Data Processing Agreement

GLBA-aligned data-processing posture for creditor counsel.

This page is the standing Data Processing Agreement (“DPA”) between Debt Digest, Inc. and any financial-institution creditor that places consumer accounts on the platform. It describes how Debt Digest protects nonpublic personal information (“NPI”) under the Gramm-Leach-Bliley Act Safeguards Rule (16 CFR Part 314) and is intended to be incorporated by reference into the pilot or master services agreement between the parties.

Effective date: May 19, 2026
Processor: Debt Digest, Inc. (Delaware C-Corp)
DPA contact: legal@debt-digest.com
Version: 1.0
Length: 1-pager, counsel-facing
For redline: legal@debt-digest.com

1. Parties and Roles

This DPA is between the financial-institution creditor (the “Creditor”) that has signed or is evaluating a pilot or master services agreement with Debt Digest, Inc., a Delaware corporation (“Debt Digest” or “Processor”). The Creditor is the financial institution under the GLBA and the controller of NPI it places on the platform. Debt Digest is the Creditor’s service provider under the GLBA Safeguards Rule and acts on the Creditor’s documented instructions.

2. Scope and Subject Matter

Debt Digest processes NPI on behalf of the Creditor for the limited purpose of delivering the platform, including pre-charge-off intervention (Intercept), post-charge-off recovery workflows (Recovery), settlement-firm intermediation (Tollbooth), and any related communications, payment processing, dispute handling, and audit-logging functions configured by the Creditor.

3. Categories of Data and Data Subjects

Categories of NPI processed: consumer name, contact details, date of birth, last four digits of Social Security number, account identifiers, outstanding balance, charge-off date, days past due, payment history, communication and dispute history, hardship-program self-attestation (if submitted), and payment-method tokens (held by the payment processor, not by Debt Digest).

Data subjects: the consumers whose accounts the Creditor places on the platform.

4. Processor Obligations

Debt Digest will:

  • Process NPI only on the documented instructions of the Creditor and only for the purposes set out in the pilot or master services agreement and Section 2 of this DPA.
  • Not sell NPI and not use NPI for cross-context behavioral advertising or for any purpose unrelated to the Service.
  • Ensure that personnel with access to NPI are subject to a written confidentiality obligation and access controls under the principle of least privilege.
  • Maintain the technical, administrative, and physical safeguards described in Section 5, consistent with the GLBA Safeguards Rule (16 CFR Part 314) and NCUA service-provider expectations (12 CFR Part 748) where the Creditor is a federally insured credit union.
  • Assist the Creditor, on reasonable request, in responding to consumer inquiries, dispute notices, regulator forwardings, and audit requests within the timeframes in Section 7.
  • Cooperate with the Creditor’s annual vendor due-diligence review.
  • Return or securely delete NPI on termination of the governing agreement, subject to retention required by applicable law and the audit-log retention described in Section 6.

5. Safeguards

Debt Digest maintains an information-security program designed to meet the GLBA Safeguards Rule requirements. Controls in production include:

Encryption in transit and at rest

TLS 1.2 or higher on all network traffic. Database-level encryption at the managed PostgreSQL layer.

Strong authentication

scrypt password hashing, JWT short-lived sessions, progressive rate limiting and lockout on auth endpoints, magic-link single-use enforcement.

Tenant-scoped access

Every database query and API route is scoped to the Creditor’s tenant. Cross-tenant reads are blocked at the route, query, and middleware layers.

Role-based access control

Five-tier RBAC (read_only, analyst, admin, owner) with per-route gates and separation of duties on sensitive admin actions.

Audit logging

Append-only audit log captures administrative access, consumer-facing events, FDCPA / Reg F decision points, and security events. Retained 36 months post-termination.

Secure development

OWASP Top 10 (2021) sweep on every release wave; ESLint + dead-code lint gate; pre-push QC check; dependency vulnerability scanning.

Backup and recovery

Daily managed-database backups via Neon. Point-in-time recovery within retention window. Annual restoration test.

Incident response

Documented IR procedure with named contacts, severity tiers, and notification SLA (see Section 7).

6. Data Retention and Deletion

NPI is retained for the term required by the pilot or master services agreement and any applicable federal or state record-retention statute, whichever is longer. Audit-log entries supporting FDCPA, Reg F, and TCPA compliance are retained for a minimum of thirty-six (36) months post-termination of the governing agreement. On written instruction from the Creditor, Debt Digest will export and securely delete NPI within forty-five (45) days, subject to legal hold and audit-log retention.

7. Breach and Incident Notification

Breach notification within 72 hours (GLBA incident response).

Debt Digest will notify the Creditor without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a security incident that has resulted in or is reasonably likely to result in unauthorized access to, use of, or disclosure of the Creditor’s NPI. Notification will include: nature of the incident, categories and approximate volume of affected NPI, likely consequences, mitigating measures taken, and a designated contact for follow-up.

Debt Digest will cooperate with the Creditor’s incident-response, regulator-notification, and consumer-notification obligations under federal and state law, including the GLBA interagency guidance on response programs and applicable state breach-notification statutes.

8. Subprocessors

Debt Digest engages the following subprocessors, each under a written agreement that requires the subprocessor to maintain safeguards no less protective than those in this DPA:

Subprocessor (location): purpose

  • Stripe, Inc. (United States): payment processing and creditor payout.
  • SendGrid (Twilio) (United States): transactional email delivery (notices, communications, magic-link sign-in).
  • Neon, Inc. (United States): managed PostgreSQL database hosting (encrypted at rest).
  • Railway Corp. (United States): application hosting (web and API tier) and request-log retention.

Debt Digest will provide at least thirty (30) days’ prior written notice (via this page or directly) before adding or replacing a subprocessor that processes Creditor NPI. The Creditor may object on reasonable data-protection grounds during the notice period.

9. Audit Rights

On reasonable advance notice and not more than once per twelve (12) months (except where required by a regulator or as a result of a security incident), Debt Digest will make available to the Creditor (a) the most recent independent security assessment summary, (b) the published security posture at /security, (c) the current subprocessor list, and (d) a counsel-facing diligence packet sufficient for the Creditor’s vendor-management program. On-site audits may be conducted by mutual agreement at the Creditor’s cost.

10. International Transfers

NPI is processed exclusively in the United States by Debt Digest and the subprocessors listed in Section 8. Debt Digest will not transfer NPI outside the United States without prior written instruction from the Creditor.

11. Term and Survival

This DPA takes effect on the effective date of the underlying pilot or master services agreement and remains in effect for the duration of that agreement and for any tail period in which Debt Digest retains NPI under Section 6. Sections 4, 5, 6, 7, and 9 survive termination for so long as Debt Digest retains any Creditor NPI.

12. Order of Precedence

In the event of a conflict between this DPA and the pilot or master services agreement signed between the parties, the signed agreement controls. In the event of a conflict between this DPA and the public-facing Privacy Policy with respect to NPI processed on behalf of the Creditor, this DPA controls.

13. Counsel Contact

Redlines, diligence questionnaires, and DPA execution requests should be directed to legal@debt-digest.com. Security incident reports and regulator forwardings should be directed to security@debt-digest.com and compliance@debt-digest.com. General contact: pgvanderwolk@gmail.com.
