Data Processing Agreement

Last updated: April 2, 2026

Effective: April 2, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Chippi Inc. ("Processor," "Chippi," "we," "us," or "our") and the Subscriber ("Controller," "you," or "your") who has agreed to the Terms of Service for the Chippi platform available at usechippi.com and my.usechippi.com (the "Service"). This DPA sets out the terms under which Chippi processes personal data on behalf of the Controller.

1. Definitions

1.1. In this DPA, the following terms have the meanings set out below:

  • "Controller" means the Subscriber (realtor, brokerage, or other entity) that determines the purposes and means of the processing of personal data through the Service. The Controller is the Data Controller with respect to all Applicant data and Subscriber Data processed through the Service.
  • "Processor" means Chippi Inc., which processes personal data on behalf of the Controller in connection with the provision of the Service.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • "Data Subject" means the identified or identifiable natural person to whom Personal Data relates, including Applicants who submit data through intake forms.
  • "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
  • "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including GDPR, CCPA, and other relevant data protection legislation.

2. Scope of Processing

2.1. The Processor shall process Personal Data only for the purpose of providing the Service to the Controller, as described in the Terms of Service.

2.2. The categories of Personal Data processed include:

  • Applicant contact information (name, email, phone number).
  • Housing preferences and requirements submitted through intake forms.
  • Employment and financial information (if collected by the Controller through intake forms).
  • Lead scoring data and AI-generated advisory outputs.
  • Deal pipeline information and tour scheduling data.
  • Communications sent through the Service (email and SMS).

2.3. The categories of Data Subjects include Applicants, prospective buyers, prospective renters, and other individuals whose data the Controller collects through the Service.

2.4. Processing activities include storage, retrieval, organization, AI scoring analysis, notification delivery (email and SMS), and deletion of Personal Data as necessary to provide the Service.

3. Obligations of the Processor

3.1. The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
  • Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational security measures to protect Personal Data, including encryption in transit and at rest, access controls, and regular security assessments.
  • Not engage a Sub-Processor without prior written authorization from the Controller (which may be given generally in this DPA for the Sub-Processors listed in Section 4).
  • Assist the Controller in responding to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, and objection.
  • Assist the Controller in ensuring compliance with obligations regarding data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
  • At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless storage is required by applicable law.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.
  • Not sell Personal Data. Under no circumstances will the Processor sell Personal Data or use it for any purpose other than providing the Service.
  • Not use Personal Data for AI training. Personal Data will not be used to train, improve, or develop artificial intelligence models.

4. Sub-Processors

4.1. The Controller hereby provides general written authorization for the Processor to engage the following Sub-Processors:

| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and data storage infrastructure | United States |
| Clerk | User authentication and session management | United States |
| Stripe | Payment processing and subscription billing | United States |
| OpenAI | AI lead scoring and voice AI assistant features | United States |
| Resend | Transactional email delivery | United States |
| Telnyx | SMS delivery and voice communications | United States |

4.2. The Processor shall ensure that each Sub-Processor is bound by data protection obligations no less protective than those set out in this DPA.

4.3. The Processor shall notify the Controller of any intended changes to Sub-Processors (additions or replacements) at least 30 days in advance, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected services.

4.4. The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

5. Data Subject Rights

5.1. The Controller is primarily responsible for responding to Data Subject requests, as the Controller determines the purposes and means of processing.

5.2. If the Processor receives a request from a Data Subject directly, the Processor shall promptly notify the Controller and shall not respond to the request without the Controller's authorization, unless required by applicable law.

5.3. The Processor shall provide the Controller with reasonable assistance in fulfilling Data Subject requests, including:

  • Providing tools within the Service for the Controller to access, export, correct, and delete Applicant data.
  • Assisting with data portability requests by providing data in a structured, commonly used, machine-readable format.
  • Implementing technical measures to facilitate the exercise of Data Subject rights.

5.4. The Processor shall respond to Controller requests for assistance with Data Subject rights within a reasonable timeframe, not to exceed 15 business days.

6. Data Breach Notification

6.1. The Processor shall notify the Controller of any confirmed Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach.

6.2. The notification shall include, to the extent available:

  • A description of the nature of the Data Breach, including the categories and approximate number of Data Subjects and records affected.
  • The name and contact details of the Processor's point of contact for further information.
  • A description of the likely consequences of the Data Breach.
  • A description of the measures taken or proposed to address the Data Breach, including measures to mitigate its possible adverse effects.

6.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.

6.4. The Processor shall document all Data Breaches, including the facts, effects, and remedial actions taken, and make this documentation available to the Controller upon request.

7. Data Deletion on Termination

7.1. Upon termination or expiration of the Terms of Service, the Processor shall:

  • Provide the Controller with the ability to export their data for a period of 30 days following termination.
  • After the 30-day export period, permanently and irreversibly delete all Personal Data processed on behalf of the Controller, including all copies and backups.
  • Confirm deletion in writing upon the Controller's request.

7.2. The Processor may retain Personal Data beyond the deletion period only to the extent required by applicable law, and shall inform the Controller of any such requirement.

7.3. Any Personal Data retained for legal compliance purposes shall continue to be protected in accordance with this DPA and shall be deleted as soon as the legal requirement expires.

8. Audit Rights

8.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws.

8.2. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

  • The Controller shall provide at least 30 days' written notice of any audit request.
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
  • The Controller shall bear the costs of the audit, unless the audit reveals a material breach by the Processor.
  • The auditor shall be bound by appropriate confidentiality obligations.
  • Audits shall be limited to once per 12-month period, unless a Data Breach or regulatory investigation necessitates an additional audit.

8.3. The Processor may satisfy audit requirements by providing the Controller with relevant third-party audit reports, certifications, or compliance documentation, where available.

9. International Transfers

9.1. The Processor shall not transfer Personal Data to a country outside the United States without ensuring that appropriate safeguards are in place, as required by applicable data protection laws.

9.2. Where required, the Processor shall enter into standard contractual clauses or rely on other approved transfer mechanisms to ensure the lawfulness of international data transfers.

10. Liability

10.1. The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service.

10.2. The Controller acknowledges that it is responsible for its own compliance with applicable data protection laws, including ensuring a lawful basis for processing and obtaining necessary consents from Data Subjects.

11. Term and Termination

11.1. This DPA shall remain in effect for the duration of the Terms of Service and for as long as the Processor processes Personal Data on behalf of the Controller.

11.2. Sections 6, 7, 8, and 10 shall survive termination of this DPA.

12. Contact

For questions about this Data Processing Agreement, please contact us:

Chippi Inc.
Email: help@usechippi.com
Website: usechippi.com
