data via the admin API; RateStack will complete the deletion within 30 days of an authorized request.

10. Audit

RateStack will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. RateStack will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, no more than once per year (Business and Enterprise tiers; on Customer's reasonable cost for the Team tier and below).

For practical reasons, RateStack may satisfy this obligation through a SOC 2 Type II report or analogous third-party attestation when available.

11. General

This DPA is effective on the date Customer accepts the Agreement and survives until 30 days after deletion of all Customer Personal Data. In the event of conflict between this DPA and the Agreement on data-protection matters, this DPA controls.

Customer may execute a counter-signed copy of this DPA by emailing legal@ratestack.com; we maintain a counter-signed copy for our records and provide it on request.
