Skip to main content

Unified Loan System · Legal · v1.0-2026-05-06

Data Processing Agreement

Effective 2026-05-06.

1. Scope

This Data Processing Agreement (the “DPA”) supplements the Master SaaS Agreement between Unified Loan System and Customer (the “MSA”) and governs Unified Loan System’s processing of personal information on Customer’s behalf in connection with the Service. Capitalized terms not defined here have the meaning given in the MSA. In the event of a conflict between this DPA and the MSA with respect to data protection, this DPA controls.

2. Definitions

“Borrower NPI” means non-public personal information about a consumer as defined under the Gramm-Leach-Bliley Act (15 U.S.C. § 6809) and Regulation P, including names, Social Security numbers, dates of birth, financial account numbers, asset and income data, and consumer credit information. “Process” has the meaning given in 15 U.S.C. § 6809 and applicable state consumer-privacy laws.

3. Roles of the Parties

With respect to Borrower NPI submitted to the Service, Customer is the data controller (or, where applicable, the “business” under California consumer-privacy law) and Unified Loan System is the data processor (or “service provider”). Unified Loan System will Process Borrower NPI only on documented instructions from Customer, including instructions reflected in the configuration of the Service.

4. Processing Instructions

Customer instructs Unified Loan System to Process Borrower NPI as necessary to (a) provide and maintain the Service; (b) prevent, detect, and respond to security incidents and fraud; (c) comply with Unified Loan System’s legal obligations; and (d) carry out tasks Customer expressly initiates within the Service (such as document classification, e-signature delivery, lender submission, and Plaid-mediated bank verification). Unified Loan System will not Sell or Share Borrower NPI as those terms are defined under the California Consumer Privacy Act.

5. Confidentiality

Unified Loan System will require all personnel authorized to Process Borrower NPI to be subject to a duty of confidentiality and to receive appropriate training on the handling of Borrower NPI.

6. Security Measures

Unified Loan System implements and maintains technical and organizational measures designed to protect Borrower NPI against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Specifically:

  • Encryption in transit (TLS 1.2 or higher) and at rest for borrower data stores.
  • Role-based access controls; per-broker tenancy isolation enforced at the application layer.
  • Multi-factor authentication, session liveness re-checks, device-binding alerts, and phishing-resistant passkeys for high-value flows (Plaid, sensitive document downloads).
  • Automated audit logging of access to Borrower NPI, including data export and disclosure-related events, retained for the period required by applicable law.
  • Regular vulnerability monitoring, dependency-update review, and breach-notification procedures.

7. Sub-Processors

Unified Loan System engages sub-processors to provide the Service, including infrastructure, cloud storage, identity verification, vision OCR, e-signature, transactional email, and bank-data aggregation services. Customer authorizes Unified Loan System’s use of the sub-processors listed at verispect.ai/sub-processors. Unified Loan System will impose contractual data-protection obligations on each sub-processor that are no less protective than those set out in this DPA.

8. Plaid Flow-Down Terms

The Service integrates with Plaid, Inc. for borrower-permissioned bank-data and identity verification. Customer’s use of Plaid features is additionally subject to the Plaid End User Privacy Policy and Plaid’s flow-down customer terms (the “Plaid Flow-Down Terms”). Customer must accept the Plaid Flow-Down Terms inside the Unified Loan System console before any Plaid feature is enabled. Customer’s Plaid Flow-Down Terms acceptance is recorded with the version, timestamp, IP, and user agent for audit replay.

9. Data Subject Requests

Unified Loan System will provide reasonable assistance to enable Customer to fulfill Customer’s obligations to respond to data-subject requests (including borrower requests to access, correct, delete, or export their information). Customer is responsible for verifying the identity of requesters and for the underlying decision whether to grant the request.

10. Security Incidents

Unified Loan System will notify Customer without undue delay after becoming aware of a confirmed Security Incident affecting Borrower NPI Processed under this DPA, and will provide information reasonably needed for Customer to meet its own notification obligations under applicable law.

11. Audits

Once per year, on at least thirty (30) days’ written notice, Customer (or an independent auditor of Customer’s choosing, subject to confidentiality) may audit Unified Loan System’s compliance with this DPA. Unified Loan System may satisfy this obligation by providing recent third-party audit reports (e.g., SOC 2 Type II or equivalent) when available.

12. Data Return and Deletion

Upon termination of the MSA, Customer may request return of its Borrower NPI in a portable format. Unified Loan System will delete or anonymize Borrower NPI within ninety (90) days of termination, unless retention is required by applicable law or for the establishment, exercise, or defense of legal claims.

13. International Transfers

Unified Loan System Processes Borrower NPI in the United States. Unified Loan System does not transfer Borrower NPI outside the United States without Customer’s prior written consent.

14. Liability

The limitations of liability set out in the MSA apply to this DPA. Each party’s liability under this DPA is subject to those limitations.

Questions? Contact us at legal@verispect.ai. See also the Master SaaS Agreement, Privacy Policy, and Terms of Service.

    Data Processing Agreement · Unified Loan System