Legal

Data Processing Addendum

Last Updated: May 26, 2026

This Data Processing Addendum (DPA) supplements the CACulator.io Terms of Service and Privacy Policy and describes how Gulf Holdings LLC processes personal data on behalf of CACulator.io customers.

Customers may request a signed copy of this DPA, including the Standard Contractual Clauses (controller-to-processor module) where applicable, by emailing privacy@caculator.io.

1. Roles

For Customer Data submitted to CACulator.io, the customer is the controller and Gulf Holdings LLC is the processor. For account, billing, and security data of the account holder, Gulf Holdings LLC may act as an independent controller for limited purposes (for example, billing and fraud prevention).

2. Processing Purposes

We process personal data to provide, secure, support, maintain, and improve CACulator.io as described in the Privacy Policy and Terms of Service, including authentication, subscriptions, saved scenarios, board books, support, security, analytics, AI-assisted features, embeds, and API services.

3. Categories of Data and Data Subjects

  • Account holders: business contact information, login credentials, subscription metadata.
  • Team Members: business contact information and role.
  • Recipients of board books: business contact information, view-audit metadata.
  • End users of customer embed widgets: typically anonymous; embed counters are aggregated.
  • Connected Stripe data: customer and subscription metadata pulled in read-only scope from the customer’s Stripe account.

4. Sub-Processors

We engage the following material sub-processors. We may add, replace, or remove sub-processors and will require equivalent safeguards from successors.

  • Supabase, Inc. — Postgres database, authentication, file storage. Region: United States.
  • Vercel, Inc. — application compute, edge, hosting. Region: multi-region with primary serverless function execution in the United States.
  • Stripe, Inc. — payment processing and Stripe Connect read-only OAuth. Region: United States.
  • Postmark (ActiveCampaign, LLC) — transactional email delivery. Region: United States.
  • Sentry (Functional Software, Inc.) — error monitoring and performance tracing. Region: United States.
  • PostHog Inc. — product analytics, proxied through CACulator.io. Region: United States.
  • Google LLC — Google Analytics 4 audience measurement. Region: United States.
  • OpenRouter, Inc. — AI gateway routing AI-assisted feature requests to underlying large language model providers. Region: United States, with model providers per OpenRouter’s published list.

5. International Transfers

Personal data may be transferred to and processed in the United States by us and our sub-processors. Where Standard Contractual Clauses or other transfer mechanisms apply, they are incorporated into our signed DPA on request.

6. Security Measures

  • Row-level security on all customer-facing database tables.
  • Hashed storage of API Keys, magic-link tokens, and team-invite tokens.
  • Scoped, server-only credentials for sub-processors; service-role keys are never exposed to browsers.
  • TOTP-based multi-factor authentication available for account holders.
  • Audit logging of administrative and sensitive actions where applicable.
  • Vendor security review of material sub-processors.

7. Data Subject Requests

We will assist controllers in responding to data subject requests (access, correction, deletion, restriction, objection, portability) to the extent reasonably required by applicable law. Direct requests to privacy@caculator.io.

8. Breach Notification

We will notify affected controllers without undue delay after becoming aware of a personal data breach involving Customer Data and will provide information reasonably necessary to enable the controller’s compliance with applicable breach-notification obligations.

9. Return or Deletion

Upon termination of the customer agreement, controllers may export Customer Data through in-app tools for at least thirty (30) days. After that period, Customer Data is deleted on a rolling schedule, subject to legal retention obligations. Anonymized, aggregated benchmark contributions made prior to termination may persist.

10. Contact

For DPA, sub-processor, or data-protection inquiries, contact privacy@caculator.io.