Data Processing Addendum
Last updated: February 10, 2026
Preamble
This Data Processing Addendum (the “DPA”) supplements and is subject to the Terms of Service or other executed agreement (the “Agreement”), as applicable, between Ply Financial, Inc. (“Ply”) and a business customer (“Customer”) governing Ply's provision of the Services to the Customer. In the event of any inconsistency or conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, the terms of this DPA will govern solely to the extent of such inconsistency or conflict.
This DPA sets out the terms that apply when Customer Personal Data is Processed by Ply under the Agreement. The purpose of the DPA is to ensure that such Processing is conducted in accordance with Data Protection Legislation and respects the rights of individuals whose Personal Data is Processed under the Agreement and applies to Ply and any of our affiliates involved in the Processing of Customer Personal Data.
1. Definitions
i. Business means an entity which, alone or jointly with others, determines the purposes and means of Processing Personal Data, which includes, as applicable, a “Business” as defined under Section 1798.140 of the CCPA, and any analogous variation of such term under U.S. Data Protection Laws.
ii. Controller means “Controller” or “Business” as those terms are defined by applicable Data Protection Legislation.
iii. Customer Personal Data means Personal Data that is included in documents or messages by Customer or its Users using the Services. Customer Personal Data does not include Personal Data that Ply collects to administer the Services.
iv. Confidential Information shall have the meaning ascribed to it in Ply's Terms of Service.
v. Data Protection Legislation means U.S. privacy and data protection laws and regulations applicable to Ply's Processing of Customer Personal Data in the provision of the Services to Customer, including, as applicable, the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., as amended by the California Privacy Rights Act (“CCPA”), and its implementing regulations, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act, and any other applicable U.S. state privacy laws; in each case, as may be amended, superseded, or replaced from time to time.
vi. Data Subject means an individual to whom Customer Personal Data relates.
vii. Order refers to a statement of work, invoice, or other ordering document in connection with the Services.
viii. Personal Data means any data or information that constitutes “personal data,” “personal information,” or any analogous term as defined by applicable Data Protection Legislation.
ix. Process, Processing, and Processed have the meaning as defined by applicable Data Protection Legislation or, if not defined by applicable Data Protection Legislation, mean collect, hold, use, disclose, process, store, transfer, access, correct, deal with or handle.
x. Processor means “Processor,” “Service Provider,” or “Contractor” as those terms are defined by applicable Data Protection Legislation.
xi. Sale, Sell, and Selling have the meaning defined in applicable Data Protection Legislation.
xii. Security Incident means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise Processed.
xiii. Services means the platform, websites, and services provided by Ply to Customer under the Agreement.
xiv. Subprocessor means any third party engaged by Ply to Process Customer Personal Data on behalf of Ply in connection with providing the Services.
xv. Supervisory Authority means any U.S. federal or state regulatory authority with jurisdiction over data protection or privacy matters.
xvi. Users will have the meaning ascribed to it in Ply's Terms of Service.
The terms “Business,” “Share,” and “Service Provider” as used in this DPA will have the meanings ascribed to them in the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations (“CCPA”), as applicable.
All capitalized terms not defined in this DPA will have the meaning given to them in the Agreement.
2. Processing of Data
2.1 Scope and Purpose of Processing
This DPA applies only where and to the extent Data Protection Legislation governs Ply's Processing of Customer Personal Data on behalf of Customer in the course of providing the Services pursuant to the Agreement, including Ply's Processing of Customer Personal Data for the nature, purposes, and duration set forth in Appendix 1. Ply will not collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third-party Customer Personal Data except to provide the Services or as expressly permitted by the Agreement or this DPA.
2.2 Processor and Controller Responsibilities
The parties acknowledge and agree that as between the parties: (a) Ply is the Processor of Customer Personal Data under the Data Protection Legislation; (b) Customer is the Controller of Customer Personal Data under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation regarding the Processing of Customer Personal Data.
2.3 Authorization by Third-Party Controller
If Customer is a Processor, Customer warrants to Ply that Customer's instructions and actions with respect to Customer Personal Data, including its appointment of Ply as another Processor, have been authorized by the relevant Controller.
2.4 Customer Instructions
Customer instructs Ply to Process Customer Personal Data: (a) for all activities described in the Agreement, this DPA (including Appendix 1), or any applicable Order, or otherwise required by Customer's use of the Services pursuant thereto; and (b) to comply with other reasonable instructions provided by Customer or a User where such instructions are consistent with the terms of the Agreement. The parties agree that the Agreement (including this DPA), together with Customer's use of the Services in accordance with the Agreement, constitute Customer's complete and final instructions to Ply in relation to the Processing of Customer Personal Data, and additional instructions outside the scope of these shall require prior written agreement between the parties. Customer will ensure that its instructions for the Processing of Customer Personal Data comply with the Data Protection Legislation. Customer has sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data. Customer will disclose Customer Personal Data to Ply solely pursuant to a valid business purpose. Customer will ensure that, if required under the Data Protection Legislation, Data Subjects are notified of and give their consent to Ply's Processing of Customer Personal Data.
2.5 Ply's Compliance with Customer Instructions
Ply will only Process Customer Personal Data in accordance with Customer's instructions and will treat Customer Personal Data as Confidential Information. Ply may Process Customer Personal Data other than on the written instructions of Customer if it is required under applicable law to which Ply is subject. In this situation, Ply will inform Customer of such requirement before Ply Processes the Customer Personal Data unless prohibited by applicable law. Ply will immediately inform Customer if, in Ply's opinion, Customer's instructions infringe Data Protection Legislation. Ply may suspend such Processing until Customer modifies the instruction to resolve the non-compliance.
2.6 Assistance with Customer's Obligations
Ply provides Customer the ability to access, correct, amend or delete Customer Personal Data contained in the Services. Taking into account the nature of processing and information available to Ply, Ply will promptly comply with reasonable requests by Customer to assist with such actions to the extent Ply is legally permitted and able to do so. Ply may charge a reasonable fee for any assistance not strictly required by Data Protection Legislation.
2.7 Notification Obligations
Ply will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of Customer Personal Data relating to such individual. Ply will forward such Data Subject requests relating to Customer Personal Data to Customer and Customer will be responsible for responding to any such request using the functionality of Services. Ply will provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use or receipt of the Services. Ply will not be liable in cases where Customer fails to respond to the Data Subject's request completely, correctly, or in a timely manner. Notwithstanding the foregoing, nothing in this Section 2.7 will restrict Ply from responding to a request from a Data Subject where it is required to do so under the Data Protection Legislation.
2.8 General Authorization for Subprocessors
Customer generally authorizes the use of subprocessors to process Customer Personal Data in connection with fulfilling Ply's obligations under the Agreement and/or this DPA and explicitly approves the list of subprocessors located at https://trust.getply.com/subprocessors.
2.9 New Subprocessors
When Ply engages a new subprocessor to Process Customer Personal Data, Ply will, at least ten (10) days before the new subprocessor Processes any Customer Personal Data, notify Customer by updating its list of subprocessors located at https://trust.getply.com/subprocessors and give Customer the opportunity to object to such subprocessor. Customer may sign up on the website to receive notifications of changes to the subprocessor list. If Customer has reasonable grounds to object to Ply's change in subprocessors related to data protection concerns, Customer shall notify Ply promptly within thirty (30) days after receipt of Ply's notice. Ply will use reasonable efforts to find an acceptable, reasonable, alternate solution; otherwise, Customer may suspend or terminate the Services.
2.10 Ply Obligations
Ply will remain liable for the acts and omissions of its subprocessors to the same extent Ply would be liable if performing the services of each subprocessor directly. Ply will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Ply under this DPA.
2.11 Audit Rights
Upon Customer's written request to hi@getply.com no more than once per year, Ply will provide a copy of its then most recent third-party audits or certifications, as applicable, or any summaries thereof, such that Customer may reasonably verify Ply's compliance with the technical and organizational measures required under this DPA. Where required by the applicable Data Protection Legislation, Ply will allow Customer, or a mutually agreed upon independent auditor appointed by Customer, to conduct an audit (including inspection), no more than once per year upon eight weeks' notice sent to hi@getply.com complete with a detailed audit plan describing the proposed scope, duration, and start date of the audit. Ply will contribute to such audits whose sole purpose will be to verify Ply's compliance with its obligations under this DPA. The auditor must execute a written confidentiality agreement acceptable to Ply before conducting the audit. The audit must be conducted during Ply's normal business hours, subject to Ply's policies, and may not unreasonably interfere with Ply's business activities. Any audits are at Customer's sole cost and expense. Customer will promptly notify Ply with information regarding any non-compliance discovered during the course of an audit.
2.12 Limits on Auditing Party
Nothing in this DPA will require Ply to disclose to an independent auditor or Customer, or to allow an independent auditor or Customer to access: (a) any data of any other user or customer of Ply; (b) Ply's internal accounting or financial information; (c) any trade secret of Ply; (d) any premises or equipment not controlled by Ply; or (e) any information that, in Ply's reasonable opinion, could: (i) compromise the security of Ply's systems or premises; (ii) cause Ply to breach its obligations under Data Protection Legislation or the rights of any third-party; or (iii) any information that an independent auditor seeks to access for any reason other than the good faith fulfillment of Customer's rights under the Data Protection Legislation. Customer will contractually impose, and designate Ply as a third-party beneficiary of, any contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Customer unless such disclosure is required by applicable law.
2.13 Third Party Data Sources
Customer acknowledges that Ply obtains certain Personal Data from third-party providers for the purpose of providing executive research and due diligence services. Ply warrants that: (a) such data is obtained from providers who represent that they have lawful rights to provide the data; (b) Ply will process such data only for Customer's legitimate business purposes; and (c) Ply will implement appropriate safeguards for data obtained from external sources. Customer is responsible for ensuring its use of such third-party sourced data complies with applicable Data Protection Legislation.
3. Privacy Laws
3.1 Applicability
As of the Effective Date of this DPA, Ply may not meet the statutory thresholds for coverage under the CCPA or certain other U.S. state privacy laws. However, to provide clarity and consistency in our data protection practices, the provisions in this Section 3 apply to the extent that Ply's processing of Customer Personal Data is subject to applicable Data Protection Legislation. Ply will promptly notify Customer if it determines that it meets the CCPA or other applicable thresholds. The parties acknowledge that these provisions will become effective automatically upon Ply meeting such thresholds, without requiring amendment to this DPA. If Ply does not currently meet such thresholds, Customer and Ply agree to process Customer Personal Data in compliance with applicable Data Protection Legislation.
3.2 Compliance Assurance
If the provision of information provided pursuant to Section 2.11 above does not fulfill the requirements of the applicable Data Protection Legislation, Customer has the right to take reasonable and appropriate steps to ensure that Ply uses Customer Personal Data consistent with Customer's obligations under applicable Data Protection Legislation.
3.3 Compliance Remediation
Ply shall promptly notify Customer after determining that it can no longer meet its obligations under applicable Data Protection Legislation. Upon receiving notice from Ply in accordance with this section, Customer may direct Ply to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
3.4 Limitations on Processing
Ply will Process Customer Personal Data solely as described in the Agreement, this DPA (including Appendix 1) and any applicable Order. Except as expressly permitted therein or by applicable Data Protection Legislation, Ply is prohibited from (a) Selling or Sharing Customer Personal Data, (b) retaining, using, or disclosing Customer Personal Data for any other purpose, (c) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the parties, and (d) combining Customer Personal Data with Personal Data obtained from, or on behalf of, sources other than Customer or its Users, except as expressly permitted under applicable Data Protection Legislation.
3.5 Deletion Requests
Ply shall not be required to delete any Customer Personal Data to comply with a Data Subject's request directed by Customer if retaining such information is specifically permitted by applicable Data Protection Legislation; provided, however, that in such case, Ply will promptly inform Customer of the exceptions relied upon under applicable Data Protection Legislation and Ply shall not use Customer Personal Data retained for any purpose other than provided for by that exception.
3.6 Deidentified Data
In the event that Customer discloses or makes available deidentified data (as such term is defined in the applicable Data Protection Legislation) to Ply, Ply shall not attempt to reidentify the information.
3.7 Sale of Data
The parties acknowledge and agree that the exchange of Personal Data between the parties does not form part of any monetary or other valuable consideration exchanged between the parties with respect to the Agreement or this DPA.
4. Security
4.1 Ply Personnel
Ply will inform its personnel engaged in the Processing of Customer Personal Data of the confidential nature of the Customer Personal Data, and subject them to obligations of confidentiality that survive the termination of that individual's engagement with Ply.
4.2 Third Party Disclosure
Ply will not disclose Customer Personal Data to any third party unless authorized by Customer or required by law. If a government entity (including a law enforcement agency) or Supervisory Authority demands access to Customer Personal Data, Ply will attempt to redirect the requestor to request the data directly from Customer or notify Customer prior to disclosure, in each case unless prohibited by law.
4.3 Security
Ply will implement commercially reasonable technical and organizational measures to safeguard Customer Personal Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
5. Security Breach
5.1 Notification Obligations
Upon becoming aware of any Security Incident affecting Customer Personal Data, the parties shall notify each other without undue delay and shall provide timely updates and information relating to the Security Incident as it becomes known or as is reasonably requested by the other party. Such information will include the nature of the Security Incident, the categories and number of Data Subjects affected, the categories and amount of Customer Personal Data affected, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to address the Security Incident and mitigate possible adverse effects. Ply's obligations in this Section 5 do not apply to incidents that are caused by Customer or Users or to unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
5.2 Manner of Notification
Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer's business, technical or administrative contacts by any means Ply selects, including via email. It is Customer's sole responsibility to maintain accurate contact information on Ply's systems at all times. Furthermore, it is Customer's sole responsibility to notify the relevant Supervisory Authority and, when applicable, the Data Subjects of a Security Incident as required under applicable Data Protection Legislation. Ply will promptly comply with reasonable requests by Customer to assist it with meeting such notification requirements to the extent Ply is legally permitted and able to do so. Notwithstanding the foregoing, nothing in this Section 5.2 will restrict Ply from notifying the relevant Supervisory Authority or Data Subjects of a Security Incident where it is required to do so under the Data Protection Legislation.
6. Miscellaneous
6.1 Term of DPA
This DPA will remain in effect until, and automatically expire upon, deletion of all Customer Personal Data as described in this DPA.
6.2 Deletion of Customer Personal Data
Ply will delete Customer Personal Data in its possession in accordance with the terms of the Agreement, subject to its automated deletion schedule and back-up policy. Ply has no obligation to retain any portion of Customer Personal Data after such period except to the extent that Ply is required under applicable law to keep a copy of the Customer Personal Data.
6.3 Amendment
This DPA may only be amended by mutual written agreement between the parties.
6.4 Claims
Any claim or remedy Customer may have against Ply, its subsidiaries, employees, agents, or subprocessors, arising under or in connection with this DPA, whether in contract, tort (including negligence) or under any other theory of liability, shall be subject to the limitations and exclusions of liability in the Agreement to the maximum extent permitted by law. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party under and in connection with the Agreement and this DPA together. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required by applicable Data Protection Legislation.
6.5 Severability
If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
6.6 Order of Precedence
In the event of any conflict or inconsistency between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA will take precedence to the extent of such conflict or inconsistency.