Data Processing Agreement
Effective 2026-05-22
1. Parties
This Data Processing Agreement ("DPA") is between Heritage Financial Advisors S.A.S. ("Processor") and the firm (the "Controller") that has accepted the Terms of Service.
2. Subject matter
The Processor processes personal data on behalf of the Controller solely to provide the Platform: data room hosting, NDA execution, AI diligence, audit chain, and billing.
3. Sub-processors
The Processor may engage the following sub-processors: Supabase (database + auth), Resend (email), Stripe (billing), Anthropic, OpenAI. The Controller is notified of any change at least 30 days in advance.
4. Security measures
AES-256 at rest, TLS 1.3 in transit, RLS-isolated tenancy at the database, MFA available on every account, audit log streamed end-to-end. Full controls list: /security.
5. Data subject rights
The Processor assists the Controller in responding to data-subject requests (access, rectification, deletion, portability) within 7 days.
6. Breach notification
The Processor notifies the Controller of any confirmed personal-data breach within 72 hours of detection, with available facts including categories of data, affected subject counts, and mitigation steps taken.
7. Audit
The Controller may audit the Processor's compliance with this DPA once per calendar year, with 30 days' notice. SOC 2 Type II reports (when available) substitute for the audit obligation.
8. Contact
Email dpo@dealflou.com for any DPA question.