Data Processing Addendum | Fundory.ai

Data Processing Addendum

Effective Date: April 29, 2026  |  Brownmine Enterprises LLC

This Data Processing Addendum ("DPA") supplements the Fundory.ai Terms of Service (the "Agreement") between Brownmine Enterprises LLC d/b/a Fundory.ai ("Fundory") and the Agency tier subscriber ("Agency" or "Customer"). This DPA applies whenever Fundory processes Client Data on behalf of Agency in connection with the Agency tier of the Service.

To the extent of any conflict between this DPA and the Agreement, this DPA controls with respect to the processing of Client Data.

1. Definitions

"Agreement" means the Fundory.ai Terms of Service and any related order form between Fundory and Agency.

"Applicable Laws" means the laws of the United States and the State of Georgia, including the California Consumer Privacy Act (as amended), as applicable to the processing of Client Data.

"Client" means a nonprofit organization, business, or other entity for which Agency uses the Service to manage grant pipelines, generate proposals, or perform related services.

"Client Data" means personal information and organizational information of a Client (or its personnel and beneficiaries) that Agency submits to or has processed by the Service.

"Personal Information" has the meaning given in Applicable Laws and includes information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual.

"Process" or "Processing" means any operation performed on Client Data, including collection, storage, use, disclosure, modification, transmission, or deletion.

"Sub-Processor" means a third party engaged by Fundory to process Client Data on its behalf.

2. Roles and Scope

2.1 Roles

As between Fundory and Agency, Agency is the controller (or business) of Client Data, and Fundory is the processor (or service provider) acting on Agency's documented instructions. Agency is solely responsible for determining the lawful basis on which Client Data is collected and disclosed to Fundory.

2.2 Authorization from Clients

Agency represents and warrants that it has obtained all necessary authorizations, consents, and rights from each Client to (a) submit Client Data to the Service, (b) permit Fundory to process Client Data as described in this DPA and the Agreement, and (c) generate proposals and other Generated Output on behalf of the Client.

2.3 Scope of Processing

Fundory will process Client Data solely (a) to provide the Service to Agency and its Clients, (b) as further documented in the Agreement, this DPA, or other written instructions from Agency, and (c) as required by Applicable Laws. The duration, nature, purpose, types of data, and categories of data subjects are described in Schedule A.

2.4 Lawfulness

If Fundory believes an instruction from Agency violates Applicable Laws, Fundory will inform Agency without undue delay and may suspend the relevant processing until the matter is resolved.

3. Confidentiality

3.1 Personnel

Fundory will ensure that personnel authorized to process Client Data are bound by appropriate confidentiality obligations and have received appropriate training on data protection.

3.2 Need-to-Know

Access to Client Data within Fundory is limited to personnel who require access to perform their duties.

4. Security Measures

4.1 Technical and Organizational Measures

Fundory will maintain reasonable and appropriate administrative, technical, and physical safeguards designed to protect Client Data against unauthorized access, alteration, disclosure, or destruction. Current measures include:

  • Encryption of Client Data in transit using industry-standard protocols (TLS).
  • Encryption at rest for sensitive fields and credentials.
  • Role-based access controls and authentication for all production systems.
  • Audit logging of administrative and high-privilege actions.
  • Regular vulnerability scanning and patch management.
  • Background checks for personnel with access to production systems, where permitted by law.
  • Secure software development practices, including code review.
  • Disaster recovery and incident response procedures.

4.2 Reasonable Updates

Fundory may update its security measures from time to time, provided that the level of protection is not materially decreased.

5. Sub-Processors

5.1 General Authorization

Agency authorizes Fundory to engage Sub-Processors to assist in providing the Service. Fundory will impose contractual obligations on each Sub-Processor that are substantially similar to those in this DPA, including with respect to confidentiality and security.

5.2 Current Sub-Processors

The current list of Sub-Processors includes:

Sub-Processor | Location | Purpose
OpenAI, LLC | United States | Large language model processing
Stripe, Inc. | United States | Payment processing
Amazon Web Services, Inc. | United States | Cloud hosting and storage

5.3 Changes to Sub-Processors

Fundory will notify Agency of new Sub-Processors at least thirty (30) days before authorizing them to process Client Data. Agency may object on reasonable data-protection grounds within fifteen (15) days of notice. If the parties cannot resolve the objection, Agency's sole remedy is to terminate the Service for the affected functionality without refund of fees already paid.

5.4 Liability

Fundory remains responsible for the acts and omissions of its Sub-Processors with respect to the obligations under this DPA.

6. Use of Client Data for AI Training

Agency acknowledges that Fundory uses Customer Data, which includes Client Data submitted to the Service, to train, fine-tune, evaluate, and improve its AI models and the Service, as described in the Agreement and Privacy Policy. Agency represents that it has secured the necessary authorizations from its Clients for this use. Where reasonably practicable, Fundory applies de-identification, aggregation, and access controls before using Client Data for training purposes. Sub-Processors providing AI infrastructure are contractually prohibited from using Client Data to train their own general-purpose models.

7. Data Subject Requests

7.1 Cooperation

Fundory will, taking into account the nature of the processing, provide reasonable assistance to Agency in responding to verifiable requests from data subjects (or their Clients) to exercise rights under Applicable Laws, including rights to know, access, correct, and delete Personal Information.

7.2 Direct Requests

If Fundory receives a request directly from a data subject regarding Client Data, Fundory will, where lawful, redirect the request to Agency without responding substantively, except to acknowledge receipt and provide Agency's contact information.

8. Security Incident Notification

8.1 Notification

Fundory will notify Agency without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed unauthorized acquisition of, access to, or disclosure of Client Data caused by a breach of Fundory's security measures (a "Security Incident").

8.2 Information Provided

The notification will include, to the extent then known, (a) a description of the nature and scope of the Security Incident, (b) the categories of Client Data affected, (c) the measures taken or proposed to address the incident, and (d) a point of contact for further inquiries.

8.3 Cooperation

Fundory will reasonably cooperate with Agency in investigating, mitigating, and remediating the Security Incident. Fundory's notification of, or response to, a Security Incident is not an admission of fault or liability.

9. Audits and Documentation

9.1 Documentation

Fundory will make available to Agency, upon reasonable written request, summary documentation reasonably necessary to demonstrate compliance with this DPA, such as security policy summaries, third-party audit reports (if available), and security questionnaire responses.

9.2 Audit Rights

To the extent required by Applicable Laws and subject to reasonable confidentiality obligations, Agency may audit Fundory's compliance with this DPA no more than once per twelve-month period, with at least thirty (30) days' advance written notice, during normal business hours, in a manner that does not unreasonably interfere with Fundory's operations. Fundory may satisfy audit requests by providing recent third-party audit reports where available.

10. Return and Deletion of Client Data

10.1 During Term

Agency may export Client Data through the Service's standard export functionality at any time during the term of the Agreement.

10.2 Upon Termination

Upon termination of the Agreement and at Agency's written request submitted within thirty (30) days after termination, Fundory will delete or return Client Data in its possession, except to the extent retention is required by Applicable Laws or for legitimate business purposes (such as backups, audit logs, financial records, or de-identified data already incorporated into AI model improvements).

10.3 Default Retention

If Agency does not submit a request within the thirty-day window, Fundory will retain Client Data in accordance with the retention practices described in the Privacy Policy until Agency requests deletion.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. The aggregate liability of either party arising out of this DPA and the Agreement, taken together, is governed by the limitations in the Agreement and is not increased by the existence of this DPA.

12. General

12.1 Term

This DPA takes effect when Agency subscribes to the Agency tier and remains in effect for so long as Fundory processes Client Data on behalf of Agency.

12.2 Order of Precedence

In case of conflict, this DPA controls over the Agreement with respect to processing of Client Data; the Agreement controls in all other respects.

12.3 Governing Law

This DPA is governed by the laws of the State of Georgia, consistent with the Agreement.

12.4 Updates

Fundory may update this DPA from time to time to reflect changes in Applicable Laws, sub-processors, or operational practices, with at least thirty (30) days' prior notice. Continued use of the Agency tier after the effective date constitutes acceptance.

12.5 Severability

If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full effect.

Schedule A: Description of Processing

Subject Matter. Processing of Client Data necessary to provide grant discovery, eligibility scoring, proposal generation, and pipeline management features of the Service to Agency on behalf of its Clients.

Duration. For the duration of the Agreement and as described in Section 10.

Nature and Purpose. Hosting, storage, processing, AI-based analysis, generation of drafts and reports, and related operational activities.

Categories of Data Subjects. Authorized users of Agency; leadership personnel of Client organizations identified in submitted profiles; individuals identified in documents Agency uploads on behalf of Clients.

Categories of Personal Information. Names, business contact details, professional roles, organization affiliation, EIN, organizational financial data, and any additional information voluntarily included in uploaded materials.

Sensitive Information. Agency should not submit sensitive personal information (such as government identifiers other than EIN, health information, or biometric data) unless authorized and necessary for the Service.

© 2026 Brownmine Enterprises LLC. All rights reserved.