Data Processing Agreement

Effective 2 June 2026 · Last updated 2 June 2026

This DPA governs how Prism processes personal data on behalf of an advisory firm. It supplements and forms part of the Terms of Service. Where this DPA conflicts with the Terms on data protection, this DPA controls.

Parties. The advisory firm using Prism is the Controller; Prism Advisor Workspace, operated by LeMay Ventures LLC, is the Processor. A firm that needs a counter-signed copy can request one at legal@prismaw.com.

1. Definitions

"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Personal Data Breach" have the meanings given under applicable data-protection law (including the GDPR and U.S. state privacy laws). "Customer Personal Data" means Personal Data within the Customer Data that Prism processes on the Controller's behalf.

2. Roles & scope

The Controller determines the purposes and means of processing Customer Personal Data; Prism processes it only as a Processor to provide the service. The subject matter, duration, nature, and purpose of processing, the types of data, and the categories of data subjects are set out in Annex A.

3. Processor obligations

Instructions. Process Customer Personal Data only on the Controller's documented instructions (including those given through use of the service), unless required by law — in which case we will notify the Controller unless legally prohibited.
Confidentiality. Ensure personnel authorized to process the data are bound by confidentiality.
Security. Implement appropriate technical and organizational measures, summarized in Annex B and our security overview.
Subprocessors. Engage only the subprocessors in Annex C under terms no less protective than this DPA, and remain responsible for their performance. We will give the Controller advance notice of new subprocessors and an opportunity to object on reasonable data-protection grounds.
Data subject requests. Taking into account the nature of the processing, assist the Controller to respond to requests to exercise data-subject rights.
Assistance. Assist the Controller with security, breach notification, and data-protection impact assessments, given the information available to us.
Breach notice. Notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, with the information reasonably available.
Deletion or return. On termination, delete or return Customer Personal Data at the Controller's choice, except where retention is required by law (including advisory record-keeping rules).
Audits. Make available information necessary to demonstrate compliance and allow for reasonable audits, which may be satisfied by our then-current documentation and any third-party attestations we hold.

4. International transfers

Prism processes data in the United States. Where data-protection law requires a transfer mechanism, the parties agree that Standard Contractual Clauses (or another lawful mechanism) apply to transfers of Customer Personal Data originating from a restricted jurisdiction.

5. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service.

Annex A — Details of processing

Subject matter: provision of the Prism Advisor Workspace service.
Duration: the term of the Controller's account, plus any legally required retention.
Nature & purpose: hosting, storing, organizing, and displaying client financial-planning data; authentication; collaboration; reporting; aggregation; billing.
Types of Personal Data: identifiers (names, emails), household and financial-profile data, account balances and holdings, plan milestones, messages, and activity logs.
Categories of Data Subjects: the firm's advisors and staff, and the firm's clients and their household members.

Annex B — Security measures (summary)

Tenant isolation enforced by row-level security at the database layer (firm → advisor → client).
Encryption of data in transit (TLS) and at rest via our managed database provider.
Optional multi-factor authentication; PKCE authentication flow; least-privilege roles.
Secrets held server-side in serverless functions, never exposed to the browser.
Enforced Content-Security-Policy, HSTS, and hardened security headers; self-hosted core libraries.
Append-only audit logging and immutable profile versioning.

The current, detailed posture — including items in place today versus on the roadmap — is published in our security overview.

Annex C — Subprocessors

Subprocessor	Purpose	Location
Supabase	Database, authentication, storage, serverless functions	United States
Cloudflare	Static hosting, CDN, edge security	Global edge / United States
Stripe	Subscription payment processing	United States
Plaid	Account linking and aggregation (on user consent)	United States
Google	Optional sign-in (OAuth)	United States

This DPA is a template provided for transparency and is not legal advice. Firms with specific regulatory or jurisdictional requirements should have counsel review it before relying on it.