Legal

Data Processing Agreement

Version 1.0
Effective June 2, 2026
Governing law: State of Arizona
This Data Processing Agreement is entered into between AUM Pulse, Inc., an Arizona corporation ("AUM Pulse," "Processor") and the Customer that has executed an Order under the Terms of Service ("Customer," "Controller"). The Parties have entered into the Terms of Service, under which AUM Pulse provides the Service to Customer. In the course of providing the Service, AUM Pulse processes Personal Data on Customer's behalf. This DPA governs that processing and forms part of, and is incorporated into, the Terms of Service.

01 Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Terms of Service.

Applicable Data Protection Law
All laws and regulations applicable to the Parties' processing of Personal Data, including the EU GDPR and its UK and Swiss equivalents, the CCPA as amended by the CPRA, and any other applicable state, federal, or foreign data-protection laws.
Controller / Processor / Data Subject / Personal Data / Processing / Personal Data Breach
Have the meanings given under Applicable Data Protection Law. Where Applicable Data Protection Law uses different terminology (e.g., "Business" and "Service Provider" under the CCPA), the parallel terms apply.
Customer Personal Data
The Personal Data described in Schedule B that AUM Pulse processes on Customer's behalf in the course of providing the Service.
Subprocessor
Any third party engaged by AUM Pulse to process Customer Personal Data in the course of providing the Service.
SCCs
The Standard Contractual Clauses for the transfer of personal data to third countries approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and, where applicable, the corresponding UK and Swiss addenda.

02 Scope, Roles, and Subject Matter

2.1 Roles

For Customer Personal Data processed in the course of providing the Service, Customer is the Controller and AUM Pulse is the Processor. This DPA does not govern AUM Pulse's processing of advisor account data (account identification, firm-level configuration, integration credentials), with respect to which AUM Pulse acts as Controller as described in the Privacy Policy.

2.2 Subject matter, nature, purpose, and duration

  • Subject matter and nature. Provision of the Service as described in the Terms of Service, including meeting-bot creation via Recall.ai, synthesis of meeting transcripts via Anthropic's Claude API, generation of the synthesized pre-call brief and structured intelligence on the prospect record, computation of the Vital™ relationship-health metric, and maintenance of the advisor-correction audit trail.
  • Purpose. To enable Customer's Advisors to prepare for and conduct meetings with prospects, and to support Customer's recordkeeping obligations under SEC Rule 204-2(a)(11) and other applicable rules.
  • Duration. For the duration of the Term, plus any post-termination period during which AUM Pulse retains Customer Personal Data as provided in Section 12.
  • Categories of Personal Data and Data Subjects. As set forth in Schedule B.

03 Documented Instructions

AUM Pulse will process Customer Personal Data only on documented instructions from Customer, unless required to do otherwise by applicable law. Customer's documented instructions comprise:

  • the Terms of Service and any Order;
  • this DPA;
  • Customer's configuration and use of the Service through its Advisors' authenticated sessions; and
  • any additional written instructions Customer provides to AUM Pulse from time to time, consistent with this DPA.

AUM Pulse will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

04 Confidentiality

AUM Pulse will ensure that personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Section 6.3 of the Terms of Service (Confidentiality) is incorporated into this DPA by reference and applies to Customer Personal Data as Customer's Confidential Information regardless of marking.

05 Security of Processing

AUM Pulse will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the nature, scope, context, and purposes of processing. The current measures are set forth in Schedule C. AUM Pulse may update its technical and organizational measures from time to time, provided that no update will materially reduce the protection afforded to Customer Personal Data.

06 Subprocessors

6.1 General authorization

Customer authorizes AUM Pulse to engage the Subprocessors listed in Schedule A. Each Subprocessor receives only the Customer Personal Data necessary to perform its function, and is bound by a written agreement imposing data-protection obligations no less protective than those in this DPA. AUM Pulse remains fully liable to Customer for the performance of each Subprocessor's data-protection obligations.

6.2 New Subprocessors

AUM Pulse will provide Customer with at least thirty (30) days' advance written notice before adding any new Subprocessor that materially affects the processing of Customer Personal Data. The notice will identify the proposed Subprocessor, the function it will perform, and the categories of Customer Personal Data it will receive.

6.3 Objection to new Subprocessors

Customer may object in good faith to the engagement of a new Subprocessor on reasonable data-protection grounds by written notice within fifteen (15) days of AUM Pulse's notice. The Parties will discuss the objection in good faith. If the Parties cannot resolve the objection within thirty (30) days of Customer's objection, Customer may terminate the affected Order; AUM Pulse will refund any prepaid fees for the period after the effective date of termination.

07 International Transfers

AUM Pulse's primary infrastructure and the infrastructure of its Subprocessors are operated in the United States. Where a transfer of Customer Personal Data from the EEA, UK, or Switzerland to a third country occurs and Applicable Data Protection Law requires a transfer mechanism, the Parties will rely on the SCCs (Module Two: Controller-to-Processor), which are deemed incorporated into this DPA by reference.

AUM Pulse does not commit to a specific data-residency configuration in this DPA. Customers with EU, UK, or Swiss Data Subjects should raise the applicable transfer mechanism with AUM Pulse at onboarding.

08 Personal Data Breach Notification

AUM Pulse will notify Customer of any Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within seventy-two (72) hours of AUM Pulse becoming aware of the breach. The notification will include, to the extent then known:

  • the nature of the breach, including categories of Customer Personal Data and approximate number of Data Subjects and records affected;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its possible adverse effects; and
  • a point of contact at AUM Pulse from whom further information can be obtained.

Where it is not possible to provide all information at the same time, AUM Pulse may provide information in phases without undue further delay. AUM Pulse will cooperate with Customer and provide reasonable assistance to enable Customer to investigate and respond to the breach, including any required notifications to supervisory authorities or Data Subjects.

09 Data Subject Rights Assistance

9.1 Access requests

At Customer's documented instruction, AUM Pulse will produce a copy of the Customer Personal Data AUM Pulse holds about the requesting Data Subject in a structured, commonly used, and machine-readable format.

9.2 Deletion requests

At Customer's documented instruction, AUM Pulse will execute deletion of the requesting Data Subject's Personal Data through the remove_prospect Postgres function, which: (a) verifies the prospect record belongs to the calling Advisor's firm; (b) cancels any Google Calendar or Outlook Calendar follow-up events created by AUM Pulse for the prospect before completing the meeting-history deletion; and (c) cascades deletion through all related tables. Deletion takes effect immediately at the application layer. Customer Personal Data persists in encrypted physical backups for up to eight (8) days, after which it is unrecoverable. Customer acknowledges this backup window and accepts that AUM Pulse cannot purge Customer Personal Data from physical backups on demand.

9.3 Correction requests

At Customer's documented instruction, AUM Pulse will correct Customer Personal Data held in the prospect record. Where the correction concerns a synthesized claim, AUM Pulse records the correction through the advisor-correction audit-trail mechanism. The audit trail captures the action, the responsible Advisor, the timestamp, and the prior and corrected states of the claim, and is retained as adviser-prepared recordkeeping evidence consistent with SEC Rule 204-2(a)(11).

9.4 Other rights

AUM Pulse will provide reasonable assistance to Customer in responding to requests for portability, objection, restriction, and other rights under Applicable Data Protection Law.

9.5 Direct requests from Data Subjects

If AUM Pulse receives a Data Subject request directly, AUM Pulse will inform the requesting Data Subject that the request must be directed to Customer (the Controller), and notify Customer of the request. AUM Pulse will not respond to the Data Subject substantively without Customer's documented instruction, except as required by Applicable Data Protection Law.

10 Data Protection Impact Assessment and Prior Consultation

AUM Pulse will provide reasonable assistance to Customer with any data-protection impact assessment Customer is required to carry out under Applicable Data Protection Law, and with any prior consultation with a supervisory authority that may result. AUM Pulse may, in its discretion, recover its reasonable costs for assistance that exceeds the documentation AUM Pulse makes generally available to its customers.

11 Audit Rights

Customer's right to audit AUM Pulse's compliance with this DPA is satisfied by the following, no more than once per twelve (12)-month period:

  • AUM Pulse will make available to Customer, on request, the most recent attestation reports for AUM Pulse's Subprocessors, to the extent those reports are made available by the Subprocessor;
  • AUM Pulse will make available to Customer, on request, AUM Pulse's own attestation reports, if and when AUM Pulse obtains them; and
  • AUM Pulse will make available to Customer, on request, the technical and organizational measures documentation referenced in Schedule C, including the 2026-04-19 RLS audit artifact, and respond to reasonable security questionnaires within thirty (30) days.

On-site audits and direct inspection of AUM Pulse's infrastructure are not granted under this DPA. More frequent audits may be undertaken following a confirmed Personal Data Breach or where required by a competent supervisory authority.

12 Return and Deletion of Personal Data at Termination

On termination or expiration of the Terms of Service or the affected Order, AUM Pulse will, at Customer's choice expressed in writing within thirty (30) days of the termination effective date:

  • Return Customer Personal Data to Customer in a structured, commonly used, and machine-readable format; or
  • Delete Customer Personal Data through the application-layer deletion mechanism described in Section 9.2.

If Customer does not exercise its choice within the thirty (30)-day window, AUM Pulse will delete Customer Personal Data. The Section 9.2 backup-window acknowledgment applies. The advisor-correction audit trail is retained following deletion of the underlying Personal Data, consistent with SEC Rule 204-2(a)(11). AUM Pulse may retain Customer Personal Data to the extent required by applicable law, subject to the confidentiality and security obligations in this DPA.

13 Liability

The Parties' liability under or in connection with this DPA is subject to, and forms part of the aggregate liability cap established by, Section 10 of the Terms of Service. The liability cap, the exclusion of consequential damages, and the carve-outs in Section 10 of the Terms of Service apply on an aggregate basis across both the Terms of Service and this DPA, not separately to each.

The carve-outs in Section 10.3 of the Terms of Service apply equally to claims arising under this DPA. Nothing in this Section limits a Data Subject's rights under Applicable Data Protection Law or any rights or remedies that Applicable Data Protection Law makes unwaivable.

14 Term, Termination, and Survival

This DPA takes effect on the date the Terms of Service take effect and continues for the duration of the Terms of Service. On termination of the Terms of Service, this DPA terminates automatically, except that the provisions that by their nature should survive termination (including Sections 4, 8, 12, 13, and the obligations associated with retained audit-trail rows under Section 9.3) survive for as long as AUM Pulse retains any Customer Personal Data or related records.

15 General Provisions

  • Order of precedence. In the event of a conflict between this DPA and any other agreement between the Parties, this DPA controls with respect to the processing of Customer Personal Data. The Terms of Service control on all other matters.
  • Governing law and venue. The governing law and venue provisions of Section 11 of the Terms of Service apply to this DPA: Arizona governing law, Maricopa County courts as exclusive venue, thirty (30)-day pre-litigation informal-resolution requirement, and jury-trial waiver.
  • Notices. Notices under this DPA may be sent through the notice mechanism in Section 12 of the Terms of Service.
  • Amendment. This DPA may be amended only by a written instrument signed by both Parties, except that AUM Pulse may unilaterally update Schedule A consistent with Section 6 and update Schedule C consistent with Section 5.
  • Severability. If any provision of this DPA is held unenforceable, the remainder remains in effect, and the unenforceable provision is modified to the minimum extent necessary to make it enforceable while preserving the Parties' intent.

AUM Pulse, Inc.

4802 E. Ray Road Ste #31

Phoenix, AZ 85044

admin@aumpulse.com

Schedule A — Subprocessors

The following Subprocessors process Customer Personal Data on AUM Pulse's behalf. Each Subprocessor receives only the data necessary to perform its function. This Schedule is current as of the version date at the top of this DPA.

No Subprocessor uses Customer Personal Data to train AI models. AUM Pulse does not sell Customer Personal Data.

Each entry below lists the Subprocessor, the function it performs and the data it receives, and its compliance posture.

  • Recall.ai. Meeting-bot platform. Receives meeting audio (≤24 hours via timed retention; typically deleted within minutes of synthesis) and Recall-generated transcripts (deleted from AUM Pulse infrastructure post-synthesis; never retained on AUM Pulse infrastructure). Compliance: SOC 2 Type 2, ISO 27001, GDPR, CCPA.
  • Supabase. Managed Postgres database, edge-function runtime, and authentication. Receives all Customer Personal Data covered in Schedule B. Compliance: SOC 2 Type 2, ISO 27001, HIPAA-capable.
  • Anthropic. Synthesis API (Claude). Receives transcript prose in transit only; 7-day commercial API log retention; not used for model training. Compliance: Commercial Terms.
  • Vercel. Frontend hosting. Receives HTTP traffic to the AUM Pulse application; no direct database access. Compliance: SOC 2 Type 2, ISO 27001, GDPR/CCPA.
  • Sentry. Error monitoring. Receives HTTP method, URL pathname, exception stack trace, and user identifier only; no request payload, no headers, no IP, no prospect content. Compliance: SOC 2 Type 2.
  • Calendly. Booking webhook source. Receives booking details the prospect submits to the Advisor's Calendly booking form. Compliance: Calendly trust center.
  • OnceHub. Alternative booking webhook source. Receives booking details the prospect submits to the Advisor's OnceHub booking form. Compliance: OnceHub trust center.
  • Google LLC (Google Calendar). Advisor-opt-in calendar integration: reads Advisor calendar busy-time metadata and creates, updates, and deletes post-call follow-up events on the Advisor's Google Calendar. Compliance: SOC 2 Type 2, ISO 27001, GDPR/CCPA.
    Inbound to AUM Pulse: OAuth-scoped access to metadata of the Advisor's own calendar events from the next 14 days (start and end times, busy/free flag, attendee count without identities, and a hashed title fingerprint; not raw event titles, descriptions, attendee identities, or meeting content). Identity claims (email, name, verified-email flag) during the OAuth handshake.
    Outbound from AUM Pulse (post-call follow-up events): Title formatted as <MeetingType> with <FirstName>; start and end times in the Advisor's IANA timezone; prospect added as attendee using prospect email; event description containing prospect first name, a deep-link URL to the AUM Pulse prospect record (opaque pseudonymous UUID), and Advisor's Zoom URL if set; visibility set to private; reminders use the Advisor's own Google Calendar default-reminder settings. The prospect's last name, phone, investable assets, fee figures, goals, concerns, Advisor notes, and synthesized intelligence are not included in the event payload.
  • Microsoft Corporation (Outlook Calendar). Advisor-opt-in calendar integration: OAuth credential surface, calendar read sync (30-minute cron), and post-call follow-up event write path via Microsoft Graph. Compliance: SOC 2, ISO 27001, GDPR/CCPA.
    Inbound (OAuth handshake): Identity claims (id, displayName, mail or userPrincipalName) from Microsoft Graph's /me endpoint; Advisor's tenant ID for operational identification.
    Inbound (Phase 2 read sync, 30-minute cron): Narrow projection of the Advisor's primary Outlook calendar from the next 14 days: event start and end times (UTC), boolean busy/free signal, attendee count without identities, and a SHA-256 hash of the event title. Raw event titles, bodies, and attendee identities are not stored.
    Outbound (Phase 3 write path): Subject formatted as <MeetingType> with <FirstName>; start and end times with IANA timezone passthrough; prospect added as attendee using prospect email; event body containing prospect first name, a deep-link URL to the AUM Pulse prospect record (opaque UUID), and Advisor's Zoom URL if set; sensitivity set to private; no reminder overrides, so the Advisor's own Outlook account-level defaults apply. Cancellation uses Microsoft Graph's POST /me/events/{id}/cancel so that cancellation propagates to attendees. The prospect's last name, phone, investable assets, fee figures, goals, concerns, Advisor notes, and synthesized intelligence are not included in the event payload.
  • Cloudflare. DNS-only proxy. Receives DNS query patterns only. Configured in DNS-only mode; does not terminate TLS and has no payload visibility. Compliance: Cloudflare trust center.

Schedule B — Categories of Personal Data and Data Subjects

B.1 Data Subjects

The Data Subjects are the prospects, leads, and clients of Customer (the prospective and existing investment-advisory clients of Customer's Advisors) whose information is entered into or generated by the Service.

B.2 Categories of Personal Data

  • Contact information. First name, last name, email address, and optionally phone number.
  • Advisor-supplied financial estimates. An estimate of the prospect's investable assets typed by the Advisor. AUM Pulse does not query any custodian, brokerage, or banking system.
  • Advisor-authored notes. Free-text notes equivalent in scope to a standard CRM notes field.
  • Booking context. Booking platform, platform event identifier, UTM tracking parameters from trackable booking links, and advisor-recorded referral relationships.
  • Meeting metadata. Meeting date, time, type, duration, scheduling platform, and lifecycle timestamps.
  • Synthesized intelligence from meetings. The pre-call brief, the "don't do" note, the psychological-state routing signal, the structured claim arrays (goals, concerns, financial picture — each with a verbatim excerpt capped at 280 characters), and a per-meeting talk-ratio aggregate.
  • Vital™ metric. A relationship-health score derived from non-conversational signals (meeting recency, stage progression, meeting outcomes, engagement patterns). Computed without reading any meeting transcript or synthesized text content.
  • Audit trail. Advisor corrections to synthesized claims, retained as adviser-prepared recordkeeping evidence consistent with SEC Rule 204-2(a)(11).

B.3 Categories of Personal Data not collected

  • Government-issued identifiers (Social Security numbers, tax identification numbers, dates of birth).
  • Custodial financial data (account numbers, routing numbers, holdings, positions, balances, transaction history, capital gains, time-series financial data).
  • Actual transferred assets at close.
  • Meeting audio — recorded by Recall.ai on Recall.ai's infrastructure; never retained on AUM Pulse infrastructure.
  • Raw meeting transcripts — exist only in edge-function memory during synthesis; never written to any database or external destination.
  • Uploaded files — AUM Pulse provides no file-upload interface.
  • Protected Health Information — AUM Pulse is not configured as a HIPAA-covered service.
  • Home addresses or precise geolocation.

B.4 Special Categories of Personal Data

AUM Pulse does not solicit or design the Service to process special categories of Personal Data under Article 9 of the GDPR. Customer is responsible for ensuring that special categories of Personal Data are not entered into the Service except where Customer has a lawful basis under Applicable Data Protection Law.

Schedule C — Technical and Organizational Measures

These measures are current as of the version date at the top of this DPA. AUM Pulse may update these measures consistent with Section 5.

C.1 Access controls — row-level security
Every public-schema table in AUM Pulse's Postgres database is protected by row-level security (RLS) policies that scope reads and writes to the user's firm at the database layer. The RLS posture was independently audited table-by-table on April 19, 2026. All four CRITICAL findings were closed before any external Advisor accessed the system. The audit artifact is available to Customer on request.
C.2 Authentication
Advisor authentication is managed by Supabase Auth. Service-role access is restricted to edge functions running in Supabase's managed environment; service-role credentials are stored as Supabase Edge Function Secrets and are not exposed to the frontend or to Advisor sessions.
C.3 Encryption at rest
All data stored in AUM Pulse's Postgres database is encrypted at rest using AES-256 by the underlying Supabase infrastructure. The scope covers all database files, indexes, write-ahead logs, and backups. Encryption is always enabled and cannot be reconfigured by the customer.
C.4 Encryption in transit
All HTTP traffic to and from AUM Pulse is encrypted using TLS 1.2 or higher. The frontend is served over a Vercel-provisioned SSL certificate. All outbound API calls from edge functions use HTTPS. Webhook handlers additionally verify HMAC or static-secret signatures before any payload parsing.
C.5 Multi-layer prohibition on sensitive financial data
The prohibition on echoing custodial financial data is multi-layered: no dedicated schema columns hold such values; the synthesis prompt bars the language model from echoing such values even if heard in the transcript; and no file-upload primitive is invoked anywhere in the codebase.
C.6 Transcript handling
Transcript content is never persisted on AUM Pulse infrastructure; never logged to console, breadcrumbs, audit tables, or response bodies; exists only in edge-function memory during synthesis; and is discarded when the function returns. On synthesis success, the Recall recording is deleted via API call as defense in depth on top of Recall.ai's 24-hour timed-retention floor.
C.7 Observability PII discipline
All AUM Pulse edge function errors flow through a shared Sentry wrapper that attaches only HTTP method and URL pathname to Sentry events — never request bodies, headers, query strings, or client IP addresses. A beforeSend hook strips any Authorization header. On the frontend, AUM Pulse attaches only the user identifier (no name, no email) to Sentry events. Sentry Session Replay is intentionally disabled.
C.8 Backup and disaster recovery
AUM Pulse is on the Supabase Pro plan, which provides eight (8) days of daily physical backups managed by Supabase, encrypted at rest.
C.9 Personnel
Personnel authorized to process Customer Personal Data are bound by written confidentiality obligations consistent with Section 4 of this DPA and the underlying Terms of Service Section 6.3. Production access is limited to personnel with a documented operational need.
C.10 Incident response
AUM Pulse maintains an incident-response process covering detection (Sentry alerts and Supabase platform alerts), triage, containment, notification to affected Customers within seventy-two (72) hours of confirmed Personal Data Breach, and post-incident review.