This Data Processing Agreement (“DPA”) forms part of the
agreement between Shikari Development Group, LLC (“Processor,”
“we,” “us”) and the customer
(“Controller,” “you,” “your”) for
the use of the Elevate Small Business platform (the “Services”).
This DPA supplements our Terms of Service,
End-User License Agreement, and
Privacy Policy.
This DPA applies where and to the extent Elevate Small Business processes
Personal Data on behalf of the Controller in connection with the
provision of the Services.
1. Definitions
“Personal Data” means any information
relating to an identified or identifiable natural person, as defined
under applicable data protection laws including the EU General Data
Protection Regulation (GDPR), the California Consumer Privacy Act
(CCPA), and other applicable privacy legislation.
“Processing” means any operation performed
on Personal Data, including collection, recording, organization,
structuring, storage, adaptation, alteration, retrieval, consultation,
use, disclosure by transmission, dissemination, alignment, combination,
restriction, erasure, or destruction.
“Data Controller” (or
“Controller”) means the entity that determines the purposes
and means of the Processing of Personal Data.
“Data Processor” (or
“Processor”) means the entity that processes Personal Data
on behalf of the Controller.
“Sub-processor” means a third party engaged
by the Processor to process Personal Data on behalf of the Controller.
“Data Subject” means an identified or
identifiable natural person whose Personal Data is processed.
2. Scope and Purpose of Processing
We process Personal Data solely to provide the Services as described in
our Terms of Service, including:
- Business intelligence, data analytics, and financial reporting
- Integration with Connected Services (such as QuickBooks Online) to synchronize and analyze financial data
- Capital application support, due diligence, and procurement matching
- AI-assisted analysis, account categorization, and report generation
- Account management, authentication, and customer support
3. Types of Personal Data Processed
3.1 Categories of Data Subjects
- Business Owners and Operators: Individuals who register accounts and manage entities on the Platform
- Customers of Your Business: Individuals whose contact and transaction data may be synchronized from Connected Services (e.g., QuickBooks customer lists)
- Vendors and Suppliers: Individuals whose contact information may be synchronized from Connected Services
- Employees: Individuals whose names may appear in payroll-related financial transactions
3.2 Categories of Personal Data
- Identity Data: Names, email addresses, phone numbers
- Business Contact Data: Billing addresses, company names, business phone numbers
- Financial Data: Financial statements, account balances, transaction records, invoices, payment information (amounts and dates, not payment card numbers)
- Business Identification Data: Federal Employer ID Numbers (FEIN), NAICS codes, business certifications
- Technical Data: IP addresses, browser types, usage patterns, authentication logs
4. Processor Obligations
We shall:
- Process Personal Data only on documented instructions from the Controller, including as set forth in this DPA, the Terms of Service, and as necessary to provide the Services
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (detailed in Section 5)
- Not engage a Sub-processor without prior notice to the Controller and subject to the requirements of Section 6
- Assist the Controller in responding to Data Subject requests (Section 7)
- Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations
- At the Controller's choice, delete or return all Personal Data upon termination of the Services (Section 9)
- Make available to the Controller information necessary to demonstrate compliance with this DPA
5. Security Measures
We implement and maintain the following technical and organizational
security measures:
5.1 Encryption
- At Rest: Sensitive data (including OAuth tokens and credentials) is encrypted using AES-256-GCM before database storage. Database-level encryption is provided by our infrastructure provider.
- In Transit: All data transmission uses TLS 1.2 or higher. API communications with third-party services use HTTPS exclusively.
5.2 Access Controls
- Multi-Tenant Isolation: Entity-level data separation is enforced at the database level through Row Level Security (RLS) policies. Users can only access data for entities they are authorized to view.
- Role-Based Access: Platform access is controlled through defined roles (admin, member, advisor, capital provider) with appropriate permission boundaries.
- Authentication: User authentication is managed through OAuth 2.0 (Google, Microsoft) and email/password with industry-standard hashing.
5.3 Infrastructure Security
- Application hosting on Vercel with automatic HTTPS, DDoS protection, and global edge network
- Database hosted on Supabase (PostgreSQL) with managed backups, encryption at rest, and network isolation
- Server-side-only processing of third-party API credentials — no sensitive tokens are exposed to browser environments
5.4 Monitoring and Logging
- Audit logging of significant actions including data connections, disconnections, synchronization events, and access pattern changes
- Error monitoring and alerting for system anomalies
- Personally identifiable information is excluded from application logs
6. Sub-processors
The Controller authorizes the use of the following Sub-processors to
process Personal Data in connection with the Services:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (PostgreSQL) | Database hosting, authentication | All platform data | United States |
| Vercel | Application hosting, edge functions | Request/response data, application logs | United States (global edge) |
| Intuit (QuickBooks Online) | Financial data source (Connected Service) | Financial reports, transactions, contacts | United States |
| Google (Gemini AI) | AI-assisted analysis and categorization | Financial data for analysis (no PII where avoidable) | United States |
| Anthropic (Claude AI) | AI-assisted analysis and content generation | Financial data for analysis (no PII where avoidable) | United States |
We will notify the Controller before adding or replacing Sub-processors,
providing the Controller with an opportunity to object. If the
Controller reasonably objects based on data protection grounds, we will
work in good faith to address the concern or, if resolution is not
possible, the Controller may terminate the affected Services.
7. Data Subject Rights
We will assist the Controller in fulfilling its obligations to respond
to Data Subject requests under applicable data protection laws,
including requests for:
- Access: Providing copies of Personal Data we process on behalf of the Controller
- Rectification: Correcting inaccurate Personal Data
- Erasure: Deleting Personal Data where required by law, subject to applicable legal retention obligations
- Data Portability: Providing Personal Data in a structured, commonly used, machine-readable format (CSV or JSON)
- Restriction of Processing: Limiting processing where requested and legally required
- Objection: Ceasing processing where the Data Subject has a right to object
Data Subject requests should be directed to
support@elevatesb.com. We will respond
within 30 days of receipt, or as otherwise required by applicable law.
8. Breach Notification
In the event of a Personal Data breach (any accidental or unlawful
destruction, loss, alteration, unauthorized disclosure of, or access to
Personal Data), we will:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach
- Provide the Controller with sufficient information to meet its own notification obligations to supervisory authorities and Data Subjects, including:
  - Nature of the breach
  - Categories and approximate number of Data Subjects affected
  - Categories and approximate number of Personal Data records affected
  - Likely consequences of the breach
  - Measures taken or proposed to address the breach and mitigate its effects
- Cooperate with the Controller in investigating and remediating the breach
- Document the breach, including its effects and remedial actions taken
Security incidents should be reported to
security@elevatesb.com.
9. Data Return and Deletion
Upon termination of the Services or upon the Controller's written
request:
- We will return all Personal Data to the Controller in a structured, commonly used format (CSV or JSON), or securely delete all Personal Data, at the Controller's election
- Deletion will be completed within 30 days of the request, except where retention is required by applicable law or regulation
- We will certify in writing that deletion has been completed upon the Controller's request
- Financial data subject to legal retention requirements (e.g., tax records) may be retained for up to 7 years as required by law, after which it will be securely deleted
10. Audit Rights
Upon reasonable notice and no more than once per calendar year (unless a
breach has occurred), the Controller may:
- Request documentation demonstrating our compliance with this DPA
- Conduct an audit (or engage a qualified third-party auditor bound by confidentiality obligations) of our data processing practices relevant to the Services
We will cooperate with reasonable audit requests and provide access to
relevant documentation, systems, and personnel. Audits shall be
conducted in a manner that minimizes disruption to our operations and
protects the confidentiality of other customers' data.
11. International Data Transfers
Personal Data is primarily processed and stored in the United States.
Where Personal Data is transferred from the European Economic Area
(EEA), Switzerland, or the United Kingdom to the United States, we rely
on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission, where applicable
- Supplementary measures including encryption and access controls as described in Section 5
We will ensure that any international transfer of Personal Data complies
with applicable data protection laws and provides an adequate level of
protection.
12. Governing Law
This DPA shall be governed by and construed in accordance with the laws
of the Commonwealth of Massachusetts, without regard to its conflict of
law provisions, except where mandatory data protection laws of another
jurisdiction apply to specific processing activities.
13. Contact Information
For questions about this DPA or to exercise any rights described herein:
General inquiries:
Contact form
Security concerns:
security@elevatesb.com
Mailing address:
Shikari Development Group, LLC
386 Western Avenue
Boston, MA 02135