Data Processing Addendum
1. Parties & roles
- Subscriber: the CPA firm subscribing to the Service. Acts as Controller of end-client personal data.
- I-Taxplan / AI-TaxPlan: the Service provider. Acts as Processor on behalf of the Subscriber.
2. Subject matter & duration
I-Taxplan processes Subscriber's end-client personal data solely to provide the Service for the duration of the active subscription, plus the retention period defined in the Privacy Policy.
3. Categories of data & data subjects
Data subjects: end-clients of the Subscriber CPA firm, including individual taxpayers and beneficial owners of business entities. Categories: identifying information (name, address, contact), financial data (income, deductions, balances), tax identifiers (SSN, EIN, PTIN), and any data contained in tax returns and supporting documents Subscriber uploads.
4. Processor obligations
- Process personal data only on Subscriber's documented instructions, including via Subscriber's use of the Service.
- Ensure persons authorised to process the personal data have committed to confidentiality.
- Implement appropriate technical and organisational measures (encryption at rest and in transit, access controls, least privilege, audit logging, multi-tenant isolation).
- Engage sub-processors only with Subscriber's general written authorisation and notify Subscriber of additions or replacements.
- Assist Subscriber, as far as possible, in fulfilling its obligations to respond to data-subject requests.
- Assist Subscriber in ensuring compliance with security and breach-notification obligations.
- Make available all information necessary to demonstrate compliance and allow for and contribute to audits, conducted by Subscriber or another auditor mandated by Subscriber, with reasonable notice.
- At Subscriber's choice, return or delete all personal data after the end of provision of the Service, subject to legal retention requirements.
5. Sub-processors (current list)
- Cloudflare, Inc. (US) — hosting, storage, DNS
- Anthropic, PBC (US) — AI model inference; under Anthropic's API terms, prompts/outputs are not used to train Anthropic models
- Resend (US) — transactional email
- Stripe, Inc. (US) — payment processing (when activated)
- Google LLC / Apple Inc. — only when Subscriber's user opts to sign in via OAuth
6. Security measures
- Encryption in transit (TLS 1.2+) and at rest (Cloudflare-default encryption on D1 and R2).
- Password hashing with PBKDF2 (200,000 iterations, SHA-256).
- Optional TOTP-based 2FA.
- Multi-tenant isolation via firm-scoped queries on every database call.
- Comprehensive audit logging (7-year retention) of all data access.
- Rate limits and quota enforcement.
- Quarterly access reviews; incident response procedures.
7. International transfers
All processing occurs in the United States. Where required, the parties incorporate the relevant Standard Contractual Clauses (SCCs) issued by the European Commission for cross-border transfers.
8. Breach notification
I-Taxplan will notify Subscriber without undue delay (and within 72 hours where feasible) after becoming aware of a personal data breach affecting Subscriber's data, providing the information necessary to meet Subscriber's regulatory obligations.
9. Liability & indemnification
Liability under this DPA is governed by the limitations set out in the Terms of Service.
10. Term & termination
This DPA is effective on Subscriber's acceptance of the Terms of Service and remains in force for the duration of the Service plus any retention period.
11. Order of precedence
In the event of conflict between this DPA and the Terms of Service, this DPA prevails for matters relating to processing of personal data.
12. Contact
renato@i-taxplan.com · I-Taxplan, Miami, FL