Data Processing Addendum

Last Updated: June 7, 2026

This DPA is a working template pending legal review. A countersigned DPA may be required for enterprise customers and will govern where executed.

This Data Processing Addendum ("DPA") supplements the Terms of Service and applies where Iota-Home processes personal data on behalf of a B2B customer (the "Customer") in connection with embedded widget analytics. For that processing, the Customer is the controller and Iota-Home is the processor.

1. Scope & Roles

Iota-Home processes personal data only to provide the Services and on the Customer's documented instructions, including as set out in the Terms and this DPA.

2. Nature of Data Processed

The widget is designed to be privacy-minimal. For embedded analytics we collect event-level telemetry such as anonymous session identifiers, event type (e.g. session start, calculation), and which calculator was used. We do not collect or store visitor financial inputs, and we do not store visitor IP addresses or persistent personal identifiers as part of widget analytics.

3. Subprocessors

We use the following subprocessors to deliver the Services:

  • Supabase — database, authentication, storage.
  • Vercel — application and serverless function hosting.
  • Stripe — subscription billing and payment processing.
  • Google Analytics — marketing-site analytics (consent-gated).

We will provide notice of new subprocessors and maintain an up-to-date list on request.

4. Security Measures

  • Row-Level Security and server-enforced tenant isolation in the database.
  • Domain-locked embeds via per-tenant Content-Security-Policy enforced on every request.
  • High-entropy, rotatable embed tokens; service-role keys kept server-side only.
  • JWT-based authentication and encryption in transit (TLS).
  • Privileged billing and entitlement fields writable only by server/service-role code.

5. Confidentiality

Personnel authorized to process personal data are bound by appropriate confidentiality obligations.

6. Data Subject Requests

Taking into account the nature of the processing, we will provide reasonable assistance to the Customer in responding to data-subject requests relating to data we process on the Customer's behalf.

7. Data Breach Notification

We will notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer's data and will provide information reasonably required for the Customer to meet its own notification obligations.

8. Return & Deletion

Upon termination, or on request, we will delete or return Customer personal data we process as a processor, except where retention is required by law. Deleting a tenant removes its configuration and associated widget analytics.

9. International Transfers

Where personal data is transferred across borders, we rely on the safeguards provided by our subprocessors and applicable transfer mechanisms. Specific mechanisms will be confirmed on legal review.

10. Contact

For data-protection inquiries: contact@iota-home.com
