FundedTax
Start your 14-day trial

Data Processing Addendum

Last updated: 2026-05-31

This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the FundedTax Terms of Service. It applies where FundedTax processes personal data on behalf of a Customer (for example, a business or tax professional handling tax records for a trader client). Capitalized terms not defined here have the meaning given in the Terms. If there is a conflict between the Terms and this DPA regarding the processing of personal data, this DPA controls.

This Data Processing Addendum is available to business and tax-professional customers on request and is being finalized with counsel. The Article 28 clause headings and annexes below describe how FundedTax processes personal data on a Customer's behalf. To execute a DPA, contact privacy@fundedtax.com.

1. Roles and scope

For most individual users, FundedTax acts as controller of account and tax-record data (see the Privacy Policy). This DPA governs the separate case where, for the data described in Annex I, the Customer acts as controller (or as processor for its own client) and FundedTax acts as processor (or subprocessor). FundedTax processes Customer Personal Data only to provide and support the Service and on the Customer's documented instructions. The Customer is responsible for the lawful basis for its processing and for notices owed to data subjects.

2. Processor commitments (Article 28(3))

FundedTax will:

  • Process Customer Personal Data only on the Customer's documented instructions, including for transfers, unless required by law (with notice where lawful).
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational measures under GDPR Article 32 (see Annex II).
  • Engage subprocessors only under Article 28(2) and (4): general authorization with 30-day advance notice and a right to object (see the Subprocessors page).
  • Assist the Customer, by appropriate measures, to respond to data-subject rights requests.
  • Assist the Customer with security, breach notification, data-protection impact assessments, and prior consultation (Articles 32 to 36).
  • Delete or return Customer Personal Data at the Customer's choice at the end of the services, subject to legal retention (see Annex I retention).
  • Make available information necessary to demonstrate compliance and allow for and contribute to audits.

3. Subprocessors

The Customer provides general authorization for the subprocessors listed on the Subprocessors page. FundedTax will give at least 30 days' advance notice of any new or replacement subprocessor that processes Customer Personal Data (shorter where urgent security, availability, or legal reasons require) and the Customer may object on reasonable data-protection grounds.

4. International transfers

FundedTax serves US-based customers during early access. Before processing EU, UK, or Swiss personal data on a Customer's behalf, FundedTax will incorporate the applicable EU Standard Contractual Clauses module, the UK Addendum/IDTA, and the Swiss adaptation, and complete a transfer impact assessment. Operator access from Pakistan is disclosed as an international transfer.

5. Personal-data breach notification

FundedTax will notify the Customer without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, with the known facts, the affected data categories, mitigation steps, and a point of contact, and will provide further information as it becomes available.

Annex I: Description of processing

  • Subject matter and duration: processing of prop-firm payout records, transaction categorizations, and expense entries to provide the Service, for the term of the subscription plus the retention windows in the Privacy Policy.
  • Nature and purpose: parsing of imported CSV payout data, draft categorization of income and expenses, automated tax calculations from user-entered values, 1099-NEC reconciliation, and generation of Schedule C summary worksheets.
  • Categories of data subjects:the trader whose records are processed (or, for a business Customer, that Customer's trader clients).
  • Categories of personal data: contact email, filing status, US state of residence, prop-firm payout amounts and dates, user-entered expense vendors / notes / amounts, and manually entered prior-year tax values (prior-year total tax, prior-year AGI threshold status, year-to-date withholding). FundedTax is designed not to request and does not intentionally collect SSNs, ITINs, EINs, or other taxpayer identification numbers.
  • Special categories: none intended or requested.
  • Retention:tax records up to 7 years from the end of the corresponding tax year; account data for the subscription plus 90 days; deletion or return at the Customer's choice on termination, subject to backup cycles and legal holds (see the Privacy Policy).

Annex II: Technical and organizational measures

Summarized on the Security page: TLS 1.2+ in transit, encryption at rest, automated redaction of taxpayer-identifier patterns at the persistence boundary, need-to-know access controls, and a deliberately narrow data surface with no taxpayer-identifier fields.

Annex III: Subprocessor list

See the canonical Subprocessors page.

Contact

DPA questions and signature requests: privacy@fundedtax.com.

Product scopeInformational software, not tax advice. Founder is not a CPA/EA. You or your CPA file the return.