Roles
Customer is the Data Controller. Market Fortress is the Data Processor with respect to Customer Data. We process data only on documented instructions from the Customer, as set out in the Terms of Service and this DPA.
Scope and Duration
This DPA applies for the duration of the Service subscription. Processing terminates with the end of the subscription, subject to the 30-day export window.
Categories of Data Subjects
- Customer's personnel (officers, directors, employees) using the Service.
- Personnel of Customer's service providers (auditors, counsel, transfer agents).
- Beneficial owners and shareholders identified in filings ingested by the Service.
Categories of Personal Data
- Identification data (name, email, role, organization).
- Authentication data (hashed credentials, session tokens, audit metadata).
- Filings and disclosures uploaded or ingested.
Subprocessors
- Vercel. Application hosting (US).
- Supabase. Database, authentication, storage (US).
- Google Cloud Platform. Vertex AI inference for MNPI in customer-isolated VPC (US).
- Google AI. Gemini API for public-record analysis (US).
- Resend. Transactional email delivery (US).
- Sentry. Application observability and error reporting (US).
International Transfers
Where personal data of EEA, UK, or Swiss residents is transferred outside those regions, transfers rely on the Standard Contractual Clauses (Module Two for Controller-to-Processor) along with supplementary measures including encryption in transit and at rest.
Security Measures
We implement appropriate technical and organizational measures including the items detailed in our Security Statement and Security Whitepaper.
Breach Notification
If we become aware of a personal data breach, we will notify affected Customers without undue delay and in any event within 72 hours of confirmed identification, with such information as is reasonably available at the time.
Audit Rights
Customers may audit our compliance with this DPA once per calendar year on reasonable notice and at the Customer's expense, subject to confidentiality obligations and reasonable scheduling.
Updates
We may update the subprocessor list. Customers will be notified by email at least 30 days before any new subprocessor is engaged for the processing of personal data.
Contact
DPA questions? Email privacy@marketfortress.app. To execute a signed DPA, contact legal@marketfortress.app.