Data Processing Addendum

Last Updated: 2026-06-11

This Data Processing Addendum ("DPA") forms part of, and is subject to, the Credenza Terms of Use at usecredenza.com/terms-of-use and the End-User License Agreement (together, the "Agreement") between Credenza Labs, Inc., a Delaware corporation ("Credenza," "we," or "Processor"), and the customer entity that has entered into the Agreement ("Customer," "you," or "Controller"). This DPA governs the Processing of Personal Data by Credenza on Customer's behalf in connection with the Credenza platform and services (the "Services").
In the event of a conflict between this DPA and the rest of the Agreement with respect to the Processing of Personal Data, this DPA controls. Capitalized terms not defined here have the meanings given in the Agreement.

1. Definitions

  • "Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, as applicable, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and U.S. state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA").
  • "Controller," "Processor," "Data Subject," "Personal Data," "Personal Data Breach," "Processing," and "Supervisory Authority" have the meanings given in the GDPR, and their equivalents under other Data Protection Laws (for example, "Business," "Service Provider," and "Consumer" under the CCPA). "Sub-processor" is defined below.
  • "Customer Personal Data" means Personal Data contained within Customer Content that Credenza Processes on Customer's behalf in providing the Services.
  • "Standard Contractual Clauses" or "SCCs" means (a) the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914 (the "EU SCCs"); and (b) the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner (the "UK Addendum").
  • "Sub-processor" means any third party engaged by Credenza to Process Customer Personal Data.

2. Roles and Scope

2.1. Roles. As between the parties, Customer is the Controller (or, where Customer itself acts as a processor for a third party, the processor) of Customer Personal Data, and Credenza is the Processor (or sub-processor). Each party will comply with its obligations under Data Protection Laws.
2.2. Scope of Processing. Credenza will Process Customer Personal Data only (a) to provide, secure, maintain, and improve the Services in accordance with the Agreement; (b) as otherwise documented in Customer's lawful instructions; and (c) as required by applicable law (in which case Credenza will, unless legally prohibited, inform Customer of that requirement before Processing). The Agreement, this DPA, and Customer's use and configuration of the Services constitute Customer's complete and final documented instructions. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex I.
2.3. Customer Responsibilities. Customer is responsible for the accuracy and lawfulness of Customer Personal Data and for establishing a legal basis for the Processing, including providing any required notices to and obtaining any required consents from Data Subjects. Customer will not provide Credenza with Personal Data outside the scope described in Annex I, and will not instruct Credenza to Process Personal Data in violation of Data Protection Laws.

3. Credenza Obligations

3.1. Instructions. Credenza will Process Customer Personal Data only on Customer's documented instructions, including with respect to international transfers, unless required by applicable law. If, in Credenza's opinion, an instruction infringes Data Protection Laws, Credenza will promptly inform Customer and may decline to process that instruction until the parties have resolved the issue.
3.2. Confidentiality. Credenza will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations and have received appropriate data-protection training, and will limit access to those personnel who need it to provide the Services.
3.3. Security. Credenza will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. A description of these measures is set out in Annex II.
3.4. Sub-processors. Customer hereby provides general written authorization for Credenza to engage Sub-processors to Process Customer Personal Data. The current Sub-processors are listed in Annex III. Credenza will (a) impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA; (b) remain liable to Customer for each Sub-processor's performance of its obligations; and (c) give Customer notice of any intended addition or replacement of a Sub-processor with a reasonable opportunity to object on reasonable data-protection grounds. If Customer reasonably objects, the parties will work in good faith to resolve the objection; if they cannot, Customer may terminate the affected Services as its sole remedy.
3.5. Assistance with Data Subject Requests. Taking into account the nature of the Processing, Credenza will assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfill Customer's obligation to respond to requests by Data Subjects to exercise their rights (such as access, rectification, erasure, restriction, portability, and objection). If Credenza receives such a request directly, it will, unless legally prohibited, promptly notify Customer and not respond except on Customer's instructions or as legally required.
3.6. Assistance with Compliance. Taking into account the nature of the Processing and the information available to Credenza, Credenza will provide reasonable assistance to Customer with its obligations regarding security of Processing, Personal Data Breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities under Data Protection Laws.
3.7. Personal Data Breach. Credenza will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide Customer with information reasonably available to it to assist Customer in meeting any breach-notification obligations. Credenza's notification is not an acknowledgment of fault or liability.
3.8. Deletion or Return. Upon termination or expiry of the Services, and at Customer's choice, Credenza will delete or return Customer Personal Data and delete existing copies, except to the extent retention is required by applicable law, in which case Credenza will continue to protect that Personal Data in accordance with this DPA. Deletion of Customer Personal Data in the ordinary course (for example, when Customer deletes records) occurs as described in the Privacy Policy and Documentation.
3.9. Audit. Credenza will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, no more than once per twelve (12) months (unless required by a Supervisory Authority or following a Personal Data Breach), on reasonable prior written notice, during business hours, subject to confidentiality obligations, and in a manner that does not disrupt Credenza's operations or compromise the security of other customers' data. Credenza may satisfy this obligation by providing relevant third-party audit reports, certifications, or security documentation where available.

4. International Data Transfers

4.1. To the extent Customer Personal Data that is subject to the GDPR, UK GDPR, or FADP is transferred to, or Processed by Credenza in, a country that has not received an adequacy decision, the parties agree that the applicable Standard Contractual Clauses are incorporated into this DPA by reference and apply to such transfers, with Customer as data exporter and Credenza as data importer.
4.2. For EU transfers, Module Two (Controller to Processor) of the EU SCCs applies (or Module Three (Processor to Processor) where Customer is itself a processor). The optional docking clause applies; the audit and Sub-processor terms of this DPA satisfy Clauses 8.9 and 9; the general Sub-processor authorization in Section 3.4 applies under Clause 9(a) Option 2; Customer's choice of governing law and forum (Section 8) applies only to the extent Clauses 17 and 18 of the EU SCCs permit; and Annexes I–III of this DPA populate the corresponding Annexes of the SCCs.
4.3. For UK transfers, the UK Addendum applies to and amends the EU SCCs as set out in that Addendum. For Swiss transfers, references in the EU SCCs are interpreted to give effect to the FADP, with the Swiss Federal Data Protection and Information Commissioner as the competent authority.
4.4. If the Standard Contractual Clauses or any transfer mechanism is invalidated or superseded, the parties will work in good faith to implement an alternative lawful transfer mechanism.

5. CCPA and U.S. State Privacy Terms

5.1. To the extent Credenza Processes Personal Data on Customer's behalf that is subject to the CCPA or analogous U.S. state laws, Credenza acts as a Service Provider (or Processor / Contractor, as applicable). Credenza will Process such Personal Data only for the business purposes of providing the Services as specified in the Agreement.
5.2. Credenza will not (a) sell or share (as those terms are defined under the CCPA) Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified in the Agreement, or as otherwise permitted by the CCPA; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties; or (d) combine Customer Personal Data with Personal Data received from other sources, except as permitted by the CCPA.
5.3. Credenza certifies that it understands and will comply with the restrictions in this Section. Customer may take reasonable and appropriate steps to ensure Credenza's compliance and to stop and remediate unauthorized use of Personal Data.

6. AI and Automated Processing

6.1. Certain Services use third-party artificial-intelligence providers to analyze publicly available business information (such as website and social-media content) as part of trade-application verification. As described in Annex II and the Privacy Policy, Credenza limits the Personal Data sent to these providers and does not transmit sensitive identifiers (such as EIN, state tax identification numbers, resale-certificate numbers, or designer contact details) to them.
6.2. Credenza configures its AI Sub-processors, where contractually available, to operate under zero-data-retention or no-training terms, such that Customer Personal Data is not used to train the provider's models. Verification outputs are informational and do not constitute solely automated decisions producing legal or similarly significant effects on Data Subjects; Customer remains responsible for human review of, and any decisions based on, verification results.

7. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement, and any reference to a party's liability means the aggregate liability of that party under the Agreement and this DPA together. This Section does not limit liability that cannot be limited under Data Protection Laws or the Standard Contractual Clauses.

8. Term, Governing Law, and Miscellaneous

8.1. Term. This DPA takes effect on the effective date of the Agreement and continues until Credenza has ceased all Processing of Customer Personal Data. Provisions that by their nature should survive termination will survive.
8.2. Governing Law. This DPA is governed by the law of the State of Florida, and the parties submit to the jurisdiction of the state and federal courts located in Florida, except (a) to the extent Data Protection Laws or the Standard Contractual Clauses require otherwise, and (b) that the Standard Contractual Clauses are governed by the law, and subject to the courts, designated under their own governing-law and forum clauses.
8.3. Order of Precedence. With respect to the Processing of Personal Data: this DPA prevails over the rest of the Agreement, and the Standard Contractual Clauses prevail over this DPA. The Annexes are an integral part of this DPA.
8.4. Changes. Credenza may update this DPA on prospective notice to reflect changes in the Services, Sub-processors, or Data Protection Laws, provided no update will materially reduce the protections for Customer Personal Data. The version is identified by the "Last Updated" date above in YYYY-MM-DD format.
8.5. Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.

Annex I — Details of Processing

A. List of Parties

  • Data Exporter / Controller: Customer, the entity that entered into the Agreement, acting through its authorized users. Contact: the administrative contact on the Customer account.

  • Data Importer / Processor: Credenza Labs, Inc., a Delaware corporation. Contact: privacy@usecredenza.com.

B. Subject Matter and Duration. Processing of Customer Personal Data for the duration of the Agreement and as described in Section 3.8 (deletion or return).
C. Nature and Purpose of Processing. Hosting, storage, transmission, and display of Customer Content; generation of resale and exemption documents; trade-application intake and automated verification; vendor–designer account management and communications; billing; analytics and product improvement; and security and fraud prevention—all as necessary to provide the Services.
D. Categories of Data Subjects.

  • Customer's authorized users and personnel (vendor team members; firm owners, members, authorized signers, and accountants).
  • Designers and design-firm applicants who apply to or interact with the Customer through the Services.

E. Categories of Personal Data.

  • Identification and contact data: name, business email, phone number, title/role.
  • Business and professional data: firm/business name, business type, website URL, social-media handle, years in business, professional memberships, trade references.
  • Documents and identifiers used for tax exemption: business address, tax identification numbers, resale-certificate data, uploaded certificate files, and electronic signatures.
  • Account, usage, billing, and communications metadata.

F. Sensitive Data. The Services are not intended to Process special categories of Personal Data. Customer should not submit such data except as strictly necessary and lawful.
G. Frequency. Continuous, for the duration of the Agreement.
H. Retention. For the duration of the Agreement and thereafter as described in Section 3.8 and the Privacy Policy, or as required by applicable law (for example, certain audit-log and financial records).

Annex II — Technical and Organizational Security Measures

Credenza maintains a security program that includes, at a minimum, the following measures, which may be updated as the Services evolve provided protection is not materially reduced:

  • Access control and authentication. Passwordless magic-link authentication for users; role-based access; the principle of least privilege for personnel; multi-factor authentication for administrative access to production systems.
  • Tenant isolation and data segregation. Row-Level Security enforced at the database layer scopes data to the owning firm or vendor; service-role credentials are confined to server-side functions and are never exposed to client applications.
  • Encryption. Encryption of Personal Data in transit (TLS) and at rest using industry-standard mechanisms provided by Credenza's hosting Sub-processors.
  • Data minimization for AI processing. Sensitive identifiers (EIN, state tax identification numbers, resale-certificate numbers, and designer contact details) are validated locally and are not transmitted to third-party AI providers; only the limited business information needed for analysis is sent. AI providers are engaged under zero-data-retention or no-training terms where available.
  • Secrets management. API keys and credentials are stored as environment secrets, never in source code or client bundles.
  • Logging and monitoring. Append-only audit logging of significant actions; operational monitoring and alerting; session-health monitoring for integrated services.
  • Resilience. Use of managed, redundant cloud infrastructure with backups; idempotent and recoverable processing for critical workflows.
  • Secure development. Code review, dependency management, and migration-based, reviewed schema changes; staging-first deployment with verification before production.
  • Sub-processor diligence. Engagement of reputable Sub-processors bound by data-protection terms no less protective than this DPA.

Annex III — Sub-processors

Customer authorizes the following Sub-processors. Credenza will update this list and notify Customer of additions or replacements in accordance with Section 3.4.

  • Supabase. Purpose: database, authentication, file storage, and serverless functions hosting. Processing location: United States.
  • Vercel. Purpose: frontend application hosting and content delivery. Processing location: United States / global edge.
  • Fly.io. Purpose: hosting for the authenticated profile-verification microservice. Processing location: United States.
  • Stripe. Purpose: subscription billing and payment processing. Processing location: United States.
  • Shopify. Purpose: commerce-platform integration for connected vendor stores. Processing location: Canada / United States (global).
  • Anthropic (Claude). Purpose: AI analysis of public business website and social-media content for verification. Processing location: United States.
  • OpenAI. Purpose: vision-model classification of public profile content within the verification microservice. Processing location: United States.
  • Sentry (Functional Software, Inc.). Purpose: application error monitoring and diagnostics. Processing location: United States.
  • Resend. Purpose: transactional email delivery and authentication email. Processing location: United States.
  • Serper.dev. Purpose: public news/press search to support verification. Processing location: United States.

Note: Some entries (for example, search and directory lookups) may process limited business identifiers rather than Personal Data. The list reflects providers used in delivering the Services and is maintained as the source of truth for Sub-processor notice and objection under Section 3.4.

Contact

Privacy and data-protection inquiries regarding this DPA may be directed to:
Credenza Labs, Inc.
Email: privacy@usecredenza.com