Data Processing Agreement

Last Updated: October 22, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between MaintainRentals and its customers regarding the processing of personal data.

1. Definitions

  • Controller: The customer who determines the purposes and means of processing
  • Processor: MaintainRentals, processing data on behalf of the Controller
  • Data Subject: The individual whose personal data is being processed
  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data
  • Supervisory Authority: Independent public authority responsible for data protection
  • Sub-processor: Third party engaged by MaintainRentals to process data
  • Data Breach: Breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure

2. Roles and Responsibilities

Controller Responsibilities
  • Determine the purposes and means of processing personal data
  • Provide clear instructions for data processing
  • Obtain and maintain valid consent where required
  • Ensure legal basis for processing exists
  • Notify data subjects of processing activities
Processor Responsibilities
  • Process data only according to Controller's documented instructions
  • Implement appropriate technical and organizational security measures
  • Assist Controller in fulfilling data subject rights requests
  • Notify Controller of data breaches without undue delay
  • Provide information necessary to demonstrate compliance

3. Categories of Personal Data

The following categories of personal data may be processed under this DPA:

Property Owner Data
  • Contact information (name, email, phone, address)
  • Financial information (banking details, payment history)
  • Property ownership and management data
  • Contract and agreement information
Tenant Data
  • Personal details (name, contact information, date of birth)
  • Identification documents and references
  • Lease and occupancy information
  • Rental payment and financial history
Sensitive Data
  • Special categories of data as defined by GDPR Article 9
  • Additional protections and safeguards apply

4. Processing Activities

Personal data is processed for the following purposes:

  • Property Management: Managing rental properties and tenant relationships
  • Payment Processing: Collecting and processing rent payments
  • Maintenance Coordination: Scheduling and tracking property maintenance
  • Communication: Sending notifications and lease documents
  • Reporting: Generating financial and occupancy reports
  • Document Management: Storing and managing lease agreements
  • Security: Fraud prevention and account protection
  • Legal Compliance: Meeting regulatory requirements

5. International Data Transfers

Personal data may be transferred internationally subject to appropriate safeguards:

Transfer Mechanisms
  • Standard Contractual Clauses: EU-approved model clauses
  • Adequacy Decisions: Countries deemed adequate by EU Commission
  • Binding Corporate Rules: For intra-group transfers
  • Certification Schemes: Approved certification mechanisms
Transfer Locations
  • Primary: United States (with appropriate safeguards)
  • Cloud Services: AWS, Google Cloud, Microsoft Azure
  • Backup: Geographically distributed data centers

6. Security Measures

MaintainRentals implements comprehensive security measures to protect personal data:

Technical Measures
  • Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Access Controls: Role-based access with principle of least privilege
  • Authentication: Multi-factor authentication for administrative access
  • Network Security: Firewalls, intrusion detection, and DDoS protection
Organizational Measures
  • Staff Training: Regular security awareness and data protection training
  • Regular Audits: Annual security audits and penetration testing
  • Incident Response: Documented procedures for security incidents
  • Business Continuity: Backup and disaster recovery procedures
Compliance Certifications
  • SOC 2 Type II: Security, availability, and confidentiality controls
  • ISO 27001: Information security management systems
  • PIPEDA Compliance: Personal Information Protection and Electronic Documents Act
  • Canadian Privacy Standards: Office of the Privacy Commissioner guidelines

7. Data Subject Rights

MaintainRentals will assist Controllers in fulfilling data subject rights requests:

Rights Supported
  • Access: Provide copies of personal data being processed
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Delete personal data (right to be forgotten)
  • Restriction: Limit processing of personal data
  • Portability: Provide data in structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
Response Times
  • Acknowledgment: Within 5 business days of receipt
  • Substantive Response: Within 30 days (may be extended for complex requests)
  • Urgent Issues: Prioritized response for data breaches or legal requirements

8. Data Breach Notification

In the event of a data breach, MaintainRentals will:

Notification Timeline
  • Internal Detection: Notify internal team within 2 hours of discovery
  • Controller Notification: Notify Controller within 24 hours of breach confirmation
  • Supervisory Authority: Notify relevant authority within 72 hours where required
  • Data Subjects: Notify affected individuals without undue delay where required
Notification Contents
  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Categories and approximate volume of personal data affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact information for further inquiries

9. Sub-Processors

MaintainRentals may engage the following categories of sub-processors:

Current Sub-Processors
  • Cloud Infrastructure: AWS, Google Cloud Platform, Microsoft Azure
  • Payment Processing: Stripe, PayPal, Square
  • Email Services: SendGrid, Mailgun, Amazon SES
  • Document Services: DocuSign, HelloSign, Adobe Sign
  • Analytics: Google Analytics, Mixpanel, Segment
  • Customer Support: Intercom, Zendesk, Help Scout
Sub-Processor Changes
  • Controller will be notified of new sub-processors via email
  • 30-day notice period for new sub-processors
  • Controller may object to new sub-processors within the notice period

10. Governing Law and Jurisdiction

This DPA is governed by the same law as the main agreement between the parties. For EU data subjects, GDPR applies to the processing of personal data.

Dispute Resolution
  • Parties will attempt to resolve disputes amicably
  • Mediation or arbitration may be used for unresolved disputes
  • Courts of competent jurisdiction for legal proceedings

11. Term and Termination

This DPA remains in effect until:

  • Termination of the main service agreement
  • Written agreement by both parties
  • Material breach that is not remedied within 30 days
Post-Termination Obligations
  • Return or delete all personal data upon termination
  • Provide written confirmation of data deletion
  • Retain data for legal compliance if required

12. Contact Information

For questions about this DPA or data processing activities, please contact:

Data Protection Officer

dpo@maintainrentals.com

Privacy Team

privacy@maintainrentals.com

Supervisory Authority: For complaints, you may contact your local data protection authority.

This Data Processing Agreement is effective as of October 22, 2025 and forms part of the Terms of Service.