Data Processing Agreement
Last updated: Version 1.2 · June 26, 20261. Purpose and Scope
This Data Processing Agreement ("DPA") supplements and is incorporated into the Master Service Agreement ("MSA") between Resolve Concierge LLC, an Arizona limited liability company ("Provider" / "Processor") and the integration company ("Client" / "Controller"). It governs how Provider processes personal data on behalf of Client in connection with the Resolve platform ("Platform").
This DPA is intended to satisfy the data processing agreement requirements of applicable data protection laws including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and substantially similar state and national privacy laws.
This DPA applies only to the extent Provider processes Personal Data on Client's behalf that is subject to applicable data protection law, and only for the duration of and in connection with the MSA. Provider's obligations under this DPA are commensurate with the nature and scale of the Platform and a small-business provider.
2. Definitions
- Personal Data: Any information that identifies or can identify a natural person, as defined under applicable data protection law.
- Data Subject: The natural person whose Personal Data is being processed — in this context, Client's end users (homeowners).
- Controller: The party that determines the purposes and means of processing Personal Data (Client).
- Processor: The party that processes Personal Data on behalf of the Controller (Provider).
- Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- Sub-processor: A third party engaged by Provider to process Personal Data in connection with delivering the Platform.
- Security Incident: Any unauthorized access, disclosure, alteration, or destruction of Personal Data.
3. Roles of the Parties
Client as Controller: Client determines why and how Personal Data about its End Users is collected and used. Client is responsible for ensuring it has a lawful basis for sharing End User data with Provider and for providing End Users with appropriate privacy disclosures.
Provider as Processor: Provider processes Personal Data only as instructed by Client (through configuration of the Platform) and as necessary to deliver the Platform services. Provider does not sell, rent, or use Personal Data for its own marketing purposes.
Client Data Accuracy and Configuration: Client is solely responsible for the accuracy, completeness, appropriateness, and lawfulness of all Personal Data and content it uploads, enters, or configures within the Platform. This includes but is not limited to: residence profiles, device configurations, uploaded documents, service notes, End User-to-residence assignments, and document scope classifications (company-wide vs. residence-specific). Any data exposure, privacy incident, or harm to Data Subjects resulting from Client's misconfiguration — such as uploading confidential documents to an incorrect scope, assigning End Users to wrong residences, or providing inaccurate device or home data — is solely Client's responsibility as Controller. Provider processes data as configured by Client and bears no liability for outcomes resulting from Client's data entry, categorization, or configuration decisions.
4. Details of Processing
Categories of Data Subjects
Residential end users (homeowners and household members) of Client's smart home integration services.
Categories of Personal Data
- Account identifiers: name, email address, phone number
- Residence information: address, property details, room layouts
- Device and system inventory: device names, models, configurations, installation notes
- Conversation content: chat messages, support inquiries, troubleshooting history
- Photos and media: images uploaded during support sessions (home interiors, equipment)
- Usage data: session timestamps, feature usage, escalation records
- Service history: technician notes, maintenance records
Purposes of Processing
- Providing AI-powered support responses to End User inquiries
- Routing and managing escalations to Client's support team
- Storing and retrieving device configurations and home context for AI responses
- Generating service reports and usage analytics for Client
- Improving service quality (aggregated, de-identified analytics only)
Duration
Personal Data is processed for the duration of the MSA. Upon termination, data is retained for up to 30 days during the export window, then permanently deleted per Section 9 below.
5. Provider Obligations
Provider agrees to:
- Process Personal Data only on documented instructions from Client (i.e., the configuration and use of the Platform), except where required by applicable law
- Ensure personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
- Implement and maintain the technical and organizational security measures described in Section 7
- Not transfer Personal Data outside the Client's country of operation except as described in Section 8
- Assist Client in responding to Data Subject rights requests as described in Section 6
- Notify Client of Security Incidents as described in Section 10
- Delete or return Personal Data upon termination per Section 9
- Make available, on reasonable request, information reasonably necessary to demonstrate compliance with this DPA, subject to the limits in Section 13
6. Data Subject Rights
If Provider receives a request from an End User exercising their rights (access, rectification, erasure, portability, restriction of processing, or objection), Provider will promptly forward the request to Client. Provider will assist Client with fulfilling such requests to the extent technically feasible within the Platform.
Client is responsible for responding to Data Subject rights requests. Provider will provide reasonable assistance, to the extent technically feasible within the Platform, within a reasonable period following Client's written instruction. Provider may charge for assistance that requires more than minimal effort.
7. Security Measures
Provider implements and maintains commercially reasonable technical and organizational security measures designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These measures currently include, but are not limited to, the following. Provider reserves the right to modify, update, or replace specific security measures as technology, threats, and industry best practices evolve, provided that the overall level of data protection is not materially diminished:
Access Control
- All data is access-controlled by company tenant ID — no cross-tenant data access is possible
- Row-Level Security (RLS) is enforced at the database layer on all tables
- Storage buckets are private — files require authenticated, tenant-scoped access
- Admin accounts support multi-factor authentication (TOTP)
- API routes require valid session tokens; sensitive administrative actions are logged
Data in Transit and at Rest
- All data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted using AES-256 (managed by Supabase/AWS)
- Storage objects (photos, documents) use private, signed URLs with time-limited expiry
Operational Security
- Rate limiting applied to all API endpoints and authentication flows
- Audit logging of administrative actions (document uploads, escalations, configuration changes)
- SSRF protections on webhook integrations
- Content Security Policy headers on all web responses
8. Sub-processors
Client authorizes Provider to engage the following sub-processors to deliver the Platform. Provider will give Client at least 30 days' prior written notice (by email and/or by updating this page) before authorizing any new sub-processor that will process Personal Data. Client may object in writing within that period on reasonable, good-faith data-protection grounds; the parties will work in good faith to resolve the concern, and if they cannot, Client's sole remedy is to terminate the affected services without penalty for the unused, prepaid portion of the term. If Client does not object within the notice period, the new sub-processor is deemed authorized.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, storage | USA (AWS us-east-1) |
| Vercel, Inc. | Application hosting and edge delivery | USA / Global CDN |
| OpenRouter, Inc. | AI model API routing | USA |
| Google LLC (Gemini) | AI language model (text, vision) and text embeddings | USA / Global |
| Resend, Inc. | Transactional email delivery | USA |
| Domotz, Inc. | Live device / network monitoring (only when configured by Client) | USA / EU |
Chat messages and support content are transmitted to AI sub-processors for processing. Provider does not send full End User profiles or system inventory to AI services — only the relevant context needed to answer each support query.
AI Provider Data Practices: AI sub-processors receive data through their commercial API services. Based on AI sub-processors' published API terms as of the date of this DPA, such terms generally state that API data is not used for model training. However, Provider does not control and cannot guarantee the data handling, retention, or training practices of AI sub-processors beyond their published policies. Client acknowledges that AI sub-processor terms may change over time and that Provider's obligation is limited to selecting sub-processors with commercially reasonable data handling practices and notifying Client of material changes to the sub-processor list. Provider is not liable for changes to AI sub-processor policies or data handling practices that occur after engagement.
Optional voice feature: The voice feature is disabled by default. If Client chooses to enable it, voice audio is additionally processed by third-party speech-to-text and text-to-speech providers solely to transcribe and voice the conversation; Provider will identify those providers on request. No voice audio is processed while the feature is off.
9. Data Deletion and Return
Upon termination or expiration of the MSA, Provider will:
- Make Client Content (device configurations, documents, conversation history) available for export via the administrative dashboard for 30 days following the termination date
- Permanently delete Personal Data from the Platform's active systems within 30 days of the termination date, except for residual copies that are not readily accessible or are pending routine deletion in the ordinary course
- Delete data from backups within 90 days (consistent with standard backup rotation schedules)
- Provide written confirmation of deletion upon Client's request
Provider may retain Personal Data beyond these periods only where required by applicable law, and only to the minimum extent required.
10. Security Incident Notification
In the event of a Security Incident affecting Personal Data, Provider will:
- Notify Client without undue delay after becoming aware of the incident, and use reasonable efforts to do so within 72 hours
- Provide available information about the nature of the incident, the categories and approximate number of Data Subjects affected, and the likely consequences
- Describe the measures taken or proposed to address the incident and mitigate its effects
- Cooperate with Client in any required regulatory notification or Data Subject communication
Notification to Client does not constitute an acknowledgment of fault or liability. Client is responsible for any regulatory notifications required by applicable law in its jurisdiction.
11. International Data Transfers
The Platform is hosted in the United States. If Client is located in the European Economic Area, the United Kingdom, or another jurisdiction with data transfer restrictions, Client acknowledges that Personal Data will be transferred to and processed in the United States.
Provider relies on appropriate safeguards for such transfers, including:
- Standard Contractual Clauses ("SCCs") as published by the European Commission (available upon request)
- The UK International Data Transfer Agreement ("IDTA") (available upon request)
To request a copy of the applicable transfer mechanism, contact legal@resolveconcierge.com.
12. CCPA Service Provider Terms
To the extent Provider processes Personal Data of California residents on Client's behalf, Provider acts as a "Service Provider" under the CCPA. Provider agrees to:
- Not sell or share Personal Data for cross-context behavioral advertising
- Not retain, use, or disclose Personal Data for any purpose other than providing the Platform services specified in the MSA
- Comply with applicable sections of the CCPA and assist Client in responding to Consumer rights requests
13. Audit Rights
No more than once in any twelve (12) month period, and upon at least 30 days' written notice, Provider will respond to a reasonable written security questionnaire or provide reasonable written documentation describing its security measures, under confidentiality (NDA) and at Client's expense.
The written questionnaire/documentation process above is the primary audit mechanism. Provider does not provide penetration testing, direct access to Provider's production systems, or third-party audit reports (such as SOC 2), and may satisfy a request by directing Client to its published Security overview. Where an on-site inspection is strictly required by applicable data protection law (including Article 28(3)(h) GDPR / UK GDPR) and the documentation provided does not reasonably satisfy that requirement, Provider will permit, no more than once in any twelve (12) month period, a focused inspection limited to the matters legally required, during normal business hours, on at least 30 days' prior written notice, by Client or an independent third-party auditor (not a Provider competitor) bound by confidentiality, at Client's sole expense, and subject to reasonable scope and security conditions that protect other customers' data. An expanded audit right is otherwise available only under a separate enterprise agreement.
14. Liability
Each party's obligations and aggregate liability under this DPA are subject to, and count toward, the limitations, exclusions, and caps on liability set out in the MSA. Nothing in this DPA increases or expands Provider's liability beyond what is stated in the MSA. In the event of any conflict between this DPA and the MSA regarding liability, the MSA controls.
Data protection questions? Contact our Data Protection team at legal@resolveconcierge.com