Data Processing Addendum
Last Updated: September 30, 2025
Quick Summary: This Data Processing Addendum (DPA) governs how Found Opportunity processes personal data on your behalf, ensuring compliance with GDPR, CCPA, and other data protection laws. It defines our roles, responsibilities, and security measures.
1. Introduction and Scope
1.1 Purpose
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer," "Data Controller," or "you") and Found Opportunity ("Processor," "we," "us," or "our"). This DPA applies to the extent that we process Personal Data on your behalf in providing the Service.
1.2 Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, CCPA, and other applicable laws
- "GDPR" means the EU General Data Protection Regulation 2016/679
- "CCPA" means the California Consumer Privacy Act
- "Data Subject" means the individual to whom Personal Data relates
- "Processing" means any operation performed on Personal Data, including collection, storage, analysis, and deletion
- "Sub-processor" means any third party engaged by Found Opportunity to process Personal Data
1.3 Hierarchy
In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to data processing matters.
2. Roles and Responsibilities
2.1 Controller and Processor
The parties acknowledge and agree that:
- Customer is the Data Controller of Personal Data contained in emails and user account information
- Found Opportunity is the Data Processor acting on Customer's behalf
- Found Opportunity will process Personal Data only in accordance with Customer's documented instructions and this DPA
2.2 Customer Responsibilities
Customer warrants and represents that:
- It has all necessary rights and consents to provide Personal Data to Found Opportunity for processing
- It has provided all required notices to Data Subjects regarding the processing activities
- It complies with all applicable Data Protection Laws in its use of the Service
- It has authorization to connect email accounts containing Personal Data
- It will respond to Data Subject requests in accordance with applicable laws
2.3 Processor Responsibilities
Found Opportunity will:
- Process Personal Data only on documented instructions from Customer
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational measures to ensure data security
- Assist Customer in responding to Data Subject requests
- Assist Customer in ensuring compliance with Data Protection Laws
- Delete or return Personal Data upon termination of services
- Make available all information necessary to demonstrate compliance
3. Details of Processing
3.1 Nature and Purpose
Found Opportunity processes Personal Data to provide email analysis and opportunity detection services as described in the Terms of Service.
3.2 Types of Personal Data
| Category | Data Types |
|---|---|
| Account Data | Name, email address, firm name, phone number |
| Email Content | Email subject lines, body text, sender/recipient information, timestamps |
| Opportunity Data | Extracted business opportunities, contact information, property details, financial information |
| Usage Data | Login timestamps, feature usage, interaction patterns |
| Technical Data | IP addresses, browser information, device identifiers |
3.3 Categories of Data Subjects
- Customer's email contacts (senders and recipients)
- Potential business partners and clients
- Property owners and buyers
- Real estate professionals
- Customer's employees and authorized users
3.4 Processing Activities
- Collection of email data via OAuth and IMAP connections
- Analysis of email content using artificial intelligence
- Extraction and categorization of business opportunities
- Storage of opportunity data in secure databases
- Presentation of opportunities through dashboard interface
- Notification delivery via email
3.5 Processing Location
Personal Data is processed primarily in the United States. Customer authorizes such processing and any necessary international data transfers.
3.6 Retention Period
- Email Content: Processed in real-time, not permanently stored
- Opportunity Data: Retained until Customer deletes or account termination
- Account Data: Retained during active subscription
- Deleted Data: Permanently removed within 30 days of deletion request
4. Sub-processors
4.1 Authorization to Use Sub-processors
Customer authorizes Found Opportunity to engage Sub-processors to assist in providing the Service. Found Opportunity maintains a list of current Sub-processors below.
4.2 Current Sub-processors
| Sub-processor | Service Provided | Location |
|---|---|---|
| Anthropic (Claude AI) | Email content analysis and opportunity detection | United States |
| OpenAI (ChatGPT) | Supplemental email analysis | United States |
| DigitalOcean | Cloud infrastructure and data storage | United States |
| Gmail OAuth authentication and email access | United States | |
| Microsoft | Outlook OAuth authentication and email access | United States |
4.3 Sub-processor Obligations
Found Opportunity will:
- Impose data protection obligations on Sub-processors that are materially similar to this DPA
- Remain liable for Sub-processor acts and omissions
- Conduct appropriate due diligence before engaging Sub-processors
- Provide 30 days notice before adding or replacing Sub-processors
4.4 Objection to Sub-processors
Customer may object to a new Sub-processor on reasonable data protection grounds within 30 days of notice. If Customer objects and no resolution is reached, Customer may terminate the affected services without penalty.
5. Security Measures
5.1 Technical and Organizational Measures
Found Opportunity implements appropriate technical and organizational measures to protect Personal Data, including:
5.1.1 Access Controls
- Multi-factor authentication for administrative access
- Role-based access control with principle of least privilege
- Individual user accounts with unique credentials
- Regular access reviews and revocation procedures
5.1.2 Encryption
- TLS 1.2+ encryption for data in transit
- AES-256 encryption for data at rest
- Encrypted database storage
- Secure OAuth token storage (never storing passwords)
5.1.3 Network Security
- Firewall protection and network segmentation
- Intrusion detection and prevention systems
- Regular security patches and updates
- Distributed denial-of-service (DDoS) protection
5.1.4 Application Security
- Secure development practices and code reviews
- Regular vulnerability scanning and penetration testing
- Input validation and output encoding
- Protection against common vulnerabilities (OWASP Top 10)
5.1.5 Operational Security
- Security awareness training for personnel
- Incident response and business continuity plans
- Regular data backups with encryption
- Logging and monitoring of security events
5.2 Security Audits
Found Opportunity conducts regular security assessments and will make summaries available to Customer upon reasonable request, subject to confidentiality restrictions.
6. Data Subject Rights
6.1 Assistance with Data Subject Requests
Found Opportunity will provide reasonable assistance to Customer in responding to Data Subject requests for:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing
6.2 Request Handling
If Found Opportunity receives a Data Subject request directly, we will:
- Promptly notify Customer of the request
- Not respond to the request without Customer's authorization
- Assist Customer in responding as reasonably requested
6.3 Customer Self-Service Tools
Customer can facilitate Data Subject rights through the Service dashboard:
- View and export opportunity data
- Delete individual opportunities or all data
- Disconnect email accounts to stop processing
- Close account to delete all Personal Data
7. Data Breach Notification
7.1 Notification Obligation
In the event of a Personal Data breach, Found Opportunity will:
- Notify Customer without undue delay, and in any event within 72 hours of becoming aware
- Provide sufficient information to allow Customer to meet its own breach notification obligations
- Cooperate with Customer in investigating and mitigating the breach
7.2 Breach Information
Notification will include, to the extent known:
- Nature of the breach, including categories and approximate number of Data Subjects and records affected
- Name and contact details of the data protection officer or other contact point
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate potential adverse effects
7.3 Investigation and Remediation
Found Opportunity will:
- Promptly investigate the breach
- Take reasonable steps to remediate the cause
- Document the breach and response actions
- Implement measures to prevent recurrence
8. Data Protection Impact Assessment
8.1 Assistance Obligation
Upon Customer's request, Found Opportunity will provide reasonable assistance in conducting Data Protection Impact Assessments (DPIAs) where required by Data Protection Laws.
8.2 Prior Consultation
Found Opportunity will assist Customer in consultations with supervisory authorities where a DPIA indicates high risk and Customer must consult before processing.
9. Deletion and Return of Data
9.1 Upon Termination
Upon termination of services, Found Opportunity will, at Customer's choice:
- Delete all Personal Data within 30 days, or
- Return Personal Data in a commonly used electronic format, then delete all copies
9.2 Exceptions
Found Opportunity may retain Personal Data to the extent required by applicable law, provided such data remains subject to confidentiality obligations and is only used for the purposes required by law.
9.3 Deletion Certification
Upon Customer's request, Found Opportunity will provide written certification of data deletion.
10. Audits and Compliance
10.1 Audit Rights
Customer may, upon reasonable notice and no more than once per year, audit Found Opportunity's compliance with this DPA. Audits must:
- Be conducted during business hours
- Not interfere with Found Opportunity's operations
- Be subject to reasonable confidentiality obligations
- Be at Customer's expense
10.2 Alternative Compliance Verification
In lieu of an on-site audit, Customer may request and Found Opportunity will provide:
- Summary audit reports or certifications
- Security questionnaire responses
- Third-party attestations or certifications
11. International Data Transfers
11.1 Transfer Mechanisms
For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without adequate data protection laws, the parties rely on:
- Standard Contractual Clauses approved by the European Commission
- Other legally recognized transfer mechanisms as they become available
11.2 Standard Contractual Clauses
To the extent applicable, the Standard Contractual Clauses are incorporated into this DPA by reference. In case of conflict, the Standard Contractual Clauses prevail.
11.3 Additional Safeguards
Found Opportunity implements supplementary measures to ensure adequate protection for transferred data, including:
- Encryption of data in transit and at rest
- Strict access controls and authentication
- Contractual protections with Sub-processors
- Regular security assessments
12. California Privacy Rights
12.1 CCPA Compliance
For Personal Information subject to the CCPA, Found Opportunity certifies that it:
- Processes Personal Information only as a Service Provider on Customer's behalf
- Does not sell Personal Information
- Does not retain, use, or disclose Personal Information except as necessary to perform services
- Does not combine Personal Information with information from other sources
12.2 Consumer Rights
Found Opportunity will assist Customer in responding to CCPA consumer rights requests, including:
- Right to know what Personal Information is collected
- Right to delete Personal Information
- Right to opt-out of sale (not applicable as we don't sell)
- Right to non-discrimination
13. Term and Termination
13.1 Term
This DPA remains in effect for the duration of the Terms of Service and any period during which Found Opportunity processes Personal Data on Customer's behalf.
13.2 Survival
Provisions regarding data deletion, confidentiality, liability, and audit rights survive termination as necessary to fulfill their purposes.
14. Liability and Indemnification
14.1 Liability Allocation
Each party is liable for damages it causes by breaching this DPA. Liability is subject to the limitations set forth in the Terms of Service.
14.2 Indemnification
Found Opportunity will indemnify Customer against third-party claims arising from Found Opportunity's breach of this DPA, subject to:
- Customer promptly notifying Found Opportunity of the claim
- Found Opportunity having sole control of defense and settlement
- Customer providing reasonable assistance in defense
15. General Provisions
15.1 Amendments
Found Opportunity may update this DPA to reflect changes in Data Protection Laws, provided updates do not materially reduce Customer's data protection rights. Material changes require 30 days notice.
15.2 Severability
If any provision is held invalid, the parties will replace it with a valid provision that reflects the original intent.
15.3 Conflicts
In case of conflict between this DPA and:
- Standard Contractual Clauses: SCCs prevail
- Data Protection Laws: Laws prevail
- Terms of Service: This DPA prevails on data processing matters
15.4 Governing Law
This DPA is governed by the same law as the Terms of Service, except where Data Protection Laws require otherwise.
16. Contact Information
For questions or concerns regarding this DPA or data processing practices:
- Data Protection Contact: privacy@foundopportunity.com
- Found Opportunity
- Address: PO Box 727, Wainscott, NY 11975
- Website: www.foundopportunity.com
By using Found Opportunity's services, Customer agrees to the terms of this Data Processing Addendum.