1. Definitions

In this Data Processing Agreement ("DPA"), the following terms shall have the meanings set out below:

  • "Controller" means the natural person (the user) who determines the purposes and means of the processing of Personal Data by using the Service.
  • "Processor" means Plenifi, Inc., which processes Personal Data on behalf of the Controller in the course of providing the Service.
  • "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, financial account data, transaction records, and investment holdings.
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by Plenifi to process Personal Data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
  • "Service" means the Plenifi personal finance application and related services as described in the Terms of Service.
  • "Data Protection Legislation" means all applicable laws relating to the processing of Personal Data, including the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial privacy legislation, and where applicable, the General Data Protection Regulation (GDPR).

2. Scope and Purpose of Processing

2.1 Subject Matter

This DPA applies to the processing of Personal Data by Plenifi in connection with the provision of its personal finance aggregation service.

2.2 Nature of Processing

Plenifi processes Personal Data for the following purposes:

  • Aggregation of banking, credit, and investment account data from financial institutions via Plaid and SnapTrade
  • Calculation and display of net worth, cash flow, budgets, and investment performance
  • Household-level data aggregation where users have invited other members
  • Detection and categorization of transactions, including recurring transaction identification
  • Storage and retrieval of historical financial data for trend analysis

2.3 Categories of Data Subjects

Data subjects include registered users of the Service and members of their households.

2.4 Types of Personal Data

The Personal Data processed includes:

  • Identity data: name, email address
  • Account data: hashed passwords, session tokens, authentication preferences
  • Financial account data: institution names, account names, account types, account mask numbers, balances
  • Transaction data: dates, amounts, merchant names, categories
  • Investment data: holdings, positions, quantities, market values, investment transactions
  • Usage data: page views, feature interaction events, browser/device information

3. Roles and Responsibilities

3.1 Controller Obligations

The Controller (user) is responsible for:

  • Ensuring a lawful basis exists for the processing of their Personal Data
  • Providing accurate information during account registration
  • Managing household membership and determining which accounts are shared
  • Notifying household members about the processing of shared financial data

3.2 Processor Obligations

Plenifi, as Processor, shall:

  • Process Personal Data only in accordance with the Controller's documented instructions (i.e., the user's account configuration and this DPA)
  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational security measures as described in Section 4
  • Engage Sub-processors only in accordance with Section 5
  • Assist the Controller in responding to Data Subject requests as described in Section 6
  • Delete or return all Personal Data upon termination, as described in Section 8
  • Make available all information necessary to demonstrate compliance with this DPA

4. Security Measures

Plenifi implements the following technical and organizational measures to protect Personal Data:

4.1 Encryption

  • All data at rest is encrypted using AES-256 encryption
  • All data in transit is encrypted using TLS 1.3
  • Session tokens are encrypted using JWE (JSON Web Encryption)
  • Passwords are hashed using industry-standard one-way algorithms and are never stored in plaintext

4.2 Access Controls

  • Production database access is restricted to authorized personnel via role-based access controls
  • All application queries are scoped to the authenticated user's household
  • Two-factor authentication is available for user accounts
  • Financial institution credentials are never transmitted to or stored by Plenifi — they are handled directly by Plaid and SnapTrade

4.3 Infrastructure

  • Application data is stored in PostgreSQL on Railway with encrypted storage volumes
  • Background job processing uses Redis with access restricted to internal services
  • Application logs do not contain financial data (balances, transactions, holdings)
  • Infrastructure monitoring and alerting are in place for unauthorized access attempts

4.4 Operational Security

  • Regular review of access permissions and security configurations
  • Dependency vulnerability monitoring and patching
  • Secure development practices including code review for all changes

5. Sub-processors

5.1 Authorized Sub-processors

The Controller authorizes Plenifi to engage the following Sub-processors:

  • Plaid, Inc.
      Purpose: Banking and credit data aggregation
      Location: United States
      Data processed: Connection tokens; returns account balances, transactions, and institution data
  • SnapTrade, Inc.
      Purpose: Brokerage and investment data aggregation
      Location: Canada
      Data processed: Connection tokens; returns holdings, positions, and investment transactions
  • Railway Corp.
      Purpose: Application and database hosting
      Location: United States
      Data processed: All application data (encrypted at rest)
  • PostHog, Inc.
      Purpose: Product analytics
      Location: United States
      Data processed: Anonymized usage events; no financial data

5.2 Sub-processor Changes

Plenifi will notify the Controller of any intended addition or replacement of Sub-processors by updating this DPA and providing email notification at least 30 days in advance. The Controller may object to a new Sub-processor by contacting privacy@plenifi.com within 14 days of notification. If the objection cannot be resolved, the Controller may terminate the Service.

5.3 Sub-processor Obligations

Plenifi ensures that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. Plenifi remains fully liable for the acts and omissions of its Sub-processors.

6. Data Subject Rights

Plenifi will assist the Controller in fulfilling Data Subject requests, including:

  • Right of access: Data Subjects may request a copy of their Personal Data through account settings or by contacting privacy@plenifi.com
  • Right to rectification: Data Subjects may correct inaccurate personal information through account settings
  • Right to erasure: Data Subjects may request deletion of their account and all associated data. Deletion is processed within 30 days from active systems and 90 days from encrypted backups
  • Right to data portability: Data Subjects may export their data in a machine-readable format through account settings
  • Right to restriction: Data Subjects may disconnect individual financial institutions to stop further data processing from those sources
  • Right to withdraw consent: Data Subjects may disable analytics data collection at any time through account settings

Plenifi will respond to verified Data Subject requests within 30 days.

7. Data Breach Notification

7.1 Notification to Controller

In the event of a Personal Data breach, Plenifi shall notify affected Controllers without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects affected
  • The categories of Personal Data involved
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects

7.2 Cooperation

Plenifi shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any data breach. Plenifi will maintain records of data breaches, including the facts, effects, and remedial actions taken.

8. International Data Transfers

Personal Data may be transferred to and processed in countries outside the Controller's jurisdiction, specifically Canada and the United States (where Sub-processors are located). Plenifi ensures that such transfers are conducted in compliance with applicable Data Protection Legislation by:

  • Ensuring Sub-processors maintain adequate security measures
  • Binding Sub-processors to data protection obligations consistent with this DPA
  • Processing data in accordance with PIPEDA and, where applicable, Standard Contractual Clauses approved under applicable regulations

9. Term and Termination

9.1 Duration

This DPA remains in effect for as long as the Controller maintains an active Plenifi account.

9.2 Effect of Termination

Upon termination of the Service:

  • Plenifi shall cease all processing of the Controller's Personal Data
  • The Controller may export their data prior to account deletion
  • Plenifi shall delete the Controller's Personal Data from active systems within 30 days
  • Plenifi shall delete the Controller's Personal Data from encrypted backups within 90 days
  • Plenifi shall provide written confirmation of deletion upon request

9.3 Survival

Obligations relating to confidentiality, data breach notification, and cooperation with regulatory authorities shall survive termination of this DPA.

10. Liability

Plenifi's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.

11. Governing Law

This DPA is governed by the laws of the Province of Newfoundland and Labrador, Canada, and the federal laws of Canada applicable therein. Any dispute arising from this DPA shall be subject to the exclusive jurisdiction of the courts located in St. John's, Newfoundland and Labrador, Canada.

12. Contact

For questions regarding this DPA or to exercise any rights described herein, contact: