← Legal

Data Processing Addendum

Effective Date: June 1, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between the firm ("Firm" or "Controller") and Secord Fintech Inc. ("Journey.tax", "Processor") and governs Journey.tax's processing of personal data and tax return information submitted by the Firm through the Journey.tax platform (the "Service").

1. Roles

The Firm is the controller of client data submitted to the Service. Journey.tax acts as processor and service provider, and as an auxiliary service provider in connection with tax return preparation under IRC § 7216 and Treasury Regulation § 301.7216-2.

2. Purpose limitation

Journey.tax will process client data solely to provide the Service in accordance with the Firm's documented instructions, including those contained in the agreement and the Service configuration. Journey.tax will not sell client data, will not use client data for its own commercial purposes, and will not use client data to train third-party AI models.

3. AI and OCR subprocessing

The Service may use AI and OCR subprocessors to extract, classify, and route information from firm- and client-submitted documents. These subprocessors are bound by contractual confidentiality and purpose-limitation terms and are prohibited from using client data for their own purposes or for model training.

4. Subprocessors

Journey.tax uses the following subprocessors to provide the Service:

  • Supabase — cloud hosting and database services (United States).
  • Email delivery, SMS delivery, document storage, and AI/OCR processing providers as listed in the Service.

Journey.tax remains responsible for its subprocessors' performance of obligations under this DPA.

5. Security

Journey.tax maintains an information security program with administrative, technical, and physical safeguards consistent with the FTC Safeguards Rule and IRS Publication 4557, including:

  • Encryption in transit and at rest.
  • Role-based access controls and least-privilege provisioning.
  • Multi-factor authentication for administrative access.
  • Time-limited signed URLs for document access.
  • Centralized logging, monitoring, and alerting.

6. Breach notice

Journey.tax will notify the Firm without undue delay after becoming aware of a personal data breach affecting client data and will reasonably cooperate with the Firm's investigation and notification obligations.

7. Deletion and return

Upon termination of the Service and at the Firm's written request, Journey.tax will delete or return client data in accordance with the Service's data lifecycle and applicable legal retention obligations.

8. International transfers

Client data is processed in the United States. Where data is transferred from another jurisdiction, the parties will rely on appropriate transfer mechanisms recognized by applicable law.

9. Compliance and audits

Journey.tax will make available to the Firm information reasonably necessary to demonstrate compliance with this DPA, including, on reasonable request and subject to confidentiality, summaries of third-party security assessments.

10. Contact

DPA questions may be sent to admin@journey.tax.

Journey.tax is operated by Secord Fintech Inc., 8470 Enterprise Cir, Lakewood Ranch, FL 34202 · 727-362-6858 · admin@journey.tax