Data Processing Agreement

Effective March 1, 2026 — Last updated March 16, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller") and TaxBlitz ("Processor"). It governs the processing of Personal Data in connection with TaxBlitz services.

1. Definitions

Controller
The customer ("you") who determines the purposes and means of processing personal data through TaxBlitz.
Processor
TaxBlitz (operated by FinACEverse), which processes personal data on behalf of the Controller.
Personal Data
Any data relating to an identified or identifiable natural person, including names, TINs (SSN/EIN), addresses, and financial payment amounts.
Sub-processor
A third party engaged by TaxBlitz to process Personal Data on behalf of the Controller.
Processing
Any operation performed on Personal Data: collection, storage, transmission, deletion, or any other use.

2. Scope of Processing

TaxBlitz processes Personal Data solely to provide the tax form generation, IRS filing, TIN matching, eDelivery, and print & mail services described in the Terms of Service.

Categories of data processed: payer names, payer TINs, recipient names, recipient TINs, payment amounts, addresses, form types, filing records, and delivery records.

Categories of data subjects: individual payees, independent contractors, employees, and business entities identified on tax forms.

Processing duration: for the duration of the service agreement plus the configured retention period (default: 7 years).

3. Controller Obligations

The Controller warrants that: (a) it has a lawful basis for processing the Personal Data; (b) it has provided appropriate privacy notices to data subjects; (c) all data submitted is accurate and complete; (d) it complies with applicable data protection laws.

The Controller is responsible for ensuring that recipients, payees, and other data subjects have been appropriately informed about the processing of their Personal Data through TaxBlitz.

4. Processor Obligations

TaxBlitz shall: (a) process Personal Data only on documented instructions from the Controller; (b) ensure persons authorized to process data are bound by confidentiality obligations; (c) implement appropriate technical and organizational security measures; (d) assist the Controller in responding to data subject requests; (e) delete or return all Personal Data upon termination, subject to legal retention requirements; (f) make available all information necessary to demonstrate compliance.

5. Security Measures

TaxBlitz implements the following technical and organizational measures to protect Personal Data:

  • AES-256-GCM encryption for all PII fields at rest
  • TLS 1.3 encryption for all data in transit
  • TOTP-based two-factor authentication (2FA) for all user accounts
  • Role-based access control (RBAC) with principle of least privilege
  • JWT token authentication with configurable expiration
  • Rate limiting and abuse prevention on all API endpoints
  • PII masking in application logs and user interfaces
  • Automated daily database backups with 30-day retention
  • Breach detection and notification system
  • Audit logging of all data access and modifications
  • Account lockout after failed authentication attempts
  • IP-based session validation

6. Sub-processors

TaxBlitz currently uses the following sub-processors:

Sub-processor          Purpose                                   Location
Fly.io                 Cloud infrastructure and hosting          United States
Neon / PostgreSQL      Database hosting                          United States
Azure AI Services      Document intelligence and AI extraction   United States
Lob                    Print & mail delivery service             United States
Cashfree               Payment processing                        India
USPS Web Tools         Address validation                        United States
Intuit (QuickBooks)    Accounting data integration               United States

TaxBlitz will notify the Controller at least 30 days before engaging new sub-processors. The Controller may object to new sub-processors within 14 days. If the objection cannot be reasonably resolved, the Controller may terminate the agreement.

7. International Data Transfers

Personal Data is primarily processed and stored in the United States. For any transfers to countries not deemed adequate by applicable data protection authorities, TaxBlitz relies on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms.

The Controller acknowledges that IRS filing inherently requires data processing within the United States.

8. Data Subject Rights

TaxBlitz will assist the Controller in responding to data subject requests under GDPR, CCPA, or other applicable law, including: right of access, right to rectification, right to erasure (subject to IRS retention requirements), right to restriction of processing, and right to data portability.

Data subject requests should be directed to privacy@taxblitz.io. TaxBlitz will respond within 30 days.

9. Breach Notification

TaxBlitz will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. Notification will include: (a) nature of the breach; (b) categories and approximate number of data subjects affected; (c) likely consequences; (d) measures taken or proposed to mitigate the breach.

10. Data Retention and Deletion

Personal Data is retained for the configured retention period (default: 7 years, configurable per organization). Upon expiration or upon Controller request, data is securely deleted within 30 days using cryptographic erasure: the keys under which the data was encrypted are destroyed, rendering any remaining ciphertext unrecoverable.

TaxBlitz may retain anonymized, aggregated data for analytics purposes after deletion of Personal Data.

IRS-filed forms and filing records may be subject to mandatory retention periods under US tax law.

Request a Signed DPA

Enterprise customers can request a countersigned copy of this DPA for their records.
