Data Processing Addendum

Capitalized terms not defined here have the meaning given to them in the Agreement or in applicable Data Protection Law.

• Data Protection Law , all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR (collectively, “GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other comparable U.S. state privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, etc.).
• Personal Data , any information relating to an identified or identifiable natural person that Customer or Customer’s Authorized Users submit to the service or that DealDesk processes on Customer’s behalf in connection with the Agreement.
• Customer Data , documents (including lease PDFs and attachments), abstract outputs, LOIs, financial models, comps, deal records, photos, and other content Customer or its Authorized Users upload to or generate within the service. Customer Data may contain Personal Data.
• Processing , any operation performed on Personal Data, including collection, storage, use, transmission, and deletion.
• Subprocessor , any third party engaged by DealDesk to process Personal Data in connection with providing the service.
• Data Subject , the natural person to whom Personal Data relates.
• Authorized User , an individual to whom Customer has issued credentials to access the service (e.g., a broker on Customer’s team).

Customer is the “Controller” (or “Business” under CCPA/CPRA) of the Personal Data within Customer Data. DealDesk is the “Processor” (or “Service Provider” under CCPA/CPRA), processing Personal Data only on Customer’s documented instructions. Customer’s use of the service in accordance with the Agreement constitutes its instructions for processing.

For account data DealDesk needs to operate its own business (e.g., billing records, support tickets, sign-in audit logs), DealDesk acts as an independent Controller and processes that data under the Privacy Policy.

Subject matter

The provision of the DealDesk service to Customer pursuant to the Agreement.

Nature and purpose of processing

Hosting, storing, transmitting, displaying, and analyzing Customer Data so that Customer and its Authorized Users can abstract leases, draft letters of intent, build financial models, manage comps and deal pipeline, send approved emails through optional Gmail integration, and otherwise use the features described in the pricing page and product documentation.

Duration

For the term of the Agreement plus the post-termination retention window described in Section 10 below.

Categories of Personal Data

• Authorized User identifiers: name, email, hashed password or OAuth identity, profile image, role within Customer’s organization.
• Authentication and audit data: sign-in timestamps, IP address, browser/device metadata, session identifiers.
• Personal Data contained inside Customer Data, for example, names, contact information, signatures, or financial details that may appear in lease documents, LOIs, and email correspondence Customer chooses to process through the service.
• Optional Gmail integration metadata: OAuth refresh token scoped to gmail.send, and the bodies of outbound emails Customer composes and sends through DealDesk.
• Billing identifiers passed to Stripe: name, email, billing address, payment-method tokens. DealDesk does not see or store full card numbers.

Categories of Data Subjects

• Customer’s Authorized Users (brokers and staff).
• Counterparties referenced in Customer Data (landlords, tenants, co-brokers, signatories).
• Recipients of emails sent through the optional Gmail integration.

DealDesk shall:

• Process Personal Data only in accordance with Customer’s documented instructions (including those given through use of the service) and applicable Data Protection Law. If DealDesk believes an instruction violates law, it will inform Customer.
• Ensure that personnel authorized to process Personal Data are bound by written confidentiality obligations.
• Implement and maintain the technical and organizational measures described in Section 6 below.
• Not sell Personal Data and not “share” it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA. Not retain, use, or disclose Personal Data outside the direct business relationship between DealDesk and Customer or for any purpose other than the specific business purpose of providing the service.
• Not combine Personal Data received from Customer with personal data received from any other source, except as permitted under applicable law for security, debugging, or to comply with legal obligations.

Customer is responsible for the accuracy, quality, and legality of Customer Data and for the means by which it acquired Personal Data. Customer represents that it has all rights, consents, and lawful bases necessary to upload Customer Data to the service and have it processed as described in this DPA. Customer is responsible for determining whether the service is appropriate for any particular category of Personal Data it chooses to upload.

DealDesk maintains technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:

• TLS 1.2+ encryption in transit for all traffic between Authorized Users, the service, and Subprocessors.
• Encryption at rest for the production database and object storage (AES-256 or equivalent, managed by Subprocessors).
• Row-level security (“RLS”) and tenant isolation in the primary database. RLS is enabled on every table holding customer data, with policies that scope rows to the caller’s organization (using a my_org_ids() membership lookup) and an additional can_mutate_in_org() check on writes. Application-layer org_id scoping validated by database triggers provides a second layer of enforcement.
• OAuth refresh tokens (including Gmail tokens) stored encrypted; least-privilege scopes only.
• Multi-factor authentication required for all DealDesk personnel accessing production systems; least-privilege access for service credentials.
• Secrets stored in Subprocessor-provided secret managers, never in source control.
• Application and infrastructure logging retained for a rolling window (currently up to 30 days) to support incident response and abuse detection.
• Regular dependency-vulnerability scanning and patching of the application stack.
• Periodic review of Subprocessor security posture, including reliance on their published audit reports (e.g., SOC 2 Type II, ISO 27001) where available.

These measures may be updated from time to time provided that the overall level of security is not materially reduced.

Customer authorizes DealDesk to engage the Subprocessors listed below to process Personal Data on Customer’s behalf. Each Subprocessor is bound by data-protection terms substantially equivalent to those in this DPA and is limited to processing only what its role requires.

The most current list is maintained on this page and is deemed updated on the “Last updated” date above. DealDesk will provide at least 30 days’ advance notice before adding a new Subprocessor or replacing one in a way that materially expands the categories of Personal Data processed. Notice will be given by email to Customer’s billing contact and/or by an in-product banner. Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected portion of the service for convenience without further liability.

DealDesk and its Subprocessors are based in the United States, and Personal Data is primarily processed in the United States. Where DealDesk transfers Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision under Data Protection Law, DealDesk relies on an appropriate transfer mechanism, including, where applicable, the EU Standard Contractual Clauses (Module 2: Controller-to-Processor and Module 3: Processor-to-Processor), the UK International Data Transfer Addendum, and the Swiss Federal Data Protection and Information Commissioner’s adopted SCCs, which are incorporated by reference and shall apply with the following deemed selections: the optional docking clause applies; Clause 9 Option 2 (general written authorization for sub-processors with 30-day notice); Clause 17 Option 1 with the law of Ireland; Clause 18(b) the courts of Ireland.

If DealDesk receives a request from a Data Subject relating to Personal Data processed on Customer’s behalf, DealDesk will, where permitted by law, refer the Data Subject to Customer and notify Customer without undue delay.

Taking into account the nature of the processing, DealDesk will provide reasonable assistance to Customer (through self-service tools where available, otherwise on request) in fulfilling Customer’s obligations to respond to Data Subject rights requests under Data Protection Law, and in conducting Data Protection Impact Assessments and consultations with supervisory authorities.

DealDesk will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of a Personal Data Breach affecting Customer’s Personal Data. The notification will, to the extent available, describe the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach. DealDesk will reasonably cooperate with Customer to mitigate harm and meet any notification obligations Customer owes under Data Protection Law.

Customer’s audit rights are satisfied through DealDesk’s provision of, on request and subject to confidentiality: (a) responses to reasonable written security questionnaires once per twelve-month period; (b) summary security documentation for the application and infrastructure; and (c) any current Subprocessor audit reports (e.g., SOC 2 Type II, ISO 27001) DealDesk has obtained. Where Data Protection Law requires more, the parties will agree in good faith on the scope, timing, and cost of an on-site or remote audit, conducted no more than once per twelve-month period absent a Personal Data Breach.

During the term of the Agreement, Customer can export its Customer Data through self-service tools in the product (including PDF, CSV, and JSON exports). On termination or expiration of the Agreement, Customer may request export of its remaining Customer Data within 30 days. After that window, DealDesk will delete Customer Data from active production systems within 30 days, and from rolling backups within ninety (90) days, except where retention is required by law or for the establishment, exercise, or defense of legal claims, in which case the data will be isolated and protected from further processing until deletion is possible.

Each party’s liability arising out of or relating to this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits liability that cannot be limited under applicable law (for example, certain Data Subject claims under GDPR).

This DPA takes effect when Customer accepts the Agreement (or, if signed separately, on the date of countersignature) and remains in effect until the Agreement terminates and all Personal Data has been returned or deleted under Section 12. In the event of a conflict between this DPA and the Agreement on a data-protection matter, this DPA controls. Where the EU SCCs apply, they prevail over any conflicting term in this DPA or the Agreement. Otherwise, this DPA is governed by the same law and venue as the Agreement.

Privacy or data-protection inquiries, breach reports, and requests for a counter-signed DPA: email andrewbframe@gmail.com. DealDesk is operated by Andrew Frame as a sole proprietorship based in California, United States.