Data Processing Agreement (DPA)

This DPA outlines how Finicom handles and protects personal and financial data on behalf of its users.


Last Updated: April 8, 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Kriebel LLC. (“Finicom”, “we”, “us”, or “our”), a California limited liability company, and users of our services (“Customer”, “you”, or “your”) to reflect the parties’ agreement with regard to the processing of personal data under applicable data protection and privacy laws.

1. Scope and Applicability

This DPA applies to the extent Finicom processes personal data on behalf of the Customer as a data processor in the course of providing services via https://finicom.com, including its synchronization services with third-party tools such as Google Sheets™, Notion, Airtable, and others.

This DPA is designed to comply with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy laws.

2. Roles and Responsibilities

  • Customer: The data controller that determines the purpose and means of processing personal data.
  • Finicom: The data processor that processes personal data on behalf of the Customer to provide agreed-upon services.

3. Types of Personal Data Processed

Finicom processes the following categories of personal data as required to deliver its services:

  • Account Information: Name, email address, and authentication metadata.
  • Financial Data: Transaction and bank data accessed temporarily via financial data providers (e.g., Plaid) and immediately deleted after processing.
  • Third-Party Sync Credentials: OAuth credentials for services like Google Sheets™, Notion, Airtable, and others to enable data delivery.
  • Technical Data: IP address, browser type, timestamps, and activity logs for security and analytics purposes.

Note: Finicom does not permanently store financial transaction data. All such data is deleted immediately after delivery to the user's chosen platform.

4. Duration of Processing

Finicom processes personal data for as long as the Customer maintains an active account, or as required to fulfill the purpose of processing. Upon account deletion or a valid deletion request, personal data is permanently removed in accordance with our Data Retention & Deletion Policy.

5. Subprocessors

Finicom uses select third-party subprocessors to assist in delivering its services. A current list of subprocessors and their activities is available on our Sub-Processors page. Finicom enters into written agreements with each subprocessor that impose obligations substantially similar to those in this DPA.

6. Data Transfers

All user data is hosted in the United States. Finicom’s infrastructure provider, Cloudflare, may route traffic globally to optimize latency, but storage occurs in U.S.-based data centers.

For EU users, Finicom relies on Standard Contractual Clauses (SCCs) and other lawful mechanisms to ensure appropriate safeguards for international data transfers, where applicable.

7. Security Measures

Finicom employs appropriate technical and organizational measures to protect personal data, including:

  • Encryption at Rest and in Transit using TLS 1.3 and modern cipher suites.
  • Double Encryption of sensitive user tokens (e.g., Plaid access tokens).
  • Access Controls limiting personnel access to sensitive data.
  • No Employee Access to decrypted transaction data or tokens.
  • Zero Data Sharing with AI models or third-party tools outside of listed subprocessors.

Our full security policy is available here.

Finicom does not sell or rent user data and is monetized solely through user-paid subscriptions.

8. Data Subject Rights

Users may exercise their data rights by contacting [email protected], including:

  • Right of Access: Obtain a copy of the personal data we process.
  • Right to Erasure: Request deletion of your data.
  • Right to Rectification: Correct inaccurate personal data.
  • Right to Portability: Export personal data in a structured format.

We respond to all requests within the timeframes required by applicable laws.

9. Data Breach Notification

In the event of a personal data breach, Finicom will notify affected Customers without undue delay, provide relevant details as required by law, and take reasonable steps to mitigate any potential harm.

10. Audit and Compliance

Upon request, Finicom will make available relevant documentation to demonstrate compliance with this DPA.

11. Term and Termination

This DPA remains in effect for the duration of the Customer’s use of Finicom’s services and will automatically terminate upon deletion of all Customer data by Finicom, unless otherwise required by law.

12. Governing Law

This DPA is governed by the laws of the State of California, without regard to conflicts of law principles.


If you have any questions about this DPA or wish to exercise your data rights, please contact us at [email protected].