Data Processing Agreement
1. Introduction and Scope
1.1 Purpose
This Data Processing Agreement (“DPA”) forms part of and is an addendum to the Master Services Agreement, Terms of Use, or other written or electronic agreement (the “Agreement”) between MoneyMind Profile Pty Ltd (“MoneyMind Profile,” “Processor,” “Service Provider,” “we,” “us,” or “our”) and the Customer (“Customer,” “Controller,” “Business,” “you,” or “your”) for the provision of the MoneyMind Profile software platform and related services (the “Services”).
1.2 Application
This DPA applies when and to the extent that MoneyMind Profile Processes Personal Data on behalf of Customer in the course of providing the Services. This DPA reflects the Parties' agreement with regard to the Processing of Personal Data in accordance with applicable Data Protection Laws and Regulations.
1.3 Incorporation
This DPA is incorporated into and forms an integral part of the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement regarding the Processing of Personal Data, this DPA shall prevail to the extent of such conflict or inconsistency.
1.4 Authorized Affiliates
This DPA shall also apply to any Authorized Affiliates of Customer who have executed an Order Form or are otherwise authorized to use the Services pursuant to the Agreement. Each such Authorized Affiliate shall be deemed a separate “Customer” for purposes of this DPA.
1.5 Pre-Signed Addendum
This DPA has been pre-signed on behalf of MoneyMind Profile. Customer may execute this DPA by: (a) signing and returning a Master Services Agreement; (b) accepting this DPA electronically through the Platform during account setup; or (c) executing the Agreement, which incorporates this DPA by reference. Upon execution or acceptance by Customer, this DPA becomes legally binding between the Parties.
2. Definitions
2.1 Defined Terms
The following terms have the meanings set forth below. Capitalized terms not otherwise defined in this DPA have the meanings given to them in the Agreement.
- “Agreement” — the Master Services Agreement, Terms of Use, or other written or electronic agreement between MoneyMind Profile and Customer for the provision of Services.
- “Authorized Affiliate” — any Affiliate of Customer which: (a) is subject to Data Protection Laws and Regulations; (b) is permitted to use the Services pursuant to the Agreement; and (c) has executed an Order Form or been authorized by Customer to access the Services.
- “Business” — has the meaning given in the CCPA and means Customer in its capacity as an entity that determines the purposes and means of the Processing of Personal Information.
- “CCPA” — the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Proposition 24), Cal. Civ. Code § 1798.100 et seq., and any implementing regulations.
- “Controller” — the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, Customer is the Controller.
- “Data Protection Laws and Regulations” — all applicable laws, regulations, and other legal requirements relating to privacy, data protection, and data security, including: (a) The EU General Data Protection Regulation 2016/679 (“GDPR”); (b) The UK GDPR and the Data Protection Act 2018 (UK); (c) The Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”); (d) The CCPA and other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA); (e) Any other applicable national, federal, state, provincial or other data protection laws, regulations, and guidance.
- “Data Subject” — an identified or identifiable natural person to whom Personal Data relates.
- “Data Subject Request” — a request by a Data Subject to exercise their rights under applicable Data Protection Laws and Regulations, including rights of access, rectification, erasure, restriction, portability, objection, or rights related to automated decision-making.
- “EEA” — the European Economic Area.
- “End Client” — a natural person who receives financial advice or wealth management services from Customer (or Customer's Authorized Users) and whose Personal Data is Processed through the Services.
- “EU Standard Contractual Clauses” or “SCCs” — the standard contractual clauses for the transfer of personal data to third countries approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time.
- “Personal Data” or “Personal Information” — any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws and Regulations, that is Processed by MoneyMind Profile on behalf of Customer in the course of providing the Services. Personal Data includes End Client Personal Data and Authorized User Personal Data.
- “Processing” or “Process” — any operation or set of operations performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” or “Service Provider” — an entity which Processes Personal Data on behalf of the Controller. For the purposes of this DPA, MoneyMind Profile is the Processor.
- “Security Incident” — any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by MoneyMind Profile in connection with the provision of the Services. Security Incidents exclude unsuccessful attempts that do not compromise the security of Personal Data.
- “Sensitive Personal Data” — Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a natural person's sex life or sexual orientation. Under some Data Protection Laws (e.g., CCPA), Sensitive Personal Information also includes Social Security numbers, financial account information, precise geolocation, and content of communications.
- “Sub-Processor” — any Processor engaged by MoneyMind Profile to Process Personal Data on behalf of Customer in connection with the Services.
- “UK GDPR” — the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.
2.2 Interpretation
Unless the context otherwise requires: defined terms in the singular include the plural and vice versa; references to sections, annexes, and schedules are to sections of and annexes and schedules to this DPA; “including” and similar terms mean “including without limitation”; headings are for convenience only and do not affect interpretation.
3. Roles and Responsibilities
3.1 Controller-Processor Relationship
The Parties acknowledge and agree that: (a) Customer is the Controller (or Business under CCPA) which determines the purposes and means of Processing Personal Data; (b) MoneyMind Profile is the Processor (or Service Provider under CCPA) which Processes Personal Data on behalf of and upon the instructions of Customer; and (c) this DPA establishes the respective obligations of the Controller and the Processor.
3.2 Customer as Controller
Customer, as Controller, shall: ensure that Customer's instructions comply with all applicable Data Protection Laws and Regulations; obtain and maintain all necessary consents, authorizations, and legal bases for the collection and Processing of Personal Data; ensure the accuracy, quality, and legality of Personal Data; remain solely responsible for responding to Data Subject Requests and handling complaints; implement and maintain appropriate technical and organizational measures to secure Personal Data; and not Process Sensitive Personal Data through the Services unless Customer has obtained appropriate consents under applicable law.
3.3 MoneyMind Profile as Processor
MoneyMind Profile, as Processor, shall: Process Personal Data only in accordance with Customer's documented instructions; ensure that persons authorized to Process Personal Data have committed themselves to confidentiality; implement and maintain appropriate technical and organizational measures as described in Section 8 and Annex 3; respect the conditions for engaging Sub-Processors as described in Section 7; assist Customer in responding to Data Subject Requests as described in Section 9; assist Customer in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations; at Customer's election, delete or return all Personal Data after the end of the provision of Services; make available all information reasonably necessary to demonstrate compliance with this DPA; and immediately inform Customer if an instruction from Customer infringes applicable Data Protection Laws and Regulations.
4. Details of Processing
4.1 Subject Matter and Duration
Subject Matter: Provision of the MoneyMind Profile software-as-a-service platform and related services to enable Customer to conduct financial advisory services, including client behavior profiling, risk tolerance assessment, and client relationship management.
Duration: Processing will continue for the Term of the Agreement plus any period reasonably necessary to delete or return Personal Data in accordance with Section 13.
4.2 Nature and Purpose of Processing
MoneyMind Profile will Process Personal Data by hosting, storing, managing, and enabling Customer and Authorized Users to access, input, modify, analyze, import, and export Personal Data through the Services — to enable Customer to conduct behavior profiling and risk tolerance assessments of End Clients, manage client relationships through CRM functionality, and comply with regulatory and professional record-keeping obligations.
4.3 Types of Personal Data
End Client Personal Data: identity information (names, dates of birth, contact details), financial information (income, assets, liabilities, net worth, investment portfolio asset allocation), behavioral data (risk tolerance responses, financial goals, investment preferences), professional and demographic information (employment, occupation, family status, life stage), advisor and client reports (behavioral and risk profile analysis), and communication records (emails, notes, meeting summaries).
Authorized User Personal Data: identity information (names, contact details), professional information (job title, credentials, licenses), account and authentication information (usernames, login activity), and usage data (features accessed, documents created, activity logs).
Sensitive Personal Data (if authorized by Customer): information revealing racial or ethnic origin, religious beliefs, or other special categories (only if provided by Customer).
4.4 Categories of Data Subjects
- End Clients (individuals receiving financial advice from Customer)
- Authorized Users (Customer's employees, contractors, and authorized representatives)
- Prospective clients (individuals in Customer's CRM)
5. Customer Instructions
5.1 Scope of Instructions
Customer instructs MoneyMind Profile to Process Personal Data: to provide the Services in accordance with the Agreement (including hosting, storing, enabling access, generating outputs, providing support, performing backups, maintaining security and integrity); as necessary to comply with applicable laws and regulations; to create Aggregated Data in accordance with the Data Aggregation and De-Identification Policy and the terms set forth in Section 9 of the Agreement; and as otherwise documented in writing by Customer through Order Forms, support tickets, or other written communications.
5.2 Compliance with Instructions
MoneyMind Profile shall Process Personal Data only in accordance with Customer's documented instructions unless Processing is required by EU or Member State law, UK law, Australian law, US federal or state law, or other applicable law (in which case MoneyMind Profile shall inform Customer before Processing unless prohibited by law); or Processing is necessary to provide the Services requested by Customer (e.g., routine system maintenance, backup processes).
5.3 Objection to Instructions
If MoneyMind Profile becomes aware that Customer's instructions infringe applicable Data Protection Laws and Regulations, MoneyMind Profile shall immediately inform Customer in writing of the suspected infringement and suspend Processing of Personal Data in accordance with the suspected unlawful instruction until Customer confirms the instruction has been modified or withdrawn, or provides legal justification for the instruction. MoneyMind Profile shall not be liable for any failure to comply with instructions that MoneyMind Profile reasonably believes to be unlawful.
5.4 Additional Instructions
Customer may issue additional written instructions regarding the Processing of Personal Data, provided that such instructions are consistent with the terms of this DPA and the Agreement, MoneyMind Profile has agreed in writing to the additional instructions, and Customer pays any additional fees agreed upon for Processing pursuant to such instructions.
6. Processor Obligations
6.1 Confidentiality
MoneyMind Profile shall ensure that any person authorized to Process Personal Data is subject to a contractual or statutory obligation of confidentiality, has received appropriate training on data protection and privacy obligations, and Processes Personal Data only as necessary to perform their duties in connection with providing the Services.
6.2 Security Measures
MoneyMind Profile shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing Personal Data, as further described in Section 8 and Annex 3.
6.3 Sub-Processing
MoneyMind Profile shall engage Sub-Processors only in accordance with Section 7 of this DPA.
6.4 Assistance with Data Subject Rights
MoneyMind Profile shall provide reasonable assistance to Customer in fulfilling Customer's obligation to respond to Data Subject Requests, as described in Section 9.
6.5 Assistance with Security and Compliance
MoneyMind Profile shall assist Customer in ensuring compliance with security obligations under Data Protection Laws and Regulations, with data breach notifications (Section 10), and with data protection impact assessments and prior consultations with supervisory authorities (Section 11).
6.6 Deletion or Return of Personal Data
At the end of the provision of Services, MoneyMind Profile shall delete or return Personal Data in accordance with Section 13.
6.7 Audit and Information Provision
MoneyMind Profile shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections as described in Section 12.
6.8 Record of Processing Activities
MoneyMind Profile shall maintain written records of all categories of Processing activities carried out on behalf of Customer, in accordance with Article 30(2) of the GDPR and equivalent provisions in other Data Protection Laws and Regulations.
6.9 Data Protection Officer
MoneyMind Profile has designated a Data Protection Officer (“DPO”) who may be contacted at dpo@moneymindprofile.com for matters related to the Processing of Personal Data under this DPA.
7. Sub-Processors
7.1 Authorization to Use Sub-Processors
Customer provides general authorization for MoneyMind Profile to engage Sub-Processors to Process Personal Data on Customer's behalf, subject to the conditions in this Section 7.
7.2 Current Sub-Processors
A current list of Sub-Processors engaged by MoneyMind Profile is published and maintained at moneymindprofile.com/legal/subprocessors. As of the Effective Date of this DPA, MoneyMind Profile's Sub-Processors include:
- Amazon Web Services, Inc.
- GitHub
- Supabase
- Vercel
7.3 New Sub-Processors
MoneyMind Profile shall provide Customer with at least thirty (30) days' prior written notice before engaging any new Sub-Processor or replacing an existing Sub-Processor, via email to Customer's primary contact and an update to the Sub-Processor list. Customer may object on reasonable data protection grounds within fourteen (14) days of the notice. If the Parties are unable to resolve Customer's objection within a reasonable period (not to exceed ninety (90) days), Customer may terminate the affected Services and receive a pro-rata refund of prepaid Fees.
7.4 Sub-Processor Obligations
MoneyMind Profile shall enter into an agreement with each Sub-Processor imposing data protection obligations no less protective than those imposed on MoneyMind Profile under this DPA, including Processing only on documented instructions, confidentiality obligations, appropriate security measures, assistance with Data Subject Requests and security obligations, deletion or return of Personal Data, and audit rights. MoneyMind Profile shall remain fully liable to Customer for the performance of each Sub-Processor's obligations.
7.5 Sub-Processor Access to Contracts
Upon Customer's request, MoneyMind Profile shall provide Customer with a copy of the Sub-Processor agreement (redacted to remove confidential commercial information not relevant to data protection obligations) or a summary thereof.
8. Security Measures
8.1 Security Obligations
MoneyMind Profile shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents and to ensure a level of security appropriate to the risk of Processing, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risks to the rights and freedoms of Data Subjects.
8.2 Technical and Organizational Measures
(a) Encryption: Data in transit encrypted using TLS 1.2 or higher; data at rest encrypted using AES-256 or equivalent; database encryption and encrypted backups.
(b) Access Controls: Multi-factor authentication (MFA) for all administrative access; role-based access control (RBAC) limiting access based on job function; principle of least privilege; regular access reviews and revocations.
(c) Network Security: Firewalls and intrusion detection/prevention systems; network segmentation and isolation; DDoS protection and mitigation; regular vulnerability scanning and penetration testing.
(d) Application Security: Secure software development lifecycle (SDLC); code reviews and security testing; input validation and output encoding; protection against OWASP Top 10 vulnerabilities.
(e) Personnel Security: Background checks for employees with access to Personal Data; confidentiality agreements for all personnel; regular security awareness training; separation of duties.
(f) Physical Security: Secure data centers with access controls (via third-party hosting providers); 24/7 monitoring and surveillance; environmental controls (power, cooling, fire suppression).
(g) Monitoring and Incident Response: Security information and event management (SIEM); 24/7 security monitoring; incident response plan and procedures; regular security drills and tabletop exercises.
8.3 Security Certifications and Audits
MoneyMind Profile maintains or is working toward SOC 2 Type II attestation (in progress) and ISO/IEC 27001 certification (planned). Upon Customer's reasonable request (not more than once annually), MoneyMind Profile will provide a summary of its security measures and controls, copies of current security certifications or attestation reports, and a summary of penetration test results (redacted for security).
8.4 Updates to Security Measures
MoneyMind Profile may update or modify its security measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services.
8.5 Customer Security Responsibilities
Customer is responsible for implementing strong password policies and enforcing MFA; managing Authorized User accounts and access permissions; promptly revoking access for terminated users; reporting suspected security incidents to support@moneymindprofile.com; maintaining security of Customer's own systems and networks; and regularly backing up and exporting Personal Data.
9. Data Subject Rights
9.1 Assistance Obligation
Taking into account the nature of the Processing, MoneyMind Profile shall provide reasonable assistance to Customer to enable Customer to respond to Data Subject Requests, including requests for access, rectification, erasure (“right to be forgotten”), restriction of Processing, data portability, objection to Processing, and rights related to automated decision-making and profiling.
9.2 Data Subject Request Procedures
If MoneyMind Profile receives a Data Subject Request directly from a Data Subject, MoneyMind Profile shall promptly forward the request to Customer (within 2 Business Days) and not respond to the Data Subject directly without Customer's prior written authorization. If Customer requests MoneyMind Profile's assistance, MoneyMind Profile shall provide the requested assistance within ten (10) Business Days and provide access to relevant Personal Data through the Platform's export functionality or other means.
MoneyMind Profile's assistance is included in the Fees for the Services, except that MoneyMind Profile may charge reasonable fees for assistance with Data Subject Requests that are manifestly unfounded or excessive, or require significant custom development or engineering effort.
9.3 Limitations
MoneyMind Profile is not required to assist with Data Subject Requests to the extent that Customer has the ability to address the request through use of the Platform's functionality, the request relates to Personal Data for which Customer (not MoneyMind Profile) is responsible, or complying with the request would violate applicable law or legal obligations to which MoneyMind Profile is subject.
9.4 Automated Decision-Making
Customer acknowledges that the Services provide tools and analytics to assist Customer in making decisions, but the Services do not make automated decisions that produce legal effects or similarly significantly affect Data Subjects. Customer remains responsible for all decisions made regarding End Clients.
10. Data Breach Notification
10.1 Notification to Customer
MoneyMind Profile shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident. The Parties acknowledge that the seventy-two (72) hour period in Article 33(1) of the GDPR and UK GDPR applies to Customer's notification to the supervisory authority and runs from the time Customer becomes aware of the breach, and that the Australian Notifiable Data Breaches scheme and US state breach notification laws impose their own timing requirements on Customer. MoneyMind Profile shall therefore notify Customer as early as practicable within that period and, where the information described in Section 10.2 is not all available at once, shall provide it in phases without further undue delay.
10.2 Notification Content
The notification shall include, to the extent available: description of the nature of the Security Incident including categories and approximate number of affected Data Subjects and Personal Data records; name and contact details of MoneyMind Profile's DPO or other contact point; description of the likely consequences of the Security Incident; description of measures taken or proposed to address the Security Incident; and timeline of events and discovery of the incident.
10.3 Notification Method
Notification will be delivered via email to the primary contact email address on file, by in-Platform alert (if accessible), and by phone call to the primary contact (for critical incidents).
10.4 Investigation and Remediation
MoneyMind Profile shall promptly investigate the Security Incident, take reasonable steps to contain and remediate it, cooperate with Customer in investigating it, provide timely updates (at least weekly for ongoing incidents), and implement measures to prevent similar Security Incidents in the future.
10.5 Customer Obligations
Customer is responsible for determining whether the Security Incident requires notification to Data Subjects, supervisory authorities, or other parties under applicable Data Protection Laws and Regulations. MoneyMind Profile's notification to Customer does not constitute an acknowledgment of fault or liability. MoneyMind Profile will not notify Data Subjects, supervisory authorities, or third parties on Customer's behalf without Customer's prior written consent (except where required by law).
10.6 Exclusions
The notification obligations do not apply to incidents that do not result in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data; are caused solely by Customer or Authorized Users; or consist of unsuccessful attempts that do not compromise Personal Data.
11. Data Protection Impact Assessments
11.1 Assistance with DPIAs
MoneyMind Profile shall provide reasonable assistance to Customer if Customer is required to conduct a Data Protection Impact Assessment (“DPIA”) under Article 35 of the GDPR or equivalent provisions in other Data Protection Laws and Regulations.
11.2 Information Provision
Upon Customer's reasonable request, MoneyMind Profile shall provide description of the Processing operations, information about security measures implemented (see Annex 3), information about Sub-Processors, information about data retention and deletion practices, and other information reasonably necessary for Customer to complete the DPIA.
11.3 Prior Consultation
If Customer is required to consult with a supervisory authority following a DPIA, MoneyMind Profile shall provide reasonable assistance and cooperation, including providing additional information or clarification as requested by the supervisory authority through Customer.
11.4 Limitation
MoneyMind Profile's assistance does not include conducting the DPIA on Customer's behalf (this is Customer's responsibility as Controller), making decisions about whether a DPIA is required, or providing legal or compliance advice regarding the DPIA.
12. Audits and Inspections
12.1 Customer's Audit Rights
Customer (or Customer's independent third-party auditor) may, upon reasonable advance written notice to MoneyMind Profile and subject to the conditions in this Section 12, audit MoneyMind Profile's compliance with its obligations under this DPA.
12.2 Audit Frequency and Scope
Customer may conduct audits no more than once per twelve (12) month period (except if required by a supervisory authority, in response to a Security Incident, or if Customer has reasonable grounds to believe MoneyMind Profile is not complying with this DPA). Customer shall provide at least thirty (30) days' advance written notice specifying the proposed scope, duration, date(s), and identity of any third-party auditors.
12.3 Third-Party Auditors
If Customer engages a third-party auditor, the auditor must be independent, reputable, and bound by confidentiality obligations no less protective than those in the Agreement; must be approved by MoneyMind Profile (such approval not to be unreasonably withheld); and may not be a competitor of MoneyMind Profile.
12.4 Audit Procedures
Audits shall be conducted during normal business hours (9:00 AM – 5:00 PM local time, Monday–Friday, excluding public holidays), at MoneyMind Profile's facilities or remotely via secure connection at MoneyMind Profile's discretion, in a manner that does not unreasonably disrupt MoneyMind Profile's operations or those of other customers, and subject to MoneyMind Profile's reasonable security policies and procedures.
12.5 Alternative to Audit
In lieu of an on-site audit, MoneyMind Profile may provide copies of relevant security certifications (SOC 2 Type II, ISO 27001) obtained within the preceding twelve (12) months, summary reports of internal or third-party audits, completed third-party audit questionnaires (e.g., SIG, CAIQ), or other information sufficient to verify compliance with this DPA. If Customer accepts such alternative verification, no on-site audit is required.
12.6 Audit Reports
Customer shall provide MoneyMind Profile with a draft audit report and allow MoneyMind Profile at least ten (10) Business Days to comment on the accuracy of factual findings before finalizing the report. Audit reports are Confidential Information of MoneyMind Profile. If an audit identifies non-compliance, MoneyMind Profile shall acknowledge the findings within ten (10) Business Days, prepare a remediation plan within thirty (30) days, and implement corrective measures within a reasonable timeframe agreed with Customer.
12.7 Costs
Each Party shall bear its own costs related to audits.
13. Deletion and Return of Data
13.1 Deletion or Return
Upon termination or expiration of the Agreement, or upon Customer's written request, MoneyMind Profile shall, at Customer's election, either delete all Personal Data in accordance with Section 13.2, or return all Personal Data to Customer in a commercially reasonable format in accordance with Section 13.3.
13.2 Deletion
MoneyMind Profile shall delete Personal Data within thirty (30) days after termination or expiration of the Agreement, or promptly upon Customer's written request during the Agreement, to the extent feasible while continuing to provide the Services. Deletion shall be carried out using secure deletion methods that render Personal Data unrecoverable, including overwriting or cryptographic erasure of primary storage and deletion from backups in accordance with MoneyMind Profile's standard backup retention schedule (backups are retained for up to ninety (90) days, after which they are securely deleted). Upon Customer's request, MoneyMind Profile shall provide written certification that Personal Data has been deleted.
13.3 Return
If Customer elects return of Personal Data, MoneyMind Profile shall return the data in a structured, commonly used, machine-readable format (e.g., CSV, JSON, XML) or via the Platform's standard export functionality, using secure electronic transfer or another secure method agreed upon by the Parties. Return shall be completed within thirty (30) days of Customer's request. After returning Personal Data to Customer, MoneyMind Profile shall delete all copies of Personal Data in accordance with Section 13.2.
13.4 Exceptions
MoneyMind Profile may retain Personal Data to the extent required by applicable law, provided that MoneyMind Profile shall inform Customer of any legal requirement to retain Personal Data; retained Personal Data shall be subject to confidentiality obligations and shall not be Processed for any purpose other than compliance with the legal requirement; and MoneyMind Profile shall delete the retained Personal Data as soon as the legal requirement expires.
13.5 Aggregated Data
The deletion and return obligations in this Section 13 do not apply to Aggregated Data (as defined in the Agreement and Data Aggregation and De-Identification Policy) that has been properly de-identified and anonymized such that it no longer constitutes Personal Data under applicable Data Protection Laws and Regulations.
14. CCPA and US State Privacy Laws
14.1 Application
This Section 14 applies to the extent that MoneyMind Profile Processes Personal Information (as defined in the CCPA) on behalf of Customer, and Customer is subject to the CCPA or other US state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.).
14.2 Service Provider Status
The Parties acknowledge and agree that Customer is a Business (as defined in the CCPA) that determines the purposes and means of Processing Personal Information; MoneyMind Profile is a Service Provider (as defined in the CCPA) that Processes Personal Information on behalf of Customer; and Personal Information is disclosed by Customer to MoneyMind Profile solely for the Business Purpose of providing the Services as described in the Agreement.
14.3 Service Provider Obligations
MoneyMind Profile certifies that it understands the restrictions in CCPA Section 1798.140(v) and agrees that it shall not sell or share (as those terms are defined in the CCPA) Personal Information received from Customer or collected on Customer's behalf; shall not retain, use, or disclose Personal Information for any purpose other than for the specific Business Purpose of performing the Services specified in the Agreement or as permitted by the CCPA for Service Providers; and shall not combine Personal Information received from Customer with Personal Information received from or on behalf of another person or persons, or collected from MoneyMind Profile's own interactions with consumers, except as permitted by the CCPA.
14.4 Consumer Rights Assistance
MoneyMind Profile shall provide reasonable assistance to Customer in responding to verified consumer requests under the CCPA, including requests to know what Personal Information is being collected, delete Personal Information, correct inaccurate Personal Information, opt out of sale or sharing (not applicable, as MoneyMind Profile does not sell or share), and limit use of Sensitive Personal Information (to the extent applicable).
14.5 Sensitive Personal Information
To the extent MoneyMind Profile Processes Sensitive Personal Information (as defined under CCPA and other US state laws), MoneyMind Profile shall use and disclose such Sensitive Personal Information only to perform the Services, as necessary for security and integrity purposes, for short-term, transient use, and as permitted under CCPA Section 1798.121(a) and equivalent provisions in other US state laws.
14.6 Other US State Privacy Laws
The obligations in this Section 14 apply mutatis mutandis to Customer's and MoneyMind Profile's respective obligations under Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and other substantially similar US state privacy laws.
15. Australian Privacy Principles
15.1 Application
This Section 15 applies to the extent that MoneyMind Profile Processes Personal Information (as defined under the Australian Privacy Act 1988) on behalf of Customer, and Customer is subject to the Privacy Act and Australian Privacy Principles (APPs).
15.2 Compliance with APPs
MoneyMind Profile agrees to comply with the APPs to the extent applicable to MoneyMind Profile as a Processor, including APP 1 (Open and Transparent Management — maintaining this DPA and making information about privacy practices available), APP 8 (Cross-border Disclosure — taking reasonable steps to ensure overseas recipients do not breach the APPs), and APP 11 (Security — taking reasonable steps to protect Personal Information from misuse, interference, loss, unauthorized access, modification, or disclosure).
15.3 Notifiable Data Breaches
In the event of an Eligible Data Breach (as defined under Part IIIC of the Privacy Act 1988), MoneyMind Profile shall notify Customer as soon as practicable and in any event within seventy-two (72) hours; provide Customer with sufficient information to enable Customer to assess whether notification to the OAIC and affected individuals is required; and cooperate with Customer in Customer's assessment and notification obligations.
15.4 OAIC Complaints
If a complaint is made to the OAIC regarding MoneyMind Profile's handling of Personal Information, MoneyMind Profile shall notify Customer promptly, cooperate with Customer and the OAIC in investigating the complaint, and provide information and assistance as reasonably requested.
15.5 Australian Data Hosting
Upon Customer's request, MoneyMind Profile may offer the option to host Customer's Personal Data exclusively in Australian data centers (AWS ap-southeast-2 region), subject to availability of the feature, additional fees as specified in an Order Form, and execution of an addendum specifying data residency requirements.
16. Liability and Indemnification
16.1 Liability
Each Party's liability under this DPA is subject to the limitation of liability provisions in the Agreement. Notwithstanding the limitation of liability, neither Party limits or excludes its liability for gross negligence or willful misconduct in the Processing of Personal Data; breach of confidentiality obligations regarding Personal Data; fraud or fraudulent misrepresentation; or liabilities that cannot be limited or excluded under applicable Data Protection Laws and Regulations.
16.2 Indemnification by Customer
Customer shall indemnify, defend, and hold harmless MoneyMind Profile from and against any claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising from or relating to Customer's violation of applicable Data Protection Laws and Regulations; Customer's failure to obtain necessary consents or provide required notices to Data Subjects; Customer's Processing of Personal Data in violation of this DPA or applicable law; and inaccurate, unlawful, or fraudulent information provided by Customer or Authorized Users.
16.3 Indemnification by MoneyMind Profile
MoneyMind Profile shall indemnify, defend, and hold harmless Customer from and against any claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys' fees) arising from or relating to MoneyMind Profile's material breach of its obligations under this DPA; MoneyMind Profile's gross negligence or willful misconduct in the Processing of Personal Data; and MoneyMind Profile's violation of applicable Data Protection Laws and Regulations in the performance of its obligations as Processor (excluding violations caused by Customer's instructions).
16.4 Allocation of Responsibility
Customer (as Controller) is solely responsible for: determining the lawfulness of Processing; obtaining consents and providing notices to Data Subjects; determining retention periods; responding to Data Subject Requests (except to the extent MoneyMind Profile must assist); notifying supervisory authorities and Data Subjects of data breaches; conducting Data Protection Impact Assessments; and ensuring accuracy and lawfulness of Personal Data provided to MoneyMind Profile.
MoneyMind Profile (as Processor) is solely responsible for: Processing Personal Data only on instructions; implementing appropriate security measures; engaging Sub-Processors in accordance with this DPA; assisting Customer with Data Subject Requests, security obligations, and DPIAs; notifying Customer of Security Incidents; and deleting or returning Personal Data.
17. Term and Termination
17.1 Term
This DPA shall become effective on the Effective Date and shall remain in effect for so long as MoneyMind Profile Processes Personal Data on behalf of Customer, including during the term of the Agreement and for such additional period as is necessary for MoneyMind Profile to delete or return Personal Data in accordance with Section 13.
17.2 Termination
This DPA shall automatically terminate upon the earlier of: termination or expiration of the Agreement, or completion of MoneyMind Profile's deletion or return of all Personal Data in accordance with Section 13.
17.3 Survival
The following provisions shall survive termination of this DPA: Section 8 (Security Measures) with respect to any Personal Data retained pursuant to Section 13.4; Section 10 (Data Breach Notification) with respect to any Security Incidents occurring before termination; Section 13 (Deletion and Return of Data); Section 16 (Liability and Indemnification); and Section 18 (General Provisions).
18. General Provisions
18.1 Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Agreement for Customer's jurisdiction: New South Wales, Australia (for Australian customers); England and Wales (for UK customers); or State of New York, United States (for US customers). Disputes arising from this DPA shall be resolved in accordance with the dispute resolution provisions in the Agreement.
18.2 Order of Precedence
In the event of any conflict or inconsistency between the documents forming the relationship between the Parties, the following order of precedence applies (highest to lowest): this Data Processing Agreement (for data protection matters only), EU Standard Contractual Clauses (Annex 1), the Master Services Agreement or other Agreement, and Order Forms and Statements of Work. In the event of any conflict between the main body of this DPA and the Annexes, the Annexes shall prevail with respect to the specific matters they govern.
18.3 Entire Agreement
This DPA, together with the Agreement, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior agreements, understandings, and representations (whether written or oral) relating to such Processing.
18.4 Amendments
This DPA may only be amended or modified by mutual written agreement of the Parties, or by MoneyMind Profile where required to comply with changes in Data Protection Laws and Regulations, provided that MoneyMind Profile provides Customer with at least ninety (90) days' advance written notice of the amendment, the amendment does not materially reduce Customer's rights or increase Customer's obligations, and if Customer objects on reasonable data protection grounds, Customer may terminate the Agreement.
18.5 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the validity, legality, and enforceability of the remaining provisions shall not be affected or impaired. The Parties shall negotiate in good faith to replace the invalid provision with a valid provision that achieves the same or similar objective.
18.6 Waiver
No failure or delay by either Party in exercising any right under this DPA shall operate as a waiver, nor shall any single or partial exercise of any right preclude any other or further exercise of that or any other right.
18.7 Assignment
Neither Party may assign or transfer this DPA without the prior written consent of the other Party, except that MoneyMind Profile may assign this DPA in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided that the assignee agrees in writing to be bound by the terms of this DPA.
18.8 Third-Party Beneficiaries
Except as expressly provided in the EU Standard Contractual Clauses (Annex 1), this DPA does not confer any rights upon any person or entity other than the Parties.
18.9 Notices
All notices under this DPA shall be provided in accordance with the notice provisions in the Agreement. For DPA-specific notices, contact: MoneyMind Profile — Email: info@moneymindprofile.com, Attn: Data Protection Officer, Legal Department, or Privacy Officer.
18.10 General Interpretation
This DPA is executed in English. If translated into any other language, the English version shall prevail in the event of any conflict or inconsistency. This DPA may be executed in counterparts with electronic signatures having the same legal effect as original signatures. To the extent that the EU Standard Contractual Clauses conflict with any provision of this DPA, the SCCs or UK IDTA (as applicable) shall prevail with respect to transfers of Personal Data to which they apply. In the event of any ambiguity or uncertainty, the interpretation most favorable to the protection of Personal Data and the rights of Data Subjects shall apply. Neither Party shall be liable for any failure or delay in performance due to causes beyond its reasonable control, except this provision does not excuse Customer's payment obligations, MoneyMind Profile's security obligations under Section 8, or MoneyMind Profile's data breach notification obligations under Section 10.
Version 1.0 · Effective Date: January 20, 2026
Annex 1 — EU Standard Contractual Clauses (2021/914)
Application
This Annex 1 applies to transfers of Personal Data from the European Economic Area (EEA) to countries not recognized by the European Commission as providing an adequate level of data protection.
Section I — Purpose and Scope
Clause 1 — Purpose. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
Clause 2 — Invariability of the Clauses. The Parties undertake not to modify the Clauses. This does not preclude the Parties from adding clauses on business-related issues where required, as long as they do not contradict the Clauses.
Clause 3 — Interpretation. (a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation. (b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679. (c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 4 — Hierarchy. In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Module Two — Controller to Processor
The following clauses apply where the data exporter is a controller and the data importer is a processor:
Section II — Obligations of the Parties
Clause 8 — Data protection safeguards. The data importer shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (as described in Annex 3 to this DPA).
Clause 9 — Use of sub-processors. (a) The data importer has the data exporter's general authorisation for the engagement of sub-processors from the list published at moneymindprofile.com/legal/subprocessors. The data importer shall specifically inform the data exporter in writing of any intended changes to that list at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). (b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for the same data protection obligations as those binding the data importer under these Clauses. (c) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor's obligations under its contract with the data importer.
Clause 10 — Data subject rights. The data importer shall assist the data exporter in responding to requests by data subjects to exercise their rights under Regulation (EU) 2016/679, as described in Section 9 of the main DPA.
Clause 11 — Redress. (a) The data importer shall inform data subjects in a transparent and easily accessible format of a contact point authorised to handle complaints. The contact point is: dpo@moneymindprofile.com. (b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion.
Clause 12 — Liability. (a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses. (b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses. (c) The Parties agree that if the data exporter is held liable under paragraph (b) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer's responsibility for the damage.
Clause 13 — Supervision. (a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority. (b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses.
Section III — Local Laws and Obligations in case of Access by Public Authorities
Clause 14 — Local laws and practices affecting compliance with the Clauses. (a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. (b) The Parties agree that the documentation listed in Annex 1-A demonstrates that the data importer has conducted a Transfer Impact Assessment and implemented supplementary measures as needed.
Clause 15 — Obligations of the data importer in case of access by public authorities. (a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly if it receives a legally binding request from a public authority for disclosure of personal data, or becomes aware of any direct access by public authorities to personal data. (b) The data importer agrees to challenge the request if it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination.
Annex 1-A — List of Parties and Description of Transfer
Data exporter(s):
- Name: NA (Customer, as identified in the Agreement)
- Contact person: NA (as specified in the Agreement)
- Role: Controller
Data importer(s):
- Name: MoneyMind Profile Pty Ltd
- Contact person: Data Protection Officer, info@moneymindprofile.com
- Role: Processor
Description of transfer:
- Categories of data subjects: End Clients, Authorized Users (as described in Section 4.4 of DPA)
- Categories of personal data: As described in Section 4.3 of DPA
- Sensitive data: As described in Section 4.3 of DPA (if applicable)
- Frequency of transfer: Continuous during provision of Services
- Nature of processing: Hosting, storage, management as described in Section 4.2 of DPA
- Purpose of transfer: Provision of Services as described in Section 4.2 of DPA
- Retention period: As described in Section 13 of DPA
- Sub-processors: As listed at moneymindprofile.com/legal/subprocessors
Competent supervisory authority: The supervisory authority in the data exporter's jurisdiction (e.g., CNIL for France, ICO for the UK)
Annex 2 — Sub-Processors List
The current list of Sub-Processors engaged by MoneyMind Profile is maintained at moneymindprofile.com/legal/subprocessors.
Annex 3 — Technical and Organizational Security Measures
A summary of MoneyMind Profile's technical and organizational security measures is provided in Section 8 of this DPA. The full Technical and Organizational Security Measures document is provided upon request to Customers under NDA. Contact info@moneymindprofile.com to request a copy.