Data Processing Agreement
Last Updated: January 2025
This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between:
The entity agreeing to these terms (the "Company" or "Data Controller")
and
ResiDesk, Inc.
222 Broadway, Suite 1903
New York, NY 10038
(the "Processor" or "ResiDesk")
(together the "Parties")
WHEREAS
(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Processor.
(C) The Parties seek to implement a data processing agreement that complies with applicable data protection laws, including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms used in this Agreement shall have the following meanings:
"Agreement" means this Data Processing Agreement;
"Company Personal Data" means any Personal Data processed by Processor on behalf of Company pursuant to the Principal Agreement;
"Data Protection Laws" means the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and to the extent applicable, the data protection or privacy laws of any other jurisdiction;
"Services" means the AI-powered resident communication and property management services ResiDesk provides;
"Subprocessor" means any third party engaged by Processor to process Personal Data on behalf of the Company.
1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", and "Processing" shall have the same meaning as in applicable Data Protection Laws.
2. Processing of Company Personal Data
2.1 Processor shall:
(a) comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and
(b) not Process Company Personal Data other than on the Company's documented instructions.
2.2 The Company instructs Processor to process Company Personal Data for the purpose of providing the Services.
2.3 Categories of Personal Data processed include: resident names, contact information, lease information, ledger balances, and maintenance records. Processor does not process payment card data.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of personnel who have access to Company Personal Data, ensuring that access is limited to those who need it to perform the Services and that all such individuals are subject to confidentiality obligations.
4. Security
4.1 Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit and at rest, access controls, and regular security monitoring.
4.2 Processor's infrastructure is hosted on SOC 2 Type 2 compliant platforms (Heroku and Amazon Web Services).
5. Subprocessing
5.1 The Company authorizes Processor to engage the following Subprocessors:
| Category | Subprocessor | Location |
|---|---|---|
| Cloud Infrastructure | Heroku (Salesforce), Amazon Web Services | United States |
| AI/ML Services | OpenAI, Anthropic, Google, Groq | United States |
| Monitoring | New Relic, Bugsnag | United States |
5.2 Processor shall notify Company of material changes to Subprocessors by updating this Agreement.
6. Data Subject Rights
6.1 Processor shall assist the Company in responding to requests from Data Subjects to exercise their rights under Data Protection Laws.
6.2 Processor shall promptly notify Company if it receives a request from a Data Subject and shall not respond except on documented instructions from Company or as required by applicable law.
7. Personal Data Breach
7.1 Processor shall notify Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data, providing sufficient information to allow Company to meet any notification obligations.
7.2 Processor shall cooperate with Company to assist in the investigation and remediation of each such Personal Data Breach.
8. Deletion of Company Personal Data
8.1 Upon termination of the Principal Agreement, Processor shall, within 30 business days, delete Company Personal Data unless retention is required by applicable law.
9. Audit Rights
9.1 Processor shall make available to the Company, upon request, information necessary to demonstrate compliance with this Agreement, including SOC 2 audit reports and security questionnaire responses.
10. Data Transfers
10.1 Company Personal Data is processed and stored within the United States. Processor shall not transfer Company Personal Data outside the United States without the prior written consent of the Company.
11. CCPA Provisions
11.1 To the extent Company Personal Data is subject to the CCPA, Processor certifies that it is a "Service Provider" as defined by the CCPA and shall:
(a) Process Personal Data only for the business purposes specified in this Agreement;
(b) Not sell or share Personal Data;
(c) Not retain, use, or disclose Personal Data outside the direct business relationship.
12. General Terms
12.1 Confidentiality. Each Party shall keep this Agreement and Confidential Information received about the other Party confidential.
12.2 Notices. All notices under this Agreement must be in writing and delivered to the addresses set forth herein or to such other address as notified by either Party.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of the State of Delaware, United States.
13.2 Any dispute arising in connection with this Agreement shall be submitted to the exclusive jurisdiction of the courts of Delaware.
IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.
Company
Signature
Name
Title
Date Signed
ResiDesk, Inc.
Signature
Name
Title
Date Signed
Related Documents:
Privacy Policy: hello.theresidesk.com/privacy-policy
Terms of Use: hello.theresidesk.com/terms-of-use
ResiDesk, Inc. · 651 N Broad St, Suite 201, Middletown, DE 19709 · hello@theresidesk.com

