Our DPA is a standalone contract that sits alongside the Terms of Service. You don't need to negotiate to sign it — request a countersigned copy below and we'll return it within one business day.
DomusOS is the Processor for customer data; the customer (you) is the Controller. Our current sub-processor register is shared with signed customers on request and updated with 30 days' notice before any change.
Personal data processed under the DPA includes account holders, invited family members, and advisors. Aggregator-sourced financial data is included.
We commit to the technical and organizational measures described in Annex II — TLS 1.3 in transit, AES-256 at rest, per-tenant KMS, MFA enforced for staff, and the security program described in our trust center.
Standard Contractual Clauses (2021/914) are incorporated by reference for transfers of EEA/UK/Swiss personal data. UK and Swiss addenda included.
We notify affected customers within 72 hours of confirming a personal data breach. Includes incident scope, affected data, and remediation steps.
You may request, once per year, written responses to a standard security questionnaire (CAIQ / SIG-Lite) and — for Practice customers — a controlled on-site review with reasonable notice.
On termination, we export your data on request and delete all copies within 30 days (plus 35 days of backup decay).
For California customers, DomusOS qualifies as a Service Provider. We do not sell or share personal information. CCPA-specific provisions are appended.
See also: Privacy Policy · Terms of Service