Data Processing Addendum
This Data Processing Addendum ("DPA") is incorporated into and forms part of the Agent Subscription Agreement (the "Agreement") between Sentrust Corp ("Sentrust," "Service Provider," "Processor") and the subscribing agent, team, or brokerage ("you," "Business," "Controller"). It governs Sentrust's Processing of Personal Information on your behalf. If it conflicts with the Agreement on data-protection matters, this DPA controls.
1. Definitions
- "CCPA" — the California Consumer Privacy Act, as amended by the CPRA, and its regulations.
- "Personal Information," "Business," "Service Provider," "sell," "share," "process," and "consumer" have the meanings given in the CCPA.
- "Visitor Personal Information" — Personal Information about open-house visitors that Sentrust processes through the Service on your behalf (e.g., sign-in contact details).
- "Sub-processor" — a third party engaged by Sentrust to process Personal Information in connection with the Service.
2. Roles and scope
For Visitor Personal Information collected through the open-house sign-in, you are the Business/Controller and Sentrust is your Service Provider/Processor. Sentrust processes Visitor Personal Information only to provide the Service and only on your documented instructions, which consist of the Agreement, this DPA, and your configuration and use of the Service. The subject matter, duration, nature, and purpose of processing, and the categories of Personal Information and data subjects, are described in Annex A.
3. Sentrust's obligations as Service Provider
- Purpose limitation. Sentrust will process Visitor Personal Information solely to perform the Service and for the business purposes specified in Annex A. Sentrust will not sell or share it, will not retain, use, or disclose it for any purpose other than performing the Service (including not for a commercial purpose other than providing the Service), will not retain, use, or disclose it outside the direct business relationship with you, and will not combine it with Personal Information from other sources except as permitted by the CCPA. Sentrust certifies that it understands and will comply with these restrictions.
- Instructions. Sentrust will process only on your documented instructions and will inform you if, in its opinion, an instruction violates applicable privacy law.
- Confidentiality. Sentrust ensures personnel authorized to process Personal Information are bound by confidentiality.
- Security. Sentrust maintains appropriate technical and organizational measures (see Annex B) designed to protect Personal Information.
- Assistance with consumer requests. Taking into account the nature of processing, Sentrust will assist you, by appropriate measures, in responding to consumer requests to know, access, delete, correct, or opt out, and will promptly forward to you any such request it receives directly.
- Breach notification. Sentrust will notify you without undue delay (and in any event within 72 hours) after becoming aware of a breach of security leading to the unauthorized access, disclosure, or loss of Personal Information, and will provide information reasonably available to help you meet your notification obligations.
- Deletion or return. On termination of the Service, Sentrust will delete or return Personal Information as provided in the Agreement, subject to retention required by law; anonymized/aggregated data that no longer identifies any person may be retained.
- Demonstrating compliance. Sentrust will make available information reasonably necessary to demonstrate compliance with this DPA and, on reasonable notice and no more than once per year (or after a breach), allow you or your mandated auditor to conduct a reasonable assessment, subject to confidentiality.
4. Sub-processors
You authorize Sentrust to engage the Sub-processors listed in Annex C to process Personal Information in connection with the Service. Sentrust imposes data-protection obligations on each Sub-processor that are substantially the same as those in this DPA and remains responsible for their performance. Sentrust will give you notice of any intended addition or replacement of a Sub-processor and a reasonable opportunity to object on reasonable data-protection grounds.
5. Data subject rights & anonymity
Feedback Data is collected and returned to you only in anonymized/aggregated form; Sentrust does not provide you raw, individually identifiable feedback, and both parties will not attempt to re-identify it. Sentrust supports the anonymity safeguards described in Annex B, including separating visitor identity from feedback and suppressing results below a minimum response threshold.
6. International transfers
Personal Information is processed in the United States.
7. Liability & term
This DPA is subject to the limitations and exclusions of liability in the Agreement. It takes effect when the Agreement does and continues for as long as Sentrust processes Personal Information on your behalf.
Annex A — Details of processing
- Subject matter: provision of the open-house sign-in, feedback collection, and reporting Service.
- Duration: the term of the Agreement.
- Nature and purpose: collecting visitor sign-in contact details and anonymous feedback, generating reports for you, and making visitor contact details available to you for your follow-up.
- Categories of Personal Information: identifiers (name, email, phone), and commercial information (property interest/timeline) the visitor chooses to provide.
- Categories of data subjects: open-house visitors who sign in or submit feedback.
- Retention: as described in the Privacy Policy.
Annex B — Technical & organizational security measures
- Encryption of Personal Information in transit and at rest.
- Access controls and least-privilege access; authentication for administrative access.
- Logging and monitoring of access to Personal Information.
- Anonymity architecture: visitor identity is stored separately from feedback content with no join key, and feedback is exposed only in aggregate above a minimum response threshold (N ≥ 4).
- Data-processing terms with Sub-processors; secure development and change-management practices.
- An incident-response process for security events.
Annex C — Sub-processors
- Netlify — application hosting and storage.
- Tally — form collection (sign-in and feedback).
- Stripe — payment processing for your subscription (agent billing).
- Spacemail — transactional email (winner and account notifications).
Part of the Agent Subscription Agreement. Contact: privacy@sentrust.ai.