Cache

Data Processing Agreement

Data Processing Agreement for Enterprise Customers

This agreement governs how Cache processes personal data on behalf of our enterprise customers.

Last updated: February 2026

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement or Terms of Service ("Agreement") between Cache, Inc. ("Cache", "Processor") and the entity agreeing to these terms ("Customer", "Controller"). This DPA applies to the extent that Cache processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

For purposes of this DPA, the following definitions apply:

  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data. For purposes of this DPA, Customer is the Controller of Customer Data.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller. For purposes of this DPA, Cache is the Processor of Customer Data.
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • "Personal Data" means any information relating to a Data Subject that is processed by Cache as part of the Services, including but not limited to names, email addresses, financial account information, and transaction data.
  • "Customer Data" means all Personal Data that Cache processes on behalf of Customer in connection with the Services.
  • "Sub-processor" means any third party engaged by Cache to process Customer Data on behalf of Customer.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other applicable data protection legislation.

2. Scope of Processing

Cache shall process Customer Data only as necessary to provide the Services and as documented in this DPA and the Agreement.

2.1 Subject Matter

The subject matter of processing is the provision of financial management and data aggregation services as described in the Agreement.

2.2 Categories of Data Subjects

Personal Data may relate to the following categories of Data Subjects:

  • Customer's employees and authorized users
  • Individuals whose financial data is processed through the Services
  • Customer's customers, vendors, and business partners (if applicable)

2.3 Types of Personal Data

The following types of Personal Data may be processed:

  • Contact information (name, email address, phone number)
  • Account credentials and authentication data
  • Financial account information and transaction history
  • Usage data and activity logs

2.4 Duration of Processing

Cache shall process Customer Data for the duration of the Agreement, unless otherwise agreed in writing or required by applicable law.

3. Processor Obligations

Cache shall:

  • 3.1 Process Customer Data only on documented instructions from Customer, unless required by applicable law. If Cache is required by law to process Customer Data, Cache shall inform Customer of that legal requirement before processing unless prohibited by law.
  • 3.2 Ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • 3.3 Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of Personal Data, ongoing confidentiality of processing systems, ability to restore availability of data, and regular testing of security measures.
  • 3.4 Assist Customer in ensuring compliance with Data Protection Laws, taking into account the nature of processing and the information available to Cache.
  • 3.5 At the choice of Customer, delete or return all Customer Data to Customer after the end of the provision of Services, unless applicable law requires storage of the Personal Data.
  • 3.6 Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

4. Sub-processors

Customer provides general authorization for Cache to engage Sub-processors to process Customer Data, subject to the requirements of this Section.

4.1 Current Sub-processors

The following Sub-processors are authorized as of the effective date of this DPA:

Sub-processorLocationPurpose
Amazon Web Services, Inc.United StatesCloud infrastructure and data hosting
Plaid Inc.United StatesFinancial account connectivity and data aggregation
Stripe, Inc.United StatesPayment processing and billing
Twilio Inc. (SendGrid)United StatesTransactional email delivery

4.2 Sub-processor Requirements

Cache shall impose data protection obligations on any Sub-processor that are no less protective than those in this DPA. Cache shall remain responsible for the acts and omissions of its Sub-processors.

4.3 Notification of Changes

Cache shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance. Customer may object to the use of a new Sub-processor on reasonable grounds relating to data protection. If Customer objects and Cache cannot accommodate the objection, Customer may terminate the affected Services without penalty.

5. Data Subject Rights

Cache shall assist Customer in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

5.1 Notification

If Cache receives a request from a Data Subject regarding Customer Data, Cache shall promptly notify Customer and shall not respond to the request directly, except to confirm that the request relates to Customer, unless legally required to do so.

5.2 Assistance

Taking into account the nature of the processing, Cache shall assist Customer by appropriate technical and organizational measures to fulfill Customer's obligation to respond to Data Subject requests. Cache may charge reasonable fees for assistance beyond standard support.

6. Data Breach Notification

Cache shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Data.

6.1 Breach Notification Content

The notification shall include, to the extent known:

  • A description of the nature of the breach, including categories and approximate number of Data Subjects and records concerned
  • Contact details for obtaining further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach and mitigate its effects

6.2 Cooperation

Cache shall cooperate with Customer and take reasonable steps as directed by Customer to assist in the investigation, mitigation, and remediation of any Personal Data breach.

7. International Data Transfers

Cache may transfer Customer Data outside the European Economic Area ("EEA"), United Kingdom, or Switzerland only as permitted under Data Protection Laws.

7.1 Standard Contractual Clauses

For transfers of Personal Data from the EEA to countries not deemed adequate by the European Commission, the parties agree to incorporate the Standard Contractual Clauses adopted by the European Commission (Module Two: Controller to Processor) as incorporated by reference into this DPA.

7.2 Supplementary Measures

Cache implements supplementary technical and organizational measures to ensure an adequate level of protection for transferred Personal Data, including encryption in transit and at rest, access controls, and security monitoring.

8. Audit Rights

Customer may audit Cache's compliance with this DPA, subject to the following conditions:

8.1 Audit Procedures

  • Customer shall provide at least 30 days written notice of any audit request
  • Audits shall be limited to once per calendar year unless required by a supervisory authority or following a material breach
  • Customer shall bear the costs of any audit, unless the audit reveals material non-compliance by Cache
  • Auditors must execute confidentiality agreements acceptable to Cache

8.2 Third-Party Certifications

Cache shall make available its SOC 2 Type II report and other relevant certifications upon request. Customer agrees that review of these certifications may satisfy audit requirements under this Section, unless Customer has specific reasonable grounds requiring additional audit.

9. Term and Termination

9.1 Term

This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, this DPA shall automatically terminate, subject to Section 9.2.

9.2 Data Return and Deletion

Upon termination of the Agreement, Customer may request return of Customer Data in a commonly used format within 30 days of termination. Following the 30-day period, or upon Customer's earlier instruction, Cache shall delete all Customer Data in accordance with its standard deletion procedures, unless applicable law requires retention.

9.3 Survival

Provisions of this DPA that by their nature should survive termination shall survive, including confidentiality obligations and liability provisions.

DPA Execution

To execute this DPA or request a signed copy for your records, contact:
legal@usecache.com

For enterprise inquiries:
enterprise@usecache.com

Cache, Inc.
251 Little Falls Drive
Wilmington, DE 19808