Data Processing Agreement
Effective: [EFFECTIVE_DATE]
This Data Processing Agreement ("DPA") forms part of the Forecastle Terms of Service between [LEGAL_NAME] ("Processor", "Forecastle") and the Customer ("Controller"). It applies to Forecastle's processing of Personal Data on Customer's behalf in connection with the Service.
This DPA is provided to satisfy Article 28 of the EU General Data Protection Regulation (GDPR), the UK GDPR, and equivalent obligations under the California Consumer Privacy Act (CCPA / CPRA), the Personal Information Protection and Electronic Documents Act (PIPEDA, Canada), and Quebec Law 25.
By executing the Terms of Service or otherwise activating a paid subscription, Customer is deemed to have entered into this DPA. A counter-signed copy is available on request to privacy@forecastle.app.
1. Definitions
Terms used here have the meanings given in the GDPR. "Personal Data" and "Processing" are interpreted in the broadest sense.
2. Roles
- Customer is the Controller of Personal Data submitted to the Service (including end-user contact details and financial data identifying or relating to individuals).
- Forecastle is the Processor of that data.
- Forecastle is a Controller in its own right for account, billing, and support information about Customer's administrators (see Privacy Policy §1).
3. Subject matter, duration, nature, and purpose
- Subject matter: Personal Data submitted to or generated by the Service.
- Duration: for the term of the subscription, plus the retention periods described in §10 below.
- Nature: storage, organization, structuring, retrieval, transmission, and analytical computation as needed to deliver the Service.
- Purpose: delivery of financial planning & analysis functionality as described in the Forecastle Terms of Service.
4. Categories of data subjects
- Customer's administrators, employees, and contractors who use the Service
- Individuals identified in financial records Customer loads or syncs (e.g. employee names in headcount plans)
- Any other individuals Customer chooses to include in Customer Data
5. Categories of Personal Data
- Identification data (name, email, role, department)
- Authentication data (hashed password, session tokens)
- Compensation data, when included in headcount plans
- Activity data within the Service (audit log)
- Technical data (IP address, user agent, request logs)
Forecastle does not request or require special categories of Personal Data (Article 9 GDPR) and Customer should not load such data into the Service.
6. Processor obligations
Forecastle will:
- Process Personal Data only on documented instructions from Customer, including those set out in the Terms of Service, this DPA, and any subsequent written instructions.
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational measures, as described in our Security Whitepaper at getforecastle.com/security/whitepaper.pdf and summarized in Annex II of this DPA.
- Assist Customer in responding to data-subject rights requests (access, rectification, erasure, portability, restriction, objection) as described in §8.
- Notify Customer without undue delay of any confirmed Personal Data breach, in line with the 24/72-hour commitments in the SLA.
- Make available to Customer the information necessary to demonstrate compliance with Article 28 GDPR and allow for audits per §11.
- Return or delete Personal Data at the end of the relationship per §10.
7. Subprocessors
Customer authorizes Forecastle to engage the subprocessors listed at getforecastle.com/security/subprocessors. Forecastle will:
- Maintain that page as the live list of authorized subprocessors.
- Notify Customer at least 30 days before adding a new subprocessor that processes Personal Data, via email to the workspace owner.
- Honor objections: if Customer reasonably objects to a new subprocessor within 30 days of notice, Customer may terminate the affected subscription on a pro-rated refund basis.
- Impose data-protection obligations on each subprocessor substantially equivalent to those in this DPA.
8. Data-subject rights
To the extent legally permitted, Customer will direct data-subject rights requests through the Service (where the request can be fulfilled by Customer using product functionality) or to privacy@forecastle.app. Forecastle will provide reasonable assistance to Customer at no additional cost for requests within the scope of this DPA, responding within 30 days.
9. International transfers
Forecastle is operated from Canada. Primary infrastructure is in the United States (Render, us-east). EU-region hosting is available on Advanced and above.
For transfers of Personal Data from the EEA, UK, or Switzerland to jurisdictions without an adequacy decision, the parties agree to the EU Commission Standard Contractual Clauses (SCCs) Module 2 (Controller-to-Processor), incorporated by reference. Annex I and Annex II of this DPA serve as Annex I and Annex II of the SCCs.
For UK-originating data, the parties also agree to the UK International Data Transfer Addendum (Information Commissioner's Office Version B1.0). For Swiss-originating data, the parties agree to apply the SCCs as if the Swiss Federal Act on Data Protection were the GDPR.
10. Retention and deletion
Forecastle retains Personal Data only as long as needed to deliver the Service. Standard retention:
- During active subscription: as required for the Service.
- After cancellation: 30 days frozen state, then deletion from production. Backups containing Customer data age out within 90 days.
Written confirmation of deletion is available on request.
Backup retention is necessary for business continuity and disaster recovery; backups are encrypted and access-controlled, are not used operationally, and roll off on the schedule above.
11. Audit rights
Forecastle will provide Customer with the information reasonably necessary to demonstrate compliance with this DPA, including:
- The Security Whitepaper
- The Service Level Agreement
- The live subprocessor list
- Annual penetration test summary letters (under NDA)
- SOC 2 attestation reports (once available)
On reasonable written notice and no more than once annually, Customer may conduct an audit either: (i) by reviewing the documentation listed above; or (ii) where (i) is insufficient and Customer is a large or regulated organization, by conducting an on-site audit at Customer's expense, subject to confidentiality and scheduling agreed in advance. Audits triggered by a confirmed Personal Data breach are not subject to the annual cap.
12. Liability
Liability for breach of this DPA is governed by the limitation of liability provisions in the Forecastle Terms of Service.
13. Term and termination
This DPA enters into force when both parties have agreed to it (or when the subscription becomes active, whichever is first) and continues for as long as Forecastle processes Personal Data on Customer's behalf. Sections that by their nature should survive termination (including 6.4, 6.5, 10, 11, 12, and the SCCs) survive.
14. Conflict
If there is a conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to the Processing of Personal Data. The SCCs prevail over both for matters within their scope.
Annex I — Description of the processing
- Categories of data subjects: §4 above
- Categories of personal data: §5 above
- Sensitive data: not requested or required
- Frequency: continuous
- Nature of processing: §3 above
- Purpose: §3 above
- Retention: §10 above
- Subprocessors: live list at the URL in §7
Annex II — Technical and organizational measures
A complete description of the technical and organizational measures is published in the Forecastle Security Whitepaper at getforecastle.com/security/whitepaper.pdf. Summary:
- Pseudonymization and encryption: TLS 1.2+ in transit; AES-256 at rest; OAuth tokens encrypted with a separate application-layer key; bcrypt password hashing.
- Confidentiality, integrity, availability, and resilience: schema-per-tenant isolation; full audit trail on every mutation; managed Postgres with point-in-time recovery; hot-standby replication; quarterly restore drills.
- Restoration in the event of incident: 4-hour RTO, 1-minute RPO; documented incident response with 24/72/14-day customer communication commitment.
- Testing: annual third-party penetration test; CI test suite pinning security-relevant invariants.
- User authentication and access: bcrypt password hashing; optional SAML SSO on Advanced and above; SCIM on Multi-Entity; session expiry; rate-limited login.
- Personnel: production database access restricted to the founder; mandatory MFA on commit-authoring accounts.
Signed for [LEGAL_NAME] (Processor):
Name: ________
Title: Director
Date: ________
Signature: ________
Signed for Customer (Controller):
Name: ________
Title: ________
Date: ________
Signature: ________