
Data Processing Agreement

Last updated: June 3, 2026

Note: This DPA forms part of the Terms & Conditions and applies whenever you, as a coach, connect a client to your Compound dashboard. A counter-signed copy is available on request at privacy@makeitcompound.com. This document is provided for transparency and should be reviewed by your own legal counsel before you rely on it for a specific compliance obligation.

1. Roles of the parties

For personal data relating to clients you invite and connect to your dashboard (“Client Personal Data”), you (the Coach) act as the data controller and Make It Compound acts as a data processor, processing that data on your documented instructions. For Make It Compound's own platform operations (account creation, billing, security), Make It Compound acts as an independent controller as described in the Privacy Policy.

2. Subject matter, duration, nature & purpose

  • Subject matter: Make It Compound's provision of the Compound for Coaches platform.
  • Duration: For as long as an active coach–client connection exists and you maintain an account, plus any retention period required by law.
  • Nature & purpose: Hosting, displaying (read-only to you), storing, and securing Client Personal Data so you can deliver financial-coaching services to that client.

3. Categories of data subjects & personal data

  • Data subjects: Your clients who accept a connection and use Compound.
  • Personal data: Identity and contact data (name, email); financial-account metadata, balances, and transactions retrieved via Plaid; budgets, goals, and savings data; and coaching interaction records (notes, action items, messages). No special-category data is requested. Bank credentials are never seen by Make It Compound — only tokenised access via Plaid, encrypted at rest.

4. Processor obligations

Make It Compound will:

  • Process Client Personal Data only on your documented instructions, including the operation of the platform as configured, unless required by law.
  • Ensure personnel authorised to process data are bound by confidentiality.
  • Implement the technical and organisational security measures described in Section 6.
  • Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
  • At your choice, delete or return Client Personal Data at the end of the engagement, subject to legal retention requirements.
  • Make available the information necessary to demonstrate compliance and allow for reasonable audits (see Section 8).

5. Sub-processors

You provide general authorisation for Make It Compound to engage the sub-processors listed on our sub-processors page, each bound by data-protection terms no less protective than this DPA. We will give notice of any intended addition or replacement of a sub-processor and give you the opportunity to object on reasonable data-protection grounds. Business customers may request advance-notice updates at privacy@makeitcompound.com.

6. Security measures

Make It Compound maintains the measures summarised on our Security & Trust page, including: AES-256-GCM field-level encryption of sensitive values before storage; encryption in transit and at rest; per-user data isolation enforced on every query from the server-verified session; magic-link authentication with session lifetime caps and optional MFA; append-only audit logging plus a client-visible coach-access transparency log; least-data collection; and hosting on independently audited infrastructure.

7. Personal data breaches

Make It Compound will notify you without undue delay after becoming aware of a personal-data breach affecting Client Personal Data, with the information reasonably available to help you meet your own notification obligations.

8. Audits

On reasonable prior written request, and no more than once per year (unless required by a supervisory authority or following a breach), Make It Compound will provide information reasonably necessary to demonstrate compliance with this DPA, which may include third-party audit reports of our sub-processors in lieu of on-site audits.

9. International transfers

Client Personal Data is processed primarily in the United States by the providers listed on the sub-processors page. Where required, transfers are made under an appropriate transfer mechanism (such as Standard Contractual Clauses) maintained by the relevant sub-processor.

10. Return & deletion

On termination of a coach–client connection, your dashboard access to that client's data ends immediately. The client retains their own account and data. On termination of your coach account, or on your written request, Make It Compound will delete or return Client Personal Data within a reasonable period, subject to legal retention requirements. Clients may independently export or delete their own data at any time.

11. Liability & precedence

This DPA is incorporated into and subject to the Terms & Conditions. In the event of a conflict between this DPA and the Terms regarding the processing of Client Personal Data, this DPA controls. Each party's liability remains subject to the limitations set out in the Terms.

12. Contact

Make It Compound
Data protection enquiries: privacy@makeitcompound.com
Security reports: security@makeitcompound.com