Data Processing Agreement

Last updated: January 1, 2025 · Version 2.1

Enterprise Customers

This Data Processing Agreement (DPA) is incorporated into and forms part of the LendAutomate Master Subscription Agreement or other written agreement between LendAutomate and the Customer governing the use of the Services. If you require a signed DPA for your organization, please contact [email protected].

1. Definitions

In this Data Processing Agreement:

  • "Controller" means the Customer, who determines the purposes and means of processing Personal Data.
  • "Processor" means LendAutomate, who processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed in connection with the Services.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Sub-processor" means any third party engaged by LendAutomate to process Personal Data.
  • "Applicable Privacy Laws" means GDPR, PIPEDA, CCPA, and any other applicable data protection laws.

2. Scope and Purpose of Processing

LendAutomate processes Personal Data solely for the purpose of providing the Services as described in the Master Subscription Agreement and as instructed by the Customer. LendAutomate will not process Personal Data for any other purpose without the Customer's prior written consent.

The categories of Personal Data processed include:

  • Borrower personal and financial information (names, addresses, SINs/SSNs, income data)
  • Investor personal and financial information
  • Customer employee and user account information
  • Loan application and transaction data
  • Document and communication records

3. Customer Obligations

The Customer agrees to:

  • Ensure it has a lawful basis for processing Personal Data and sharing it with LendAutomate
  • Provide all necessary notices and obtain all required consents from data subjects
  • Comply with all Applicable Privacy Laws in its use of the Services
  • Ensure that its instructions to LendAutomate comply with Applicable Privacy Laws
  • Promptly notify LendAutomate of any changes to its instructions that may affect LendAutomate's compliance obligations

4. LendAutomate Obligations

LendAutomate agrees to:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Customer in responding to data subject rights requests
  • Notify the Customer without undue delay of any Personal Data breach
  • Delete or return all Personal Data upon termination of the Services
  • Provide all information necessary to demonstrate compliance with this DPA

5. Security Measures

LendAutomate implements and maintains the following technical and organizational security measures:

  • Encryption: AES-256 encryption at rest; TLS 1.3 in transit
  • Access Controls: Role-based access control (RBAC) with multi-factor authentication
  • Infrastructure: Hosted in SOC 2 Type II certified data centers in North America
  • Monitoring: 24/7 security monitoring and intrusion detection
  • Backups: Automated daily backups with 30-day retention and tested recovery procedures
  • Penetration Testing: Annual third-party penetration testing
  • Employee Training: Regular security awareness training for all personnel

6. Sub-processors

LendAutomate uses the following categories of sub-processors to provide the Services. LendAutomate will notify the Customer of any intended changes to sub-processors and provide the Customer with the opportunity to object.

Sub-processor             | Purpose                               | Location
Amazon Web Services (AWS) | Cloud infrastructure and data storage | Canada / US
Stripe                    | Payment processing                    | US
SendGrid                  | Transactional email delivery          | US
Twilio                    | SMS notifications                     | US

7. Data Subject Rights

LendAutomate will assist the Customer in fulfilling its obligations to respond to data subject rights requests, including rights of access, rectification, erasure, restriction of processing, data portability, and objection. LendAutomate will promptly forward any data subject requests received directly to the Customer.

8. Data Breach Notification

In the event of a Personal Data breach, LendAutomate will notify the Customer without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include, to the extent available: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.

9. Data Retention and Deletion

Upon termination or expiration of the Services, LendAutomate will, at the Customer's election, delete or return all Personal Data within 30 days. LendAutomate will retain Personal Data for no longer than necessary to fulfill the purposes described in this DPA, unless longer retention is required by law.

10. International Data Transfers

LendAutomate processes and stores data in Canada and the United States. For customers subject to GDPR, LendAutomate relies on Standard Contractual Clauses (SCCs) for any transfers of Personal Data outside the European Economic Area. For Canadian customers, LendAutomate complies with PIPEDA's requirements for cross-border transfers.

11. Audit Rights

LendAutomate will make available to the Customer all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor. LendAutomate may require reasonable advance notice and may require the auditor to sign a confidentiality agreement.

12. Governing Law

This DPA is governed by the same law as the Master Subscription Agreement. For customers in Canada, this DPA is governed by the laws of Ontario, Canada. For customers in the United States, this DPA is governed by the laws of the State of Delaware.

13. Contact Information

For questions about this DPA or to request a signed DPA for your organization:

LendAutomate Inc. — Data Protection Officer
Email: [email protected]
Address: 100 King Street West, Suite 5600, Toronto, ON M5X 1C9, Canada