Legal

Data Processing Agreement

Last updated: July 7, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between the customer entity identified in the Agreement ("Customer") and Bolt Systems, LLC, operating the Quoining platform ("Quoining," "we," "us"). It describes how Quoining processes Customer Personal Information on Customer's behalf when Customer uses the Service. The Service is currently offered only in the United States. Our core application hosting and the customer database are in AWS us-east-1 in the United States; some optional integrations Customer enables may process limited Customer data outside the United States as identified on the Sub-processors page.

1. Definitions

For purposes of this DPA, the terms below have the meanings set forth. Capitalized terms not defined here have the meanings given in the Agreement.

  • "Customer Personal Information"means personal information that Quoining processes on Customer's behalf through the Service, including identifiers, contact information, financial-account identifiers, and tax-identification numbers belonging to Customer's authorized users, employees, customers, vendors, and other individuals whose information Customer enters into the Service.
  • "Customer" means the business entity that has entered into the Agreement with Quoining.
  • "Processing" means any operation performed on Customer Personal Information, whether or not by automated means, including collection, storage, use, disclosure, retention, and deletion.
  • "Sub-processor"means any third party Quoining engages to process Customer Personal Information on Customer's behalf in connection with the Service.
  • "Security Incident" means a confirmed unauthorized access to, or unauthorized acquisition, alteration, or disclosure of, Customer Personal Information processed by Quoining or a Sub-processor.
  • "US State Privacy Laws" means the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Delaware Personal Data Privacy Act, and any other comprehensive state consumer-privacy law that applies to the Service.

2. Roles of the Parties

With respect to Customer Personal Information processed through the Service, Customer is the “business” / controller and Quoining is the “service provider” / processor (using the terminology of the applicable US State Privacy Laws). Customer determines the purposes for which Customer Personal Information is processed; Quoining processes it only on Customer's documented instructions, which consist of the Agreement, this DPA, the in-app configuration Customer applies, and any subsequent written instructions the parties agree to.

Quoining is an independent business with respect to billing, account management, security operations, and compliance with legal obligations applicable to Quoining itself. This DPA does not apply to that processing.

3. Scope & Purpose

The subject matter, duration, nature, purpose, categories of individuals, and categories of Customer Personal Information are set out in Annex A. Quoining will not retain, use, disclose, or sell Customer Personal Information for any purpose other than the specific purpose of performing the Service, will not combine Customer Personal Information with other personal information except as permitted under US State Privacy Laws, and will not sell or share (for cross-context behavioral advertising) Customer Personal Information.

4. Confidentiality

Quoining personnel who are authorized to process Customer Personal Information are bound by written confidentiality obligations. Access is limited to personnel who require it to perform the Service and is logged to the immutable audit trail described in Annex B.

5. Security Measures

Quoining maintains technical and organizational measures designed to protect Customer Personal Information against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures are appropriate to the risk and include, at a minimum:

  • Encryption. TLS 1.2 or higher for data in transit; AES-256 encryption at rest for the production database and document storage; AES-256-GCM application-layer encryption with key-rotation support for designated sensitive fields (including third-party integration credentials, Plaid access tokens, API keys, and Customer-provided tax-identification numbers).
  • Access controls. Role-based access control with per-company and per-entity scoping; multi-factor authentication available for all users; mandatory 2FA for the internal admin portal; least-privilege defaults.
  • Audit logging. Immutable application audit trail of mutations and administrative access, capturing actor identity, IP address, user agent, timestamp, and a monotonic sequence number for gap detection.
  • Vulnerability management. Static and container image scanning in CI; automated dependency-update notifications; documented patching practices.
  • Configuration validation. Required environment variables and encryption keys are validated at application startup; production will not start with missing or invalid configuration.

The full description is set out in Annex B. Quoining will not materially reduce the overall level of security applicable to the Service without notice to Customer.

6. Sub-processors

Customer provides general written authorization for Quoining to engage Sub-processors. The current list of Sub-processors is maintained at quoining.com/subprocessors.

Quoining will provide at least 30 days' advance notice before engaging a new Sub-processor that materially changes the scope of processing, by updating the Sub-processors page and emailing the account admin. Customer may object to a new Sub-processor on reasonable data-protection grounds by writing to privacy@quoining.com before the effective date. If the parties cannot resolve the objection, Customer may terminate the affected portion of the Service without penalty as its exclusive remedy.

Quoining will impose data-protection obligations on each Sub-processor that are substantially aligned with this DPA and remains responsible for each Sub-processor's performance.

7. Consumer Rights Requests

Customer is responsible for responding to requests from individuals to exercise rights granted by US State Privacy Laws (including the rights of access, correction, deletion, and portability). Quoining will assist Customer in fulfilling those requests by providing the in-app data export, deletion, and account-administration features described in the Privacy Policy and the Data Retention Policy, and by reasonable assistance for any request that cannot be completed through those self-service tools.

If Quoining receives a rights request directly from an individual whose Customer Personal Information Quoining processes on Customer's behalf, Quoining will promptly forward the request to Customer and will not respond substantively except to direct the individual to Customer, unless required to respond by law.

8. Security Incident Notification

Quoining will notify Customer without undue delay, and in any event within 72 hours of confirming a Security Incident affecting Customer Personal Information. The notification will include, to the extent then known:

  • The nature of the incident, including the categories and approximate number of individuals and records affected;
  • The name and contact details of Quoining's incident-response contact;
  • The likely consequences of the incident; and
  • The measures taken or proposed to address the incident and mitigate adverse effects.

Quoining will cooperate with Customer's reasonable investigation, mitigation, and remediation requests. Notification of a Security Incident is not an acknowledgment of fault or liability by Quoining.

9. Audit Rights

Quoining will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA. On Customer's reasonable written request, Quoining will provide (a) responses to written security questionnaires and (b) when available, current third-party security audit reports covering the Service.

If Customer reasonably believes a written audit response is insufficient to verify a specific control, the parties will agree in good faith on additional steps. Any on-site audit must be agreed in writing in advance, conducted by a qualified auditor under a written confidentiality agreement, scheduled with at least 30 days' notice during normal business hours, limited to no more than once per twelve-month period (unless required by a Security Incident or by law), and conducted in a manner that does not disrupt Quoining's operations or any other customer's data.

10. Data Return & Deletion

Customer may self-service export Customer Personal Information at any time through the in-app data export, supported CSV/PDF/Excel exports, generated report workbooks, and the public API. Customer controls copies of exported files after delivery, including any files opened in third-party spreadsheet software or shared outside the Service. On expiration or termination of the Agreement, Quoining will return or delete Customer Personal Information in accordance with the Data Retention Policy. The current account-closure schedule is summarized below; full detail and definitions live in the Data Retention Policy.

10.1 Company Account Closure

  • Days 0–30 (grace period):Closure is initiated by an authorized admin via a multi-step confirmation flow that requires re-authentication, typed company name, the literal keyword “DELETE,” and an out-of-band email one-time code. On confirmation, the Stripe subscription is paused, write access is revoked, and all admins are notified by email. Any admin can self-service restore the account during this window.
  • Days 30–120 (retention): If the grace window expires, a scheduled job sets the company to a soft-deleted state and cancels the subscription. Self-service restore is no longer available; Customer may contact support@quoining.com to request administrator-mediated recovery.
  • Day 120+ (permanent deletion): A scheduled job hard-deletes company-scoped records. Immutable audit-log rows are retained with personal identifiers redacted (the foreign-key reference to the deleted company is nulled; denormalized actor name and email survive for SOC and forensic integrity).

10.2 Individual Account Deletion

A natural-person user may delete their personal Quoining user record via Settings → Account → Delete my account. The flow requires re-authentication, typed “DELETE” confirmation, and an email one-time code. On confirmation, the user record, authentication credentials, sessions, 2FA secrets, trusted devices, password-reset tokens, and company memberships are removed via database cascade. Attribution on records the user created (bills, invoices, journal entries) is anonymized via database-level SET NULL; the records themselves remain under the custody of the company owner. Audit-log rows preserve denormalized actor name and email so the audit trail itself survives the erasure. Erasure is blocked by the Service if the user is the sole administrator of any non-closed company; the user must transfer administration or close those companies first.

Quoining may retain Customer Personal Information to the extent required by applicable law (for example, IRS recordkeeping obligations under IRC § 6001 require retention of business records for the periods specified there). Any retained data remains subject to the confidentiality and security obligations of this DPA.

11. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory, is subject to the limitations and exclusions of liability in the Agreement. This DPA does not modify those limitations, and the parties' aggregate liability under the Agreement and this DPA combined will not exceed the cap specified in the Agreement.

12. Term & Termination

This DPA takes effect when Customer first accesses or uses the Service and remains in force for the duration of the Agreement. Sections 4 (Confidentiality), 8 (Security Incident Notification), 9 (Audit Rights), 10 (Data Return & Deletion), and 11 (Liability) survive termination to the extent necessary to give effect to their purpose.

Annex A: Details of Processing

Subject Matter
Provision of the Quoining multi-entity GAAP accounting platform, including financial-data processing, reporting, bank transaction import, categorization, and related accounting services.
Duration
For the term of the Agreement between Customer and Quoining, plus the period needed to complete data return and deletion under Section 10.
Nature & Purpose
Financial-data processing, general-ledger management, accounts payable and receivable, bank reconciliation, financial reporting, AI-assisted transaction categorization, document processing, planning and forecasting, report and spreadsheet export generation, and multi-entity consolidation, as part of Customer's use of the Service.
Categories of Individuals
  • Customer's employees and authorized users
  • Customer's customers
  • Customer's vendors and suppliers
  • Other individuals whose information appears in Customer's accounting records
Categories of Customer Personal Information
  • Names and business contact information (email, phone, mailing address)
  • Financial records (invoices, bills, payments, journal entries, budgets, forecasts, and generated reports)
  • Bank and financial-account identifiers (account numbers, transaction history, balances)
  • Business tax-identification numbers (EINs) and other tax identifiers Customer enters
  • Payroll aggregates if Customer enables the Gusto integration
  • Cryptocurrency wallet addresses Customer enters
Sensitive Categories
Customer-provided tax-identification numbers and third-party integration credentials are stored using AES-256-GCM application-layer encryption in addition to encryption at rest. Quoining does not knowingly process special categories of personal information such as health data, biometric data, or precise geolocation.

Annex B: Technical & Organizational Measures

Quoining maintains the following measures. Some specific controls may evolve over time as the Service hardens; this annex describes the operating posture as of the “Last updated” date above.

Encryption

  • TLS 1.2 or higher enforced for all data in transit; HTTPS redirect at the load balancer.
  • AES-256 encryption at rest for the production PostgreSQL database (AWS RDS) and document storage (AWS S3).
  • AES-256-GCM application-layer field encryption with primary/previous key support for designated sensitive fields (third-party integration credentials, Plaid access tokens, API keys, Customer-provided tax-identification numbers). The application refuses to start in production without a valid encryption key.
  • Database credentials rotated automatically on a 90-day schedule via AWS Secrets Manager rotation.

Access Control

  • Role-based access control with per-company and per-entity scoping inside the Service.
  • Multi-factor authentication available to all users; mandatory 2FA enforcement on the internal admin portal.
  • Internal admin portal protected by IP allowlist, 4-hour absolute session maximum, 15-minute inactivity timeout, and rate limiting on destructive operations (fail-closed).
  • Session invalidation on password change.

Tenant Isolation

  • Application-layer tenancy enforcement: every server-side data-access path in the core financial modules is gated by an authentication and company-scope check before any query runs, and every list query is scoped to the caller's company and accessible entities.
  • Static contract tests in CI enforce the auth/scope pattern across server actions in the core modules and across admin-portal actions, and fail the build if any code path skips them.
  • Cross-tenant integration tests in CI seed two companies and assert that one company's authenticated session cannot read or mutate the other's records through the canonical tenant-filter primitives.
  • A database-layer second enforcement plane (Postgres row-level security) is on the roadmap as additional defense in depth and is not in production today.

Audit Logging

  • Immutable application audit trail protected by database triggers that block UPDATE and DELETE on audit rows.
  • Each audit row captures actor identity (denormalized name and email), IP address, user agent, timestamp, and a monotonic sequence number for gap detection.
  • Foreign keys from audit-log rows to the company table use RESTRICT, so customer-data deletion does not remove the audit trail.

Network & Application Security

  • Private VPC with private subnets for the application tier; database not directly reachable from the public internet.
  • AWS Web Application Firewall in front of the application load balancer with OWASP managed rules, SQL-injection detection, and per-IP rate limiting.
  • AWS GuardDuty enabled for continuous threat detection.
  • Input validation with Zod on user-submitted data; all database queries parameterized via the ORM.
  • Content Security Policy and CSRF protection on state-changing operations.

Backup & Recovery

  • Automated daily database backups with point-in-time recovery; backups encrypted at rest.
  • Document storage versioning and public-access block in place.
  • Pre-deployment database snapshot taken automatically before each production deploy.
  • ECS deployment circuit breaker auto-rolls back the application on health-check failure.

Personnel

  • Personnel with access to production data are bound by written confidentiality obligations.
  • Access is granted on a least-privilege basis and reviewed periodically.
  • Production access is logged to the immutable audit trail.

Vulnerability & Change Management

  • Container-image vulnerability scanning (Trivy, CRITICAL/HIGH gating) in CI.
  • Automated dependency-update notifications.
  • Required environment variables and secrets validated at application startup; production refuses to boot on missing or invalid configuration.

Incident Response

  • Documented incident-response runbooks covering common failure modes.
  • 72-hour Security Incident notification commitment as described in Section 8.

Hosting

  • Core application hosting and the customer database are in AWS us-east-1 in the United States. Some optional integrations Customer enables may process limited Customer data outside the United States; the current locations are documented on the Sub-processors page.
  • AWS data-center physical and environmental controls are governed by AWS's own SOC 1, SOC 2, SOC 3, and ISO 27001 reports, available from AWS.

Contact

For questions about this DPA or to exercise any rights under this agreement:

Bolt Systems, LLC

Email: legal@quoining.com