Draft — these legal documents are a starting template for a Florida-based title and closing platform. Review with licensed counsel before holding them out as binding terms.
Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements the Terms of Service between Title Company Agency LLC d/b/a GoodCloser (“Processor”) and the Customer (“Controller”). It addresses the handling of Personal Data on Controller’s behalf in the course of providing the Service.
1. Definitions
- “Applicable Privacy Laws” means GLBA, FIPA (Florida Information Protection Act), the Florida Digital Bill of Rights, the California Consumer Privacy Act (CCPA/CPRA), the GDPR, the UK GDPR, and any other applicable data-protection law.
- “Personal Data” has the meaning given in the Applicable Privacy Laws.
- “Data Subject” means an identified or identifiable individual whose Personal Data is processed under this DPA — typically buyers, sellers, borrowers, agents, and beneficial owners of a closing.
- “Subprocessor” means any third party engaged by Processor to process Personal Data on Controller’s behalf. The current list is in Annex II.
- “Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2. Scope & roles
Controller is the data controller for Personal Data submitted to the Service. Processor processes Personal Data on Controller’s behalf, solely on documented instructions from Controller — which include the Terms of Service, this DPA, and Controller’s configured use of the Service.
The categories of Data Subjects, types of Personal Data, processing operations, and processing duration are set out in Annex I.
3. Processor obligations
Processor will:
- Process Personal Data only on documented instructions from Controller, except as required by law (in which case Processor will notify Controller before processing, unless legally prohibited);
- Ensure all personnel authorized to process Personal Data are bound by written confidentiality obligations;
- Implement and maintain the technical and organizational security measures described in Annex III;
- Assist Controller in responding to Data Subject requests (access, deletion, portability, correction) within applicable statutory deadlines;
- Assist Controller with data-protection impact assessments and prior consultations with supervisory authorities, to the extent required;
- At Controller’s choice, delete or return all Personal Data at the end of the agreement, except where retention is required by law (e.g., Florida 7-year title-file retention).
4. Subprocessors
Controller authorizes Processor to engage the Subprocessors listed in Annex II. Processor will:
- Impose written terms on each Subprocessor providing at least the same level of data protection as this DPA;
- Remain fully liable for the acts and omissions of its Subprocessors;
- Provide Controller at least 30 days’ prior written notice of any new or replacement Subprocessor. Controller may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Controller may terminate the affected Service component without penalty.
5. Security & incident notification
Processor implements industry-standard administrative, technical, and physical safeguards. See Annex III for the current control set.
Processor will notify Controller without undue delay, and in any event within 72 hours, of becoming aware of any Security Incident affecting Controller’s Personal Data, with the information required by GDPR Article 33(3) to the extent available.
6. Audits
Processor will make available to Controller all information reasonably necessary to demonstrate compliance with this DPA, including SOC 2 Type II reports and penetration-test summaries (subject to confidentiality). Controller may, at its own expense and no more than once per year (or more often if required by law or following a Security Incident), audit Processor’s compliance, subject to reasonable scoping, notice, and confidentiality terms.
7. International transfers
Personal Data is hosted in the United States. For transfers of EU/UK Personal Data to the United States, the parties enter into the European Commission’s Standard Contractual Clauses (Module Two, Controller-to-Processor) and the UK Addendum, both of which are incorporated by reference. Processor will implement supplementary measures as required by Schrems II case law.
8. Term & termination
This DPA is effective on the date Controller first accesses the Service or otherwise accepts these terms, and continues until the Terms of Service terminate or this DPA is superseded by a successor data-processing agreement.
9. Liability
The liability of each party under this DPA is subject to the limitations and exclusions in the Terms of Service.
Annex I — Description of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the GoodCloser title and closing platform. |
| Duration | Term of the underlying Service agreement plus retention required by law. |
| Nature & purpose | Hosting closing files, document storage, e-signature routing, OFAC screening, IRS 1099-S preparation, escrow accounting, BSA/AML monitoring, AI-assisted document analysis. |
| Categories of Data Subjects | Buyers, sellers, borrowers, lenders, real estate agents, attorneys, beneficial owners, notaries, Users. |
| Categories of Personal Data | Identifiers (name, address, phone, email, government ID), financial (SSN/EIN, bank-account numbers, wire instructions, loan details), property (address, deed, title chain), professional (license numbers, employer), signature images, IP address, usage analytics. |
| Special categories / sensitive data | Government identification numbers and copies of government-issued ID where collected for KYC/CIP compliance. These are sensitive data under U.S. state law but are not GDPR Article 9 special-category data. No biometric, health, or sexual-orientation data is intentionally processed. |
Annex II — Authorized Subprocessors
| Provider | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, file storage, authentication | USA |
| Cloudflare, Inc. | Compute (Workers), CDN, DNS, security | Global edge |
| Anthropic, PBC | AI inference (document triage, OCR, search) | USA |
| Stripe, Inc. | Subscription billing | USA |
| DocuSign, Inc. (if enabled) | E-signature processing | USA |
| DocuSeal (if self-hosted by Customer) | E-signature processing | Customer-controlled; when Customer hosts it, it is not engaged by Processor and is listed for transparency only |
| Plaid, Inc. (if enabled) | Bank-account aggregation | USA |
| Mercury (if enabled) | Bank-account direct API | USA |
| QuickBooks Online (if enabled) | Accounting sync | USA |
| Twilio, Inc. (if enabled) | SMS / voice | USA |
| SendGrid (if enabled) | Transactional email | USA |
| Notarize, Inc. (if enabled) | Remote Online Notarization | USA |
| Sentry, Inc. (if consent given) | Error tracking | USA |
| PostHog, Inc. (if consent given) | Product analytics | USA |
Subprocessor list as of the “Last updated” date. Email dpo@goodcloser.com to subscribe to subprocessor-change notifications.
Annex III — Security measures
- Access control — role-based access; multi-factor authentication enforced for platform admins; least-privilege principle for engineering access; access reviews quarterly.
- Encryption — TLS 1.2+ in transit; AES-256 at rest; secrets stored in Cloudflare-managed secret store and Supabase vault; never in source code or env files committed to version control.
- Tenant isolation — Postgres Row-Level Security enabled and enforced at the database layer for every customer table; a query returns only rows belonging to the authenticated user’s organization, regardless of which application code issued it.
- Resilience — daily automated backups plus 7-day point-in-time recovery; disaster-recovery plan tested annually; RPO 24 hours (worst case, from the daily backup) and RTO 4 hours.
- Hardening & monitoring — security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) set on application responses; structured audit log of every significant action; error monitoring; anomaly detection on authentication flows.
- People — background checks for personnel with access to production data; mandatory security & privacy training annually; revocation of access on termination within 24 hours.
- Vendor management — SOC 2 Type II (or equivalent independent assurance) review for each subprocessor; DPA executed with each subprocessor; flowdown of GDPR Article 28 obligations.
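The tenant-isolation measure in Annex III describes the control without showing it. The following is an added illustration, not part of this agreement and not GoodCloser’s actual schema, of how a Postgres/Supabase Row-Level Security policy keyed on organization membership is written and then checked. The table, column and helper names (org_members, closing_files, current_user_orgs) and the sample UUIDs are assumptions constructed for the example.

```sql
-- Added illustration only: not part of this DPA and not GoodCloser's schema.
-- Table, column and helper names (org_members, closing_files, current_user_orgs)
-- are assumptions chosen for the example.

create table if not exists org_members (
  user_id uuid not null,
  org_id  uuid not null,
  primary key (user_id, org_id)
);

create table if not exists closing_files (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  property   text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS and FORCE it: without FORCE the table owner bypasses every policy.
alter table closing_files enable row level security;
alter table closing_files force row level security;

-- Membership lookup for the caller, keyed on the JWT subject.
-- auth.uid() is the Supabase helper; on plain Postgres use
-- current_setting('app.user_id', true)::uuid instead.
-- SECURITY DEFINER avoids recursive policy evaluation if org_members is itself under RLS.
create or replace function current_user_orgs()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select org_id from org_members where user_id = auth.uid();
$$;

-- One policy per command. A table with only a SELECT policy already rejects
-- writes, but an INSERT/UPDATE policy without WITH CHECK would let a user
-- write rows tagged with another organization's org_id.
create policy closing_files_select on closing_files
  for select to authenticated
  using (org_id in (select current_user_orgs()));

create policy closing_files_insert on closing_files
  for insert to authenticated
  with check (org_id in (select current_user_orgs()));

create policy closing_files_update on closing_files
  for update to authenticated
  using (org_id in (select current_user_orgs()))
  with check (org_id in (select current_user_orgs()));

create policy closing_files_delete on closing_files
  for delete to authenticated
  using (org_id in (select current_user_orgs()));

-- Check an auditor can run: seed constructed sample rows, impersonate one
-- authenticated user, and confirm only that user's organization is visible.
insert into org_members values
  ('00000000-0000-0000-0000-0000000000a1', '00000000-0000-0000-0000-00000000000a');
insert into closing_files (org_id, property) values
  ('00000000-0000-0000-0000-00000000000a', '123 Main St, Orlando FL'),
  ('00000000-0000-0000-0000-00000000000b', '456 Oak Ave, Tampa FL');

begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"00000000-0000-0000-0000-0000000000a1","role":"authenticated"}';
  -- Expected: only the Orlando row; the Tampa row belongs to org ...0b.
  select property from closing_files;
rollback;
```

Two caveats a reviewer should verify against the real deployment: the Supabase service-role key connects as a role with BYPASSRLS, so it must only ever be used server-side and the check above is meaningful only for the role the application actually uses; and every customer table needs the full set of policies, since a table with RLS enabled but no policy for a command silently denies that command rather than failing loudly.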
Contact
For DPA execution, subprocessor objections, or Data Subject requests:
dpo@goodcloser.com