Data Processing Agreement

Template version: May 21, 2026

This is the standard Verde Data Processing Agreement template. Enterprise customers should contact contact@useverde.ai to execute a signed counterpart for their organization.

Effective date: This Data Processing Agreement is effective on the date it is executed by both parties, or, if incorporated by reference into the Agreement, on the effective date of the Agreement.

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other master agreement (the "Agreement") between Verde Labs, Inc., a Delaware corporation ("Verde"), and the customer entity that has entered into the Agreement ("Customer"), and governs Verde's processing of Customer Personal Data in providing the Service.

1. Definitions

For purposes of this DPA:

  • "Agreement" means the Verde Terms of Service or other master agreement between Verde and Customer governing use of the Service.
  • "Applicable Data Protection Laws" means privacy and data protection laws applicable to the parties' processing of Personal Data, including the California Consumer Privacy Act as amended ("CCPA"), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and other US state privacy laws as enacted.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Customer" means the entity that has entered into the Agreement with Verde ("you," "your").
  • "Customer Personal Data" means Personal Data Customer transfers to Verde or that Verde accesses on Customer's behalf in providing the Service.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
  • "Personal Data" means information relating to a Data Subject as defined under Applicable Data Protection Laws.
  • "Processor" / "Service Provider" means an entity that processes Personal Data on behalf of a Controller; "Service Provider" has the meaning given under the CCPA.
  • "Process" / "Processing" means any operation performed on Personal Data.
  • "Service" means the Verde service as defined in the Agreement.
  • "Sub-processor" means a third party engaged by Verde to process Customer Personal Data in providing the Service.

2. Roles and Responsibilities

2.1 Controller / Processor designation

The parties acknowledge and agree:

  • Customer is the Controller of Customer Personal Data; Verde is the Processor, acting only on Customer's documented instructions.
  • For Personal Data as to which Verde acts as a Controller — for example, Verde account registration data and billing data Verde collects to manage the customer relationship — Verde's processing is governed by the Verde Privacy Policy, not this DPA. This DPA addresses Verde's Processor role with respect to Customer Personal Data.

2.2 Customer responsibilities

Customer represents and warrants that it: has obtained all necessary consents, authorizations, and lawful bases for transferring Customer Personal Data to Verde; gives instructions that comply with Applicable Data Protection Laws; and has provided required notices to its own data subjects (employees, customers, vendors whose data may appear in Customer's QBO records).

2.3 Verde responsibilities

Verde will: process Customer Personal Data only on documented Customer instructions (subject to §10); ensure personnel are bound by confidentiality; implement the measures in Exhibit B; engage Sub-processors only as permitted in §6; assist with data-subject requests (§7); notify Customer of Personal Data Breaches (§8); delete or return Customer Personal Data on termination (§9); and make available information necessary to demonstrate compliance with this DPA.

3. Scope of Processing

3.1 Subject matter

Verde processes Customer Personal Data to provide the Service as described in the Agreement.

3.2 Duration

Processing continues for the duration of the Agreement and the post-termination retention period in §9.

3.3 Categories of Data Subjects

Customer's representatives (employees, contractors, agents authorized to access Verde); and individuals whose information appears in Customer's QuickBooks Online records (Customer's customers, vendors, suppliers, payroll-related individuals, etc.).

3.4 Categories of Personal Data

Account information (business email, names, role assignments); financial records (customer and vendor names, amounts, dates, memo text, account categorizations, and other QBO ledger data); and communications (chat messages and AI-generated responses).

3.5 Special categories

Verde does not request or intentionally process sensitive or special categories of Personal Data (such as health information, government identifiers, or biometric data). Customer agrees not to upload, sync, or otherwise make available such data through the Service, and acknowledges that any such data incidentally present in Customer's QBO records is processed only as part of providing the Service and not used for any other purpose.

4. Processing Instructions

Verde will process Customer Personal Data only: on documented instructions from Customer (including the instructions inherent in Customer's use of the Service); and as necessary to comply with Applicable Data Protection Laws (in which case Verde will notify Customer of the legal requirement before processing, unless prohibited by law). Verde will inform Customer if, in Verde's opinion, an instruction infringes Applicable Data Protection Laws.

5. Confidentiality

Verde will ensure that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations and that access is limited to personnel with a legitimate business need.

5A. Multi-Client Advisor Tier Isolation (Partner Plan)

The Partner plan permits a CPA firm or advisor user (the "Advisor") to view financial data of multiple Customer entities (each a "Managed Client") through a single Advisor account. Each Managed Client remains the controller of its own Personal Data; Verde acts as the processor for each Managed Client independently.

5A.1 Access requires explicit grant

An Advisor sees a Managed Client's data only after Verde records an explicit access grant linking the Advisor's account to the Managed Client's account. Verde establishes such grants on behalf of the Managed Client only upon the Managed Client's authorization (or upon the Advisor's authorization when the Managed Client is also a Customer of the Advisor under their separate engagement agreement). Without an active grant, the Advisor cannot view, query, or export the Managed Client's data.

5A.2 Dual-gate enforcement

Verde enforces Advisor↔Managed Client access at two independent layers: (a) an application-layer access-control helper that runs on every Advisor request and verifies the active grant; and (b) database-layer row-level security policies that independently verify the grant and tier eligibility before returning any row. Either layer alone would prevent unauthorized access; both must be satisfied for access to be granted. This defense-in-depth design is intentional and load-bearing for Partner-tier isolation.

5A.3 Automatic access closure on tier downgrade

If an Advisor's Partner subscription transitions to a non-Partner plan or is cancelled, the database-layer access policies automatically deny further data access from that Advisor account to any previously granted Managed Client, even where the underlying grant row remains in place. Access is restored only upon a subsequent Partner subscription becoming active.
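The database-layer gate described in 5A.2 and 5A.3 (and the RLS measure in Exhibit B.2) can be illustrated with a single Postgres row-level security policy. The following is an added, hypothetical example written for this page; it is not Verde's schema or code. It assumes three tables (subscriptions, advisor_grants, ledger_rows), plan values 'partner' and 'active', and that the requesting user's id is carried in a session setting app.user_id (Supabase deployments would typically use auth.uid() instead). Only the database gate (b) is shown; the application-layer helper (a) is a separate check that this example does not replace.

```sql
-- Hypothetical schema for illustration only (not Verde's actual tables).
CREATE TABLE subscriptions (
  user_id  uuid PRIMARY KEY,
  plan     text NOT NULL,            -- e.g. 'starter', 'partner'
  status   text NOT NULL             -- e.g. 'active', 'canceled'
);

CREATE TABLE advisor_grants (
  advisor_id  uuid NOT NULL,
  client_id   uuid NOT NULL,
  revoked_at  timestamptz,           -- NULL while the grant is active
  PRIMARY KEY (advisor_id, client_id)
);

CREATE TABLE ledger_rows (
  id         bigserial PRIMARY KEY,
  client_id  uuid NOT NULL,          -- the Managed Client that owns the row
  memo       text
);

-- Identity of the caller, taken from a session variable (assumption for this
-- example). NULLIF guards against an unset/reset variable casting '' to uuid.
CREATE FUNCTION current_app_user() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('app.user_id', true), '')::uuid;
$$;

-- Tier-eligibility gate: the caller must hold an unrevoked grant for the
-- target client AND an active Partner subscription. Either condition failing
-- (grant revoked, plan downgraded, subscription canceled) yields no rows,
-- even though the grant row itself may still exist (5A.3).
CREATE FUNCTION partner_access_ok(target_client uuid) RETURNS boolean
LANGUAGE sql STABLE AS $$
  SELECT EXISTS (
    SELECT 1
    FROM advisor_grants g
    JOIN subscriptions s ON s.user_id = g.advisor_id
    WHERE g.advisor_id = current_app_user()
      AND g.client_id  = target_client
      AND g.revoked_at IS NULL
      AND s.plan   = 'partner'
      AND s.status = 'active'
  );
$$;

-- FORCE makes the policy apply to the table owner too; superusers still bypass RLS.
ALTER TABLE ledger_rows ENABLE ROW LEVEL SECURITY;
ALTER TABLE ledger_rows FORCE ROW LEVEL SECURITY;

-- A Customer may read its own client-scoped rows (Exhibit B.2).
CREATE POLICY owner_read ON ledger_rows FOR SELECT
  USING (client_id = current_app_user());

-- An Advisor may read a Managed Client's rows only through the dual condition.
CREATE POLICY advisor_read ON ledger_rows FOR SELECT
  USING (partner_access_ok(client_id));

-- Constructed sample data (placeholder identifiers, not real accounts).
INSERT INTO subscriptions VALUES
  ('11111111-1111-1111-1111-111111111111', 'partner', 'active');       -- the Advisor
INSERT INTO advisor_grants (advisor_id, client_id) VALUES
  ('11111111-1111-1111-1111-111111111111',
   '22222222-2222-2222-2222-222222222222');                            -- Managed Client
INSERT INTO ledger_rows (client_id, memo) VALUES
  ('22222222-2222-2222-2222-222222222222', 'Q1 vendor invoice');

-- Act as the Advisor: grant active and Partner active, so the client's row is visible.
SET app.user_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) AS visible_rows FROM ledger_rows;

-- 5A.3: downgrade the Advisor. The grant row is untouched, but the policy
-- no longer matches, so the same query returns nothing.
UPDATE subscriptions SET plan = 'starter'
 WHERE user_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) AS visible_rows FROM ledger_rows;

-- 5A.5: restore Partner, then revoke the grant. Access is closed again.
UPDATE subscriptions SET plan = 'partner'
 WHERE user_id = '11111111-1111-1111-1111-111111111111';
UPDATE advisor_grants SET revoked_at = now()
 WHERE advisor_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) AS visible_rows FROM ledger_rows;
```

The point of the design is visible in the three SELECTs: the first returns the Managed Client's row, while the two that follow return none, once because the plan changed and once because the grant was revoked, with no application code involved in either closure. In a real deployment the subscriptions and advisor_grants tables would themselves be locked down (for example readable only through a SECURITY DEFINER policy function with a pinned search_path), and an auditor verifying 5A.2 would want to confirm both that FORCE ROW LEVEL SECURITY is set and that the application-layer helper performs the same grant and tier check independently.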

5A.4 Verde staff impersonation (operator preview)

A small number of Verde staff (currently limited to a single Verde-staff identity, with future expansion subject to written change to this DPA) may impersonate a Customer or Managed Client account for diagnostic and support purposes via an internal "operator preview" mechanism. Operator-preview sessions are logged and authenticated; they do not constitute a transfer of data to a third party and do not extend access to data outside Verde's sub-processing infrastructure listed in Exhibit A. Operator-preview is invoked only as needed to investigate Customer-raised support issues, to validate sub-processor changes, or to investigate suspected security incidents.

5A.5 Grant termination on Managed Client revocation

Either the Managed Client or the Advisor may revoke an active grant by emailing privacy@useverde.ai with the request. Verde will remove the grant within 72 hours of receiving the request. After removal, Verde retains an audit-trail record of the grant's existence and removal for the period required by §9 (Data Return and Deletion) of this DPA.

6. Sub-processors

6.1 Authorization

Customer authorizes Verde's engagement of the Sub-processors listed in Exhibit A. Verde maintains data-processing terms with each Sub-processor that impose obligations no less protective than those in this DPA.

6.2 Additional Sub-processors

Verde may engage additional Sub-processors and will: maintain a current list of Sub-processors in Exhibit A below (which is updated when changes occur); notify Customer at least 30 days in advance of any new Sub-processor by email or by updating Exhibit A; and impose data-protection obligations on each that are no less protective than this DPA.

6.3 Right of objection

Customer may object to a new Sub-processor by emailing privacy@useverde.ai within 30 days of notice. If the objection is on reasonable data-protection grounds and Verde cannot accommodate it, Customer may terminate the affected portion of the Service with a prorated refund of prepaid fees for that portion.

6.4 Liability for Sub-processors

Verde remains liable for the acts and omissions of its Sub-processors to the same extent it would be liable for performing the services directly, subject to the limitation of liability in the Agreement.

7. Data Subject Rights

7.1 Verde's assistance

Verde will assist Customer in responding to Data Subject requests (access, correction, deletion, portability, etc.) through self-serve data-export and account-deletion tools and, for requests not fulfillable through those tools, by manual assistance upon a request to privacy@useverde.ai, to which Verde will respond within 10 business days.

7.2 Direct requests to Verde

If Verde receives a request directly from a Data Subject regarding Customer Personal Data, Verde will direct the Data Subject to Customer (the Controller), notify Customer within 5 business days, and not respond substantively without Customer's instruction (except as legally required).

8. Personal Data Breach Notification

8.1 Timeline

Verde will notify Customer without undue delay and, where feasible, within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 Content

To the extent known at the time, the notification will describe: the nature of the breach (categories and approximate numbers of Data Subjects and records affected); the likely consequences; the measures Verde has taken or proposes to take to address and mitigate it; and a point of contact. Where full information is not available within the notification window, Verde will provide it in phases as it becomes available.

8.3 Cooperation

Verde will cooperate with Customer's breach response, including assisting with regulatory notifications and Data Subject communications where Verde's involvement is necessary.

9. Data Return and Deletion

9.1 During the Agreement

At Customer's request, Verde will provide a machine-readable export of Customer Personal Data.

9.2 Upon termination

Within 90 days of termination of the Agreement: Customer may request export of Customer Personal Data; and Verde will delete Customer Personal Data from production systems. Backup copies (Point-in-Time Recovery) are retained for 7 days after deletion from production and then purged automatically.

9.3 Certified deletion

Upon written request, Verde will provide Customer a certificate confirming deletion of Customer Personal Data.

9.4 Legal hold exception

Verde may retain Customer Personal Data after termination to the extent required by law (for example, billing records retained for tax compliance) or in connection with an active legal hold.

10. International Data Transfers

10.1 Current scope

At the effective date of this DPA, Verde processes Customer Personal Data only within the United States; the Sub-processors listed in Exhibit A are US-based; and no international transfer mechanism is required.

10.2 Future transfers

If Verde expands to process Customer Personal Data outside the United States, or if Customer becomes subject to international transfer requirements (such as GDPR or UK GDPR), the parties will execute appropriate transfer mechanisms upon request, which may include the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful mechanisms applicable at the time.

11. CCPA Service Provider Designation

To the extent the CCPA applies to processing of Customer Personal Data: Verde acts as a "Service Provider"; Verde will process Customer Personal Data only for the business purposes set forth in the Agreement and this DPA; Verde will not "sell" or "share" Customer Personal Data as those terms are defined under the CCPA; Verde will not retain, use, or disclose Customer Personal Data for any commercial purpose other than providing the Service to Customer; and Verde will not combine Customer Personal Data with personal information from other sources for purposes prohibited by the CCPA. Verde certifies that it understands and will comply with these restrictions.

12. Audit Rights

12.1 Audit scope

Customer may audit Verde's compliance with this DPA, subject to the following: frequency of once per twelve-month period (more frequently if a material breach has been identified); at least 30 days' written notice; conducted during Verde's normal business hours; at Customer's expense, unless the audit reveals a material breach by Verde, in which case Verde reimburses reasonable audit costs; subject to confidentiality; conducted by a qualified independent auditor; respecting other customers' confidentiality; and not unreasonably disrupting Verde's operations.

12.2 Audit reports in lieu of audit

Verde may satisfy an audit request by providing relevant third-party audit reports (such as SOC 2 Type II) when available.

13. Liability

The liability of each party under this DPA is subject to the limitations of liability set forth in the Agreement.

14. Term

This DPA is effective on its effective date and continues until the Agreement is terminated and Verde's data return and deletion obligations under §9 have been satisfied.

15. Conflict

In the event of a conflict between this DPA and the Agreement on data-protection matters, this DPA controls. On all other matters, the Agreement controls.

16. Governing Law

This DPA is governed by the laws of the State of Delaware, without regard to its conflict-of-laws principles.

Exhibit A — Authorized Sub-processors

Sub-processor | Role | Data Categories | Location
Supabase Inc. | Database, authentication, file storage | All Customer Personal Data | AWS US-East-1
Intuit Inc. (QuickBooks Online) | Source-of-truth financial data | QBO-resident Customer financial records (via OAuth) | United States
Stripe Inc. | Payment processing | Email, billing address (held by Stripe; not stored by Verde) | United States (with Stripe sub-processors for card-network processing)
Anthropic PBC | AI inference | Chat messages, financial context, customer/vendor names from QBO | United States (commercial API terms — no model training on commercial customer data)
Vercel Inc. | Application hosting, CDN | HTTP request metadata (no Customer Personal Data at edge cache for auth-gated routes) | US application origin; global CDN for static assets
Resend | Transactional email | Customer email addresses, transactional email content | United States
Slack Technologies (when Customer enables Slack integration) | Financial briefing delivery | Briefing content and financial figures sent to Customer's Slack workspace | United States (or per Customer's Slack workspace data residency)
Google LLC (when Customer uses Google OAuth sign-in) | Identity provider | Email verification only | United States

Exhibit B — Technical and Organizational Measures

Verde implements the following measures to protect Customer Personal Data.

B.1 Encryption

  • In transit: TLS 1.2 or higher on all Verde endpoints (enforced by Vercel).
  • At rest: AES-256 encryption on all stored data (Supabase / AWS).
  • Field-level: AES-256-GCM application-layer encryption on QBO OAuth access and refresh tokens (defense in depth, in addition to at-rest encryption).

B.2 Access controls

  • Row-Level Security: all tables containing Customer Personal Data are RLS-enforced in Postgres; authenticated users can read only their own client-scoped data.
  • Service-role isolation: sensitive tables (OAuth tokens, payment events, internal logs) are accessible only via Verde's server-side service-role connection, not by any authenticated user.
  • Multi-factor authentication: available to all users via Supabase Auth.
  • Operator role: Verde-internal access to Customer data is restricted to authorized operator-role personnel with operational need and is audited.
  • Operator client-switcher: when operators access Customer data for support, the active client is set via a signed cookie and validated server-side on each request.

B.3 Network and infrastructure security

  • Hosting: Vercel (SOC 2 Type II compliant).
  • Database: Supabase (SOC 2 Type II compliant).
  • HTTPS-only with HSTS enforced.
  • OAuth state validation: cryptographic state tokens with timestamp expiry on OAuth flows.

B.4 Application security

  • Authentication: Supabase Auth with bcrypt password hashing (Verde never sees plaintext passwords).
  • Subscription gating: paid API routes gated by a subscription-status check.
  • Input validation: schema validation on API endpoints.
  • CSRF protection: same-origin enforcement on state-changing endpoints.
  • Webhook signature verification: payment webhook events verified via signature before processing.

B.5 Monitoring and incident response

  • Application logs: request metadata (no Customer Personal Data in URLs or query strings for auth-gated routes).
  • Audit logging: change-tracking columns on tables holding sensitive data.
  • Error tracking: production error logging.
  • Incident response: breach notification to affected Customers without undue delay and, where feasible, within 72 hours.

B.6 Personnel

  • Access limitation: access to production Customer Personal Data is limited to authorized personnel on a least-privilege basis.
  • Confidentiality: all personnel with access to Customer Personal Data are bound by written confidentiality obligations.
  • Training: data-handling and security training at onboarding and annually thereafter.

B.7 Data lifecycle

  • Backup retention: Point-in-Time Recovery with a 7-day rolling window.
  • Production data retention: 90 days post-Customer termination, then deletion.
  • Sub-processor obligations: each Sub-processor is contractually bound to data-protection obligations consistent with this DPA.

Execution

To execute a counterpart of this DPA for your organization, contact contact@useverde.ai.

Verde Labs, Inc.

By: ____________________________

Name:

Title:

Date:

Customer

By: ____________________________

Name:

Title:

Date: