Sub-Processors

Hardline Lending, Inc.(“Hardline,” “we”) operates a software marketplace that connects private real-estate Borrowers with private Lenders. To deliver the Service we engage a limited set of third-party vendors (“sub-processors”) that process personal information on our behalf and under our written instructions. We engage sub-processors only where doing so is necessary to provide the Service, to meet a legal obligation, or to operate the business securely (for example, hosting infrastructure, identity verification, database storage, and transactional email).

Each sub-processor is contractually bound to process personal information only for the purposes we specify, to maintain appropriate safeguards under the Gramm-Leach-Bliley Act Safeguards Rule (16 C.F.R. Part 314), and to comply with applicable state privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), and the comprehensive privacy statutes of Colorado, Connecticut, Virginia, Utah, Oregon, Indiana, Texas, Tennessee, Montana, Iowa, Delaware, New Jersey, New Hampshire, Maryland, Kentucky, Rhode Island, Nebraska, and Minnesota.

To exercise privacy rights (access, deletion, correction, portability, opt-out of sale or sharing, limit use of sensitive personal information), use our Privacy Choices page or email privacy@hardlinelending.com.

The following table lists every sub-processor that has access to personal information processed through the Service as of the effective date of this page. Hardline does not engage any sub-processor that is not listed here.

“Attestation” reflects the most recent third-party audit report Hardline has received from the vendor. Hardline reviews these reports annually under our Safeguards Rule program.

The categories below correspond to the categories used in Section 3 of our Privacy Policy, which mirrors the CCPA/CPRA enumerated categories.

• Identifiers (name, email, IP address, account ID) — Supabase, Stripe, Vercel, Resend
• Customer records / commercial information (deal data, term sheets, Lender-Borrower communications) — Supabase, Resend (subject lines and bodies)
• Government identifiers (driver’s license, passport) — Stripe only (Stripe Identity); not stored on Hardline systems
• Biometric identifiers (selfie/liveness for ID verification) — Stripe only; covered by our Biometric Policy
• Internet or network activity (browsing within the Service, auth logs) — Vercel, Supabase
• Geolocation (coarse, IP-derived) — Vercel
• Professional or employment-related information (Lender accreditation, Borrower business identity) — Supabase
• Inferences — not derived or shared with any sub-processor; Hardline does not perform profiling for targeted advertising or automated decision-making with legal effect

Hardline does not sell personal information and does not share personal information for cross-context behavioral advertising. No sub-processor on this list is authorized to do so on our behalf.

Before authorizing any new sub-processor to process personal information, Hardline requires:

• Executed Data Processing Addendum — imposing the CCPA/CPRA “service provider” restrictions, GLBA Safeguards § 314.4(f) flow-through, and comprehensive-state-law flow-through.
• Independent security attestation — SOC 2 Type II, ISO/IEC 27001, or equivalent third-party attestation covering the systems that will process Hardline data.
• Breach-notification commitment — binding contractual commitment to notify Hardline within seventy-two (72) hours of any actual or reasonably suspected security incident.
• Audit rights — contractual right for Hardline (or its independent auditor) to audit the vendor’s controls on reasonable notice, or to review attestation reports in lieu of a direct audit, at least annually.
• Data-deletion commitment — obligation to return or delete all Hardline data within thirty (30) days following termination, with written confirmation.
• U.S. data residency by default — personal information processed in the United States unless the vendor offers a documented cross-border-transfer mechanism that Hardline has reviewed.

Consistent with our obligations under 16 C.F.R. § 314.4(f)(3), Hardline periodically assesses each sub-processor’s security program: annual review of the most recent SOC 2 Type II or equivalent attestation; event-triggered out-of-cycle review on any publicly reported security incident, regulatory enforcement, change of control, or material change in service; and on-request direct-audit exercise where Hardline has reasonable concern about safeguards adequacy.

As of the effective date, all sub-processors process Hardline personal information in data centers located in the United States. Vercel operates a global edge network that may cache static, non-authenticated content at points of presence outside the United States; this caching does not include personal information that requires authentication to access.

If a future sub-processor processes personal information outside the United States, Hardline will (i) update this page with the destination jurisdiction; (ii) confirm a lawful transfer mechanism is in place; and (iii) provide thirty (30) days’ advance notice under Section 4. Hardline does not market to or knowingly accept users resident outside the United States.

To raise a concern about a sub-processor, request a copy of an executed DPA, or request additional attestation information:

privacy@hardlinelending.com — we respond within fifteen (15) business days.