Data Processing Agreement
Effective: April 1, 2026
Incline Labs LLC · Atlanta, GA
1. Scope
This Data Processing Agreement ("DPA") applies to all personal data processed by TaxAside (operated by Incline Labs LLC) on behalf of the merchant ("Controller") in connection with the TaxAside platform and services. This DPA supplements the Terms of Service and Privacy Policy.
2. Definitions
- Controller — the merchant who determines the purposes and means of processing.
- Processor — Incline Labs LLC, which processes personal data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person.
- Processing — any operation performed on personal data.
- Sub-Processor — any third party engaged by TaxAside to process personal data.
- Data Subject — the individual to whom personal data relates.
3. Processing Purpose
TaxAside processes personal data solely for the purpose of providing sales tax compliance services: calculating sales tax based on POS transaction data, managing daily set-aside transfers, preparing and filing sales tax returns with state and local authorities, and remitting tax payments on behalf of the Controller.
4. Data Categories
Categories of data processed:
- Business owner names, email addresses, phone numbers
- Business names, EIN, state tax registration numbers, business addresses
- Daily sales totals, tax amounts collected, transaction counts from POS systems
- Bank account references (last four digits only — full account numbers are tokenized via Increase)
5. Sub-Processors
TaxAside engages the following sub-processors:
- Increase — ACH payment processing (banking infrastructure for daily set-asides and tax payments)
- Stripe — subscription billing and payment processing
- Clerk — authentication and identity management
- Supabase — database hosting and management
- Vercel — frontend hosting and edge delivery
- AWS — backend application hosting and compute
Each sub-processor is bound by data protection obligations no less protective than this DPA. TaxAside will notify the Controller of any intended changes to sub-processors with at least 14 days' notice. The Controller may object by providing written notice within 14 days.
6. Security Measures
TaxAside implements:
- Encryption of all data in transit (TLS 1.3) and at rest (AES-256)
- Application-level envelope encryption for OAuth tokens
- Tokenization of bank account numbers
- Role-based access controls with principle of least privilege
- Audit logging of all data access and modifications
- Regular security assessments and penetration testing
- SOC 2 Type II compliance on our roadmap
7. Data Subject Rights
TaxAside will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law, including access, rectification, erasure, restriction, portability, and objection. TaxAside will forward any data subject requests received directly to the Controller without undue delay.
8. Data Breach Notification
In the event of a personal data breach, TaxAside will notify the Controller within 72 hours of becoming aware. Notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address and mitigate the breach. TaxAside will cooperate with the Controller in investigation and remediation.
9. Data Retention and Deletion
Tax filing records are retained for seven (7) years per IRS record-keeping requirements. Account data is retained for the duration of the subscription plus 90 days. Upon Controller request, TaxAside will delete personal data within 90 days, subject to legal retention obligations. Tax records subject to mandatory retention will be securely stored and access-restricted until the retention period expires.
10. International Transfers
All data is processed in US-based infrastructure. If data must be transferred outside the United States, TaxAside will ensure appropriate safeguards are in place in accordance with applicable data protection law.
11. Audit Rights
The Controller may request documentation of TaxAside's compliance with this DPA. TaxAside will make available relevant security certifications, audit reports, and compliance documentation upon reasonable request. On-site audits may be conducted with 30 days' advance notice, during business hours, and subject to reasonable confidentiality obligations.
12. Term
This DPA is coterminous with the Service Agreement between the Controller and TaxAside. Upon termination of the Service Agreement, TaxAside's obligations under this DPA continue with respect to any personal data retained in accordance with the data retention provisions.