Data Processing Addendum
Last updated: 24 May 2026 · Effective: 24 May 2026
This DPA is incorporated by reference into the Terms of Service.
Who needs this? If your organisation processes personal data of EU or UK residents, you may require a formal DPA to comply with GDPR. NZ customers processing data under the NZ Privacy Act 2020 are also covered by this addendum. For enterprise DPA requests with custom terms, email support@centriweb.com.
1. Parties
This Data Processing Addendum ("DPA") is entered into between:
Data Controller: The customer entity that has accepted Owner CFO's Terms of Service ("Customer", "Controller").
Data Processor: Owner CFO Ltd, a company registered in New Zealand ("Owner CFO", "Processor").
By using the Service, Customer agrees to this DPA in addition to the Terms of Service.
2. Definitions
"Personal Data" has the meaning given in applicable privacy law (GDPR Article 4(1), NZ Privacy Act 2020, AU Privacy Act 1988).
"Processing" means any operation performed on Personal Data, including storage, retrieval, use, and transmission.
"Subprocessor" means a third party engaged by Owner CFO to process Personal Data in connection with the Service.
"Security Incident" means any unauthorised access, use, disclosure, alteration, or destruction of Personal Data.
3. Processing Details
Subject matter: Provision of financial management software services.
Duration: For the term of the Customer's subscription plus any retention periods required by law.
Nature and purpose: Storage, organisation, categorisation, and reporting of financial transaction data; user authentication; AI-assisted categorisation and OCR of financial documents.
Categories of data subjects: The Customer's authorised users (owner, shareholders, accountants); business contacts referenced in transaction data.
Categories of Personal Data: Name, email, business name, financial transaction records, receipt images, IRD number/ABN, bank account names.
4. Processor Obligations
Owner CFO shall:
- Process Personal Data only on documented instructions from the Customer (these Terms constitute such instructions).
- Ensure that personnel with access to Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (detailed on the Security page).
- Not engage new Subprocessors without providing prior notice to the Customer.
- Assist the Customer with data subject rights requests (access, deletion, portability, correction) within the timeframes required by applicable law.
- Notify the Customer of a Security Incident within 72 hours of becoming aware.
- Delete or return Personal Data at the Customer's request, subject to any legal retention obligations.
5. Subprocessors
The current list of Subprocessors is published on our Trust Center. We will provide 14 days' advance notice of any new Subprocessors by email. If a Customer objects to a new Subprocessor, they may terminate the Service without penalty within 30 days of the notice.
6. International Transfers
Customer Data is primarily stored in Supabase's ap-northeast-1 (Tokyo) region. AI features result in transient transfers to US-based providers (OpenRouter, DeepSeek, Qwen). These transfers are governed by the Subprocessors' own DPAs with Owner CFO.
For EU/UK customers, these transfers rely on Standard Contractual Clauses (SCCs) where required. Contact us at support@centriweb.com for a copy of applicable SCCs.
7. Security
Owner CFO implements the following security measures, detailed on the Security page: TLS 1.3 in transit, AES-256 at rest, Row-Level Security (RLS) on all database tables, MFA availability, audit logging for critical operations.
8. Audit Rights
Customers may request audit information to verify Owner CFO's compliance with this DPA by emailing support@centriweb.com. We will provide relevant documentation within 30 days, subject to reasonable confidentiality constraints. Once we hold formal SOC 2 reports, these will satisfy audit requests.
9. Governing Law
This DPA is governed by New Zealand law, consistent with the main Terms of Service.
10. Contact
Data protection enquiries: privacy@ownercfo.com
Enterprise DPA requests: support@centriweb.com