Data Processing Addendum
Last updated 2026-04-17
This Data Processing Addendum (“DPA”) supplements the Terms of Service and applies wherever Customer data includes personal data subject to GDPR, CCPA, or equivalent applicable law.
1
Roles
Controller: Customer — the entity or individual who creates an account and uploads entry data to the Service. Customer determines the purposes and means of processing their importers’ personal data.
Processor: Beverly Knits LLC d/b/a un-tariff — processes personal data on behalf of Customer solely to provide the Service as described in the Terms of Service and this DPA.
un-tariff acts as a processor, not a controller, with respect to personal data contained in ACE export files and related entry data uploaded by Customer.
2
Scope of Processing
un-tariff processes the following categories of personal data on Customer’s behalf:
- ACE export data — entry numbers, HTS codes, declared values, entry dates, country of origin, and IEEPA classification status.
- Importer of record identifiers (EIN/IRS numbers) to the extent present in uploaded entry data.
- Contact metadata associated with Customer’s account (email address, IP address).
Processing is limited to: estimating IEEPA refund amounts; generating CAPE CSV files; and maintaining audit logs. un-tariff will not process Customer data for any other purpose without Customer’s written instruction.
3
Sub-Processors
un-tariff engages the following sub-processors. Customer consents to these sub-processors by accepting the Terms of Service:
- Supabase — database storage and row-level security. Personal data stored in encrypted Postgres hosted on AWS us-east-1.
- Vercel — application and API hosting. Processes request metadata in the course of serving the application.
- Stripe — payment processing. Handles payment card data; does not receive entry or ACE export data.
- Resend — transactional email delivery. Receives Customer email address and email content for delivery.
un-tariff will notify Customer of any intended addition or replacement of sub-processors with reasonable advance notice. Customer may object in writing within 14 days.
4
Security Measures
un-tariff implements technical and organizational measures aligned with ISO 27001 information security principles. Note: un-tariff does not currently hold an ISO 27001 certificate — this section describes the operational controls in place, not a certified framework.
- Access control — row-level security (RLS) enforces tenant isolation at the database layer. Application accounts use short-lived JWTs with least-privilege scopes.
- Encryption — data encrypted in transit (HTTPS/TLS 1.2+) and at rest (AES-256 via Supabase).
- Audit logging — all classification, estimation, and CAPE generation events are written to an append-only audit_events table with actor, timestamp, and rule IDs fired.
- Vulnerability management — dependencies reviewed on each deployment; critical CVEs patched within 72 hours.
[Placeholder: formal security audit and certificate details to be added by counsel prior to external-tenant launch.]
5
Data Deletion
Upon termination of an engagement (defined as 90 days after the last active session or Customer-requested cancellation, whichever is earlier), un-tariff will permanently delete all Customer personal data from its systems and instruct sub-processors to do the same.
Deletion is confirmed by a record in the audit_events log with event type data_purge, timestamped and scoped to the Customer’s tenant identifier.
Customer may request early deletion at any time by contacting privacy@beverlyknits.com. Early deletion will be completed within 30 days.
6
Breach Notification
In the event of a personal data breach affecting Customer data, un-tariff will notify Customer without undue delay and in any event within 72 hours of becoming aware of the breach, consistent with GDPR Article 33 and applicable US state breach notification laws.
Notification will include, to the extent known at the time: the nature of the breach; categories and approximate number of data subjects affected; likely consequences; and measures taken or proposed to address the breach.
Breach notifications will be sent to the email address on file for the Customer account and to privacy@beverlyknits.com.