1. Introduction & Parties
This Data Processing Addendum (“DPA”) forms part of any agreement, subscription, or use of the TaxWallet Platform (“Agreement”).
This DPA is entered into between:
- Controller: The tax professional, tax firm, or entity using TaxWallet to collect, manage, or process taxpayer information.
- Processor: TaxWallet, operated on proprietary infrastructure developed by Jadee (“TaxWallet”, “we”, “us”, “our”).
This DPA governs the processing of personal data submitted by Controller to the Platform, in compliance with applicable U.S. federal law, IRS regulations, FTC Safeguards Rule, GLBA, GDPR, and international privacy statutes.
2. Definitions
“Personal Data” means any information relating to an identified or identifiable individual, including taxpayers, dependents, spouses, staff, or authorized account users.
“Processing” means any operation performed on Personal Data, including collection, storage, retrieval, transmission, destruction, or analysis.
“Sub-processor” means any third party engaged by TaxWallet to process Personal Data on TaxWallet’s behalf.
“Platform” includes the web dashboard, mobile apps, APIs, AI/OCR systems, integrations, communication tools, and associated infrastructure.
3. Role of the Parties
Controller is solely responsible for determining the purposes, legality, and means by which Personal Data is processed.
Processor processes Personal Data only on behalf of Controller and only in accordance with Controller instructions or as required by law.
Controller is responsible for obtaining all legally required consent and authorization before uploading Personal Data to the Platform.
Controller acknowledges that misuse, inaccurate input, or illegal transmission of Personal Data remains the sole responsibility of Controller.
4. Types of Data Processed
TaxWallet processes the following categories of Personal Data on behalf of Controller:
- Identification information (names, SSNs/ITINs, DOB, dependents, phone numbers, addresses).
- Tax documentation (W-2, 1099, 1098, receipts, identity documents, PDFs, scanned files).
- Device data (mobile device ID, crash logs, OS metadata).
- Electronic signature records, ESIGN disclosures, timestamps, and IP logs.
- AI/OCR input artifacts and extracted data (subject to professional verification).
- Banking-product application data where applicable.
- All audit logs and workflow history generated by Controller’s use of the Platform.
5. Processing Purposes
Processor will process Personal Data solely to:
- Provide access to the Platform and user authentication.
- Facilitate tax preparation, review, storage, and secure transmission.
- Support e-filing processes with IRS and state agencies.
- Provide document upload, retrieval, OCR, AI-assisted extraction, and workflow automation.
- Deliver communication tools, notifications, and support.
- Maintain system security, fraud detection, and compliance auditing.
- Provide infrastructure hosting, backup, redundancy, and availability services.
6. Controller Responsibilities
Controller warrants and represents that:
- All Personal Data submitted to the Platform has been lawfully obtained.
- Controller has secured all necessary taxpayer consents.
- Controller will not upload data in violation of federal, state, privacy, or identity-theft laws.
- Controller is fully responsible for reviewing, verifying, and approving all tax-return data, including AI/OCR outputs.
- Controller is solely liable for errors arising from misuse, fraudulent returns, improper filing, or negligent data handling.
Processor assumes no responsibility for the accuracy of data uploaded or for filing obligations of Controller.
7. Processor Obligations
Processor shall:
- Process Personal Data strictly per Controller instructions.
- Maintain administrative, technical, and physical safeguards compliant with IRS Publication 4557, NIST, FTC Safeguards Rule, SOC 2, and GLBA.
- Ensure access to Personal Data is limited to trained, authorized personnel.
- Maintain audit logs of access, signature activity, and workflow events.
- Notify Controller without undue delay of any confirmed security breach.
- Assist Controller in meeting privacy obligations to the extent commercially reasonable.
Processor does not guarantee legal compliance on behalf of Controller or act as Controller’s legal or tax advisor.
8. Sub-processors
Controller authorizes Processor to engage Sub-processors for hosting, security, infrastructure, OCR/AI processing, communication, banking integrations, and identity verification.
Processor will ensure Sub-processors are bound by confidentiality, security, and data protection obligations no less stringent than those in this DPA.
A current list of Sub-processors is available upon request.
9. Data Security
Processor implements industry-leading security controls, including:
- Encryption at rest (AES-256) and in transit (TLS 1.2+).
- Zero-trust architecture and multi-factor authentication.
- Role-based access controls and anomaly detection.
- Continuous monitoring, penetration testing, and intrusion prevention.
- Immutable audit logging for compliance and investigatory purposes.
Despite robust safeguards, Processor does not guarantee absolute security, and Controller is responsible for maintaining secure devices, networks, and credentials.
10. Breach Notification
In the event of a confirmed data breach affecting Personal Data, Processor will:
- Notify Controller without undue delay.
- Provide available details and ongoing updates.
- Cooperate with reasonable Controller requests necessary for legal compliance.
Controller holds sole responsibility for notifying affected taxpayers unless otherwise required by law.
11. International Transfers
All Personal Data is stored and processed within the United States unless otherwise specified.
For international transfers, Processor uses Standard Contractual Clauses (SCCs) or equivalent legal mechanisms.
Processor does not guarantee compatibility with foreign filing regulations unless explicitly stated.
12. Data Subject Rights
When GDPR, CCPA, or equivalent rights apply, Processor will assist Controller as reasonably necessary to:
- Fulfill access requests.
- Correct inaccurate data.
- Delete data (subject to IRS and regulatory retention rules).
- Respond to objections or restrictions.
Processor will not respond directly to Data Subjects unless legally required.
13. Data Retention & Deletion
Processor retains Personal Data only as long as necessary to:
- Provide Platform services.
- Fulfill regulatory and tax-industry retention obligations.
- Maintain audit and fraud-prevention records.
Upon termination of Controller’s account, Processor will delete or return Personal Data except where retention is legally required (IRS, state, financial, or audit laws).
14. Audits & Compliance
Processor maintains SOC 2-aligned controls and industry certifications appropriate for tax software.
Controller may request compliance documentation reasonably available.
Physical or remote audits by Controller require:
- 60 days' prior written notice,
- Mutual agreement, and
- Reimbursement of Processor expenses.
Such audits may be denied if duplicative or intrusive.
Processor may provide SOC summaries or third-party audit attestations as an alternative to direct audits.
15. Liability, Indemnification & Limitations
Controller assumes full responsibility for:
- Accuracy and legality of Personal Data submitted.
- Tax advice, tax preparation, filing, and professional obligations.
- Fraudulent filings, unauthorized submissions, or identity theft within Controller accounts.
- Misuse or misinterpretation of AI/OCR output.
Processor is not liable for:
- Controller errors, negligence, or misuse.
- Third-party outages (IRS, states, banking partners, identity verification vendors).
- Data losses or delays caused by Controller’s systems or networks.
Processor’s aggregate liability shall not exceed the total fees paid by Controller in the preceding 12 months.
Controller shall indemnify and defend Processor against claims arising from Controller’s unlawful or unauthorized data processing.
16. Termination
Upon termination of services:
- Controller may request deletion or export of Personal Data.
- Processor will delete or anonymize Personal Data except where retention is legally mandated.
- Access credentials and tokens will be disabled.
All obligations regarding confidentiality, security, and indemnification survive termination.
17. Entire Agreement & Amendments
This DPA supersedes all prior data-processing terms.
Updates may be issued to reflect legal or operational changes.
Continued use of the Platform constitutes acceptance of any revised DPA.
18. Contact Information
TaxWallet Legal & Compliance Office
Email: support@taxwallet.ai
We respond promptly to compliance, privacy, and regulatory inquiries.