
Last reviewed: 2026-05-24

Data Processing Addendum

This addendum sits alongside the Terms of service and the Privacy notice and provides the operational detail compliance buyers and procurement teams typically ask for.

De-identification methodology

CoreFolio creates de-identified, aggregated derivatives from paid Digital Binder content under the license granted in Terms § Service improvement and aggregate insights, and only for accounts that have opted into the relevant consent layer.

Standard. Our de-identification methodology meets or exceeds the HIPAA Safe Harbor standard at 45 CFR § 164.514(b)(2). Although the Digital Binder does not carry electronic protected health information (see Terms § Business associate status), we hold ourselves to the strictest published de-identification standard available so that every state privacy regime — CCPA, CPRA, VCDPA, CPA, CTDPA, TDPSA — is satisfied without per-state branching.

What gets stripped. Direct identifiers of the practice or any individual at the practice — account email, practice name, officer names, vendor names, free-text fields, IP and device identifiers, geographic specifics smaller than US state, and any value the Safe Harbor list at § 164.514(b)(2)(i) calls out — are removed before any row enters the derivatives layer.

What gets generalized. Quasi-identifiers (practice size, EHR vendor category, US region) are generalized to the coarsest bucket that preserves analytic usefulness. Specifics are dropped when generalization is insufficient.

Cell-size floor for any published statistic. CoreFolio publishes no statistic computed over fewer than 20 distinct practices. When a published slice would fall below this floor, the slice is suppressed rather than rounded or interpolated. The 20-practice floor may be raised on a per-publication basis; it is never lowered.
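
The strip, generalize, and suppress steps described above, as an added illustration in Python; this is not CoreFolio's code. The field names, the bucket edges, the `score` metric, and the opaque `practice_key` used only to count distinct practices are assumptions. The sample rows are constructed.

```python
from collections import defaultdict

CELL_FLOOR = 20  # addendum: no statistic over fewer than 20 distinct practices

# Assumed field names; the addendum names categories, not a schema.
DIRECT_IDENTIFIERS = {"account_email", "practice_name", "officer_names",
                      "vendor_names", "free_text", "ip", "device_id", "city"}
QUASI_IDENTIFIERS = ("size_bucket", "ehr_category", "region")


def size_bucket(staff_count):
    """Generalize an exact head count (bucket edges are assumptions)."""
    if staff_count <= 5:
        return "1-5"
    return "6-25" if staff_count <= 25 else "26+"


def deidentify(row):
    """Drop direct identifiers, then generalize the remaining specifics."""
    out = {k: v for k, v in row.items() if k not in DIRECT_IDENTIFIERS}
    out["size_bucket"] = size_bucket(out.pop("staff_count"))
    return out


def publishable_slices(rows, floor=CELL_FLOOR):
    """Mean score per slice, keeping only slices with >= floor distinct practices."""
    if floor < CELL_FLOOR:
        raise ValueError("cell-size floor may be raised, never lowered")
    practices = defaultdict(set)    # slice -> distinct opaque practice keys
    scores = defaultdict(list)      # slice -> score values
    for row in map(deidentify, rows):
        key = tuple(row[q] for q in QUASI_IDENTIFIERS)
        practices[key].add(row["practice_key"])  # hypothetical key, never emitted
        scores[key].append(row["score"])
    # Suppress small slices outright: no rounding, no interpolation.
    return {k: sum(v) / len(v) for k, v in scores.items()
            if len(practices[k]) >= floor}


def sample_rows():
    """Constructed input: 20 practices in one slice; 19 practices (38 rows) in another."""
    west = [{"practice_key": f"p{i}", "practice_name": f"Clinic {i}", "city": "Reno",
             "staff_count": 4, "ehr_category": "cloud", "region": "West", "score": 80}
            for i in range(20)]
    south = [{"practice_key": f"q{i % 19}", "account_email": f"a{i}@example.test",
              "staff_count": 40, "ehr_category": "on-prem", "region": "South", "score": 60}
             for i in range(38)]
    return west + south
```

The second slice has 38 rows but only 19 distinct practices, so it is suppressed: the floor counts practices, not rows.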

Subprocessors

CoreFolio relies on the following subprocessors to deliver the service. None of these vendors are sent identified binder content for any service-improvement, benchmark, or ML purpose — the derivative pipeline runs against data that has already been de-identified per the methodology above.

  • Supabase — managed Postgres hosting. Stores the binder rows, audit log, and account records. Data processed exclusively in US regions.
  • Stripe — payment processing and subscription billing. Receives the customer email and billing details; receives no binder content.
  • Resend — transactional and newsletter email delivery. Receives the customer email and the rendered email body only.
  • Plausible Analytics — cookieless page-view analytics on marketing routes only. Never loads on /assess/* or /binder/* (see the Privacy notice, § No third-party scripts on assessment routes).
  • Vercel — application hosting and edge networking. The application code runs in US regions.

Notice of subprocessor changes

When CoreFolio adds a new subprocessor, or replaces one of the vendors above with a materially different one, we provide 30 days’ advance notice to active subscribers by email. Subscribers may cancel within the notice window if they object to the change, with a pro-rated refund of any prepaid period that extends past the cancellation effective date. See Terms § Refunds for the standard refund posture.

Retention schedule

Raw binder content. Per Terms § What happens to your data when you cancel, raw binder content is retained while the subscription is active, exportable for 30 days after cancellation, and permanently deleted after that 30-day window.

De-identified derivatives. Derivatives created from binder content while the user’s consent covered the relevant layer are retained indefinitely. After Safe Harbor de-identification, derivatives are no longer the practice’s data and survive cancellation by design (see Terms § Service improvement and aggregate insights).

Audit log. Account-event records (sign-in, subscription change, consent change, cancellation) are retained for up to 7 years for CoreFolio’s security, billing-investigation, and regulatory-correspondence needs. The audit log carries no binder content, no assessment answers, and no raw email addresses — only the opaque account id and the event type, with structured metadata for events that have a structured payload (such as consent diffs).

Security posture summary

  • Encryption in transit. All traffic between the browser and CoreFolio is encrypted with TLS 1.2 or higher.
  • Encryption at rest. Binder content is encrypted at rest in Supabase using AES-256.
  • Access controls. Production database access is limited to CoreFolio’s engineering account holders, gated by per-user credentials, with least-privilege roles and an immutable audit log of administrative actions.
  • Backups. Daily encrypted backups with a minimum 7-day retention window through Supabase’s managed backup service.
  • Incident-response window. CoreFolio targets notification of any confirmed security incident affecting customer data to the affected customers within 72 hours of discovery, with a fuller written incident report within a reasonable additional window.
  • Logging hygiene. Application logs use email fingerprints — never raw email — for account references. Binder content never appears in any log line. See the engineering rule set under .cursor/rules/security-and-privacy.mdc for the operational standard.

Data residency

CoreFolio is a US-only service in v1. All subprocessors named above run in US regions, and the application is served from US edge locations. If CoreFolio expands availability to non-US customers, this section will be updated with the relevant data-residency commitments and subscribers will receive notice under § Notice of subprocessor changes.

Consent record

Every consent change is logged in the account’s audit trail. Subscribers may view the current state of their data-use settings at the data-use settings page. The structured diff CoreFolio writes on each change includes the prior and new state of each consent layer, the policy version the user accepted, and a timestamp.

Annual transparency note

Once each calendar year CoreFolio publishes a one-page summary of how de-identified binder data was used in the preceding year — how many templates were revised, which industry benchmarks (if any) were published, cell-size compliance, and whether any identified practice data was shared with any third party (the standing commitment is “no”). The first transparency note publishes at the end of the calendar year following spec 113’s production launch.

Contact

Questions about this addendum — or a procurement review of CoreFolio — may be sent to legal@corefolio.ai. A postal address for service of process will be added to this section before paid launch.

This addendum describes CoreFolio’s actual practices as of the date above. We will update it and revise the “Last reviewed” date if our practices change. This addendum is not legal advice. If you have obligations under HIPAA, CCPA, or other privacy law, consult your own counsel.