Data Processing Addendum
Version: 1.0
Effective Date: December 31, 2025
Last Updated: December 31, 2025
1. Introduction
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between Full Circle Asset Recovery LLC ("Processor," "we," "us," or "our") and you ("Controller," "you," or "your") for the use of our asset recovery platform (the "Service").
This DPA applies when we process personal data on your behalf in connection with the Service. It describes the data protection obligations of both parties and supplements any other agreements between us regarding data protection.
2. Definitions
- "Controller" means the entity that determines the purposes and means of Processing Personal Data.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is Processed.
- "Personal Data" means any information relating to a Data Subject.
- "Processing" means any operation performed on Personal Data (collection, storage, use, disclosure, etc.).
- "Processor" means the entity that Processes Personal Data on behalf of the Controller.
- "Security Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
3. Roles and Responsibilities
3.1 Role Clarification
The roles under this DPA depend on the context of the processing:
- Full Circle as Processor: When we process claimant, heir, or case data on behalf of attorneys or law firms using our platform to manage their client matters, the attorney/firm is the Controller and Full Circle is the Processor.
- Full Circle as Controller: When we process data for our own business purposes (e.g., marketing, lead generation, platform analytics, employee data), Full Circle is the Controller.
- Joint Controller: In some cases, such as coordinated attorney-client services, both parties may act as joint Controllers with respect to certain processing activities.
This DPA primarily governs scenarios where Full Circle acts as Processor. For processing where Full Circle is Controller, our Privacy Policy applies.
3.2 Controller Responsibilities
When you are the Controller, you are responsible for:
- Ensuring lawful basis for Processing Personal Data
- Providing required notices to Data Subjects
- Responding to Data Subject requests (with our assistance)
- Complying with applicable data protection laws
- Ensuring instructions to us are lawful
3.3 Processor Responsibilities
When acting as Processor, we will:
- Process Personal Data only on your documented instructions
- Ensure personnel are bound by confidentiality obligations
- Implement appropriate security measures
- Assist you in responding to Data Subject requests
- Notify you of Security Incidents without undue delay
- Delete or return Personal Data upon termination
- Make information available to demonstrate compliance
4. Scope of Processing
4.1 Subject Matter
Processing of Personal Data necessary to provide asset recovery services, including case management, heirship verification, document processing, and financial tracking.
4.2 Duration
Processing continues for the duration of the Agreement, plus any retention period required by law or specified in the Agreement.
4.3 Categories of Data Subjects
- Claimants and prospective claimants
- Heirs and beneficiaries
- Property owners (former and current)
- Attorney network members
- Platform users and administrators
4.4 Types of Personal Data
- Contact information (name, email, phone, address)
- Identification documents
- Financial information (bank accounts, transaction data)
- Property and case information
- Family relationship data (for heirship verification)
- Professional credentials (for attorneys)
- Vital records (birth, death, marriage certificates)
5. Security Measures
We implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest where technically appropriate
- Access Controls: Role-based access control (RBAC) limits access to authorized personnel
- Authentication: Secure authentication mechanisms including password hashing
- Audit Logging: Access to Personal Data is logged for security and compliance
- Infrastructure Security: Hosting on enterprise-grade cloud infrastructure with security certifications
- Employee Training: Personnel receive data protection and security training
- Incident Response: Documented procedures for responding to Security Incidents
Note: Specific security implementations may vary by environment and are subject to ongoing improvement. We do not guarantee absolute security.
6. Sub-processors
You authorize us to engage Sub-processors to assist in providing the Service. We maintain contracts with Sub-processors imposing data protection obligations comparable to this DPA.
6.1 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure, storage, and computing | United States |
| Plaid Inc. | Bank account verification and financial data aggregation | United States |
| Intuit QuickBooks | Financial management and accounting | United States |
| TransUnion (TLOxp) | Identity verification and skip tracing | United States |
| DocuSign | Electronic signature services | United States |
| ICE Mortgage Technology (SiteXPro) | Property data and valuations | United States |
| Sentry | Error tracking and monitoring | United States |
| Mailgun Technologies | Email delivery services | United States |
| Slack Technologies | Team notifications and communications | United States |
| OpenAI / Anthropic | AI/ML processing for case evaluation | United States |
6.2 Sub-processor Changes
We will provide at least 30 days' notice before adding or replacing Sub-processors by updating this page. You may object to a new Sub-processor by contacting us within 14 days of notification.
6.3 Sub-processor Updates
To receive notifications of Sub-processor changes, please contact us at privacy@fullcircleassetrecovery.com to subscribe to our Sub-processor notification list.
7. International Data Transfers
Personal Data may be transferred to and processed in the United States and other countries where our Sub-processors operate. We ensure appropriate safeguards are in place for such transfers, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Protection Addendums with Sub-processors
- Supplementary measures where required
8. Data Subject Rights
We will assist you in responding to Data Subject requests to exercise their rights, including:
- Access to Personal Data
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability
- Objection to processing
- Restriction of processing
If we receive a request directly from a Data Subject, we will promptly forward it to you unless legally prohibited.
9. Security Incidents
Upon becoming aware of a confirmed Security Incident affecting Personal Data that we process on your behalf, we will:
- Notify you without undue delay after confirming the incident (target: within 72 hours of confirmation, where feasible)
- Provide information about the nature of the incident, categories of data affected, and approximate number of Data Subjects impacted
- Describe likely consequences and mitigation measures taken or proposed
- Cooperate with your investigation and notification obligations
- Take reasonable steps to mitigate effects and prevent recurrence
Scope and Exceptions:
- The notification period begins upon our confirmation of a Security Incident (not upon initial suspicion or investigation)
- The 72-hour target may be extended if required by law enforcement or regulatory authority
- This section applies only to Personal Data we process as Processor on your behalf, not to our own Controller processing
- Unsuccessful attacks (e.g., blocked intrusions, unsuccessful phishing attempts) that do not result in unauthorized access do not constitute Security Incidents requiring notification
10. Data Deletion and Return
Upon termination of the Agreement or upon your request, we will:
- Delete Personal Data within 90 days, unless retention is required by law
- Provide a copy of your data upon request (in a standard format)
- Certify deletion upon request
We may retain data in anonymized or aggregated form for analytics, provided it cannot be used to identify individuals.
11. Audits and Compliance
We will make available information reasonably necessary to demonstrate compliance with this DPA. This may include:
- Security questionnaire responses
- Third-party audit reports (SOC 2, ISO 27001) where available
- Data processing documentation
Audits requiring access to our systems or premises must be mutually agreed upon, subject to confidentiality obligations and reasonable notice.
12. Liability
Liability under this DPA is subject to the limitations and exclusions set forth in the Agreement. Each party is liable for damages caused by its breach of this DPA.
13. Changes to This DPA
We may update this DPA from time to time. Material changes will be notified via email or through the Service. Continued use after changes constitutes acceptance.
14. Contact Information
For questions about this DPA or data processing:
Data Protection Contact: privacy@fullcircleassetrecovery.com
Address:
Full Circle Asset Recovery LLC
Attn: Data Protection
721 Belmont St, Suite 1A
Brockton, MA 02301