Black Business Credit and Capital - BlackCorporations.Online
Get Started for $0

Black Business Credit & Capital

Data Processing Addendum

For B2B customers and partners

Effective date: May 2, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Black Business Credit & Capital (“Processor”) and the business customer (“Controller”) and governs the processing of personal data where applicable privacy regulations (including GDPR, UK GDPR, and CCPA/CPRA) require such an addendum.

1. Definitions and Roles

  • Controller: The business customer that determines the purposes and means of processing personal data (you, the B2B client).
  • Processor: Black Business Credit & Capital, which processes personal data on behalf of the Controller in connection with business formation and related services.
  • Data Subject: Any identified or identifiable natural person whose personal data is processed under this DPA.
  • Personal Data: Any information relating to an identified or identifiable natural person, as defined under applicable law.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

2. Processing Details

Subject matterBusiness formation services, consulting, and related service delivery
DurationFor the term of the service agreement, plus any legally required retention period thereafter
Nature & purposeProcessing necessary to provide business formation, consulting, and related services as directed by the Controller
Categories of dataName, email, phone, address, government identifiers (as required for filings), payment data, business information
Data subjectsBusiness owners, officers, registered agents, and authorized representatives of the Controller

The Processor will process personal data only on documented instructions from the Controller and will promptly inform the Controller if any instruction infringes applicable data protection law.

3. Subprocessors

The Controller grants general authorization for the Processor to engage the following subprocessors. The Processor will inform the Controller of any intended changes and provide the opportunity to object.

SubprocessorLocationProcessing Activity
SquareUnited StatesPayment processing
Cash App (Block, Inc.)United StatesPayment processing
Vercel, Inc.United States / Global CDNWebsite hosting and infrastructure
In-house marketingUnited StatesEmail marketing (opt-in only; no external ad networks)

4. Security Measures

The Processor implements and maintains appropriate technical and organizational security measures, including:

  • Encryption of personal data in transit (TLS/HTTPS) and at rest where applicable.
  • Access controls limiting personal data access to authorized personnel only.
  • Use of PCI-compliant payment processors (Square, Cash App) — full card data is never stored on our servers.
  • Regular review of security practices and vendor security postures.
  • Procedures for testing and evaluating the effectiveness of security measures.

5. Assistance with Data Subject Access Requests (DSARs)

The Processor will assist the Controller in fulfilling Data Subject requests (access, rectification, erasure, restriction, portability, objection) to the extent technically feasible. The Controller remains responsible for responding to Data Subjects. The Processor will forward any DSAR received directly from a Data Subject to the Controller within 5 business days of receipt.

DSARs can be submitted via our DSAR form or by contacting info@blackstock.exchange.

6. Deletion / Return of Data on Termination

Upon termination of the service agreement, and at the Controller’s written request, the Processor will delete or return all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law. The Processor will certify such deletion in writing upon request.

7. Audit Rights

The Controller may audit the Processor’s compliance with this DPA upon reasonable written notice (at least 30 days), no more than once per year, and subject to reasonable confidentiality protections. The Processor may satisfy audit requests by providing relevant certifications, third-party audit reports, or equivalent documentation.

8. Notification of Subprocessor Changes

The Processor will provide at least 30 days’ written notice before adding or replacing a subprocessor. The Controller may reasonably object to a new subprocessor within that period. If the parties cannot resolve the objection, either party may terminate the affected services without penalty.

Contact

To request a DPA countersignature or for data processing inquiries, contact:
Black Business Credit & Capital
76 Winnet Drive, Dayton, Ohio 45415
Email: info@blackstock.exchange
Phone: 323-452-5225

← Back to BlackCorporations.Online