Back to Legal Dashboard

Dpa

Homeland Development Services LLC

Data Processing Addendum (DPA)

Homeland Development Services LLC

Service Dashboard Data Processing Addendum

Effective Date: January 15, 2026

Version: 1.0

This Data Processing Addendum ("DPA") is entered into between Homeland Development Services LLC ("HDS," "Processor," "we") and the Customer ("Controller," "you") and supplements the End-User License Agreement ("Agreement") between the parties.

---

§ 1. Definitions

1.1 Data Protection Terms

In this DPA:

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including:

  • California Consumer Privacy Act (CCPA)
  • California Privacy Rights Act (CPRA)
  • General Data Protection Regulation (GDPR)
  • Other applicable U.S. state privacy laws
  • Any successor or amending legislation

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Personal Data" means any information relating to a Data Subject that is processed by HDS as part of the Services.

"Process" or "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, modification, or deletion.

"Sub-Processor" means any third party engaged by HDS to process Personal Data on behalf of Customer.

"Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

1.2 Role Definitions

"Controller" means the entity that determines the purposes and means of Processing Personal Data (Customer).

"Processor" means the entity that Processes Personal Data on behalf of the Controller (HDS).

---

§ 2. Scope and Purpose

2.1 Scope of Processing

This DPA applies to all Processing of Personal Data by HDS on behalf of Customer in connection with the Services.

2.2 Categories of Data Subjects

Personal Data processed under this DPA may relate to:

  • Customer's employees and contractors
  • Customer's tenants and their personnel
  • Customer's vendors and their representatives
  • Customer's clients and end-users
  • Any other individuals whose data Customer submits to the Services

2.3 Categories of Personal Data

Categories of Personal Data processed may include:

  • Contact information (names, email addresses, phone numbers)
  • Employment information (job titles, departments, roles)
  • Facility information (store locations, addresses)
  • Work order details (descriptions, notes, attachments)
  • Financial data (invoices, payment information)
  • System usage data (login history, access logs)
  • Any other Personal Data submitted by Customer

2.4 Processing Purposes

HDS processes Personal Data solely for the purposes of:

  • Providing the Services as described in the Agreement
  • Maintaining and improving the Services
  • Providing technical support
  • Complying with legal obligations
  • Generating anonymized analytics (as permitted by the Agreement)

---

§ 3. Controller Obligations

3.1 Lawful Basis

Customer warrants that it has a lawful basis under applicable Data Protection Laws for Processing Personal Data and for instructing HDS to Process such data.

3.2 Data Subject Rights

Customer is responsible for responding to Data Subject requests regarding their Personal Data. HDS will assist Customer in fulfilling such requests as described in Section 6.

3.3 Instructions

Customer shall provide documented instructions to HDS regarding the Processing of Personal Data. The Agreement constitutes Customer's initial instructions.

3.4 Accuracy

Customer is responsible for ensuring the accuracy and completeness of Personal Data submitted to the Services.

---

§ 4. Processor Obligations

4.1 Processing Instructions

HDS shall Process Personal Data only:

  • In accordance with Customer's documented instructions
  • As necessary to perform the Services under the Agreement
  • As required by applicable law

If HDS believes an instruction infringes Data Protection Laws, HDS will promptly notify Customer.

4.2 Confidentiality

HDS ensures that persons authorized to Process Personal Data:

  • Have committed to confidentiality obligations
  • Receive appropriate training on data protection requirements
  • Process Personal Data only as instructed

4.3 Security Measures

HDS implements appropriate technical and organizational measures to protect Personal Data, including those described in Schedule A to this DPA.

4.4 Sub-Processing

HDS shall:

  • Not engage Sub-Processors without Customer's prior authorization
  • Maintain an up-to-date list of Sub-Processors
  • Ensure Sub-Processors are bound by data protection obligations at least as protective as this DPA
  • Remain liable for Sub-Processor compliance

4.5 Assistance

HDS shall provide reasonable assistance to Customer in:

  • Responding to Data Subject requests
  • Conducting data protection impact assessments
  • Consulting with supervisory authorities
  • Ensuring compliance with security obligations

4.6 Deletion and Return

Upon termination of the Services:

  • Customer may export Personal Data within 60 days
  • HDS will delete Personal Data within 30 days after the export period
  • HDS may retain data as required by law, with continued protection

---

§ 5. Security Measures

5.1 Technical Measures

HDS implements the following technical security measures:

  • Encryption in Transit: TLS 1.2 or higher for all data transmission
  • Encryption at Rest: AES-256 encryption for stored data
  • Access Controls: Role-based access with least-privilege principles
  • Authentication: Multi-factor authentication for administrative access
  • Logging: Comprehensive audit logging of data access and modifications
  • Backups: Daily encrypted backups with geographic redundancy

5.2 Organizational Measures

HDS implements the following organizational security measures:

  • Security awareness training for all personnel
  • Background checks for employees with data access
  • Documented security policies and procedures
  • Regular security assessments and audits
  • Incident response procedures

5.3 Physical Security

Data is hosted on infrastructure with:

  • Physical access controls
  • 24/7 monitoring and surveillance
  • Environmental controls (fire suppression, climate control)
  • Redundant power supplies

---

§ 6. Data Subject Requests

6.1 Request Handling

If HDS receives a request from a Data Subject regarding their Personal Data, HDS will:

  • Promptly notify Customer (within 5 business days)
  • Not respond directly to the Data Subject unless authorized by Customer
  • Provide reasonable assistance to Customer in responding

6.2 Customer Access

HDS provides Customer with self-service tools to:

  • Access Personal Data stored in the Services
  • Correct inaccurate Personal Data
  • Delete Personal Data (subject to legal retention requirements)
  • Export Personal Data in a portable format

6.3 Costs

Reasonable assistance with Data Subject requests is included in the Services. HDS may charge reasonable fees for assistance exceeding normal support scope.

---

§ 7. Security Incidents

7.1 Notification

HDS will notify Customer of any Security Incident without undue delay and in no event later than 72 hours after becoming aware of the incident.

7.2 Notification Content

Security Incident notifications will include, to the extent known:

  • Description of the nature of the Security Incident
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of Personal Data records affected
  • Contact point for further information
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the incident

7.3 Cooperation

HDS will cooperate with Customer's investigation of any Security Incident and provide reasonable assistance in:

  • Assessing the impact of the incident
  • Fulfilling Customer's notification obligations
  • Implementing remediation measures

7.4 Documentation

HDS will document all Security Incidents, including facts, effects, and remedial actions taken.

---

§ 8. Sub-Processors

8.1 Current Sub-Processors

Customer authorizes HDS to use the Sub-Processors listed in Schedule B to this DPA.

8.2 Sub-Processor Changes

HDS will provide Customer with 14 days advance notice before engaging a new Sub-Processor, via email to designated contacts.

8.3 Objection Right

Customer may object to a new Sub-Processor by notifying HDS within 14 days of the notice. Parties will work in good faith to resolve objections. If no resolution is reached, Customer may terminate the affected Services.

8.4 Sub-Processor Agreements

HDS ensures all Sub-Processors are bound by:

  • Confidentiality obligations
  • Data protection requirements at least as protective as this DPA
  • Appropriate security measures

---

§ 9. International Data Transfers

9.1 Transfer Mechanisms

If Personal Data is transferred outside the jurisdiction where it was collected, HDS ensures appropriate safeguards are in place, which may include:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules
  • Other approved transfer mechanisms

9.2 U.S. Data Hosting

The primary Services are hosted within the United States. Customer acknowledges and consents to Processing within the U.S.

9.3 GDPR Transfers

For Personal Data subject to GDPR transferred from the European Economic Area:

  • HDS relies on Standard Contractual Clauses (Module 2: Controller to Processor)
  • Additional safeguards as required by supervisory authority guidance

---

§ 10. Audits and Compliance

10.1 Documentation

HDS will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA.

10.2 Third-Party Audits

HDS undergoes periodic third-party security audits and assessments. Summaries of audit results are available upon request under NDA.

10.3 Customer Audits

Upon reasonable request and subject to confidentiality obligations, Customer may:

  • Request additional compliance documentation
  • Conduct or commission audits of HDS's Processing activities
  • Audits shall be conducted during normal business hours with reasonable advance notice

10.4 Audit Costs

Customer bears the costs of audits it initiates. HDS may charge reasonable fees for time spent assisting with audits exceeding normal support scope.

---

§ 11. Duration and Termination

11.1 Duration

This DPA remains in effect for the duration of the Agreement.

11.2 Survival

Obligations regarding confidentiality, data deletion, and provisions that by their nature should survive, shall survive termination of this DPA.

11.3 Post-Termination Processing

After termination:

  • HDS will continue to comply with this DPA for any retained Personal Data
  • Retention is limited to legal requirements and pending obligations
  • HDS will securely delete Personal Data when retention is no longer required

---

§ 12. Liability

12.1 Agreement Terms

The liability provisions of the Agreement apply to this DPA.

12.2 Sub-Processor Liability

HDS is liable for the acts and omissions of its Sub-Processors as if they were HDS's own acts and omissions.

---

§ 13. Contact Information

Data Protection Inquiries

Email: privacy@hdsok.com

Security Incidents

Email: security@hdsok.com

Phone: (405) 555-0123 (after-hours emergency line available)

DPA Requests

Email: legal@hdsok.com

---

§ Schedule A: Technical and Organizational Security Measures

A.1 Access Control

  • Role-based access control (RBAC)
  • Unique user identifiers
  • Password complexity requirements
  • Multi-factor authentication for administrative access
  • Automatic session timeout

A.2 Data Encryption

  • TLS 1.2+ for data in transit
  • AES-256 for data at rest
  • Encrypted backups

A.3 Network Security

  • Firewall protection
  • Intrusion detection systems
  • DDoS mitigation
  • Regular vulnerability scanning

A.4 Application Security

  • Secure development lifecycle (SDLC)
  • Code review processes
  • Security testing (SAST/DAST)
  • Dependency vulnerability monitoring

A.5 Operational Security

  • Centralized logging and monitoring
  • Security information and event management (SIEM)
  • Incident response procedures
  • Business continuity planning

A.6 Physical Security

  • Data center access controls
  • Environmental controls
  • 24/7 monitoring
  • Redundant infrastructure

A.7 Personnel Security

  • Background verification
  • Confidentiality agreements
  • Security awareness training
  • Access provisioning and de-provisioning procedures

---

§ Schedule B: Authorized Sub-Processors

| Sub-Processor | Purpose | Location |

|---------------|---------|----------|

| Supabase Inc. | Database hosting, storage, and authentication infrastructure | United States |

| Vercel Inc. | Application hosting and content delivery | United States (global CDN) |

| Clerk Inc. | User authentication and identity management | United States |

| Intuit Inc. (QuickBooks) | Financial data synchronization (when enabled by Customer) | United States |

| Postmark (Wildbit LLC) | Transactional email delivery | United States |

| Amazon Web Services | Infrastructure (as used by sub-processors) | United States |

Last Updated: January 15, 2026

---

This Data Processing Addendum is incorporated by reference into the End-User License Agreement. In case of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.

© 2026 Homeland Development Services LLC. All rights reserved.