Processing roles
Clarify controller, processor, customer, and service-provider roles by product use case.
§ Legal - DPA
Data processing addendum.
How CORE data processing, security measures, subprocessors, and deletion obligations should be reviewed during procurement.
Data processing terms should follow the actual data path.
Borrower documents, extracted facts, generated credit work, and audit events need clear processing roles, security measures, and retention/deletion expectations.
Processing roles + TOMs + subprocessors§ DPA Scope
What data-processing review should cover.
Security measures
Tie technical and organizational measures to the security posture and product architecture.
Subprocessors
List hosting, infrastructure, analytics, communications, and AI-related subprocessors in an approved schedule.
§ Fit
DPA topics buyers ask about
The DPA should give legal and security teams a concrete path for reviewing how sensitive credit data moves through CORE.
01
Subprocessor schedule
02
TOMs/security appendix
03
Data subject request process
04
Deletion and retention terms
05
Breach notice language
§ Path
Data-processing review flow
Map the data
Identify borrower files, extracted facts, generated work product, account data, and audit events.
Match controls
Connect data categories to security measures, retention expectations, and subprocessors.
Attach to contract
Use the DPA and security appendix in the procurement packet for formal review.
§ Next Step
Need diligence materials?
Security and data processing questions can route through contact while the public DPA is finalized.