Data Processing Agreement

Last updated: February 28, 2026 · Effective immediately

This Data Processing Agreement ("DPA") outlines NeverBrokered's obligations when processing personal data on behalf of users in connection with the platform's services.

1. Definitions

Controller: The user who uploads, submits, or controls personal data on the platform.

Processor: NeverBrokered, Inc., which processes data on behalf of the Controller to provide platform services.

Sub-processors: Third-party service providers engaged by NeverBrokered to assist in data processing, including Supabase/AWS (database and storage infrastructure), Vercel (application hosting), and Stripe (payment processing).

2. Scope of Processing

NeverBrokered processes personal data solely to facilitate buyer-seller communications, secure document storage, transaction coordination, deal management, and verification workflows on the platform.

3. Data Categories

Data processed under this agreement may include:

  • Business financial records (P&Ls, tax returns, bank statements, lease agreements)
  • Personal contact information (name, email, phone number)
  • Deal correspondence and messages exchanged through the platform
  • Verification and identity documents submitted for badge or credential purposes

4. Processing Instructions

NeverBrokered processes personal data only under documented user instructions and as necessary to provide the requested platform functionality. We do not process data for any purpose outside the scope of services described in our Terms of Service.

5. Security Measures

NeverBrokered maintains the following security measures:

  • Encryption at rest (AES-256) and in transit (TLS) for all stored data
  • Row-level security (RLS) policies ensuring users can only access their own data
  • Role-based access controls for platform administrators
  • Audit logging for sensitive data access and administrative actions
  • Secure authentication via JWT tokens
  • Regular security reviews and access control audits

6. Sub-processors

The following Sub-processors are engaged for service delivery:

  • Supabase (AWS) — Database, authentication, and file storage
  • Vercel — Application hosting and deployment
  • Stripe — Payment and subscription processing
  • Anthropic — AI-powered informational features (copilot, analysis tools)

NeverBrokered will notify users of material changes to Sub-processors. Sub-processors are contractually bound to equivalent data protection obligations.

7. Data Retention

Financial documents and transaction-related files are automatically scheduled for deletion 90 days after a deal is closed or cancelled. Users may request earlier deletion at any time by contacting privacy@neverbrokered.com.

Account data is retained for the duration of the account and deleted within 30 days of an account deletion request, except where retention is required by law.

8. Data Subject Rights

Users may exercise the following rights by contacting us:

  • Access: Request a copy of personal data we hold
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of personal data
  • Portability: Request data in a structured, machine-readable format

Requests will be addressed within 30 days. Contact: privacy@neverbrokered.com

9. Breach Notification

In the event of a confirmed personal data breach, NeverBrokered will notify affected Controllers without undue delay and within 72 hours of confirmation. Notification will include the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.

10. Liability

Liability related to data processing activities under this DPA is subject to the same limitations, disclaimers, and allocation framework stated in the Terms of Service.

11. Termination

Upon account closure or service termination, all applicable personal data will be deleted within 30 days, except where retention is legally required. Users will receive confirmation of deletion upon request.