Data Processing Agreement

Last updated: May 8, 2026

This Data Processing Agreement (“DPA”) forms part of, and is governed by, the Terms of Use between Fiscle LLC (“Fiscle”) and the customer organization that has accepted those Terms (“Customer”). It applies to Fiscle's processing of Customer Personal Data in connection with the Service.

1. Definitions.

Capitalized terms used but not defined in this DPA have the meanings given in the Terms of Use.

  • “Controller” means the entity that determines the purposes and means of Processing Personal Data.
  • “Processor” means the entity that Processes Personal Data on behalf of the Controller.
  • “Personal Data” means information relating to an identified or identifiable natural person, processed by Fiscle on Customer's behalf in connection with the Service (“Customer Personal Data”).
  • “Processing” (and “Process”) means any operation performed on Personal Data, whether or not by automated means.
  • “Subprocessor” means a third party engaged by Fiscle to Process Customer Personal Data in connection with the Service.
  • “Sub-processing” means Processing carried out by a Subprocessor.
  • “Security Incident” means a confirmed breach of Fiscle's security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Personal Data.

2. Roles of the parties.

Customer is the Controller of Customer Personal Data. Fiscle is the Processor and Processes Customer Personal Data only on Customer's behalf and on Customer's documented instructions.

3. Scope of processing.

Fiscle Processes Customer Personal Data only as necessary to provide the Service and as further instructed by Customer through the Service's configuration.

  • Subject matter: provision of the Fiscle workflow automation Service.
  • Nature and purpose: ingestion, organization, computation, and storage of Customer-supplied financial and program data to produce Customer's configured deliverables.
  • Categories of data subjects: Customer's personnel and authorized users; and Customer's program participants and beneficiaries to the extent Customer chooses to upload data about them.
  • Types of Personal Data: names, contact information, role and account metadata; and program enrollment data and financial information that Customer chooses to upload (excluding Protected Health Information, which Customer is prohibited from uploading under the Terms of Use).
  • Duration: the term of Customer's subscription to the Service, plus a return-or-deletion window of up to 30 days following termination.

4. Customer instructions.

Fiscle Processes Customer Personal Data only on Customer's documented instructions, which are set by (a) the Terms of Use and this DPA, (b) Customer's configuration of the Service, and (c) any additional written instructions Customer provides to Fiscle. Fiscle will inform Customer if, in its opinion, an instruction infringes applicable data protection law, and may decline to act on such an instruction.

5. Confidentiality.

Fiscle ensures that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations and have received appropriate training on the protection of Personal Data and the operation of the Service.

6. Security measures.

Fiscle implements and maintains technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These include, at a minimum:

  • Encryption in transit using TLS 1.3.
  • Encryption at rest using AES-256.
  • Logical isolation of each Customer's data at the database layer, designed to prevent cross-organization access.
  • Role-based access controls within the Service, enforced at the database layer.
  • Multi-factor authentication required on all internal Fiscle administrative systems (hosting, database, source control, email, banking).
  • Audit logging of workflow runs, verifications, and administrative actions, with user attribution and timestamps.
  • Incident response plan with defined detection, containment, eradication, recovery, and notification procedures (see Section 10).

Additional detail on Fiscle's security posture is published at fiscle.ai/security.

7. Subprocessors.

Customer authorizes Fiscle to engage Subprocessors to Process Customer Personal Data in connection with the Service. Fiscle's current list of Subprocessors, including their function and location, is published at fiscle.ai/subprocessors. Fiscle remains responsible for each Subprocessor's performance of its obligations under this DPA and imposes data protection obligations on each Subprocessor that are no less protective than those in this DPA.

Fiscle provides at least 30 days' advance email notice to account administrators before engaging a new Subprocessor. If Customer reasonably objects to a new Subprocessor on data-protection grounds, Customer may terminate the Service within the notice window and receive a pro-rata refund of pre-paid fees for the unused subscription period, as further described in the Terms of Use.

8. AI processing.

Fiscle uses third-party AI providers (currently Anthropic, listed at fiscle.ai/subprocessors) to process Customer Personal Data during workflow execution and Assistant interactions. Such AI providers process Customer Personal Data solely to generate the requested outputs and do not use Customer Personal Data to train foundation models or shared learning systems, per their commercial terms incorporated by reference. AI-generated outputs are produced only within the scope of Customer-authorized workflows. The current list of AI providers and their data-handling commitments is published at fiscle.ai/subprocessors.

9. Data subject requests.

Taking into account the nature of the Processing, Fiscle assists Customer by providing reasonable technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to data subject rights requests (including requests to access, correct, delete, restrict, or port Personal Data). Reasonable assistance is provided at no additional charge. If a data subject contacts Fiscle directly with a request relating to Customer Personal Data, Fiscle will promptly forward the request to Customer and will not respond to the data subject directly except as required by law.

10. Security incidents.

Fiscle notifies Customer of any confirmed Security Incident affecting Customer Personal Data without undue delay, and in any event no later than 72 hours after becoming aware of the Security Incident. The notification will include, to the extent then known: the nature of the Incident, the categories and approximate volume of Personal Data affected, the likely consequences, and the measures Fiscle has taken or proposes to take to address the Incident and mitigate its effects. Fiscle will provide Customer with timely updates as additional information becomes available, and will reasonably cooperate with Customer's investigation and notification obligations.

11. Audit rights.

On at least 30 days' advance written notice, and not more than once in any 12-month period (except following a Security Incident or as required by a regulator), Customer may audit Fiscle's compliance with this DPA. Audits are conducted at Customer's expense, during regular business hours, in a manner that does not interfere with Fiscle's normal business operations, and subject to reasonable confidentiality protections. Fiscle may satisfy audit requests by providing existing third-party reports, attestations, independent security assessments where available, or written responses to a reasonable security questionnaire, where these address the scope of the proposed audit.

12. Return or deletion of data.

On termination or expiration of Customer's subscription, Fiscle will, at Customer's election, return or delete all Customer Personal Data in Fiscle's possession or control within 30 days, except where applicable law requires continued retention. Customer may export its data through the Service at any time prior to deletion.

13. International transfers.

Fiscle Processes and stores Customer Personal Data exclusively within the United States. Fiscle does not transfer Customer Personal Data outside the United States.

14. Liability.

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Use, including the aggregate cap on liability stated therein.

15. Conflict.

In the event of any conflict or inconsistency between this DPA and the Terms of Use, this DPA controls with respect to matters relating to the Processing of Customer Personal Data. In all other matters, the Terms of Use control.

16. Effective date.

This DPA takes effect on Customer's acceptance of the Terms of Use and remains in effect for as long as Fiscle Processes Customer Personal Data.

Questions? Reach out.

If you have questions about this DPA, email us at privacy@fiscle.ai.

Fiscle LLC, a California limited liability company.

Version 2026-05-08, effective 2026-05-08.