Data Processing Addendum

Data Processing Addendum

Effective Date: June 3, 2026

Last updated: June 1, 2026

Who We AreRIA Compliance Technology
Who This CoversRegistered investment advisers and broker-dealers using our platform
What This IsOur written commitment on how we handle your clients’ data
Regulatory BasisRegulation S-P (17 CFR 248.30), as amended in 2024 (smaller-entity compliance date June 3, 2026)
Effective DateJune 3, 2026
Last UpdatedJune 1, 2026

What This Document Is, and Why You Need It in Your Vendor File

Amended Regulation S-P requires every registered investment adviser to obtain written confirmation from its vendors that they will notify the firm within 72 hours of a data breach. This document is that confirmation from RIA Compliance Technology. Print it, sign it, and file it in your Reg S-P vendor oversight records. If an SEC examiner asks whether you have documented your vendor’s data security obligations, this is the document you produce.

1. Who We Are and What We Do With Your Data

RIA Compliance Technology provides compliance technology to registered investment advisers and broker-dealers. Our platform archives your emails, text messages, and social media communications, monitors your trade data, and provides compliance calendar and reporting tools.

When you use our platform, we handle data that belongs to your clients — things like names, account information, and communications. We want to be clear about our role: we are a service provider. That means we process your clients’ data on your behalf, under your direction, and only for the purpose of providing our services to you. We are not the owner of that data and we do not use it for our own purposes.

In legal terms, you are the data controller and we are the data processor. This document sets out what that means in practice.

2. What We Will Never Do With Your Data

We will never do any of the following with your clients’ nonpublic personal information:

  • Sell your clients’ data to anyone
  • Share your clients’ data with third-party marketing firms
  • Use your clients’ data for advertising or behavioral tracking
  • Use your clients’ data to build profiles for any purpose other than providing our services to you
  • Retain your clients’ data after you stop using our platform, beyond the periods required by SEC/FINRA record retention rules
  • Transfer your clients’ data outside the United States without telling you first

3. Our Breach Notification Commitment

The 72-Hour Rule — What It Means and What We Commit To

Amended Regulation S-P requires service providers like RIA Compliance Technology to notify you within 72 hours of becoming aware of any unauthorized access to your clients’ data. Your ability to meet your own 30-day customer notification deadline under Reg S-P depends on us notifying you promptly. Here is our formal commitment.

If we ever become aware of a security incident that involves your clients’ data, we commit to the following:

  • We will notify your Chief Compliance Officer or other administrators within 72 hours of becoming aware of the incident.
  • Our initial notification will tell you what happened, when we discovered it, what data may be affected, how many clients may be affected, and what we are doing to stop it.
  • We will send follow-up updates as we learn more, and provide a final written summary when the incident is resolved.
  • We will cooperate fully with your incident response process, including providing records and staff access as you reasonably need.
  • We will require our own vendors (sub-processors) to notify us of any breach within 48 hours.

Notifications will be sent to your designated CCO and the administrator contact on record.

4. How We Protect Your Clients’ Data

We maintain a written security program designed to protect your clients’ data. Here is what that includes, in plain terms.

Technical protections

  • All data is encrypted when it travels across the internet (TLS 1.2 or higher).
  • Data is encrypted at rest where technically feasible.
  • Only staff who need access to your data to do their job can access it.
  • We require multi-factor authentication for administrative access to systems holding your data.
  • We log and monitor who accesses your data and flag unusual activity.
  • We test our security regularly and apply patches promptly.

Operational protections

  • Every employee with access to your data signs a confidentiality agreement.
  • We train all staff on data security obligations at least once a year.
  • We have a written incident response plan and conduct breach response exercises.
  • We review our security program at least annually and update it when needed.

If you ask us once a year for a summary of our security practices or a copy of our security certifications, we will provide it. We may also satisfy this by sharing a current SOC 2 Type II report or equivalent if we have one.

5. Our Vendors and Sub-Processors

We use a small number of third-party vendors to help us deliver our platform — things like cloud hosting infrastructure. We call these vendors “sub-processors.” Here is how we manage them:

  • We only use sub-processors that have appropriate data security controls in place.
  • Every sub-processor with access to your clients’ data is contractually required to protect that data to the same standard we are committed to here.
  • We require every sub-processor to notify us of a breach within 48 hours so we can meet our 72-hour obligation to you.
  • We do not allow sub-processors to use your clients’ data for any purpose other than helping us deliver our services to you.
  • We maintain a current list of our material sub-processors.
  • We will give you at least 30 days’ notice before adding a new sub-processor that will have access to your clients’ data.

6. Your Rights and Our Responsibilities

You are the data controller — meaning you are responsible for your clients’ data and your clients’ privacy rights. We are your service provider. Here is how we support you.

If a client asks to access, correct, or delete their data

We will help you respond to those requests. If we receive a request directly from one of your clients, we will forward it to you within 5 business days rather than responding ourselves — because you are the controller, not us.

Important note on deletion requests for archived communications

Some of the communications we archive for you (emails, texts, social media) are required by SEC and FINRA rules to be retained for specific periods. We cannot delete those records on request if doing so would violate your regulatory retention obligations. If a client asks to delete archived communications, you as the CCO need to determine whether a regulatory hold applies before directing us to delete.

If you have a regulatory examination

If you are examined by the SEC, FINRA, or a state regulator and they ask about our platform or our data handling, we will cooperate with your examination and provide documentation they reasonably need about how we protect client data.

What happens to your data when you leave

When you stop using our platform, we will retain your data for up to 90 days so you have time to export it. Within 30 days of your written request, we will delete your data and give you written confirmation that deletion is complete.

7. Privacy Laws We Follow

We have designed this agreement to meet the requirements of the following laws. Because we use California law as our minimum standard, this document covers you regardless of what state you operate in.

LawWhat It Means for You
Regulation S-P (amended 2024)Requires RIAs to have written service-provider agreements including a 72-hour breach notification requirement. This document satisfies that requirement.
Gramm-Leach-Bliley Act (GLBA)Federal law requiring financial firms to protect customer nonpublic personal information. We treat all your clients’ data as NPI subject to GLBA protections.
California CCPA/CPRAThe strictest U.S. state privacy law. We operate to this standard for all clients, not just California firms — no sale of data, no sharing for marketing, and full consumer-rights support.
Other state privacy laws (VA, CO, TX, etc.)Because we follow the California standard, we already meet or exceed the requirements of all other current U.S. state privacy laws.

8. Legal Terms

8.1 This document is part of your agreement with us

When you sign up for RIA Compliance Technology and accept our Terms of Service, you are also accepting this Data Processing Addendum. This DPA is incorporated into our Terms of Service by reference. If there is ever a conflict between this DPA and our Terms of Service on a data protection matter, this DPA wins.

8.2 We can update this document

If we need to update this DPA — for example, because a law changes or our services change — we will give you at least 30 days’ notice before the new version takes effect. We will post updates at riacomptech.com/dpa. If you continue using our platform after the effective date of an update, that means you accept it.

8.3 Governing law and arbitration

This agreement shall be governed, construed, and enforced in accordance with the laws of the State of Arizona, without regard to its conflict-of-laws rules. Any controversy arising out of this agreement shall be settled by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. The number of arbitrators shall be one; the place of arbitration shall be Arizona; and Arizona law shall apply.

8.4 Indemnification and limitation of liability

Indemnification and limitation of liability are governed by our Terms of Service and are not modified by this DPA. Nothing in this DPA expands or reduces those provisions, except that it confirms the data-security and breach-notification obligations set out above. Our breach-notification commitment in Section 3 applies regardless of any limitation of liability in the Terms of Service.

Acceptance

By accepting our Terms of Service at riacomptech.com, you agree to the terms of this Data Processing Addendum.

RIA Compliance Technology

END OF DPA

If you have any questions or concerns regarding this Agreement, please contact us:

Ready To Get Compliance
Done Fast And Off Your Plate?

Learn More