Trust
Data Processing Addendum
Standard U.S. data-processing terms. The client-specific schedule must be completed before a live workflow handles Client Personal Data.
Effective July 15, 2026 · Version 2026-07-15
1. Scope and roles
This Data Processing Addendum ("DPA") supplements the Services Agreement between Preeminent Capital, LLC d/b/a Peak Leverage ("Peak Leverage") and Client. It applies when Peak Leverage processes personal data for Client to provide the services ("Client Personal Data"). Client is the business or controller and Peak Leverage is its service provider, contractor, or processor as those terms are used in applicable U.S. state privacy laws.
This generic DPA does not establish HIPAA, GLBA, GDPR, or other specially regulated compliance. If a service requires one of those regimes, the parties must sign an addendum that names the law and required safeguards before processing begins.
2. Instructions and limits
Peak Leverage will process Client Personal Data only to provide the services, follow Client’s documented lawful instructions, secure and support the system, prevent fraud or misuse, and comply with law. It will not sell Client Personal Data, share it for cross-context behavioral advertising, retain, use, or disclose it outside the business relationship, or combine it with unrelated personal data except as permitted by applicable law.
Client determines whether the processing is lawful, supplies required notices and choices, obtains necessary consent, and gives instructions consistent with law. Peak Leverage will notify Client if it reasonably believes an instruction violates applicable privacy law, unless law prohibits notice.
3. Required client-specific schedule
Before launch, the parties will complete a written schedule identifying the services and duration; data subjects; personal-data fields; purposes; systems and storage locations; subprocessors; access roles; retention and deletion; transfers; approved sensitive categories; security controls; and Client’s privacy contact. Until that schedule is approved, the workflow must use synthetic or nonpersonal test data.
4. Restricted data by default
Unless the completed schedule expressly permits a category and documents appropriate safeguards, Client will not provide and Peak Leverage will not intentionally process Social Security numbers, payment-card data, medical records, biometric data, government identification, precise geolocation, privileged matter files, information about children, or other specially regulated or highly sensitive data.
5. Confidentiality and access
Peak Leverage will limit Client Personal Data access to personnel and approved providers who need it for the services. Anyone with access must be bound by confidentiality and receive appropriate privacy and security instructions. Peak Leverage remains responsible for its personnel’s compliance with this DPA.
6. Security
Peak Leverage will maintain reasonable administrative, technical, and organizational safeguards appropriate to the nature of Client Personal Data and the documented risk. Controls will include, as applicable, least-privilege access, multifactor authentication for administrative access, managed secrets, encryption in transit, provider-supported encryption at rest, logging, secure development and change control, backups, vulnerability and patch management, and incident-response procedures.
Client is responsible for its own accounts, endpoints, personnel, permissions, instructions, and security controls unless the schedule assigns a control to Peak Leverage. No security program eliminates all risk.
7. Subprocessors
Client generally authorizes Peak Leverage to use subprocessors needed for the services. Expected providers include Cloudflare, HubSpot, Cal.com, SavvyCal, Stripe, OpenAI, and Anthropic when the relevant service uses them. The client-specific schedule will identify which providers actually process Client Personal Data and for what purpose.
Peak Leverage will require materially appropriate data-protection terms and remain responsible for subprocessor performance under this DPA. It will provide advance email notice before adding or replacing a subprocessor that will process Client Personal Data. Client may object promptly on documented data-protection grounds. The parties will seek a practical alternative; if none is reasonably available, either may end the affected service.
8. Individual requests
If Peak Leverage receives a request concerning Client Personal Data, it will direct the requester to Client unless law requires otherwise. Taking into account the nature of processing, Peak Leverage will provide reasonable assistance so Client can respond to verified access, correction, deletion, portability, or opt-out requests. Client is responsible for the response and its legal basis.
9. Security incidents
Peak Leverage will notify Client without unreasonable delay and, when reasonably practicable, within 72 hours after confirming unauthorized access to, acquisition of, or disclosure of Client Personal Data that compromises its security, confidentiality, or integrity (a "Security Incident"). An unsuccessful attempt that does not compromise Client Personal Data is not a Security Incident.
Initial notice may be preliminary. Peak Leverage will provide available information about the nature, affected data and people, likely consequences, containment, remediation, and a response contact, and will update Client as material facts develop. Client controls notices to individuals and regulators unless law assigns that duty to Peak Leverage.
10. Return and deletion
At Client’s request or when the affected service ends, Peak Leverage will provide one reasonable standard export of available Client Personal Data and delete or return service copies within the period stated in the client-specific schedule, ordinarily following the 30-day handoff window. Peak Leverage may retain copies required by law or reasonably needed for security, accounting, disputes, or backups, subject to continued protection and no further use except for that purpose. Backup copies may remain until they age out through normal recovery cycles.
11. Compliance help and audits
Peak Leverage will provide reasonably available information needed to demonstrate compliance with this DPA and answer one reasonable security questionnaire per year. It will reasonably assist with legally required assessments and consultations in light of the processing and information available to it.
On-site or invasive audits are limited to those required by law, a regulator, or a substantiated material incident. They require reasonable advance notice, confidentiality, qualified independent reviewers, minimal disruption, and no access to another client’s information. Client pays audit costs unless the audit finds Peak Leverage materially breached this DPA.
12. Government requests and location
Unless prohibited by law, Peak Leverage will notify Client of a legally binding request for Client Personal Data and reasonably redirect the requester to Client. Peak Leverage and its providers may process information in the United States and other locations identified in the client-specific schedule. The parties will add a required transfer mechanism before a transfer subject to non-U.S. restrictions.
13. Order, liability, and duration
This DPA controls only a conflict about Client Personal Data. The Services Agreement otherwise controls, including its liability limits, indemnity, dispute, and general terms. This DPA begins with the Services Agreement and continues while Peak Leverage processes Client Personal Data, including retained protected copies.
Client-specific schedule to complete
Client and project; processing purpose and duration; people and data fields; approved sensitive categories; source and destination systems; Peak Leverage storage, logs, queues, and backups; subprocessors and locations; access roles; security controls; retention, export, and deletion; incident contacts; Client privacy contact; approvals; and effective date.
No live workflow should launch until this schedule is complete and approved by both parties.
Contact
Preeminent Capital, LLC d/b/a Peak Leverage, 1150 E Riverside Dr. #910664, St. George, UT 84791, USA. Email: mike@peakleverage.com.