DPA for firm and business customers.

The Processor processes Personal Data to provide the Taxottic service to the Controller and its end users (clients, employees) as described in the Terms. The DPA remains in effect for the term of the Customer's subscription plus the deletion period in Section 8.

Hosting, storing, retrieving, transmitting, and computing tax forecasts on Personal Data the Customer or its end users submit, including: name, email, tax profile, business profile, income / expense entries, bank transaction metadata, and conversations with Bella.

• The Customer's authorised users (employees, partners).
• The Customer's end clients (when the Customer is a tax-prep firm).

The Customer is the Controller. Techno Optics LLC is the Processor. Where required by law, both parties shall comply with their respective obligations under GDPR (EU 2016/679), UK GDPR, and CCPA / CPRA.

• Process Personal Data only on documented Controller instructions (the Terms + this DPA + in-product configuration).
• Ensure persons authorised to process the data are bound by confidentiality.
• Implement the security measures listed in our Security overview.
• Notify the Controller without undue delay (and within 72 hours) of becoming aware of a Personal Data breach.
• Assist the Controller in responding to data-subject requests and in conducting Data Protection Impact Assessments.
• Make available the information needed to demonstrate compliance.
• Delete or return Personal Data after the end of the service per Section 8.

The Controller authorises the use of the subprocessors listed at /legal/subprocessors. The Processor will give 30 days' notice (in-app banner + that page) before adding or replacing a subprocessor; the Controller may terminate the subscription if it reasonably objects.

Personal Data is hosted in the United States. For transfers from the EEA, UK, or Switzerland, the parties rely on the Standard Contractual Clauses (Module 2: controller to processor) issued by the European Commission, incorporated by reference. The UK Addendum applies to UK transfers; the Swiss FDPIC's amendments apply to Swiss transfers.

On termination, the Processor will delete all Personal Data within 30 days from production systems and within 90 days from encrypted backups, unless retention is required by law. The Controller may export its data via the official year-end export at any time before termination.

The Processor will provide its most recent SOC 2 report (under NDA) on request, no more than once per year except when required by law or following a security incident. On- site audits may be arranged with reasonable notice and at the Controller's expense, scoped to the Personal Data processed under this DPA.

To execute a counter-signed DPA on letterhead, write to privacy@taxottic.com. By using Taxottic with multi-user / firm features, you accept the terms above.