DATA PROCESSING AGREEMENT

Last Updated: November 16, 2025

This Data Processing Agreement (“DPA”) is entered into as of [DATE] between Oat Financial, Inc. (“Provider”) and the entity or any affiliate or subsidiary of the entity bound (“Customer”) by the OatFi Master Services Agreement, Master License Agreement, or any other agreement, order form, or other contractual arrangement between Provider and Customer (herein, the “Agreement”). Provider and Customer are together the “Parties”, and each a “Party”. This DPA shall govern all transfers and Processing of data between Provider and Customer. 

This DPA forms an integral part of, and is hereby incorporated by reference into, the Agreement – whether executed prior to, concurrently with, or after this DPA. 

In the course of Provider providing products and services to Customer, pursuant to the Agreement, Customer may disclose, and Provider may Process, data, including personal information, on behalf of Customer. The parties agree to comply with the provisions of this DPA with respect to the Processing of all Personal Data collected on behalf of or submitted by Customer in relation to the provision or receipt of products and/or services. The parties also agree to comply with all applicable Data Protection Laws (as defined herein).

DEFINITIONS

“Authorized Persons” means Provider employees, contractors, agents, and auditors who have a need-to-know or otherwise access Personal Data to enable Provider to perform its obligations under the Agreement and this DPA, and who are bound in writing by confidentiality and other obligations sufficient to protect Personal Data in accordance with the terms and conditions of this Agreement.

“Personal Data” means any personal data or personal information, as defined by Data Protection Laws, that Provider processes on behalf of Customer.

“Data Protection Laws” means any law, statute, subordinate legislation, regulation, order, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements of any Regulatory Authority which relates to the protection of individuals with regard to the Processing of data, whether in effect now or in the future. It shall include, but is not limited to, the California Consumer Privacy Act and California Privacy Rights Act (“CPRA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CDPA”); the Utah Consumer Privacy Act (“UCPA”); the European Union General Data Protection Regulation (EU) 2016/679 (“GDPR”); and the other data protection laws and regulations of the European Union, the European Economic Area and their member states, and the United Kingdom.

“Data Subject Request” means a request made by a Data Subject, consumer, or other individual conferred rights under Data Protection Laws.

“Affiliate”, “Business Purpose”, “Consent”, “Contractor”, “Consumer”, “Personal Information”, “Controller”, “Processor”, “Processing”, “Data Subject”, “Sensitive Data”, “Special Categories of Data”, and “Sub-processor”, if appearing in this DPA, shall have the same meaning as in the Data Protection Laws.

“Regulatory Authority” means any local, state, national, or multinational agency, department, official, parliament, public or statutory person, government or professional body, regulatory authority or supervisory authority, or board or other body responsible for administering Data Protection Laws.

“Security Incident” means any data breach as defined by applicable Data Protection Laws, or any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data on systems managed or otherwise controlled by Provider.

1. ROLES OF THE PARTIES

1.1 Provider will Process Personal Data under this DPA as a Processor in accordance with Attachment A.

1.2 Provider acknowledges that it is a “Service Provider,” as defined in the CPRA or other applicable Data Protection Laws. Provider will not collect, use, retain, disclose, sell, or otherwise make Personal Data available for any purpose other than for the specific purposes set forth in the Agreement. 

2. RESPONSIBILITY AND TERM

2.1 Provider will Process Personal Data only as set forth by Customer for the term set forth in the Agreement. 

2.2 Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third parties unless the Customer, the Agreement, or this DPA specifically authorizes the disclosure, or as required by domestic law, court, or Regulatory Authority. 

2.3 Provider will reasonably assist Customer with meeting compliance obligations under Data Protection Laws, Data Subject rights compliance, security, DPIAs, and prior consultations. 

2.4 Provider will promptly notify Customer of any changes to Data Protection Laws that may reasonably be interpreted as adversely affecting Provider’s performance of the Agreement or this DPA.

2.5 Provider must promptly comply with any written instructions from Customer requiring Provider to amend, transfer, delete, or otherwise Process the Personal Data, or to stop, mitigate, or remedy any unauthorized Processing. 

3. REPRESENTATIONS AND WARRANTIES

3.1 Customer represents and warrants that:

(a) Customer has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Personal Data and any processing instructions it issues to Provider;

(b) Customer has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Provider to process Personal Data for the purposes described in the Agreement;

(c) Customer has the sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data;

(d) Customer has ensured that Provider’s processing of the Personal Data in accordance with Customer’s instructions will not cause Provider to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws;

(e) Customer will only give Provider the minimum amount of Personal Data necessary to achieve the purposes of the Agreement and this DPA;

(f) Customer will only give Provider Personal Data in compliance with this DPA; and

(g) Any Personal Data Customer provides to or processes via Provider-provided products or services does not and will not contain any Social Security numbers or other government-issued identification numbers; protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional, or other health-related data subject to protection under applicable laws and regulations; health insurance information; biometric information; passwords for online accounts; credentials to any financial accounts; tax return data; any payment card information subject to the Payment Card Industry Data Security Standard; personal data of children under 13 years of age; or any other information that falls within any special categories of data or is considered sensitive information (as defined in applicable Data Protection Laws).

4. AUTHORIZED PERSONS

4.1 Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all Authorized Persons with access to the Personal Data. Provider shall ensure that Authorized Persons shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

4.2 Provider will ensure that access to Personal Data by Authorized Persons is limited to those Authorized Persons who require such access to perform the purposes outlined under this DPA.

4.3 Provider or Authorized Persons shall not: 

(a) Access the Personal Data for any purpose other than as necessary to perform its obligations to Customer and Authorized Persons; or 

(b) Use any system access information or log-in credentials to gain unauthorized access to Personal Data or Provider’s systems, or to exceed the scope of any authorized access.

5. SECURITY 

5.1 Provider will at all times implement appropriate technical and organizational measures to protect Personal Data.

5.2 To the extent the Services are provided at Customer’s facilities and systems, Customer will at all times implement appropriate technical and organizational measures against unauthorized or unlawful Processing, access, copying, modification, reproduction, display, or distribution of Personal Data in accordance with Data Protection Laws. Customer must document those measures in writing and periodically review them at least annually to ensure they remain current and complete. 

6. SECURITY INCIDENTS

6.1 Upon becoming aware of a Security Incident, Provider shall: 

(a) Notify Customer without undue delay or as otherwise required by Data Protection Laws; and

(b) Promptly take reasonable steps to contain and investigate any Security Incident.

6.2 Provider’s notification of or response to a Security Incident under this Section shall not be construed as an acknowledgment by Provider of any fault or liability with respect to the Security Incident.

7. SUB-PROCESSORS

7.1 Customer agrees that Provider may engage Sub-processors to process Personal Data as necessary to provide the Services. A list of all of Provider’s Sub-processors is available at https://trust.oatfi.com/subprocessors (the “Sub-processor Site”). Provider will update the Sub-processor Site if and when Provider makes changes to its Sub-processors. If Customer objects to the engagement of any Sub-processor, Customer may terminate the Agreement and cancel the Services (as defined in the Agreement) by providing written notice to Provider and paying Provider all amounts due and owing under the Agreement as of the date of such termination. Customer should regularly check the Sub-processor Site to be aware of any changes to the list of Provider’s Sub-processors. Failure of Customer to object to a Sub-processor constitutes authorization to proceed.

7.2 Provider will enter into a written contract with each Sub-processor that provides no less protection than the protections in this DPA, to the extent applicable to providing Customer with products and services. 

8. INQUIRIES BY DATA SUBJECTS 

8.1 Provider will inform Customer of all Data Subject Requests involving Personal Data, and take reasonable measures to enable Customer to comply with the rights of Data Subjects under Data Protection Laws.

8.2 Provider will reasonably assist Customer, at no additional cost to Customer, with meeting compliance obligations under Data Protection Laws, taking into account the nature of Provider’s Processing and the information available to Provider, including in relation to Data Subject rights, data protection impact assessments, and reporting to and consulting with the relevant Regulatory Authority under Data Protection Laws. 

9. RECORDS AND AUDIT

9.1 Provider shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, no more than once annually, at no additional cost to Provider so that Customer may assess compliance with this DPA. 

9.2 Upon Provider’s written request, Customer shall make available to Provider (or its authorized third-party independent auditor) information demonstrating Customer’s compliance with the obligations set forth in this DPA in the form of certifications, reports and audit reports for the Services.

10. RETURN OR DESTROY DATA UPON TERMINATION

10.1 Upon termination or expiration of the Agreement, Provider shall (at Customer’s election) delete or return to Customer all Personal Data in its possession or control, except that this requirement shall not apply to the extent Provider is required by applicable law to retain some or all of the Personal Data, or as otherwise specified by the Agreement. 

11. DATA TRANSFERS

11.1 Provider acknowledges that the provision of the products and/or services under the Agreement may require the transfer or Processing of Personal Data in countries outside the United States from time to time.

11.2 In the event that such international transfer is authorized by both Parties, the Parties will agree on a legal data transfer mechanism consistent with Data Protection Laws.

11.3 Should a change in Data Protection Laws occur, or a decision of a competent authority be made which might affect the validity of an international transfer or the adequacy of an international transfer method, the Parties agree to promptly address any agreements necessary to restore the validity, adequacy, or compliance of such international transfers under Data Protection Laws. If any transfer mechanisms must be changed for compliance with Data Protection Laws, the Parties shall enter into a separate, written agreement detailing the new transfer methods.

12. COOPERATION WITH REGULATORY AUTHORITIES

12.1 Provider shall notify Customer within a reasonable time of all inquiries from a Regulatory Authority that Provider receives which relate to the Processing of Personal Data, the Agreement, or either Party’s obligations under this DPA, unless prohibited from doing so by Data Protection Laws or by a Regulatory Authority.

12.2 Provider shall provide Customer with such assistance and information as Customer may reasonably request in order for Customer to comply with any obligation to carry out a data protection impact assessment (DPIA) or consult with a Regulatory Authority pursuant to Articles 35 and 36 of GDPR, respectively.  

13. LIMITATION OF LIABILITY & INDEMNIFICATION

13.1 The limitations of liability and indemnification provisions are as set forth in the Agreement, except that the limitations shall not apply with respect to any violation of this DPA by Customer.

ATTACHMENT A

A. LIST OF PARTIES

Provider: Oat Financial, Inc. 

Address: 

Oat Financial, Inc.

Attn: Legal Department

25 Kent Ave, Suite 401

Brooklyn, NY 11249

Role: Processor

Customer: As set forth in the Agreement. 

Role: Controller

B. DESCRIPTION OF TRANSFER

Data Subjects: Customer Data Subjects. 

Subject Matter of Processing: Personal Data identified in the Agreement.

Duration of Processing: Duration of the Agreement.

Nature and Purpose of Processing: Provider will Process Personal Data for the purposes of providing services to Customer in accordance with the Agreement and this DPA.

Type of Data: Personal Data.

Special Categories of Data/Sensitive Data: Customer may not give Provider any special category, sensitive, or other similar data without written approval from Provider. 
