Draft — pending counsel review. This Data Processing Addendum reflects Mortgage Dude Holdings' processor commitments. Counsel familiar with GLBA, FTC Safeguards Rule (16 CFR Part 314), state data-privacy laws (TX TDPSA, CA CPRA, CO CPA, VA VCDPA), and SaaS DPA practice should review before adoption.

Data Processing Addendum

Effective: [DATE] · Last updated: [DATE] · Version 1.0

This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the Terms of Service (the "Agreement") between Mortgage Dude Holdings, LLC, a Texas limited liability company ("MDH," "Processor"), and the customer entity that has accepted the Agreement ("Customer" or "Controller"). This DPA applies whenever Customer's use of the Service results in MDH processing non-public personal information ("NPI") of Customer's borrowers or other end-individuals.

In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the processing of NPI.

1. Definitions

  • NPI — non-public personal information as defined at 16 CFR § 313.3(n) under the Gramm-Leach-Bliley Act, including borrower identifiers and financial information that Customer uploads to the Service or that the Service generates from such uploads.
  • Personal Information — personal information, personal data, or personally identifiable information as defined under any applicable state privacy law.
  • Processing — any operation performed on NPI or Personal Information, whether automated or manual, including collection, storage, transmission, structuring, use, disclosure, deletion, or destruction.
  • Sub-processor — any third party engaged by MDH to process NPI or Personal Information on Customer's behalf in connection with the Service.
  • Service — the LoanIQ platform as defined in the Agreement.

2. Scope and roles

Customer is the GLBA-covered "financial institution" with respect to its borrowers' NPI and is the "controller" or "business" with respect to any Personal Information uploaded to the Service. MDH is Customer's service provider, processor, and (to the extent applicable under state law) "service provider" or "processor." MDH does not own the borrower relationship, does not issue privacy notices to Customer's consumers, does not extend credit, and does not exercise independent decisional authority over Customer's underwriting.

MDH processes NPI only on Customer's documented instructions, which are deemed to include the use of the Service's intended features (Income OCR, Scenario Desk, Income Calculator, Loan Comparison) as offered by MDH.

3. Categories of NPI processed

Through the Service, MDH may process the following categories of NPI on Customer's behalf:

  • Borrower documents uploaded to Income OCR (tax returns, paystubs, bank statements) — present in Firebase Storage at rest and transmitted to the AI sub-processor for extraction.
  • Structured income, asset, and tax-return field data extracted from the above — persisted in Customer's owner-scoped Firestore tree.
  • Borrower scenario inputs typed by Customer into the Income Calculator or other Service surfaces — persisted in Customer's owner-scoped Firestore tree.
  • Customer-borrower client-record information typed by Customer (name, contact info, file references).

MDH's tool-schema design intentionally excludes Social Security Numbers, full bank account numbers, driver license numbers, and dates of birth from the AI extraction response, regardless of what appears on the source document. See the AI Governance Policy at myloaniq.ai/ai-governance Section 7C.

4. Data subjects

Borrowers and prospective borrowers of Customer; Customer's employees and contractors who use the Service; any other individual whose information Customer uploads to the Service.

5. Purpose and duration of processing

MDH processes NPI solely to provide the Service to Customer pursuant to the Agreement, including (a) hosting borrower documents in Customer's owner-scoped storage, (b) running AI/ML inference (Income OCR extraction, Scenario Desk retrieval, Ask Lola explanations) on Customer-supplied inputs, (c) maintaining the audit trail described in Section 7D of the AI Governance Policy, and (d) supporting Customer's compliance disclosures to its regulators on request.

MDH does not use NPI for product analytics, marketing, advertising, model training, or any other purpose outside the contracted Service.

Processing continues for the term of the Agreement and any deletion grace period thereafter (Section 12).

6. Sub-processors

Customer authorizes MDH to engage the sub-processors listed below. MDH's current sub-processor inventory is published in the AI Governance Policy, Section 8, and is updated as material changes occur.

  • Google LLC / Google Cloud Platform — Firebase + Cloud Run + Cloud Functions + Cloud Storage + Firestore + Authentication — used for application hosting, account management, owner-scoped file storage, serverless compute, and identity. Data residency: us-central1. Google Cloud DPA on file. Encryption at rest (Google-managed AES-256) and in transit (TLS 1.2+) by default.
  • Google LLC / Google Cloud Vision API — used by the Income OCR pipeline to perform optical character recognition on borrower PDFs (tax returns, paystubs, bank statements). Cloud Vision receives the full PDF synchronously and returns extracted text and bounding boxes; it does not retain document content beyond the operational window required to return a response. Cloud Vision is covered under the same Google Cloud DPA as Firebase / Cloud Storage. Cloud Vision processes the document inside Google Cloud (Cloud Functions ↔ Cloud Vision is a Google-internal call). Output text is sanitized server-side before any onward LLM call (see Section 7).
  • Anthropic, PBC — provider of the Claude large language model. Anthropic is used for: (i) the Scenario Desk guideline-retrieval assistant; (ii) the Ask Lola contextual chat in the Income Calculator; (iii) the Income OCR structured-extraction step (Tax Return / Paystub / Bank Statement engines). For the Income OCR step, Anthropic receives ONLY the sanitized text output of the Cloud Vision step — the borrower PDF and unredacted OCR text never reach Anthropic. Anthropic processes prompts under standard API terms, which include a contractual commitment that customer prompt and completion data is not used for model training. Anthropic retains prompts and completions for up to 30 days for trust-and-safety review, after which they are auto-deleted. Because OCR prompts contain no borrower NPI (PII has been redacted prior to the Anthropic call), this retention does not present an NPI-disclosure concern for the OCR path.
  • Pinecone Systems, Inc. — vector database for the Scenario Desk retrieval index. Pinecone holds investor guideline text only; no borrower NPI is indexed in Pinecone.
  • Stripe, Inc. — billing and subscription processing. Stripe processes Customer's billing and payment information; it does not process borrower NPI.

Income OCR pipeline note: The Income OCR feature is implemented as OCR + sanitize + AI on sanitized text. The borrower PDF is processed by Cloud Vision; the OCR output passes through a server-side sanitization layer that redacts SSN / EIN / full account number / routing number / driver license / DOB / phone / email / credit-card-shaped numbers and tokenizes names and addresses for restoration after extraction; the sanitized text is then sent to Anthropic for structured extraction against a tool schema that itself excludes any field that could carry redacted PII. The full architecture is described in MDH's AI Governance Policy at myloaniq.ai/ai-governance, Section 7C.
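The redact-then-tokenize pattern in the pipeline note above can be illustrated as follows. This is an added example, not MDH's code and not part of this DPA's commitments; the regexes, placeholder format, `known_names` parameter, and sample text are assumptions constructed for the illustration.

```python
import re

# Constructed patterns (assumptions, not MDH's rules); specific before generic.
PATTERNS = [
    ("EMAIL", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EIN", re.compile(r"\b\d{2}-\d{7}\b")),
    ("CARD", re.compile(r"\b\d(?:[ -]?\d){12,15}\b")),
    ("PHONE", re.compile(r"(?:\(\d{3}\) ?|\b\d{3}[-.])\d{3}[-.]\d{4}\b")),
    ("DOB", re.compile(r"\b(?:DOB|Date of Birth)[: ]+\d{1,2}/\d{1,2}/\d{4}\b", re.I)),
    ("ACCT_OR_ROUTING", re.compile(r"\b\d{9,17}\b")),
]

def luhn_ok(digits):
    """Luhn checksum, so runs of dollar amounts are not redacted as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def sanitize(text, known_names):
    """Redact identifiers irreversibly; swap names for tokens only the caller can map back."""
    for label, rx in PATTERNS:
        def repl(m, label=label):
            if label == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group())):
                return m.group()  # fails checksum; later rules may still redact it
            return f"[{label}_REDACTED]"
        text = rx.sub(repl, text)
    token_map = {}
    for i, name in enumerate(sorted(set(known_names), key=len, reverse=True), 1):
        token = f"[[NAME_{i}]]"
        text, n = re.subn(re.escape(name), token, text, flags=re.I)
        if n:
            token_map[token] = name  # kept server-side, never sent onward
    return text, token_map

def restore(extracted, token_map):
    """Re-insert tokenized values into the extraction result, server-side."""
    for token, value in token_map.items():
        extracted = extracted.replace(token, value)
    return extracted

# Constructed sample OCR text; every value is fictitious.
SAMPLE = ("Employee: Jane Q Sample  SSN: 123-45-6789  DOB: 01/02/1980  EIN 12-3456789\n"
          "Phone (512) 555-0100  jane@example.com  routing 111000025 acct 000123456789\n"
          "Card 4111 1111 1111 1111  Gross pay 5200.00 YTD 62400.00")
```

Income figures pass through unchanged, while redacted identifiers have no entry in the token map and therefore cannot be restored from the model's output.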

Sub-processor changes: MDH will provide Customer with at least 30 days' advance notice (via email and/or in-app notification) before adding a new sub-processor that processes NPI. Customer may object in writing during the notice period; if MDH cannot reasonably accommodate Customer's objection, Customer may terminate the affected portion of the Service for convenience.

7. Security measures

MDH maintains the technical and organizational safeguards described in the AI Governance and Information Security Policy at myloaniq.ai/ai-governance, Section 7 (Controls and Operating Procedures). The Policy is incorporated into this DPA by reference and represents MDH's information security program for purposes of FTC Safeguards Rule § 314.4(f) flow-down. Material changes to the Policy follow the change-management cadence in Section 7G of the Policy and are disclosed to Customer per Section 9 of this DPA.

Specifically, MDH commits to (without limitation): owner-scoped access controls (Storage rules, Firestore rules, Cloud Run IAM); encryption of NPI at rest (Google-managed AES-256) and in transit (TLS 1.2+); tool-schema-enforced data minimization at the AI sub-processor boundary; an audit trail of every AI/ML invocation; documented incident response; and annual review of the Policy.

8. Confidentiality and personnel

MDH ensures that all personnel and contractors who access NPI are subject to written confidentiality obligations and have received appropriate information-security training (or are committed to receiving it per the AI Governance Policy, Section 12, element (e)).

9. Data incidents

"Data Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to NPI processed by MDH on Customer's behalf.

MDH will notify Customer without unreasonable delay, and in any event within 72 hours of MDH's confirmation of a Data Incident, by email to the contact Customer designates at sign-up or in the admin app. The notice will include, to the extent known: the nature of the incident, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the incident.

Customer is responsible for any borrower notifications required under applicable state breach-notification laws. MDH will reasonably cooperate with Customer's investigation and notification activities.

10. Audit

On Customer's reasonable written request and no more than once per calendar year (except in the event of a confirmed Data Incident or a regulator request), MDH will make available to Customer information necessary to demonstrate compliance with this DPA, including (a) the AI Governance Policy then in effect, (b) sub-processor inventory, (c) Customer's audit-log export for the requested period, and (d) responses to commercially reasonable security-questionnaire requests. Onsite audits are not contemplated; MDH does not maintain physical premises that hold NPI (NPI is held in Google Cloud).

11. Borrower / data-subject rights

Borrowers' GLBA Privacy Rule rights and applicable state-law data-subject rights run to Customer, not MDH. MDH does not respond to data-subject requests directly. On Customer's verified instruction, MDH will (a) delete specified NPI from Customer's tenant tree, (b) export specified NPI to Customer in machine-readable form, and (c) cease processing pending Customer's resolution of the underlying request. Anthropic-side 30-day standard retention cannot be accelerated by either party; this is disclosed to Customer in Section 6 of this DPA.

12. Return and deletion

On termination of the Agreement, Customer may export its data via in-app export tools. MDH will retain Customer data for 30 days after termination to allow Customer to retrieve any remaining data, after which MDH will delete Customer NPI from active systems within an additional 60 days. Backups containing Customer NPI age out per the underlying sub-processor's retention schedule (typically up to 90 days for Google Cloud backups).

13. International transfers

MDH and its sub-processors process NPI in the United States. MDH does not currently transfer NPI outside the United States. If a future sub-processor would process NPI outside the United States, MDH will obtain appropriate transfer mechanisms before such transfer occurs, and will treat the change as a sub-processor change under Section 6.

14. Term

This DPA takes effect when the Agreement does and continues for so long as MDH processes NPI on Customer's behalf, plus any deletion grace period under Section 12.

15. Limitation of liability

The limitations of liability in the Agreement apply to claims arising under this DPA. Notwithstanding the foregoing, MDH's indemnification obligations for any data-incident-related liability that arises from MDH's gross negligence or willful misconduct are not limited by this DPA where prohibited by applicable law.

16. Governing law

This DPA is governed by the laws of the State of Texas, except where applicable federal law or a state-specific privacy law imposes a different rule on a particular issue, in which case the more protective rule applies.

17. Contact

Mortgage Dude Holdings, LLC
Attn: Privacy / Data Protection
Austin, Texas
Email: austen@austensmith.com


By accepting the Terms of Service, Customer agrees to this DPA.