Last updated: January 1, 2026 · To print this document, use your browser's print function (Ctrl+P / Cmd+P).
1. Purpose
This Data Processing Agreement ("DPA") governs how Digital Business Partners ("DBP," "Processor") processes personal and financial data on behalf of the Client ("Controller") in connection with the delivery of CFO Services. This DPA is incorporated into and forms part of the Service Agreement.
2. Data Processed
DBP processes the following categories of data on behalf of the Client:
- Financial transaction data (income, expenses, payroll, accounts receivable/payable)
- Business entity information (company name, EIN/tax identifiers, bank account references)
- Contact information of Client's authorized representatives (name, email, phone)
- Employee payroll records (when applicable to financial reporting)
DBP does not process personal data of the Client's end customers unless expressly required for a specific deliverable and agreed in writing.
3. Processing Instructions
DBP processes data solely on documented instructions from the Client โ specifically, for the purpose of generating financial reports, dashboards, and analysis as agreed in the Service Agreement. DBP will not process Client data for any other purpose, including marketing, profiling, or sale to third parties.
4. Data Security
DBP implements appropriate technical and organizational measures to protect Client data, including:
- Encrypted connections (TLS 1.2+) for all data in transit
- Access controls limiting data access to authorized DBP personnel only
- Read-only accounting system access โ no write permissions
- Regular access reviews and revocation upon project completion
5. Sub-processors
DBP may engage the following sub-processors: ZOHO Corporation (ZOHO Books, ZOHO Subscriptions, ZOHO Analytics) for platform infrastructure and data hosting. DBP ensures all sub-processors maintain equivalent data protection standards. The Client will be notified of any changes to sub-processors with 14 days' advance notice.
6. Data Retention & Deletion
DBP retains Client data for the duration of the active subscription plus twelve (12) months, to support any retrospective analysis or disputes. Upon the Client's written request, DBP will delete or return all Client data within thirty (30) days of subscription termination.
7. Cross-Border Transfers
Client data may be processed in the United States and, in the case of ZOHO sub-processors, in ZOHO's designated data centers. Where data originates from the EU/EEA or UK, DBP ensures adequate safeguards are in place consistent with GDPR Chapter V requirements.
8. Data Subject Rights
To the extent DBP processes personal data subject to GDPR, CCPA, or equivalent laws, DBP will assist the Client in fulfilling data subject requests (access, correction, deletion) within reasonable timelines. Requests should be directed to care@dbpgrowth.com.
9. Breach Notification
In the event of a confirmed data breach affecting Client data, DBP will notify the Client within seventy-two (72) hours of discovery, providing a description of the breach, data affected, and remediation steps taken.