Data Processing Addendum.
Last updated: April 29, 2026
This DPA applies to households or organizations subject to GDPR, CPRA, or similar regulation. For most US-based families using Firstfruits personally, the Privacy Policy is the controlling document. If you need a counter-signed DPA for institutional use (e.g., a Christian school or church administering Firstfruits subscriptions for member families), email hello@firstfruits.app — we'll execute one based on the structure below.
1. Roles.
Subscriber is the data controller for household financial data. ITABWODI LLC (operator of Firstfruits) is the data processor. Sub-processors are listed in the Privacy Policy.
2. Processing scope + purpose.
We process subscriber data only to (a) deliver the contracted service, (b) provide support, (c) bill, and (d) comply with law. We do not process it for longer, or for any other purpose, without instruction.
3. Security.
Encryption in transit (TLS 1.2+) and at rest (AES-256). Access controlled via authenticated sessions and role-based permissions. Audit log on every financial mutation. Annual review of sub-processor SOC 2 reports. Backup retention 30 days.
4. Sub-processors.
The current sub-processor list is provided to subscribers under the executed DPA on request. We notify subscribers via email at least 30 days before adding a new sub-processor that processes household financial data.
5. Data subject rights.
We assist subscribers in responding to data subject requests (access, correction, deletion, portability). The product surfaces most of these natively (export to CSV, inline edit, delete-with-confirmation, account closure).
6. Breach notification.
Without undue delay (within 72 hours of becoming aware), we notify affected subscribers of any personal data breach involving household financial data, including known facts and remediation steps.
7. International transfers.
All data is stored in the United States. For EU / UK subscribers: we rely on Standard Contractual Clauses and the UK Addendum.
8. Term + return.
This DPA lasts for the duration of the subscription. On termination, we return or delete subscriber data within 30 days, per subscriber's election.
9. Audit.
We provide our most recent SOC 2 Type II report (from our sub-processors), our security overview, and answers to standard security questionnaires on reasonable request.
10. Counter-signature.
For institutional subscribers (churches, schools), we counter-sign a Word/PDF version of this DPA on request. Email hello@firstfruits.app.