This Data Processing Agreement ("DPA") forms part of the agreement between ZSR Ventures, LLC ("Processor,"
"we," or "us") and the entity or individual subscribing to the Service ("Controller," "you," or "Customer")
for the provision of the Underwriting Analyst platform (the "Service"), as described in our
Terms of Service.
This DPA applies only where, and to the extent that, the Processor processes Personal Data on behalf of the
Controller in the course of providing the Service, and that Personal Data is subject to applicable data
protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California
Consumer Privacy Act ("CCPA"), and other applicable privacy regulations.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope & Roles
The Controller determines the purposes and means of processing Personal Data through the Service. The
Processor processes Personal Data only on behalf of and in accordance with the documented instructions of
the Controller. For the purposes of this DPA:
- Subject matter: Provision of the Underwriting Analyst platform, including AI-powered analysis, property management, accounting, tenant portal, fund administration, and payroll features.
- Duration: Processing continues for the duration of the Controller's subscription to the Service, plus any data retention period specified in our Privacy Policy.
- Nature and purpose: Storage, organization, retrieval, AI-powered analysis, and presentation of data entered by the Controller and its authorized users.
- Categories of Data Subjects: The Controller's employees, tenants, investors, vendors, and other individuals whose data the Controller enters into the Service.
- Types of Personal Data: Names, email addresses, mailing addresses, phone numbers, tax identification numbers, Social Security numbers, financial account information, lease details, employment and payroll data, and investment records, as determined by the Controller's use of the Service.
3. Controller Obligations
The Controller shall:
- Ensure that it has a lawful basis to transfer Personal Data to the Processor for processing in accordance with this DPA.
- Provide all necessary notices to, and obtain all necessary consents from, Data Subjects as required by applicable law.
- Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.
- Comply with all applicable data protection laws in its use of the Service and its instructions to the Processor.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country, unless required by applicable law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, as described in Section 5.
- Assist the Controller in responding to Data Subject requests to exercise their rights under applicable data protection law.
- Assist the Controller in ensuring compliance with obligations related to security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultation with supervisory authorities.
- At the choice of the Controller, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Controller provides general authorization for the Processor to engage sub-processors. The following
sub-processors are currently engaged:
- Microsoft Azure (Microsoft Corporation) — Cloud infrastructure, data storage, and hosting. Data location: United States.
- Anthropic (Anthropic, PBC) — AI model provider for document analysis, underwriting reports, and AI chat features. Data location: United States.
- Stripe (Stripe, Inc.) — Payment processing for subscriptions and tenant payments. Data location: United States.
The Processor shall notify the Controller of any intended changes concerning the addition or replacement of
sub-processors at least fourteen (14) days in advance, giving the Controller the opportunity to object. If the
Controller objects on reasonable grounds relating to data protection, the parties shall discuss the matter in
good faith. If no resolution is reached, the Controller may terminate the affected portion of the Service.
The Processor shall impose data protection obligations on any sub-processor that are no less protective than
those set out in this DPA by way of a written contract.
6. Security Measures
The Processor has implemented and shall maintain appropriate technical and organizational measures to protect
Personal Data, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Azure Storage Service Encryption).
- Access controls: Role-based access controls, multi-tenant data isolation, and least-privilege access for personnel.
- Authentication: Secure password hashing, optional multi-factor authentication, and account lockout protections.
- Secrets management: Encryption keys and API credentials managed through Azure Key Vault; no credentials stored in application configuration files.
- Audit logging: Comprehensive audit trail of data access and modifications maintained in a dedicated audit database.
- Incident response: Documented incident response procedures, including breach detection, containment, and notification processes.
- Business continuity: Regular database backups and disaster recovery procedures.
7. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours,
after becoming aware of a Personal Data Breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected.
- The name and contact details of the Processor's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to requests from Data Subjects
exercising their rights under applicable data protection law, including the right of access, rectification,
erasure, restriction of processing, data portability, and the right to object. The Processor shall promptly
notify the Controller if it receives a request from a Data Subject directly, and shall not respond to such
request without the Controller's prior written consent unless required by applicable law.
9. International Data Transfers
The Service is hosted in the United States. If the Controller is located outside the United States or transfers
Personal Data of Data Subjects located in the European Economic Area, United Kingdom, or Switzerland, the
parties agree that such transfer shall be governed by the Standard Contractual Clauses (Module Two:
Controller to Processor) adopted by the European Commission, which are incorporated by reference into this DPA.
The Controller may request a copy of the applicable Standard Contractual Clauses by contacting us.
10. Audits
The Processor shall make available to the Controller all information reasonably necessary to demonstrate
compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the
Controller or an auditor mandated by the Controller. Such audits shall be conducted with reasonable advance
notice (at least thirty (30) days), during normal business hours, and shall not unreasonably interfere with
the Processor's business operations. The Controller shall bear the costs of any audit it initiates.
11. Term & Termination
This DPA shall remain in effect for the duration of the Controller's subscription to the Service. Upon
termination of the Service agreement, the Processor shall, at the Controller's choice, delete or return all
Personal Data within thirty (30) days, unless applicable law requires continued storage. The Processor shall
certify deletion upon the Controller's request.
12. Limitation of Liability
The total liability of each party under this DPA shall be subject to the limitations of liability set forth
in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of its obligations
under applicable data protection law to the extent such limitation is not permitted by law.
13. Contact Information
For questions about this DPA, to request execution of a DPA for your organization, or to report a data
protection concern, please contact us at:
ZSR Ventures, LLC
Email: [email protected]