Privacy Policy

CORPORATE IDENTIFICATION AND DATA CONTROLLER

FactWagon Enterprise Solutions (hereinafter referred to as “FactWagon,” “Company,” “we,” “us,” or “our”) operates the enterprise.factwagon.com platform (the “Platform”), providing institutional-grade financial infrastructure, B2B software solutions, and enterprise technology services to corporate clients, financial institutions, and business entities globally.

Principal Place of Business and Data Processing Hub:
FactWagon Enterprise Solutions
10 South First Street
San Jose, California 95113
United States of America
Email: privacy@factwagon.com

Data Controller Status:
FactWagon Enterprise Solutions acts as the Data Controller (under GDPR) and Business (under CCPA/CPRA) with respect to Personal Data collected through the Platform and in connection with the provision of Enterprise Services. As Data Controller, we determine the purposes and means of processing Personal Data and bear primary responsibility for compliance with applicable data protection laws.

Regulatory Framework Compliance:
This Privacy Policy demonstrates our commitment to compliance with global data protection regulations, including:

  • General Data Protection Regulation (GDPR) – European Union, European Economic Area, United Kingdom, Switzerland
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Personal Information Protection and Electronic Documents Act (PIPEDA) – Canada
  • Other applicable federal, state, provincial, and international data protection legislation

1. SCOPE AND APPLICABILITY

1.1 Covered Entities and Activities

This Privacy Policy applies to all Personal Data collected, processed, stored, or transmitted through:

(a) The enterprise.factwagon.com Platform, including web interfaces, mobile applications, and application programming interfaces (APIs);

(b) Enterprise Services including fintech infrastructure, institutional lending solutions, supply chain finance platforms, and corporate compliance technology;

(c) Marketing communications, business development activities, and commercial inquiries;

(d) Customer support interactions, technical assistance, and account management;

(e) Contractual relationships with Institutional Clients, Enterprise Partners, and Business Entities.

1.2 Institutional Client Base

Our Platform serves sophisticated business users including:

  • Financial institutions (banks, credit unions, alternative lenders)
  • Institutional investors and private equity firms
  • Corporate treasury departments and CFO offices
  • Supply chain finance providers and trade finance platforms
  • Fintech companies and technology infrastructure providers
  • Professional services firms (law, accounting, consulting)
  • Enterprise software companies and SaaS platforms

1.3 Excluded Activities

This Privacy Policy does not apply to:

(a) Third-party websites, platforms, or services linked from our Platform;

(b) Employee, contractor, or vendor personal data governed by separate HR and procurement policies;

(c) Data processing activities where FactWagon acts solely as a Data Processor or Service Provider on behalf of clients.


2. DATA COLLECTION SCOPE AND CATEGORIES

2.1 Institutional Business Information

FactWagon collects comprehensive business and institutional data necessary to provide Enterprise Services:

Corporate Entity Information:

  • Legal entity name, trade names, and doing-business-as (DBA) designations
  • Jurisdiction of incorporation, registration numbers, and tax identification numbers (EIN, VAT)
  • Corporate structure, parent company relationships, and subsidiary affiliations
  • Principal place of business, registered office addresses, and operational locations
  • Business licenses, regulatory registrations, and industry certifications
  • Annual revenue, employee count, and operational scale indicators

Authorized Representative Data:

  • Full names, professional titles, and organizational roles
  • Corporate email addresses and direct business telephone numbers
  • Professional credentials, certifications, and educational background
  • Signature authority, contractual capacity, and decision-making powers

Financial and Credit Information:

  • Financial statements (balance sheets, income statements, cash flow statements)
  • Credit reports, credit scores, and payment history from commercial bureaus (Dun & Bradstreet, Experian Business, Equifax)
  • Banking relationships, depository institutions, and account information
  • Existing debt obligations, credit facilities, and debt service coverage ratios
  • Asset valuations, collateral descriptions, and lien positions
  • Revenue projections, financial forecasts, and business plans

2.2 Institutional Lending Inquiry Data

For entities seeking commercial debt, working capital financing, or institutional lending solutions:

Loan Application Information:

  • Requested loan amount, term structure, and intended use of proceeds
  • Collateral descriptions, asset valuations, and security interests
  • Personal guarantees, co-borrowers, and creditworthiness assessments
  • Historical financial performance and projected debt service capacity
  • Industry risk factors, competitive positioning, and market dynamics

Underwriting Documentation:

  • Business tax returns (Form 1120, 1120S, 1065) for the preceding 3-5 years
  • Bank statements demonstrating cash flow and deposit activity
  • Accounts receivable aging reports and accounts payable schedules
  • Inventory valuations, fixed asset registers, and depreciation schedules
  • Customer concentration analysis and supplier dependency assessments
  • Lease agreements, equipment financing arrangements, and material contracts

Credit Decision Data:

  • Internal credit scoring models and risk rating methodologies
  • Third-party credit bureau reports and commercial credit scores
  • Industry benchmarking and peer group financial comparisons
  • Loan committee decisions, approval conditions, and covenant requirements

2.3 Fintech API Integration Data

For technology companies integrating with FactWagon’s financial infrastructure APIs:

Technical Integration Information:

  • API keys, authentication tokens, and cryptographic certificates
  • Webhook endpoints, callback URLs, and notification preferences
  • Request/response logs, API call volumes, and usage patterns
  • Error rates, latency metrics, and performance statistics
  • IP addresses, server configurations, and network architecture

Transactional Data:

  • Payment processing records, transaction identifiers, and settlement details
  • Account verification results (micro-deposits, Plaid integration, bank account validation)
  • KYC/AML screening results, identity verification outcomes, and compliance flags
  • Fraud detection signals, risk scoring outputs, and transaction monitoring alerts

2.4 Supply Chain Finance Documentation

For enterprises utilizing supply chain finance, invoice factoring, or trade finance solutions:

Supplier and Buyer Information:

  • Trading partner identities, business relationships, and payment terms
  • Purchase orders, invoices, packing slips, and shipping documentation
  • Payment histories, dispute records, and credit terms
  • Supply chain mapping, critical supplier dependencies, and concentration risks

Receivables and Payables Data:

  • Accounts receivable aging, invoice aging, and collection performance
  • Factoring agreements, discount rates, and advance rates
  • Payment prioritization, cash application, and reconciliation data

2.5 Enterprise Infrastructure Requirements

For clients engaging infrastructure consulting, cloud migration, or technology advisory services:

IT Environment Assessment Data:

  • Current infrastructure architecture diagrams and technology inventories
  • Application portfolios, software licensing, and SaaS subscriptions
  • Data center locations, colocation agreements, and hosting arrangements
  • Network topology, bandwidth utilization, and connectivity requirements
  • Cybersecurity posture assessments, vulnerability scan results, and penetration test findings
  • Disaster recovery plans, business continuity procedures, and backup strategies

Technology Vendor Information:

  • Existing vendor relationships, contract terms, and service level agreements
  • Vendor performance metrics, incident histories, and escalation procedures
  • Technology roadmaps, planned migrations, and modernization initiatives

2.6 Corporate ESG Compliance Queries

For organizations seeking Environmental, Social, and Governance (ESG) compliance consulting:

ESG Metrics and Disclosures:

  • Carbon emissions data (Scope 1, 2, 3), energy consumption, and renewable energy usage
  • Diversity, equity, and inclusion (DEI) statistics, workforce demographics, and pay equity analyses
  • Board composition, governance structures, and executive compensation frameworks
  • Supply chain labor practices, human rights due diligence, and ethical sourcing policies
  • Regulatory compliance records, environmental permits, and sustainability certifications

ESG Reporting Data:

  • Sustainability reports prepared under GRI, SASB, TCFD, or CDP frameworks
  • ESG ratings from third-party agencies (MSCI, Sustainalytics, ISS)
  • Materiality assessments, stakeholder engagement records, and impact measurements

2.7 Automatically Collected Technical Data

Device and Browser Information:

  • IP addresses (IPv4 and IPv6), device identifiers, and hardware specifications
  • Operating system, browser type/version, and screen resolution
  • Language preferences, timezone settings, and geolocation data (city/region level)

Usage and Behavioral Data:

  • Pages accessed, features utilized, and navigation patterns
  • Session duration, frequency of access, and user engagement metrics
  • Search queries, filter selections, and content interactions
  • Form submissions, file uploads, and transaction histories

Performance and Diagnostic Data:

  • Page load times, server response latency, and error logs
  • JavaScript exceptions, API failures, and system crashes
  • Network connectivity issues, timeout events, and retry attempts

3. LEGAL BASIS FOR DATA PROCESSING

3.1 GDPR Legal Bases (EEA/UK/Switzerland Users)

For Personal Data subjects in the European Economic Area, United Kingdom, and Switzerland, FactWagon processes data based on:

Contractual Necessity (Article 6(1)(b) GDPR):
Processing necessary to perform contracts with Institutional Clients, including service delivery, payment processing, and fulfillment of contractual obligations.

Legitimate Interests (Article 6(1)(f) GDPR):
Processing necessary for legitimate business interests including:

  • Fraud prevention, security monitoring, and risk management
  • Business analytics, product development, and service optimization
  • Marketing to existing clients and business development activities
  • Compliance with non-legal professional standards and industry best practices

Legal Obligation (Article 6(1)(c) GDPR):
Processing required to comply with legal obligations including:

  • Anti-money laundering (AML) and know-your-customer (KYC) regulations
  • Tax reporting, financial services regulations, and securities laws
  • Court orders, regulatory investigations, and lawful government requests

Consent (Article 6(1)(a) GDPR):
Explicit consent for marketing communications, optional data collection, and non-essential cookies.

3.2 CCPA/CPRA Legal Framework (California Users)

Under California law, FactWagon collects and processes Personal Information for business purposes including:

  • Performing services on behalf of clients
  • Detecting security incidents and protecting against fraud
  • Debugging and repairing functionality
  • Undertaking internal research for technology development
  • Verifying quality and safety standards

4. INFRASTRUCTURE, HOSTING, AND DATA PROCESSING LOCATIONS

4.1 San Jose Operations Hub

FactWagon’s primary data processing operations are centralized at our San Jose, California headquarters located in the heart of Silicon Valley’s technology corridor. This strategic location provides:

High-Performance Infrastructure:
Direct connectivity to major internet exchange points (IXPs), Tier 1 network providers, and cloud service provider points of presence (PoPs) ensures sub-10ms latency for North American clients and optimized global connectivity.

Secure Data Handling:
State-of-the-art data center facilities featuring:

  • N+1 redundant power systems with uninterruptible power supplies (UPS) and backup generators
  • Precision cooling systems maintaining optimal operating temperatures
  • Multi-layered physical security including biometric access controls, 24/7 monitoring, and security personnel
  • Fire suppression systems (clean agent and pre-action sprinklers)
  • Seismic bracing and earthquake-resistant infrastructure design

Fintech and Enterprise Workload Optimization:
Infrastructure specifically architected for:

  • High-frequency financial transaction processing with microsecond precision
  • Real-time risk analytics and algorithmic credit decisioning
  • Large-scale data aggregation supporting supply chain finance platforms
  • API gateway infrastructure handling 100,000+ requests per second
  • Enterprise-grade database clusters supporting ACID compliance and strong consistency

4.2 Geographic Data Processing Locations

Primary Data Center: San Jose, California (Tier III certified facility)
Disaster Recovery Site: Hillsboro, Oregon (geographically diverse, 600+ miles separation)
European Operations: Dublin, Ireland (GDPR-compliant EU data residency)
Asia-Pacific Node: Singapore (regional compliance with PDPA and local regulations)

Data Residency Commitments:
For clients subject to data localization requirements, FactWagon implements geographic processing restrictions ensuring Personal Data remains within specified jurisdictions. Contractual data processing agreements specify permissible processing locations and restrict cross-border transfers absent appropriate safeguards.

4.3 Cloud Infrastructure Partners

FactWagon leverages enterprise-grade cloud infrastructure providers:

Amazon Web Services (AWS): Primary cloud provider with US-West-1 (California) region designation
Google Cloud Platform (GCP): Complementary services utilizing us-west1 (Oregon) region
Microsoft Azure: Hybrid cloud capabilities with West US 2 (Washington) deployment

All cloud service providers maintain SOC 2 Type II, ISO 27001, and PCI DSS certifications. Data Processing Agreements incorporating Standard Contractual Clauses are executed with all cloud providers supporting international data transfers.


5. INSTITUTIONAL DATA HANDLING AND SECURITY MEASURES

5.1 Bank-Grade Encryption Protocols

FactWagon implements military-grade encryption standards exceeding financial services industry requirements:

Data in Transit:

  • TLS 1.3 encryption for all client-server communications with Perfect Forward Secrecy (PFS)
  • Minimum 256-bit cipher strength (AES-256-GCM, ChaCha20-Poly1305)
  • Certificate pinning and HSTS (HTTP Strict Transport Security) enforcement
  • Mutual TLS (mTLS) authentication for API communications

Data at Rest:

  • AES-256 encryption for all database storage, file systems, and backup media
  • Hardware Security Modules (HSM) providing FIPS 140-2 Level 3 validated key management
  • Envelope encryption with customer-managed keys (CMK) and key rotation policies
  • Encrypted disk volumes for virtual machines and container storage

Key Management:

  • Separation of duties with split-knowledge key administration
  • Cryptographic key lifecycle management including generation, rotation, revocation, and destruction
  • Key escrow procedures for business continuity and disaster recovery
  • Annual cryptographic audits by third-party security assessors

5.2 SOC 2 Type II Compliance Standards

FactWagon maintains SOC 2 Type II attestation demonstrating organizational controls across five Trust Services Criteria:

Security: Controls preventing unauthorized access including:

  • Network segmentation with demilitarized zones (DMZ) and private VLANs
  • Next-generation firewalls (NGFW) with intrusion prevention systems (IPS)
  • Web application firewalls (WAF) protecting against OWASP Top 10 vulnerabilities
  • Multi-factor authentication (MFA) mandatory for all administrative access
  • Privileged access management (PAM) with session recording and just-in-time provisioning

Availability: Controls ensuring system accessibility including:

  • 99.95% uptime commitment with financial service credits for breaches
  • Geographically distributed infrastructure with active-active failover
  • Load balancing with health checks and automatic failover
  • Capacity monitoring with auto-scaling based on demand
  • Disaster recovery tested quarterly with documented runbooks

Processing Integrity: Controls ensuring accurate, complete, timely processing including:

  • Input validation and data sanitization preventing injection attacks
  • Transaction logging with immutable audit trails
  • Reconciliation procedures detecting processing errors
  • Version control and change management for code deployments

Confidentiality: Controls protecting confidential information including:

  • Role-based access control (RBAC) with least-privilege principle
  • Data classification framework (Public, Internal, Confidential, Restricted)
  • Non-disclosure agreements (NDAs) with employees and contractors
  • Secure data disposal procedures (NIST 800-88 media sanitization standards)

Privacy: Controls protecting Personal Data including:

  • Privacy impact assessments (PIAs) for new processing activities
  • Data minimization and purpose limitation enforcement
  • Consent management and preference centers
  • Breach notification procedures compliant with 72-hour GDPR requirement

Annual Audits:
Independent Certified Public Accountants (CPAs) conduct annual SOC 2 Type II examinations evaluating control design and operational effectiveness over 12-month observation periods. Attestation reports are available to clients under NDA.

5.3 Commercial Debt Applicant Data Protection

Recognizing the sensitivity of credit information, FactWagon implements enhanced controls:

Credit Report Handling:

  • Permissible purpose verification before accessing consumer or commercial credit reports
  • Fair Credit Reporting Act (FCRA) compliance for consumer credit data
  • Encrypted storage with access limited to underwriting personnel
  • Audit logging of all credit report accesses with business justification

Financial Document Security:

  • Secure document upload portals with virus scanning and malware detection
  • Encrypted document storage with document-level access controls
  • Automatic redaction of Social Security Numbers (SSN) and account numbers in logs
  • Secure document sharing with watermarking and download restrictions

Data Retention Limits:

  • Credit application data retained for 7 years post-application per regulatory requirements
  • Declined applications purged after 2 years absent legal hold
  • Approved loans retained for loan term plus 7 years for statute of limitations protection

5.4 Corporate ESG Compliance Data Security

ESG data often contains competitively sensitive information requiring specialized protection:

Confidentiality Safeguards:

  • Segregated data stores isolated from general platform infrastructure
  • Additional encryption layer for ESG metrics and sustainability reports
  • Restricted access limited to ESG consultants with signed confidentiality agreements
  • Redaction capabilities removing company-identifying information for benchmarking

Third-Party Audit Support:

  • Secure data rooms for ESG auditors and verification bodies
  • Granular permission controls for external stakeholder access
  • Activity monitoring and download tracking for audit trail purposes

6. COOKIES AND TRACKING TECHNOLOGIES

6.1 Purpose of Tracking Technologies

FactWagon deploys cookies, web beacons, and similar technologies exclusively to optimize B2B user experience and support financial data modeling for institutional clients:

Essential Platform Functionality:

  • Session management and secure authentication
  • Load balancing and performance optimization
  • Security protection (CSRF tokens, bot detection)

B2B User Experience Enhancement:

  • Dashboard personalization and saved preferences
  • Feature adoption tracking identifying underutilized capabilities
  • Navigation path analysis optimizing enterprise workflows
  • A/B testing of interface designs for institutional users

Financial Data Modeling:

  • Anonymized usage patterns informing credit risk models
  • Aggregated industry benchmarking data supporting underwriting decisions
  • Predictive analytics identifying loan default risk factors
  • Portfolio performance analysis for institutional lenders

6.2 Cookie Categories

Category | Purpose | Duration | Legal Basis
Strictly Necessary | Authentication, security, session management | Session to 90 days | Legitimate Interest
Performance Analytics | Platform optimization, error tracking | 24 months | Consent (GDPR) / Legitimate Interest
Functional | User preferences, customization | 12 months | Consent / Legitimate Interest
Marketing | B2B advertising, campaign attribution | 13 months | Consent

6.3 Managing Cookie Preferences

Cookie Consent Management:
Initial Platform access presents granular cookie consent options allowing acceptance or rejection of non-essential categories. Preferences are modifiable via “Cookie Settings” in the footer or account preferences.

Browser Controls:
Standard browser settings enable cookie blocking, deletion, or third-party cookie restrictions. Note that blocking essential cookies will impair Platform functionality.

Opt-Out Tools:

  • Google Analytics Opt-Out: tools.google.com/dlpage/gaoptout
  • NAI Opt-Out: optout.networkadvertising.org
  • DAA Opt-Out: optout.aboutads.info

7. THIRD-PARTY DATA DISCLOSURE

7.1 Verified Financial Underwriters

FactWagon may share credit application data with:

Commercial Lenders:
Banks, credit unions, alternative lenders, and institutional investors participating in loan syndications or purchasing loan participations. Shared data includes complete credit applications, financial statements, and underwriting analysis.

Credit Bureaus:
Dun & Bradstreet, Experian Business, Equifax Business for credit report retrieval and trade payment reporting. Authorization is obtained per Fair Credit Reporting Act (FCRA) permissible purposes.

Loan Servicers:
Third-party servicers managing loan administration, payment processing, and collections. Data sharing is governed by servicing agreements with confidentiality provisions.

7.2 Compliance Auditors

External auditors and regulatory examiners may receive access to Personal Data:

External Auditors:
Independent accounting firms conducting SOC 2, financial statement, or operational audits receive controlled access to relevant records under executed engagement letters with confidentiality clauses.

Regulatory Examiners:
Federal and state financial regulators, banking supervisors, and consumer protection agencies may examine records during regulatory examinations. Disclosures comply with lawful examination authority.

Compliance Consultants:
Specialized AML/KYC, sanctions screening, and regulatory compliance consultants receive limited data access necessary for compliance assessments under non-disclosure agreements.

7.3 Institutional Partners

Strategic business partners supporting service delivery:

Technology Infrastructure Providers:
Cloud hosting providers (AWS, GCP, Azure), CDN providers (Cloudflare, Akamai), and managed security service providers (MSSPs) process data as subprocessors under Data Processing Agreements.

Payment Processors:
Bank partners, ACH processors, wire transfer networks, and payment gateways facilitating financial transactions. PCI DSS compliant processors operate under executed Business Associate Agreements.

API Integration Partners:
Fintech platforms, banking-as-a-service (BaaS) providers, and financial data aggregators integrated via APIs. Data shared is limited to the minimum necessary for specific integrations.

Professional Service Providers:
Legal counsel, accountants, investment bankers, and business consultants engaged for specialized expertise receive data under attorney-client privilege, work product doctrine, or contractual confidentiality.

7.4 Disclosure Limitations and Safeguards

All third-party disclosures are subject to:

Contractual Protections:

  • Data Processing Agreements (DPA) or Business Associate Agreements (BAA)
  • Confidentiality and non-disclosure provisions
  • Purpose limitation restricting use to specified services
  • Security requirement minimums matching FactWagon standards
  • Audit rights permitting assessment of third-party controls

Data Minimization:
Only Personal Data necessary for specific disclosed purposes is shared. Bulk transfers are avoided in favor of targeted, purposeful disclosures.

Restricted Onward Transfer:
Third parties are prohibited from further disclosure absent explicit authorization or legal requirement.


8. DATA SUBJECT RIGHTS

8.1 GDPR Rights (EEA/UK/Switzerland)

Data subjects have rights to:

Access: Obtain confirmation of processing and copies of Personal Data
Rectification: Correct inaccurate or incomplete Personal Data
Erasure: Request deletion (“right to be forgotten”) subject to legal retention requirements
Restriction: Limit processing under specified circumstances
Portability: Receive Personal Data in structured, machine-readable format
Object: Object to processing based on legitimate interests or direct marketing
Withdraw Consent: Revoke consent for consent-based processing
Lodge Complaint: File complaints with supervisory authorities

Exercise Rights:
Email: privacy@factwagon.com | Subject: “GDPR Data Subject Request”
Response Timeline: 30 days (extendable 60 days for complex requests)

8.2 CCPA/CPRA Rights (California Residents)

California residents have rights to:

Know: Categories and specific pieces of Personal Information collected
Delete: Request deletion of Personal Information
Correct: Rectify inaccurate Personal Information
Opt-Out: Opt-out of sale/sharing for cross-context behavioral advertising
Limit: Limit use of Sensitive Personal Information
Non-Discrimination: Exercise rights without discriminatory treatment

FactWagon Does Not Sell Personal Information:
We do not sell Personal Information as defined under CCPA/CPRA. Marketing cookies may constitute “sharing” for targeted advertising; opt-out available via cookie settings.

Exercise Rights:
Email: privacy@factwagon.com | Subject: “California Privacy Rights Request”
Toll-Free: 1-888-FACTWAGON
Response Timeline: 45 days (extendable 45 days with notice)

8.3 Verification Procedures

To protect against fraudulent requests, FactWagon implements reasonable verification procedures:

  • Email confirmation to registered account email addresses
  • Multi-factor authentication for account holders
  • Matching provided information against account records
  • Additional documentation for non-account holders (government ID, utility bills)

9. DATA RETENTION

Operational Data: Retained during active client relationship plus 7 years
Financial Records: 7 years from transaction date per IRS and GLBA requirements
Credit Applications: 7 years from application date or loan payoff
Marketing Data: Until opt-out request or 3 years of inactivity
System Logs: 90 days for security logs; 30 days for performance logs
Backup Data: Incremental backups 30 days; full backups 1 year

Legal holds override standard retention schedules during litigation or investigations.


10. INTERNATIONAL DATA TRANSFERS

Transfer Mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Agreement (IDTA)
  • Swiss Federal Data Protection Authority approved clauses
  • Adequacy decisions where applicable

Supplementary Measures:
Additional safeguards include encryption, access controls, and contractual restrictions addressing government access concerns raised by the Schrems II decision.


11. CHANGES TO THIS PRIVACY POLICY

FactWagon reserves the right to modify this Privacy Policy upon 30 days’ notice via email and Platform posting. Material changes adverse to data subjects require affirmative consent.


12. CONTACT INFORMATION

FactWagon Enterprise Solutions
Data Protection Officer
10 South First Street
San Jose, California 95113
United States of America

Email: privacy@factwagon.com
Phone: +1 (408) 555-FACT
Data Protection Officer: dpo@factwagon.com

Response Commitment: Privacy inquiries answered within 5 business days; data subject rights requests processed within statutory timeframes.