Data Processing Agreement
Updated February 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Shikari Development Group, LLC (“Processor,” “we,” “us”) and the customer (“Controller,” “you,” “your”) for the use of the Elevate Small Business platform (the “Services”). This DPA supplements our Terms of Service, End-User License Agreement, and Privacy Policy.
This DPA applies where and to the extent Elevate Small Business processes Personal Data on behalf of the Controller in connection with the provision of the Services.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable privacy legislation.
“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
“Data Controller” (or “Controller”) means the entity that determines the purposes and means of the Processing of Personal Data.
“Data Processor” (or “Processor”) means the entity that processes Personal Data on behalf of the Controller.
“Sub-processor” means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
“Data Subject” means an identified or identifiable natural person whose Personal Data is processed.
2. Scope and Purpose of Processing
We process Personal Data solely to provide the Services as described in our Terms of Service, including:
- Business intelligence, data analytics, and financial reporting
- Integration with Connected Services (such as QuickBooks Online) to synchronize and analyze financial data
- Capital application support, due diligence, and procurement matching
- AI-assisted analysis, account categorization, and report generation
- Account management, authentication, and customer support
3. Types of Personal Data Processed
3.1 Categories of Data Subjects
- Business Owners and Operators: Individuals who register accounts and manage entities on the Platform
- Customers of Your Business: Individuals whose contact and transaction data may be synchronized from Connected Services (e.g., QuickBooks customer lists)
- Vendors and Suppliers: Individuals whose contact information may be synchronized from Connected Services
- Employees: Individuals whose names may appear in payroll-related financial transactions
3.2 Categories of Personal Data
- Identity Data: Names, email addresses, phone numbers
- Business Contact Data: Billing addresses, company names, business phone numbers
- Financial Data: Financial statements, account balances, transaction records, invoices, payment information (amounts and dates, not payment card numbers)
- Business Identification Data: Federal Employer ID Numbers (FEIN), NAICS codes, business certifications
- Technical Data: IP addresses, browser types, usage patterns, authentication logs
4. Processor Obligations
We shall:
- Process Personal Data only on documented instructions from the Controller, including as set forth in this DPA, the Terms of Service, and as necessary to provide the Services
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (detailed in Section 5)
- Not engage a Sub-processor without prior notice to the Controller and subject to the requirements of Section 6
- Assist the Controller in responding to Data Subject requests (Section 7)
- Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- At the Controller's choice, delete or return all Personal Data upon termination of the Services (Section 9)
- Make available to the Controller information necessary to demonstrate compliance with this DPA
5. Security Measures
We implement and maintain the following technical and organizational security measures:
5.1 Encryption
- At Rest: Sensitive data (including OAuth tokens and credentials) is encrypted using AES-256-GCM before database storage. Database-level encryption is provided by our infrastructure provider.
- In Transit: All data transmission uses TLS 1.2 or higher. API communications with third-party services use HTTPS exclusively.
5.2 Access Controls
- Multi-Tenant Isolation: Entity-level data separation is enforced at the database level through Row Level Security (RLS) policies. Users can only access data for entities they are authorized to view.
- Role-Based Access: Platform access is controlled through defined roles (admin, member, advisor, capital provider) with appropriate permission boundaries.
- Authentication: User authentication is managed through OAuth 2.0 (Google, Microsoft) and email/password with industry-standard hashing.
5.3 Infrastructure Security
- Application hosting on Vercel with automatic HTTPS, DDoS protection, and global edge network
- Database hosted on Supabase (PostgreSQL) with managed backups, encryption at rest, and network isolation
- Server-side only processing of third-party API credentials — no sensitive tokens are exposed to browser environments
5.4 Monitoring and Logging
- Audit logging of significant actions including data connections, disconnections, synchronization events, and access pattern changes
- Error monitoring and alerting for system anomalies
- Personally identifiable information is excluded from application logs
6. Sub-processors
The Controller authorizes the use of the following Sub-processors to process Personal Data in connection with the Services:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (PostgreSQL) | Database hosting, authentication | All platform data | United States |
| Vercel | Application hosting, edge functions | Request/response data, application logs | United States (global edge) |
| Intuit (QuickBooks Online) | Financial data source (Connected Service) | Financial reports, transactions, contacts | United States |
| Google (Gemini AI) | AI-assisted analysis and categorization | Financial data for analysis (no PII where avoidable) | United States |
| Anthropic (Claude AI) | AI-assisted analysis and content generation | Financial data for analysis (no PII where avoidable) | United States |
We will notify the Controller before adding or replacing Sub-processors, providing the Controller with an opportunity to object. If the Controller reasonably objects based on data protection grounds, we will work in good faith to address the concern or, if resolution is not possible, the Controller may terminate the affected Services.
7. Data Subject Rights
We will assist the Controller in fulfilling its obligations to respond to Data Subject requests under applicable data protection laws, including requests for:
- Access: Providing copies of Personal Data we process on behalf of the Controller
- Rectification: Correcting inaccurate Personal Data
- Erasure: Deleting Personal Data where required by law, subject to applicable legal retention obligations
- Data Portability: Providing Personal Data in a structured, commonly used, machine-readable format (CSV or JSON)
- Restriction of Processing: Limiting processing where requested and legally required
- Objection: Ceasing processing where the Data Subject has a right to object
Data Subject requests should be directed to support@elevatesb.com. We will respond within 30 days of receipt, or as otherwise required by applicable law.
8. Breach Notification
In the event of a Personal Data breach (any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data), we will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to meet its own notification obligations to supervisory authorities and Data Subjects, including:
  - Nature of the breach
  - Categories and approximate number of Data Subjects affected
  - Categories and approximate number of Personal Data records affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate its effects
- Cooperate with the Controller in investigating and remediating the breach
- Document the breach, including its effects and remedial actions taken
Security incidents should be reported to security@elevatesb.com.
9. Data Return and Deletion
Upon termination of the Services or upon the Controller's written request:
- We will return all Personal Data to the Controller in a structured, commonly used format (CSV or JSON), or securely delete all Personal Data, at the Controller's election
- Deletion will be completed within 30 days of the request, except where retention is required by applicable law or regulation
- We will certify in writing that deletion has been completed upon the Controller's request
- Financial data subject to legal retention requirements (e.g., tax records) may be retained for up to 7 years as required by law, after which it will be securely deleted
10. Audit Rights
Upon reasonable notice and no more than once per calendar year (unless a breach has occurred), the Controller may:
- Request documentation demonstrating our compliance with this DPA
- Conduct an audit (or engage a qualified third-party auditor bound by confidentiality obligations) of our data processing practices relevant to the Services
We will cooperate with reasonable audit requests and provide access to relevant documentation, systems, and personnel. Audits shall be conducted in a manner that minimizes disruption to our operations and protects the confidentiality of other customers' data.
11. International Data Transfers
Personal Data is primarily processed and stored in the United States. Where Personal Data is transferred from the European Economic Area (EEA), Switzerland, or the United Kingdom to the United States, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, where applicable
- Supplementary measures including encryption and access controls as described in Section 5
We will ensure that any international transfer of Personal Data complies with applicable data protection laws and provides an adequate level of protection.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Commonwealth of Massachusetts, without regard to its conflict of law provisions, except where mandatory data protection laws of another jurisdiction apply to specific processing activities.
13. Contact Information
For questions about this DPA or to exercise any rights described herein:
General inquiries: support@elevatesb.com
Security concerns: security@elevatesb.com
Mailing address:
Shikari Development Group, LLC
386 Western Avenue
Boston, MA 02135