Data Processing Addendum
This Data Processing Addendum ("DPA") is entered into between Charcom (operated by [OPERATOR LEGAL NAME] as a sole proprietorship in Ontario, Canada — the "Processor") and the Subscriber (the "Controller") for the processing of personal information collected via the Subscriber's Tenant Site (including Lead Data) and any other personal information of End Users that Charcom processes on the Subscriber's behalf. This DPA is incorporated by reference into the Terms of Service and applies automatically to every Subscriber.
1. Subject matter, duration, nature and purpose
- Subject matter — the operation of the Charcom multi-tenant realtor-website platform.
- Duration — for the duration of the Subscriber's subscription, plus the retention windows described in the Privacy Policy.
- Nature of processing — collection, storage, transmission, transformation (e.g., resizing images, formatting text), display, access control, and deletion.
- Purpose of processing — to render the Tenant Site, capture and surface leads, deliver email notifications, run booking flows, host content, and provide related Service functionality.
2. Types of data
- Identifiers (name, email, phone)
- Contact details and address (where provided)
- Inquiry text and metadata (timestamps, source page, UTM parameters)
- Booking and showing-request details
- Optional uploaded attachments
3. Categories of data subjects
- End Users of the Tenant Site (prospects, leads, current and former clients, members of the public)
- Subscribers' staff (where the Subscriber adds team members in future feature releases)
4. Processor obligations
Charcom shall:
- (a) Process personal information only on the documented instructions of the Controller, including with regard to international transfers, except where required to do so by law (in which case Charcom will inform the Controller before processing, unless prohibited from doing so).
- (b) Ensure that personnel authorized to process the data are bound by confidentiality.
- (c) Implement appropriate technical and organizational security measures, including TLS in transit, encryption at rest via Supabase, Row-Level Security tenant isolation, principle of least privilege for staff access, audit logging, and regular security reviews.
- (d) Assist the Controller in responding to data-subject requests (access, correction, deletion, portability) within reasonable timeframes.
- (e) Notify the Controller within 72 hours of becoming aware of a personal-information breach affecting that Controller's data.
- (f) Make available to the Controller all information necessary to demonstrate compliance with this DPA, subject to confidentiality protections.
5. Sub-processors
The Subscriber authorizes Charcom to engage the sub-processors listed in the Privacy Policy and at /legal/sub-processors. Charcom shall:
- (a) Maintain a current list of sub-processors;
- (b) Provide at least 30 days' written notice of any new or replacement sub-processor;
- (c) Allow the Controller a reasonable period to object to a new sub-processor on legitimate grounds. If Charcom and the Controller cannot resolve the objection, the Controller may terminate the Service and receive a pro-rata refund of unused prepaid amounts.
6. International transfers
The Subscriber acknowledges that personal information processed under this DPA may be transferred to and processed in the United States and other jurisdictions outside Canada by sub-processors listed above. Charcom relies on the contractual safeguards offered by each sub-processor, including the EU Standard Contractual Clauses where applicable, and on the adequacy of those providers' privacy programs.
7. Audit rights
The Controller may, upon at least 30 days' written notice and no more than once per calendar year (except where required by a regulator or following a confirmed breach), audit Charcom's compliance with this DPA. Audits shall be conducted at the Controller's cost, during normal business hours, in a manner that does not materially disrupt Charcom's operations, and subject to confidentiality. Charcom may satisfy audit requests by providing a SOC 2, ISO 27001, or equivalent third-party report once available.
8. Return or deletion of data
Upon termination of the Service, Charcom shall, at the Controller's choice and reasonable request:
- (a) Export the Controller's data via the tools provided in the dashboard; and/or
- (b) Delete the Controller's data within 90 days following termination (subject to retention windows for backups and legal records as described in the Privacy Policy).
9. Liability
Liability under this DPA is subject to the same limitations of liability set out in the Terms of Service, Section 14. The Controller and Processor agree that the cap and exclusions in the Terms of Service apply equally to claims arising under this DPA.
10. Conflict
In the event of any conflict between this DPA and the Terms of Service with respect to data processing, this DPA controls.
11. Contact
- Privacy and DPA matters: [PRIVACY_EMAIL]
- Legal matters: [LEGAL_EMAIL]