LeaseLeads SaaS Data Processing Addendum

This Data Processing Addendum (“DPA”) addresses the processing and transfer of Client Data, including personal information of individual Data Subjects under Applicable Law and contracts, in connection with the Services provided by Company, and any third parties or Affiliates acting on Company’s, and Client (each a “Party” and collectively, “the Parties”) under any LeaseLeads-based agreement (“Agreement”). To the extent the terms of this DPA conflict with the Addendum with regard to the processing of Client Data, the terms of this DPA shall prevail.

LEASELEADS DATA PROCESSING OVERVIEW

This Data Processing Addendum, including its annexes, is entered into by and between LeaseLeads and Customer and applies where and to the extent LeaseLeads Processes Customer Personal Data on behalf of Customer in connection with the Services or Products purchased. Capitalized terms not defined in this DPA have the meanings given to them in the Agreement.

This Data Processing Addendum is entered into by and between LeaseLeads and Customer and becomes effective through an LeaseLeads “order” or “agreement” under which this DPA supplements and forms part of either of the activities. “Any” LeaseLeads Agreement between the parties governing Customer’s use of the Services.

Scope and relationship to the Addendum

Applicability. This DPA applies only to Customer Personal Data that LeaseLeads Processes as a Processor or Service Provider on behalf of Customer in connection with the Services.

Order of precedence. If there is a conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, this DPA controls solely for that subject matter. In all other respects, the Agreement controls.

Liability and commercial terms. Any liability arising out of or relating to this DPA, the Services, Product or LeaseLeads’ processing of Customer Personal Data is subject to the exclusions, disclaimers, remedies, and limitations of liability set forth in the Agreement. To the maximum extent permitted by law, LeaseLeads’ total aggregate liability arising out of or relating to this DPA and the Services will not exceed the fees paid or payable by Customer to LeaseLeads for the affected Services during (maximum) of two months preceding the event giving rise to the claim (or as stated in the agreement). LeaseLeads will not be liable for lost, delayed, duplicated, misrouted, crossed, incomplete, inaccurate, or undelivered leads, communications, applications, appointments, or other records, including any failure to transmit, receive, synchronize, or integrate data with Customer systems, property management software, customer relationship management platforms, telecommunications providers, or other third-party services. LeaseLeads does not guarantee any minimum number, quality, accuracy, completeness, conversion rate, leasing performance, or business value of leads generated through or interacting with the Services through the Product. 

Where the Product are provided through an embed, widget, script, iframe, or similar integration placed on a website not hosted, built, owned, or controlled by LeaseLeads, Customer remains solely responsible for the website’s design, content, traffic, accessibility, performance, functionality, placement and configuration of the embed, marketing activity, tracking, consent mechanisms, and overall user experience. LeaseLeads will not be liable for leads failing to submit, failing to reach Customer, performing below Customer expectations, or not being “on par” with prior or projected results where such outcome relates to the Customer-controlled website, website provider, advertising, traffic sources, embed placement, configuration, or other circumstances outside LeaseLeads’ reasonable control. 

LeaseLeads will also not be liable for downtime, service interruptions, data loss, server failures, infrastructure failures, unauthorized access, hacking, malware, denial-of-service attacks, or other security events caused by third parties, Customer systems, Customer credentials, Customer configurations, subprocessors, internet or telecommunications providers, or circumstances outside LeaseLeads’ reasonable control. In no event will LeaseLeads be liable for lost profits, lost revenue, lost leasing opportunities, loss of goodwill, business interruption, replacement services, or any indirect, incidental, special, exemplary, punitive, or consequential damages. This DPA does not expand either party’s liability beyond the liability expressly established in the Agreement. 

Definitions

For purposes of this DPA:

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a party, where “control” means ownership or control of more than fifty percent of the voting interests of the relevant entity.

“Applicable Data Protection Law” means a privacy or data-protection law that is legally applicable to LeaseLeads’ Processing of Customer Personal Data under the Agreement. The term does not include a law solely because Customer, a Customer affiliate, property owner, website visitor, or other third party is subject to that law, unless the law independently applies to LeaseLeads’ Processing or LeaseLeads expressly agrees in writing to comply with it. 

“Controller” means the entity that determines the purposes and means of Processing Personal Data, including equivalent concepts such as “business” where applicable.

“Customer Personal Data” means Personal Data Processed by LeaseLeads on behalf of Customer in connection with the Services, excluding Account Data and Service Usage Data to the extent LeaseLeads Processes those categories as an independent Controller.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates.

“Personal Data” means any information that is defined as personal data, personal information, personally identifiable information, or similar term under Applicable Data Protection Law.

“Process” or “Processing” means any operation performed on Personal Data, whether by automated means or not, including collection, storage, use, disclosure, analysis, transmission, deletion, or destruction.

“Processor” means the entity that Processes Personal Data on behalf of a Controller, including equivalent terms such as “service provider” or “contractor” where applicable.

“Security Incident” means a confirmed breach of LeaseLeads’ security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by LeaseLeads or its Subprocessors in connection with the Services. Security Incident does not include unsuccessful attempts or activities that do not materially compromise Customer Personal Data, such as unsuccessful login attempts, port scans, pings, malware blocked by controls, or denial-of-service attempts that do not result in unauthorized access.

“Services” means the LeaseLeads website platform, AI-powered virtual leasing assistant, leasing automation software, related integrations, implementation, support, and associated services provided under the Agreement.

“Subprocessor” means any third party engaged by LeaseLeads to Process Customer Personal Data on behalf of Customer in connection with the Services.

“U.S. Privacy Laws” means the subset of Applicable Data Protection Laws applicable to residents of the United States, including the CCPA/CPRA and analogous state privacy laws.

Capitalized terms not defined in this DPA have the meanings given in the Agreement.

Roles of the parties

Customer as Controller or upstream Processor. As between the parties, Customer acts as the Controller of Customer Personal Data, or as a Processor acting on behalf of another Controller with authority to appoint LeaseLeads as a downstream Processor or subprocessor.

LeaseLeads as Processor. LeaseLeads acts as a Processor with respect to Customer Personal Data subject to this DPA and will Process Customer Personal Data only on Customer’s documented instructions and as otherwise permitted by Applicable Data Protection Law.

LeaseLeads as independent Controller for certain data. This DPA does not apply to Personal Data that LeaseLeads Processes as an independent Controller, including:

  • account, billing, contract, and business-contact information relating to Customer personnel;
  • support and relationship-management information;
  • website visitor data collected on LeaseLeads’ own public marketing sites;
  • telemetry, logs, and usage data to the extent such data is used by LeaseLeads for security, fraud prevention, service operations, billing, capacity planning, and legal compliance in its capacity as an independent Controller; and
  • Aggregated or Deidentified Data that no longer constitutes Personal Data under Applicable Data Protection Law.

Customer instructions

Customer instructs LeaseLeads to Process Customer Personal Data as necessary to:

  • provide, secure, and support the Services and Product;
  • perform the Agreement and applicable Orders;
  • implement Customer configurations, settings, integrations, and feature selections;
  • respond to support requests and technical issues initiated by Customer;
  • prevent fraud, abuse, or security threats relating to the Services; and
  • satisfy applicable law, court order, or regulatory obligation, in which case LeaseLeads will inform Customer unless legally prohibited from doing so.

This DPA, the Agreement, applicable Orders, Customer’s use of the Services, and Customer’s documented requests through the Services or support channels together constitute Customer’s documented instructions.

If LeaseLeads reasonably believes an instruction violates Applicable Data Protection Law, LeaseLeads may suspend the affected Processing and will notify Customer to the extent legally permitted and the agreement.

LeaseLeads obligations

LeaseLeads will:

Process only on instructions. Process Customer Personal Data only on Customer’s documented instructions, except where otherwise required by law and the set within the agreement.

Confidentiality. Ensure that persons authorized to Process Customer Personal Data are bound by confidentiality obligations.

Need-to-know access. Limit access to Customer Personal Data to personnel and contractors who need such access to perform the Services.

Reasonable assistance. Provide reasonable assistance, taking into account the nature of the Processing and information available to LeaseLeads, for Customer to respond to Data Subject requests and to meet Customer’s obligations under Applicable Data Protection Law.

No sale or targeted-ad use. To the extent required by U.S. Privacy Laws, LeaseLeads will not sell or share Customer Personal Data, retain, use, or disclose Customer Personal Data outside the direct business relationship with Customer except as permitted by the Agreement, this DPA, or Applicable Data Protection Law, and will Process Customer Personal Data solely for the limited and specified purposes described in the Agreement and this DPA.

Deidentified data. LeaseLeads may compile or create Aggregated or Deidentified Data from data processed in connection with the Services only where such data cannot reasonably identify Customer or any Data Subject, and only for lawful business purposes such as analytics, security, service improvement, benchmarking, and product planning or for “the” Customer (within the agreement) reporting.

Security measures

LeaseLeads will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the Services, the sensitivity of the data, the state of the art, implementation cost, and the risks presented by the Processing.

Without limiting the foregoing, LeaseLeads will maintain security measures materially consistent with those described in Annex C.

LeaseLeads may update its security measures from time to time, provided such updates do not materially diminish the overall security of the Services.

AI processing

If Customer enables or uses AI-enabled features of the Services, LeaseLeads may Process Customer Personal Data using AI tools and providers solely for the limited purposes of providing those features, including:

  • generating or drafting responses to leasing inquiries;
  • summarizing or classifying conversations, leads, or requests;
  • extracting structured information from customer-provided content or third-party systems;
  • supporting voice, audio, or speech-enabled experiences; and
  • improving the quality, reliability, safety, and administration of LeaseLeads’ AI-enabled service functionality.

No LeaseLeads model training on Customer Personal Data. LeaseLeads will not use Customer Personal Data to train any LeaseLeads-owned general-purpose foundation model.

Third-party AI configurations. Where LeaseLeads uses third-party AI providers in business or enterprise configurations that offer controls intended to limit provider training on customer content, LeaseLeads will use commercially reasonable efforts to maintain those controls for Customer Personal Data processed through the applicable Service feature.

Human review and regulated decisions. Customer is solely responsible for reviewing AI-generated outputs before relying on them for legal, compliance, leasing, fair-housing, pricing, screening, or any other decision that produces legal or similarly significant effects concerning an individual. Unless otherwise expressly agreed in writing, Customer will not use the Services as the sole basis for such decisions.

Sensitive use cases. Customer will not provide, and will not instruct LeaseLeads to Process through AI-enabled features, any Special Category Data, biometric identifiers, government-issued identification numbers, payment-card data, protected health information, or children’s data unless such Processing is expressly authorized in writing by LeaseLeads and supported by the applicable Service configuration.

Customer obligations

Customer is responsible for:

Lawful basis and notices. Providing all notices and obtaining all rights, consents, permissions, and authorizations necessary for LeaseLeads to lawfully Process Customer Personal Data.

Customer instructions. Ensuring that its instructions comply with Applicable Data Protection Law.

Appropriate use. Determining whether the Services and LeaseLeads’ security measures are appropriate for Customer’s intended use and legal obligations.

Customer systems and integrations. Maintaining valid rights and credentials for the third-party systems, APIs, feeds, applications, and data sources that Customer authorizes LeaseLeads to access.

Customer-authorized third-party systems. Customer specifically authorizes LeaseLeads, solely as necessary to provide the Services, to access, retrieve, receive, transmit, display, and otherwise Process Customer Personal Data from or to Customer-authorized third-party property management, leasing, CRM, touring, analytics, call-tracking, and related systems, including the following if enabled by Customer: Engrain, Entrata, Funnel, ILoveLeasing, Knock, ManageAmerica, MarketConnect, MassElemental Systems, OnSite, RealPage, RentCafe/Yardi, RentManager, and ResMan. These platforms are treated as Customer-authorized third-party systems, not LeaseLeads Subprocessors, unless separately listed in Annex B.

Security of Customer environment. Protecting Customer credentials, deciding which users may access the Services, and securing Customer-controlled devices, systems, websites, and integrations.

Data Subject requests

Taking into account the nature of the Processing, LeaseLeads will provide commercially reasonable assistance to Customer in responding to verified Data Subject requests relating to Customer Personal Data, to the extent Customer cannot reasonably fulfill those requests through the Services or its own systems.

If LeaseLeads receives a Data Subject request relating to Customer Personal Data, LeaseLeads may redirect the requester to Customer and will not respond substantively except:

  • on Customer’s documented instructions;
  • as required by law; or
  • to confirm that the request should be directed to Customer.

Customer remains responsible for responding substantively to Data Subject requests.

Security incidents

LeaseLeads will notify Customer without undue delay after confirming a Security Incident affecting Customer Personal Data.

To the extent reasonably available, the notice will include:

  • the nature of the Security Incident;
  • the categories of Customer Personal Data affected;
  • the measures taken or proposed to contain, mitigate, investigate, or remediate the Security Incident; and
  • any other information reasonably necessary for Customer to comply with Applicable Data Protection Law.

LeaseLeads may provide information in phases as it becomes available.

LeaseLeads’ notification of, or response to, a Security Incident will not be construed as an admission of fault or liability.

Customer remains responsible for notifying regulators, individuals, business partners, landlords, property owners, prospects, residents, or other third parties where required by law, except to the extent the parties expressly agree otherwise in writing.

Subprocessors

Customer provides general authorization for LeaseLeads to engage Subprocessors in accordance with this section.

LeaseLeads will:

  • enter into a written agreement with each Subprocessor imposing data-protection obligations that are no less protective than those set out in this DPA, to the extent applicable to the nature of the services provided by that Subprocessor; and
  • remain responsible for each Subprocessor’s Processing of Customer Personal Data to the same extent LeaseLeads would be responsible if it performed the Processing directly, subject to the Agreement’s limitations of liability.

LeaseLeads will maintain an up-to-date list of its Subprocessors, including the list in Annex B and any successor page designated by LeaseLeads.

Changes to Subprocessors. If LeaseLeads intends to add or replace a Subprocessor in a manner that would materially affect the Processing of Customer Personal Data, LeaseLeads “may” but not required to provide notice to customers by updating the subprocessor list, emailing subscribed customers, or by other reasonable means.

Objections. Customer may object to a new Subprocessor by providing written notice within the notice period, provided the objection is based on reasonable grounds relating to data protection. The parties will work in good faith to address the objection but LeaseLeads is not required to make changes to current Subprocessors (or new).

Available remedies. If the parties cannot resolve the objection within a reasonable period, LeaseLeads may, at its option:

  • not appoint the proposed Subprocessor;
  • continue to use the proposed Subprocessor;
  • provide a commercially reasonable alternative;
  • modify or limit the affected feature; or
  • permit Customer to terminate the affected Service feature or affected Order on written notice. Any such termination will be Customer’s sole and exclusive remedy for the unresolved objection, and Customer will remain responsible for fees accrued and up to 3 months of current operations before the effective date of termination. 

Audits and compliance information

Upon Customer’s written request no more than once annually, LeaseLeads will make available, subject to reasonable confidentiality obligations:

  • a then-current summary of LeaseLeads’ security practices;
  • responses to reasonable security questionnaires;
  • then-current third-party audit reports, certifications, or summaries, if available; and
  • other information reasonably necessary to demonstrate compliance with this DPA.

If the information above is not sufficient for Customer to meet a legal audit requirement, and only where required by Applicable Data Protection Law, Customer may request a remote audit or inspection by Customer or an independent auditor bound by confidentiality obligations only if approved by LeaseLeads. 

Any audit must:

  • be limited in scope to Customer Personal Data and the Services used by Customer;
  • avoid disruption to LeaseLeads’ business or exposure of data relating to other customers;
  • occur during normal business hours with reasonable prior notice;
  • occur no more than once annually unless required by law or after a confirmed Security Incident affecting Customer; and
  • be conducted at Customer’s expense, unless the audit reveals material noncompliance by LeaseLeads with this DPA.

LeaseLeads is not required to approve audits, disclose trade secrets, penetration-test details, information that would compromise security, or data relating to other customers.

Data protection assessments and regulatory cooperation

Taking into account the nature of the Processing and information available to LeaseLeads, LeaseLeads will provide commercially reasonable assistance to Customer with data protection impact assessments, transfer assessments, and consultations with regulators to the extent required by Applicable Data Protection Law and relevant to LeaseLeads’ Processing of Customer Personal Data under the Agreement.

Deletion, return, and retention

During the term of the Agreement, Customer may access, export, correct, or delete Customer Personal Data using the functionality of the Services, where available.

Upon expiration or termination of the Agreement, LeaseLeads will, at Customer’s choice and subject to the Agreement:

  • return Customer Personal Data in a commercially reasonable format where technically feasible; or
  • delete Customer Personal Data from active systems within a commercially reasonable period, unless retention is required by law.

Notwithstanding the foregoing, LeaseLeads may retain:

  • Customer Personal Data required to comply with law, regulation, tax, accounting, legal hold, or dispute-resolution obligations; and
  • Customer Personal Data contained in routine backups, archives, or disaster-recovery systems, provided such retained data remains protected under this DPA and is not further Processed except as required by law or as part of routine backup restoration and rotation.

Unless otherwise agreed in writing or required by law, LeaseLeads will target deletion from active production systems within ninety days after the effective termination date, and routine backup copies will be overwritten or expire under LeaseLeads’ standard backup lifecycle.

International and restricted data transfers

The Services are primarily designed for use by customers and properties located in the United States. Unless LeaseLeads expressly agrees otherwise in a separate writing signed by an authorized representative of LeaseLeads, Customer will not use the Services to intentionally collect, submit, transmit, or otherwise Process Personal Data of individuals located in the European Economic Area, United Kingdom, Switzerland, or any other jurisdiction that requires a data-transfer mechanism, data-localization arrangement, local representative, or materially different privacy or security obligations.

Customer is responsible for determining whether its use of the Services or Product involves Personal Data subject to laws outside the United States and for notifying LeaseLeads in writing before initiating such Processing. Customer represents that it will not represent to any person, regulator, client, property owner, resident, or other third party that LeaseLeads has agreed to comply with the GDPR, UK GDPR, Swiss data-protection law, or any international privacy framework unless LeaseLeads has expressly agreed to that obligation in writing.

This DPA does not constitute a certification, representation, or warranty that LeaseLeads complies with the GDPR, UK GDPR, SOC-2, HIPPA, Swiss data-protection law, any adequacy framework, or any international data-localization or transfer regime. 

If Customer requests Processing that LeaseLeads reasonably believes would require Standard Contractual Clauses, a transfer impact assessment, international data residency, supplementary safeguards, regulatory registration, or other material compliance measures, LeaseLeads may decline, suspend, restrict, or condition the affected Processing. Any additional terms, technical measures, services, fees, or transfer mechanisms must be separately agreed in writing before the affected Processing begins.

Customer is solely responsible for any unauthorized international use of the Services and for claims, investigations, costs, or obligations resulting from Customer’s failure to comply with this section, subject to the indemnification and liability provisions of the Agreement.

 

Term and termination

This DPA remains in effect for as long as LeaseLeads Processes Customer Personal Data on behalf of Customer under the Agreement.

This DPA automatically terminates when LeaseLeads no longer Processes Customer Personal Data on behalf of Customer and has completed return or deletion obligations under this DPA, subject to permitted retention.

Annex A Processing Activities

The annex below is structured to satisfy the processing-description expectations enterprise customers typically have in a modern SaaS DPA, while keeping the detail level practical for a website-publishable form. [7]

Subject matter of the Processing

The provision of LeaseLeads’ Leasing Engine platform, LeaseLeads Template & Website Platform, AI-powered virtual leasing assistant, leasing automation software, property website hosting and management (analytics, content delivery, communications tools, integrations, support, and related services under the Agreement.

Nature and purpose of the Processing

LeaseLeads may Process Customer Personal Data to:

  • host, operate, secure, and support the Services;
  • enable website forms, leasing inquiries, scheduling flows, and prospect interactions;
  • synchronize data with Customer-authorized property management, CRM, touring, and analytics systems;
  • deliver communications by email, SMS, voice, chat, or web interface;
  • power AI-enabled leasing-assistant and automation functions selected by Customer;
  • generate analytics, dashboards, performance insights, and operational reporting for Customer;
  • prevent abuse, detect fraud, troubleshoot incidents, and maintain service reliability; and
  • comply with law and enforce the Agreement.

Duration of the Processing

For the term of the Agreement, plus any period reasonably necessary for transition, deletion, backup rotation, legal retention, or post-termination obligations described in the Agreement and this DPA.

Categories of Data Subjects

Depending on how Customer uses the Services, Data Subjects may include:

  • prospective residents, applicants, and other leasing prospects;
  • current residents and occupants;
  • guarantors, co-applicants, or emergency contacts, where submitted by Customer or a Data Subject;
  • Customer personnel, leasing agents, marketing personnel, and property staff;
  • property owners, managers, and authorized representatives;
  • website visitors and users interacting with Customer-hosted or Customer-branded sites, forms, chat experiences, or communication channels; and
  • other individuals whose Personal Data Customer or its authorized systems submit to the Services.

Categories of Personal Data

Depending on Customer’s configuration and use, Customer Personal Data may include (but not limited):

  • name, email address, phone number, and communication preferences;
  • property preferences, unit preferences, move-in timing, tour preferences, and related leasing-intent information;
  • message content, inquiry details, free-form form submissions, chat transcripts, voice transcripts, call metadata, SMS content, and support-style interactions submitted through Customer experiences;
  • property, pricing, availability, floor-plan, amenity, media, and lead-source information associated with an inquiry or resident journey;
  • application-status and guest-card information;
  • IP address, browser/device data, cookie identifiers, session data, referral URLs, event metadata, and usage telemetry associated with Customer-hosted sites or tools;
  • landlord-, operator-, or property-team account and access data; and
  • any other Personal Data Customer chooses to submit or instruct LeaseLeads to access from Customer-authorized third-party systems.

Special categories and sensitive data

The Services are not intended for routine Processing of Special Category Data, payment-card data, Social Security numbers, driver’s-license numbers, biometric identifiers, or protected health information. Customer must not submit such data unless expressly authorized in writing by LeaseLeads for a supported use case. If Customer elects to submit such data with authorization, Customer remains responsible for identifying the lawful basis, required notices, and any supplementary controls required by law.

Frequency of transfer

Continuous or event-driven, depending on Customer’s use of the Services, integrations, communications, and enabled automations. Rates may vary.

Customer-authorized third-party systems

For clarity, Customer may instruct LeaseLeads to Process Customer Personal Data from or to Customer-authorized systems such as Engrain, Entrata, Funnel, ILoveLeasing, Knock, ManageAmerica, MarketConnect, MassElemental Systems, OnSite, RealPage, RentCafe/Yardi, RentManager, and ResMan. These systems are treated as Customer-controlled systems unless separately listed as Subprocessors in Annex B.

Annex B Subprocessors

The list below incorporates the providers identified in your request and attached chart and is organized in a format that can be published on LeaseLeads’ website. The provider-function descriptions are grounded in the vendors’ current public materials. [8]

Approved Subprocessors

  • DigitalOcean
    Purpose: Cloud hosting, compute, managed databases, object storage, backups, and related infrastructure used to operate the Services.
    Categories of Data: Website content, application data, databases, logs, backups, stored assets, and related Customer Personal Data processed through hosted infrastructure.
    Processing Location: United States and other DigitalOcean regions selected by LeaseLeads for service deployment and storage. [9]
  • RunCloud
    Purpose: Server orchestration, deployment, configuration management, patching, operational monitoring, and administration of cloud-hosted application environments.
    Categories of Data: Limited operational access to hosted environments, server metadata, logs, and Customer Personal Data resident in customer-serving application environments as necessary for managed administration.
    Processing Location: Customer-selected cloud regions and vendor-managed control-plane locations associated with the connected server environment. [10]
  • bunny.net
    Purpose: Content delivery network, edge caching, media and asset delivery, performance optimization, and related edge-network services.
    Categories of Data: IP addresses, request metadata, cached assets, content delivery logs, and related Personal Data necessary to serve website content.
    Processing Location: Global edge network and vendor-managed locations used to deliver and cache content. [11]
  • Mailgun Technologies, Inc.
    Purpose: Transactional email delivery, email event handling, and related messaging infrastructure for service notifications and leasing communications.
    Categories of Data: Email addresses, message content, message metadata, delivery events, and related communication records.
    Processing Location: Primarily United States, subject to provider infrastructure routing. [12]
  • Twilio Inc.
    Purpose: Transactional SMS, messaging, voice calling, call-routing, call-notification, and related communications infrastructure.
    Categories of Data: Phone numbers, SMS content, message metadata, call metadata, audio where applicable, and related communication records.
    Processing Location: United States and global provider-managed telecommunications and cloud infrastructure, depending on the communication feature used. [13]
  • OpenAI
    Purpose: AI text processing, summarization, classification, conversational response generation, content analysis, and related AI-enabled features used in the Services.
    Categories of Data: Text prompts, inquiry content, chat or transcript content, structured inputs, outputs, and limited support data submitted through AI-enabled features.
    Processing Location: United States and other supported regions made available through OpenAI’s infrastructure and affiliates. OpenAI states that business and API data is not used for training by default. [14]
  • ElevenLabs
    Purpose: Voice synthesis, text-to-speech, speech-related AI features, audio rendering, and related voice-enabled functionality where enabled by Customer.
    Categories of Data: Text submitted for speech generation, audio inputs and outputs, transcripts, and voice feature interaction data.
    Processing Location: United States by default, with European data residency and Zero Retention Mode available for qualifying enterprise configurations. ElevenLabs states that enterprise data is not trained on by default. [15]

Subprocessor updates

LeaseLeads may update this list from time to time in accordance with the Subprocessors section of the DPA.

Annex C Security Measures

The schedule below is drafted as a practical security exhibit that enterprise customers will usually recognize, without overpromising named certifications or highly specific controls that may change over time. [16]

LeaseLeads will maintain security measures designed to include, as appropriate to the Services:

Access controls

  • role-based or need-to-know access to production systems and Customer Personal Data;
  • authentication controls for administrative access;
  • multi-factor authentication for privileged access where supported;
  • periodic review of privileged access.

Data security

  • encryption in transit using industry-standard protocols;
  • encryption at rest for production data stores where supported by the underlying platform or service architecture;
  • logical separation of customer environments or data access controls appropriate to a multi-tenant SaaS environment;
  • backup and recovery procedures appropriate to the Services.

System security

  • change-management and deployment controls for production systems;
  • vulnerability and patch-management processes appropriate to the infrastructure and software stack;
  • logging and monitoring of relevant systems and administrative events;
  • malware protection and endpoint controls, as appropriate.

Operational security

  • incident-response procedures for security events and Security Incidents;
  • vendor management and reasonable diligence for material subprocessors;
  • confidentiality obligations for personnel with access to Customer Personal Data;
  • security awareness measures appropriate to employee roles.

Availability and resilience

  • backups, restore capability, and disaster-recovery or business-continuity procedures appropriate to the Services;
  • monitoring for service availability and operational anomalies;
  • measures intended to preserve ongoing confidentiality, integrity, availability, and resilience of processing systems.

Testing and evaluation

  • periodic review and testing of security controls, as appropriate to the Services and LeaseLeads’ risk profile;
  • remediation tracking for identified material issues.

Physical and infrastructure security

  • reliance on commercially reasonable physical and environmental controls implemented by LeaseLeads’ hosting and infrastructure providers for the environments in which Customer Personal Data is stored or processed.

No absolute-security guarantee

LeaseLeads will implement commercially reasonable administrative, technical, and organizational safeguards appropriate to the nature of the Services and the Customer Personal Data Processed. However, Customer acknowledges that no security measure, system, software, network, hosting environment, transmission method, or data-storage method can be guaranteed to be completely secure, uninterrupted, error-free, or immune from unauthorized access, cyberattack, malware, ransomware, denial-of-service attack, vulnerability, data loss, or other security incident.

LeaseLeads does not warrant or guarantee that the Services will prevent, detect, block, or remediate every security threat or vulnerability, or that Customer Personal Data will never be accessed, disclosed, altered, lost, corrupted, or destroyed. LeaseLeads will not be responsible for security incidents, vulnerabilities, or losses caused by Customer systems, credentials, users, configurations, integrations, websites, third-party services, hosting or infrastructure providers, telecommunications providers, malicious third parties, or events outside LeaseLeads’ reasonable control.

Any liability relating to security, privacy, data loss, unauthorized access, or a Security Incident remains subject to the exclusions, disclaimers, remedies, and limitations of liability in the Agreement and this DPA.

[2] Business data privacy, security, and compliance | OpenAI

https://openai.com/business-data/

[3] [8] AI-Native Cloud | DigitalOcean

https://www.digitalocean.com/products

[4] [6] [16]  Data Processing Addendum | Atlassian 

https://www.atlassian.com/legal/data-processing-addendum

[9] Legal – Data Processing Agreement

https://www.digitalocean.com/legal/data-processing-agreement

[10] RunCloud – PHP Cloud Server Management Panel

https://runcloud.io/

[11] bunny.net – The Global Edge Platform that truly Hops

https://bunny.net/

[12] Transactional Email API Service For Developers – Transactional Email API Service For Developers | Mailgun

https://www.mailgun.com/

[13] Data Protection Addendum | Twilio

https://www.twilio.com/en-us/legal/data-protection-addendum

[14] OpenAI Sub-processor list | OpenAI

https://openai.com/policies/sub-processor-list/

[15] ElevenLabs — Discover our Data Processing Addendum (DPA)

https://elevenlabs.io/ko/dpa