DATA PROCESSING ADDENDUM
Lease Velocity LLC
Notice: This document was drafted with AI assistance and has not been reviewed by a licensed attorney. The Company recommends obtaining a one-shot review by a Georgia-licensed attorney prior to executing or publishing this document.
Effective Date: the date Customer accepts the Agreement
This Data Processing Addendum (this “DPA”) is incorporated by reference into the SaaS Customer Agreement (the “Agreement”) between Lease Velocity LLC (“Company,” “Lease Velocity,” or “Processor”) and the customer identified on the applicable Order Form or signup record (“Customer” or “Controller”). This DPA governs the Parties’ respective obligations with respect to personal information that Customer collects, controls, or causes to be processed through the Service, where Lease Velocity acts as a processor or service provider. Capitalized terms not defined in this DPA have the meanings given in the Agreement.
In the event of a conflict between this DPA and the Agreement with respect to the processing of personal information, this DPA controls. The Service is offered only to customers operating residential rental properties located in the United States; this DPA accordingly addresses U.S. state comprehensive privacy laws and does not address the General Data Protection Regulation (EU/UK), the UK GDPR, or other non-U.S. privacy frameworks. If Customer’s use of the Service extends to non-U.S. data subjects, the Parties will negotiate a separate addendum to address applicable cross-border requirements.
1. DEFINITIONS
“Applicable Privacy Law” means each U.S. federal, state, or local law or regulation governing the processing of personal information that is applicable to Customer’s and Company’s respective activities under the Agreement, including without limitation the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, “CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, and analogous laws of other U.S. states as they take effect.
“Customer Personal Information” means personal information that Company processes on Customer’s behalf in connection with the Service, including Applicant Data and Resident Data (each as defined in the Agreement) and similar information of Customer’s end users.
“Data Subject” means an identified or identifiable natural person whose personal information is included in Customer Personal Information, including a Customer’s applicants, residents, and end users.
“Process” or “Processing” means any operation performed on personal information, including collection, recording, storage, retrieval, use, disclosure, transmission, alteration, restriction, erasure, or destruction.
“Security Incident” means a confirmed breach of Company’s security leading to the unauthorized access to, acquisition of, alteration of, loss of, or destruction of Customer Personal Information.
“Service Provider,” “Processor,” “Controller,” “Business,” “Sale,” and “Share” have the meanings given to such terms in Applicable Privacy Law.
“Subprocessor” means a third party engaged by Company to Process Customer Personal Information in connection with the Service.
2. ROLES AND SCOPE OF PROCESSING
2.1 Roles.
As between the Parties, Customer is the Controller / Business and Company is the Processor / Service Provider with respect to Customer Personal Information. Company processes Customer Personal Information solely on behalf of Customer and in accordance with Customer’s documented instructions, the Agreement, and Applicable Privacy Law. Customer’s use of the Service in accordance with the Documentation constitutes Customer’s documented instructions to Company.
2.2 Subject Matter, Duration, Nature, and Purpose of Processing.
The subject matter of the Processing is the provision of the Service. The duration of the Processing is the term of the Agreement plus any post-termination retention period described in the Agreement or this DPA. The nature of the Processing includes hosting, transmission, display, modification, generation, storage, deletion, and disclosure of Customer Personal Information as needed to operate the Service. The purpose of the Processing is to enable Customer to market its rental properties, accept and evaluate rental applications, screen applicants (through third-party vendors), onboard and manage residents, accept payments, and otherwise operate Customer’s residential-rental business through the Service.
2.3 Categories of Data Subjects.
Customer Personal Information may relate to the following categories of Data Subjects:
- Customer’s employees, contractors, and other authorized personnel who use the Service;
- applicants and prospective tenants who interact with Customer’s property marketing sites or submit rental applications through the Service;
- residents and other lawful occupants of Customer’s rental properties;
- guarantors, co-applicants, and emergency contacts identified by applicants or residents; and
- third parties referenced in maintenance requests, communications, or other Service workflows.
2.4 Categories of Personal Information.
Customer Personal Information may include the following categories:
- Identifiers and contact information (name, email address, telephone number, postal address);
- Employment and income information submitted as part of a rental application;
- Rental history, references, and prior-landlord information;
- Lease and tenancy information (unit assignment, term, rent, deposit, payment history, lease documents);
- Communications metadata (email logs, SMS metadata, voice-agent operational signals; voice recordings are retained by Company’s voice-agent Subprocessor, not by Company);
- Maintenance request information, including photographs;
- Vehicle, pet, guest, and emergency-contact information;
- Payment and ledger information (transaction identifiers, amounts, last-four digits of payment instruments; full card or bank account numbers are not collected or stored by Company);
- Verification reference identifiers and status information returned by identity-verification, background-check, and income-verification vendors. Sensitive personal information (such as social security numbers, dates of birth, driver’s license numbers, government-ID images, biometric images, and credit-report or background-check content) is processed by the applicable third-party vendor and is not stored by Company except as opaque reference identifiers and status enums; and
- Device, connection, and usage data described in the Privacy Policy.
3. PROCESSOR AND SERVICE PROVIDER OBLIGATIONS
Company makes the following commitments with respect to Customer Personal Information for purposes of Applicable Privacy Law:
- No Sale or Sharing. Company does not Sell or Share Customer Personal Information. Company does not retain, use, or disclose Customer Personal Information for any purpose other than the specific purposes set forth in the Agreement and this DPA, including any “commercial purpose” other than performing the Service.
- No Use Outside the Direct Business Relationship. Company does not retain, use, or disclose Customer Personal Information outside of the direct business relationship between Customer and Company, except as permitted by Applicable Privacy Law.
- No Combining. Company does not combine Customer Personal Information with personal information received from or on behalf of any other person, or collected from Company’s own interaction with a Data Subject, except as permitted by Applicable Privacy Law (such as for the limited purpose of detecting security incidents, protecting against fraudulent or illegal activity, or performing services on behalf of Customer).
- Confidentiality. Company ensures that personnel authorized to Process Customer Personal Information are bound by written confidentiality obligations or are subject to a statutory duty of confidence.
- Compliance with Applicable Privacy Law. Company complies with Applicable Privacy Law applicable to its provision of the Service and provides at least the level of privacy protection required of a Processor or Service Provider thereunder. Company will notify Customer if Company determines that it can no longer meet its obligations under Applicable Privacy Law.
- Cooperation with Audits. Subject to reasonable confidentiality protections, Company will, upon Customer’s reasonable request and not more than once in any twelve (12)-month period (except where required more often by Applicable Privacy Law or following a Security Incident), make available to Customer information reasonably necessary to demonstrate Company’s compliance with this DPA. Company’s response may take the form of a written summary, a completed industry-standard questionnaire (such as a SIG Lite or CAIQ), or, where reasonably appropriate, a meeting with Company’s designated security personnel. Customer’s on-site inspection rights, if any, are subject to advance written notice of at least thirty (30) days, are limited to once per twelve (12)-month period, must be conducted during normal business hours, and may not unreasonably interfere with Company’s operations.
4. SECURITY MEASURES
Company implements and maintains appropriate administrative, technical, and physical safeguards designed to protect Customer Personal Information against unauthorized access, acquisition, alteration, loss, destruction, or disclosure, taking into account the nature of the Customer Personal Information, the state of the art, the cost of implementation, and the risks presented by the Processing. Current safeguards include:
- Encryption in Transit. All HTTP traffic between users and the Service is encrypted using TLS. HSTS is enabled with a long max-age and preload.
- Encryption at Rest. Customer Personal Information stored in the Service’s primary database is encrypted at rest using the database provider’s native encryption. Multi-factor-authentication secrets are additionally encrypted at the application layer using AES-256-GCM. Passwords are stored as bcrypt hashes with a salt and a work factor of at least twelve (12). Certain other identifiers (such as multi-factor trust-device fingerprints, magic-link tokens, and invite tokens) are stored as one-way hashes.
- Access Controls. Access to production systems is limited to authorized personnel on a need-to-know basis. Multi-tenant isolation is enforced at the application layer through organization- and property-scoped queries on all privileged data. Multi-factor authentication is supported for Customer-side users and may be required for Company-side administrators.
- Logging and Monitoring. Security-relevant events (such as authentication events, privileged actions, and access to applicant or resident records) are recorded in a structured audit log. Application errors are tracked through a centralized error-tracking provider. Critical write routes are protected by rate limiting and bot-fingerprint signals.
- Vulnerability Management. Company maintains processes to monitor for, assess, and remediate vulnerabilities in the Service and its dependencies, including by tracking security advisories for open-source components.
- Data Minimization. The Service is designed to minimize Company’s handling of sensitive personal information. Sensitive identifiers (such as social security numbers, dates of birth, driver’s license numbers, government-ID images, and credit-report content) are routed directly to specialized third-party vendors through hosted flows, and Company stores only opaque reference identifiers, status enums, and timestamps.
- Personnel Practices. Personnel with access to Customer Personal Information are subject to written confidentiality obligations and are provided with appropriate security awareness.
- Backups and Continuity. Customer Personal Information is backed up consistent with the underlying database provider’s commercial backup arrangements.
Company may update its security safeguards from time to time, provided that any update will not materially reduce the overall level of security protecting Customer Personal Information.
5. SUBPROCESSORS
5.1 General Authorization.
Customer authorizes Company to engage Subprocessors to Process Customer Personal Information in connection with the Service. Company enters into a written agreement with each Subprocessor that imposes data-protection obligations substantially similar to those set forth in this DPA, including obligations to Process Customer Personal Information only for the purpose of providing the contracted service and to implement appropriate technical and organizational security measures.
5.2 Current Subprocessors.
Company’s current Subprocessors are set forth in Annex A to this DPA. All Subprocessors process Customer Personal Information in the United States.
5.3 Notice of New Subprocessors; Right to Object.
Company will provide Customer with notice (which may be by email, in-product notification, or update to a publicly maintained Subprocessor list referenced on the Service) at least thirty (30) days before adding a new Subprocessor that Processes Customer Personal Information. If Customer has a reasonable, documented data-protection objection to a new Subprocessor, Customer may notify Company in writing within thirty (30) days of the notice. The Parties will work together in good faith to resolve the objection. If the Parties cannot resolve the objection, Customer may terminate the affected Subscription on written notice to Company, as Customer’s sole remedy.
5.4 Subprocessor Liability.
Company remains responsible for the acts and omissions of its Subprocessors with respect to their Processing of Customer Personal Information to the same extent as if Company performed such acts or omissions itself, subject to the limitations of liability in the Agreement.
6. ASSISTANCE WITH DATA SUBJECT REQUESTS
6.1 Routing of Requests.
If Company receives a request from a Data Subject to exercise a right under Applicable Privacy Law with respect to Customer Personal Information, Company will, where Company can reasonably identify the applicable Customer, refer the Data Subject to Customer or otherwise route the request to Customer, and will not respond to the Data Subject directly except to confirm receipt and acknowledge the referral.
6.2 Self-Service and Cooperation.
Customer is primarily responsible for responding to Data Subject requests. Company provides tools within the Service that enable Customer to access, correct, export, and delete Customer Personal Information. Where Customer is unable to satisfy a Data Subject request using such tools, Company will provide commercially reasonable assistance to Customer, taking into account the nature of the Processing and the information available to Company. Company may charge a reasonable fee for assistance beyond a commercially reasonable level of cooperation.
7. SECURITY INCIDENTS
Company will notify Customer without undue delay, and in any event within seventy-two (72) hours, after Company becomes aware of a Security Incident involving Customer Personal Information. The notification will include, to the extent then known by Company: (a) a description of the nature of the Security Incident; (b) the categories of Customer Personal Information affected; (c) the likely consequences of the Security Incident; and (d) the measures taken or proposed to address and mitigate the Security Incident. Company will provide further updates as additional information becomes available. Company will also cooperate reasonably with Customer’s investigation of and response to the Security Incident, taking into account the nature of the Processing and the information available to Company. Company’s notification of, or response to, a Security Incident under this Section is not an acknowledgment by Company of any fault or liability with respect to the Security Incident.
8. RETURN AND DELETION OF CUSTOMER PERSONAL INFORMATION
During the term of the Agreement, Customer may export Customer Personal Information through the standard export functions of the Service. Within thirty (30) days following termination of the Agreement, Customer may continue to export Customer Personal Information. After such thirty (30)-day period, Company may delete Customer Personal Information from active production systems in the ordinary course, subject to: (a) ongoing retention required by Applicable Privacy Law or other applicable law; (b) the application-purge cycle described in the Privacy Policy (under which application payloads are retained for seven (7) years from submission and then purged, with a summary audit record preserved); (c) ledger-integrity requirements applicable to payment and transaction records; and (d) retention of Customer Personal Information in backups in accordance with Company’s ordinary backup-rotation schedule, which Customer Personal Information will be deleted in the ordinary course of backup rotation.
9. SENSITIVE INFORMATION; FIELDS NOT TO BE SUBMITTED
Customer agrees not to submit, store, or otherwise Process through the Service any of the following categories of information except where the Service expressly supports them through designated vendor-hosted flows: full social security numbers, full driver’s license numbers, dates of birth, credit scores, full payment card numbers, full bank account numbers, government-issued identification images, selfie or biometric images, raw credit-report or background-check content, protected health information regulated under the Health Insurance Portability and Accountability Act (HIPAA), education records regulated under the Family Educational Rights and Privacy Act (FERPA), and personal information of a child under thirteen (13) years of age. Company has no obligation to monitor Customer’s submissions, but may, in its discretion, suspend or remove submissions that violate this Section.
10. LIABILITY AND MISCELLANEOUS
10.1 Liability.
Each Party’s liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. The Parties acknowledge that Customer Personal Information may include information about Data Subjects who are not parties to the Agreement; nothing in this DPA confers any third-party-beneficiary rights upon any Data Subject.
10.2 Conflict.
In the event of a conflict between this DPA and the Agreement with respect to Customer Personal Information, this DPA controls. In the event of a conflict between this DPA and any non-binding document (such as a vendor questionnaire or marketing material), this DPA controls.
10.3 Amendments.
Company may update this DPA from time to time to reflect changes in Applicable Privacy Law, the Subprocessor list, or the Service. Where an update materially changes Company’s commitments to Customer with respect to Customer Personal Information, Company will provide reasonable notice (which may be by email or in-product notification) in advance of the update taking effect.
10.4 Governing Law.
This DPA is governed by and construed in accordance with the laws of the State of Georgia, without regard to its conflict-of-laws principles, and is subject to the venue and dispute-resolution provisions of the Agreement.
10.5 Survival.
The provisions of this DPA that by their nature should survive termination of the Agreement (including those relating to security, confidentiality, deletion, and liability) survive termination.
ANNEX A
Subprocessors
Note: Company may update this list from time to time in accordance with Section 5 of this DPA. The list below reflects Subprocessors in use as of the date this DPA was last updated. All Subprocessors process Customer Personal Information in the United States. Company has not independently verified each large-language-model and AI-vendor Subprocessor’s data-retention or model-training practices as of the Effective Date; for the avoidance of doubt, Company does not send sensitive personal information (such as social security numbers, dates of birth, driver’s license numbers, or credit scores) to any large-language-model or AI-image-generation vendor.
Region: All Subprocessors process Customer Personal Information in the United States.
| Subprocessor | Purpose | Data Categories Processed |
|---|---|---|
| Vercel, Inc. | Hosting, serverless function execution, blob storage, edge caching, AI gateway routing | All Service traffic and content (including any Customer Personal Information transiting the Service) |
| Neon, Inc. | Primary relational database (Postgres) | All structured Customer Personal Information stored in the Service’s database |
| Upstash, Inc. | Cache, rate limiting, ephemeral key-value store | Session identifiers, rate-limit counters, transient state |
| Stripe, Inc. (platform) | Subscription billing for Customer; identity-verification fee processing | Customer billing details (last-four digits of payment method, identifiers, subscription metadata); identity-verification reference identifiers |
| Stripe, Inc. (Stripe Connect) | Marketplace payment processing for resident-facing payments routed through Customer’s Stripe Connect account | Payment metadata for rent, deposits, application fees, late fees, and other property charges |
| Resend, Inc. | Transactional and nurture email delivery; email-event webhook processing | Recipient email addresses and message content; delivery, bounce, and complaint events |
| Twilio Inc. | Inbound and outbound voice telephony; SMS messaging; Twilio Verify for password-reset OTPs | Phone numbers; SMS message content; voice call routing metadata; OTP delivery |
| Vapi, Inc. | Real-time voice-agent AI for Customer-side voice calls (LLM, TTS, recording retention) | Voice call audio (retained by Vapi); voice operational signals (passed back to Service in redacted form) |
| Anthropic, PBC | Large-language-model inference (via Vercel AI Gateway) for property descriptions, blog topic prompts, ticket categorization, amenity descriptions, and rent-roll header mapping | Operational text (property descriptions, blog topics, ticket bodies). Sensitive personal information is not sent to this vendor. |
| OpenAI, L.L.C. | AI image generation (via Vercel AI Gateway) for blog covers and logos | Operational image prompts. Sensitive personal information is not sent to this vendor. |
| Replicate, Inc. | AI image enhancement and upscaling | Image content submitted by Customer for enhancement |
| Checkr, Inc. | Background-check screening (FCRA-regulated) | Applicant email and Customer onboarding token. Checkr handles background-check report content; Company stores only Checkr reference identifiers. |
| Plaid Inc. | Income verification (feature is gated; not active by default) | Where enabled, opaque Plaid reference identifiers and normalized status. Bank account credentials and transaction content are not stored by Company. |
| HomeJab, Inc. | Property photography fulfillment (vendor partner) | Property address and Customer contact information for photo-shoot scheduling |
| Mapbox, Inc. | Geocoding and interactive maps on property sites | Property addresses |
| Google LLC (Google Maps) | Static map rendering on property sites | Property addresses |
| Functional Software, Inc. (Sentry) | Application error and performance monitoring; CSP violation tracking | Diagnostic technical data, stack traces, and contextual error data (which may incidentally include Customer Personal Information present at the point of error) |
| Vercel, Inc. (Web Analytics) | Page-view analytics on the Site | Aggregated page-view metrics |
| GitHub, Inc. | Source-code hosting and build pipeline (build-time only; not in runtime path) | Source code only; no Customer Personal Information stored in source code |