Data Processing Addendum (DPA)

Last Updated: 5/30/25

This Data Processing Addendum (“DPA”) forms part of the agreement (“Agreement”) between CapSource, Inc. (“CapSource”, “we”, “us”, or “our”) and any customer (“Customer” or “you”) who uses CapSource’s services and processes Personal Data subject to European data protection laws, including the General Data Protection Regulation (GDPR).


1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person processed by CapSource on behalf of the Customer.

  • “Processing”, “Processor”, “Controller”, and “Data Subject” have the meanings given under GDPR Article 4.

  • “Subprocessor” means any third party engaged by CapSource to process Personal Data.


2. Roles and Scope

  • Customer is the Data Controller, and CapSource is the Data Processor.

  • This DPA applies only to the Processing of Personal Data within the scope of the services provided by CapSource.


3. Processor Obligations

CapSource will:

  • Process Personal Data only per Customer’s written instructions.

  • Ensure that personnel authorized to process Personal Data are bound by confidentiality.

  • Implement appropriate technical and organizational security measures.

  • Assist the Customer with data subject requests (e.g. access, deletion, correction).

  • Notify the Customer of any Personal Data Breach without undue delay (within 72 hours).

  • Support data protection impact assessments and prior consultations if required.

  • Upon termination of services, delete or return Personal Data as requested.


4. Subprocessors

CapSource may engage Subprocessors to provide the Services. Our current list of Subprocessors is included below:

Subprocessor | Purpose | Data Handled | Location
Amazon Web Services (AWS) | Application hosting, file storage, DB infrastructure | All platform and user data | USA*
SendGrid (or equivalent) | Transactional email delivery (e.g. invites, reminders) | Names, emails, message content | USA
Cloudflare | CDN, firewall, and DDoS protection | IPs, headers, metadata | Global (with USA HQ)
Sentry or Rollbar | Application monitoring and error tracking | Logs, potentially limited user context | USA
Stripe (or other payment provider) | Payment processing for clients (if applicable) | Billing info, names, email | USA
Google Workspace | Internal communications and document sharing | Email, attachments, contracts | USA
Intercom or HubSpot (if used) | CRM or support communication | User interactions, metadata | USA/EU (varies)
Jira / Atlassian | Engineering ticketing and roadmap management | Issue metadata (some user IDs) | USA

*CapSource’s primary hosting infrastructure is located in the United States, utilizing secure Amazon Web Services (AWS) data centers.

CapSource shall:

  • Ensure Subprocessors are bound by equivalent data protection obligations.

  • Notify Customer of any intended changes to Subprocessors.

  • Allow the Customer to object to Subprocessor changes where reasonably justified.


5. Cross-Border Transfers

  • CapSource hosts and processes Personal Data within the United States, using Amazon Web Services (AWS).

  • For transfers outside the EEA/UK/Switzerland, CapSource relies on Standard Contractual Clauses (SCCs) as approved by the European Commission.


6. Data Security

CapSource maintains a comprehensive security program aligned with industry best practices, including:

  • Encryption at rest and in transit

  • Role-based access controls

  • Secure development lifecycle practices

  • Daily encrypted backups and multi-region replication

Details are available in CapSource’s Security Audit documentation.


7. Audits and Certification

Upon reasonable request, CapSource will:

  • Provide documentation necessary to demonstrate compliance with this DPA.

  • Cooperate with Customer’s data protection assessments, subject to reasonable limits.


8. Data Subject Requests

CapSource shall:

  • Promptly notify Customer upon receiving a data subject request.

  • Not respond directly unless legally required or instructed by Customer.


9. Term and Termination

This DPA remains in effect for the duration of the Agreement and applies as long as CapSource processes Personal Data on behalf of the Customer.

Upon termination, CapSource will delete or return all Personal Data, unless otherwise required by law.


10. Contact

For data protection inquiries, please contact:

CapSource Data Privacy Team
[email protected]


11. Acceptance

By using CapSource’s services, Customer agrees to the terms of this Data Processing Addendum. For customized DPAs or additional terms, please contact us.

CapSource can be contacted for EU/UK data protection inquiries at [email protected]. We are in the process of evaluating an appointed GDPR representative in accordance with Article 27.