Data Processing Addendum
Last updated: February 24, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between Toolkit, Inc. ("Toolkit", "Processor", "We", "Us", or "Our") and the entity agreeing to the Agreement ("Customer", "Controller", "You", or "Your").
This DPA applies to the extent that Toolkit processes Customer Data (as defined below) on behalf of Customer in connection with the Service.
1. Definitions
- "Customer Data" means any data that Customer uploads to, imports into, connects to, or otherwise makes available through the Service, including data from enterprise resource planning (ERP) systems, customer relationship management (CRM) systems, general ledger and accounting systems, human resource information systems (HRIS), and any other documents or data sources connected by Customer.
- "Personal Data" means any Customer Data that relates to an identified or identifiable natural person, processed by Toolkit on behalf of Customer.
- "Sub-processor" means any third party engaged by Toolkit to process Customer Data.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing of personal data, including the California Consumer Privacy Act (CCPA) and, where applicable, the General Data Protection Regulation (GDPR).
- "Security Incident" means any unauthorized access to, or acquisition, use, or disclosure of Customer Data.
2. Scope and Roles
Customer is the Controller of Customer Data. Toolkit is the Processor, processing Customer Data solely on behalf of Customer and in accordance with Customer's documented instructions as set forth in the Agreement and this DPA.
Toolkit shall not process Customer Data for any purpose other than providing the Service, unless required by applicable law. If such a legal requirement arises, Toolkit will inform Customer before processing, unless prohibited by law.
3. Customer Data Processing
3.1 Categories of Data
Customer Data processed under this DPA may include:
- Data imported from connected ERP, CRM, general ledger, HRIS, and other business systems
- Financial records, reports, budgets, and forecasts
- Spreadsheets, documents, and files uploaded by Customer
- Any metadata associated with the above
3.2 Processing Activities
Toolkit processes Customer Data to:
- Consolidate data from Customer's connected data sources
- Generate reports, financial statements, and analytical outputs
- Perform AI-powered analysis and task execution, including variance analysis and drill-down
- Store and retrieve Customer Data as part of normal Service operation
4. Security Measures
Toolkit implements and maintains appropriate technical and organizational measures to protect Customer Data, including:
4.1 Encryption
- Data at rest: AES-256 encryption for all Customer Data stored in databases and file storage
- Data in transit: TLS 1.2 or higher for all data transmitted between Customer and the Service, and between internal Service components
4.2 Access Controls
- Role-based access controls enforced across all systems
- Multi-factor authentication required for all personnel accessing production systems
- Annual access reviews to verify appropriateness of access privileges
- Principle of least privilege applied to all system access
4.3 Infrastructure
- Service hosted on Google Cloud Platform (GCP), which maintains independent SOC 2 Type II certification
- Network segmentation and firewall controls via Google Cloud Armor
- Continuous monitoring and logging of system activity
5. Use of AI Services
Toolkit uses third-party AI services to provide analytical and modeling features within the Service. The following safeguards apply:
- Customer Data sent to AI providers is used solely for generating responses within the Service and is not used for model training
- AI providers are contractually bound to zero data retention
- AI providers are listed as Sub-processors in Section 7 of this DPA
6. Security Incident Notification
In the event of a Security Incident affecting Customer Data, Toolkit will:
- Notify affected Customers within 48 hours of confirming the incident
- Provide details of the nature of the incident, categories of data affected, and measures taken or proposed to address the incident
- Cooperate with Customer in investigating and remediating the incident
- Maintain an incident response plan that is reviewed and tested annually
7. Sub-processors
Customer authorizes Toolkit to engage the following Sub-processors to assist in providing the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure, compute, and database hosting | United States |
| Anthropic (Claude) | AI-powered analysis and task execution | United States |
| Google (Gemini) | AI-powered analysis and task execution | United States |
| Brave Search API | Web search queries initiated by Customer through the Service | United States |
| Nango | Third-party data source integrations | United States |
Toolkit will notify Customer of any intended changes to Sub-processors by updating this page. Customer may object to a new Sub-processor by contacting Toolkit within 30 days of notification. If Toolkit cannot reasonably accommodate the objection, Customer may terminate the affected Service.
Toolkit ensures that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.
8. Data Retention and Deletion
Toolkit retains Customer Data for the duration of the Agreement. Upon termination or expiration of the Agreement:
- Customer may request export of its Customer Data within 30 days of termination
- Toolkit will delete Customer Data within 90 days of termination, unless retention is required by applicable law
- Deletion includes all copies of Customer Data in production systems, backups, and Sub-processor systems
9. Data Subject Rights
To the extent Customer Data contains Personal Data, Toolkit will assist Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Laws. Toolkit will promptly notify Customer if it receives any such request directly, and will not respond to the request without Customer's prior authorization, unless required by applicable law.
10. Audits
Toolkit will make available to Customer, upon reasonable request, information necessary to demonstrate compliance with this DPA. Where Toolkit holds relevant third-party audit reports, it will provide the most recent report upon request under a mutual non-disclosure agreement.
11. International Data Transfers
Customer Data is processed and stored in the United States. If Customer Data originates from a jurisdiction that restricts international data transfers, Toolkit will cooperate with Customer to implement appropriate transfer mechanisms as required by applicable Data Protection Laws.
12. Term
This DPA takes effect on the date Customer agrees to the Agreement and remains in effect for the duration of the Agreement. Obligations relating to data deletion and confidentiality survive termination.
13. Contact
For questions about this DPA or to exercise any rights described herein, contact us at dev@jointoolkit.com.