Data Processing Agreement (DPA)
Effective Date: May 16, 2026
Last Updated: May 25, 2026
Version: 1.1.0 (reconciled with Terms of Service v1.3.0 + Privacy Policy v1.3.0; adds 5G.31 scope-clarification for Sign in with Apple + Sign in with Google identity providers — these handle landlord identity only, NOT Tenant Personal Data, so the §4 sub-processor obligations do not contractually apply to them. AI-drafted, pending California attorney sign-off per ROADMAP 6P.10)
This Data Processing Agreement ("DPA") forms an integral part of the Terms of Service entered into between you ("Customer," "Controller," or "you") and ClearDeduct ("we," "us," "Processor," or "Service Provider"). It governs the processing of Personal Data that you, acting as Controller, upload to or generate through the ClearDeduct Service (the "Service") concerning your tenants and other third-party data subjects.
By accepting the Terms of Service at signup, you accept this DPA. If you require a signed counter-party version, contact privacy@cleardeduct.com with subject line "DPA Request".
1. Definitions
For the purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not otherwise defined in this DPA have the meanings given to them in the Terms of Service.
- "Applicable Data Protection Law" means all data-protection and privacy laws applicable to the processing of Personal Data under this DPA, including but not limited to: the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"); the EU General Data Protection Regulation 2016/679 ("GDPR"); the UK Data Protection Act 2018 and UK GDPR ("UK GDPR"); and California Assembly Bill 2801 / Civil Code §1950.5(g) ("AB 2801").
- "Controller" (under GDPR) and "Business" (under CCPA/CPRA) mean the entity that determines the purposes and means of processing Personal Data. For Tenant Personal Data uploaded through the Service, you are the Controller / Business.
- "Processor" (under GDPR) and "Service Provider" (under CCPA/CPRA) mean the entity that processes Personal Data on behalf of the Controller. ClearDeduct is the Processor / Service Provider for Tenant Personal Data.
- "Personal Data" has the meaning given to "personal data" under GDPR and "personal information" under CCPA/CPRA, and includes Sensitive Personal Information ("SPI") such as the precise geolocation embedded in photograph EXIF metadata.
- "Tenant Personal Data" means Personal Data of your tenants and other natural persons whose information you upload to the Service (including names, contact details, lease dates, photographs of dwellings, deduction descriptions).
- "Sub-processor" means any third party engaged by ClearDeduct to process Tenant Personal Data on our behalf.
- "Data Subject Request" means a verifiable request submitted by a data subject (typically a tenant) exercising rights granted under Applicable Data Protection Law (e.g., right to know, delete, correct, opt-out, limit).
- "Personal Data Breach" has the meaning given to that term under GDPR Article 4(12) and California Civil Code §1798.82 (as amended by Senate Bill 446).
2. Scope and Roles
2.1 Bifurcated Roles
For Personal Data processed under this Agreement, the parties acknowledge the following bifurcated role allocation:
| Personal Data Category | Customer's Role | ClearDeduct's Role |
|---|---|---|
| Customer Account Data (your email, password, billing information, profile) | Data Subject | Business (CCPA) / Controller (GDPR) — governed by Privacy Policy §1.1 |
| Tenant Personal Data (uploaded by Customer) | Business (CCPA) / Controller (GDPR) | Service Provider (CCPA) / Processor (GDPR) — governed by this DPA |
This DPA exclusively governs the second category. Processing of Customer Account Data is governed by ClearDeduct's Privacy Policy.
2.2 Lawful Basis
You represent and warrant that:
- (a) You have a lawful basis under Applicable Data Protection Law to upload Tenant Personal Data to the Service;
- (b) Where required, you have provided tenants with a Notice at Collection identifying ClearDeduct as a Service Provider and the AB 2801 compliance purpose of the processing;
- (c) You have established the legal and contractual relationships with your tenants necessary to enable ClearDeduct's processing under this DPA.
3. Description of Processing
3.1 Subject Matter
ClearDeduct processes Tenant Personal Data to deliver the Service: documenting rental-unit condition through timestamped/geolocated photographs, generating AB 2801 compliance reports, tracking the 21-day security-deposit deadline, and securely sharing reports with tenants per Customer instructions.
3.2 Duration
The processing duration is the term of the Customer's subscription, plus the four-year statutory retention period for Finalized Dispositions (as defined in Terms of Service §4.5) required by California Civil Code §1950.5(g)(1)–(2) and Cal. Code Civ. Proc. §337.
3.3 Nature and Purpose
The nature of processing includes: collection, organization, structuring, storage, retrieval, generation of derivative documents (AB 2801 reports), transmission to tenants (via secure share links), and erasure. The purpose is solely to enable the Customer to fulfill its obligations under California AB 2801 and related landlord-tenant law.
3.4 Categories of Personal Data
| Category | Examples |
|---|---|
| Identification data | Tenant name, email address, telephone number (if provided by Customer) |
| Tenancy data | Lease dates, deposit amount, property address |
| Photographic data | Move-in / move-out / post-repair photographs of the rental unit |
| Sensitive Personal Information | Precise geolocation (GPS coordinates in photo EXIF metadata, classified as SPI under CPRA §1798.140(ae)(2)(F)) |
| Derivative compliance artifacts | Move-In Condition Report, Pre-Inspection Notice, Move-Out Disposition Statement, itemized deductions |
3.5 Categories of Data Subjects
Natural persons whose Personal Data is processed under this DPA are: (i) tenants of residential rental properties managed by the Customer, and (ii) other natural persons whose images may incidentally appear in property photographs.
4. Sub-Processors
4.1 General Authorization
You grant ClearDeduct general written authorization under GDPR Article 28(2) and CPRA §1798.140(d) to engage the Sub-processors listed in Privacy Policy §5.1 (and incorporated by reference in Terms of Service §16.1) to process Tenant Personal Data on your behalf.
The current Sub-processor list, with purposes and locations, is maintained in Privacy Policy §5.1. As of the Effective Date, the list includes: Supabase (database / storage), Stripe (subscription billing), Resend (transactional email), Vercel (web hosting), Expo / Apple APNs / Google FCM (push notifications), Sentry (crash reporting), and Cloudflare (DNS / email routing).
4.1a Identity Provider Scope Exclusion
Privacy Policy §5.1 additionally discloses two identity sub-processors — Sign in with Apple (Apple Inc.) and Sign in with Google (Google LLC) — that authenticate the landlord at signup and login on cleardeduct.com. These identity providers do not process Tenant Personal Data under any circumstance; their scope is strictly limited to landlord email address, display name (as transmitted by the provider at OAuth handshake), and standard OAuth/OIDC authentication artifacts (PKCE codes, ID tokens, refresh tokens).
Accordingly, the Sub-processor obligations enumerated in §4.2 below (written data-protection agreements, liability flow-down, processing-purpose restrictions, breach notification, etc.) are designed for and apply to Sub-processors that handle Tenant Personal Data. They are not contractually applicable to Apple's or Google's identity verification services, which are governed instead by each provider's own published terms (Apple — developer.apple.com/sign-in-with-apple; Google — developers.google.com/identity) and by Privacy Policy §5.1a. Sign-In with Apple / Google is also entirely optional — landlords may always create accounts using email + password without invoking either identity provider.
4.2 Sub-processor Obligations
ClearDeduct will:
- (a) Enter into a written agreement with each Sub-processor that imposes data-protection terms no less protective than those of this DPA;
- (b) Remain liable to you for the acts and omissions of Sub-processors that breach the terms of their engagement;
- (c) Prohibit each Sub-processor from selling, sharing, or using Tenant Personal Data for cross-context behavioral advertising, profiling, or proprietary model training.
4.3 Notification of Changes and Right to Object
ClearDeduct will notify you (via email or in-app notification) at least fourteen (14) days prior to adding or replacing a Sub-processor that handles Tenant Personal Data. You may object on legitimate data-protection grounds within that 14-day period. If ClearDeduct cannot reasonably accommodate your objection, your sole and exclusive remedy is to terminate your subscription for convenience under Terms of Service §8.2(f) prior to the new Sub-processor processing your data.
5. Data Subject Rights Assistance
5.1 General
Taking into account the nature of the processing, ClearDeduct will assist you, by appropriate technical and organizational measures, in fulfilling your obligation to respond to Data Subject Requests under Applicable Data Protection Law (including CCPA/CPRA §§1798.100 et seq. and GDPR Articles 12–22).
5.2 Procedure
If ClearDeduct receives a Data Subject Request directly from one of your tenants, ClearDeduct will:
- (a) Promptly inform you of the request (within five business days);
- (b) Not respond to the request directly unless instructed by you or required by law;
- (c) Provide the technical means (in-app export and deletion tools, manual extraction if needed) to enable you to respond within statutory deadlines (CCPA: 45 days; GDPR: 30 days).
5.3 Statutory Override for AB 2801 Retention
Where a tenant Data Subject Request seeks deletion of Finalized Dispositions (as defined in Terms of Service §4.5) within the four-year statutory retention period, ClearDeduct, on the Customer's behalf, will invoke the CCPA §1798.105(d)(8) "legal obligation" exception and decline the deletion request. Unperfected Documentation (also defined in §4.5) is not subject to this override and will be deleted on request.
6. Personal Data Breach Notification
6.1 ClearDeduct's Obligations
ClearDeduct will notify you of any confirmed Personal Data Breach affecting Tenant Personal Data without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.
The notification will contain (to the extent then known):
- (a) The nature of the breach, including the categories and approximate number of data subjects and records affected;
- (b) The likely consequences of the breach;
- (c) The measures taken or proposed to address the breach and mitigate its effects;
- (d) The contact details of ClearDeduct's privacy team (privacy@cleardeduct.com) for further information.
6.2 California Statutory Timelines
Where the breach falls within the scope of California Civil Code §1798.82 (as amended by Senate Bill 446, effective January 1, 2026):
- ClearDeduct will assist you in providing notification to affected California residents within the statutory thirty (30) calendar day consumer-notification window;
- Where the breach affects more than 500 California residents, ClearDeduct will assist you with the fifteen (15) calendar day submission to the California Attorney General following consumer notification.
6.3 GDPR Statutory Timelines
Where the breach falls within the scope of GDPR Article 33, ClearDeduct's 72-hour notification to you supports your separate obligation to notify the competent supervisory authority within 72 hours.
7. Security, Confidentiality, and Data Return / Destruction
7.1 Security Measures
ClearDeduct will implement and maintain appropriate technical and organizational security measures consistent with industry standards and Applicable Data Protection Law, including those described in Privacy Policy §9 (encryption in transit TLS 1.2+, encryption at rest AES-256, Row-Level Security, role-based access, audit logging, weekly dependency scanning).
7.2 Personnel Confidentiality
ClearDeduct will ensure that personnel authorized to process Tenant Personal Data are bound by appropriate confidentiality obligations (whether by contract or statute).
7.3 Return / Destruction at End of Processing
Upon termination of the Customer's subscription (whether for convenience or for cause), the data destruction protocol is governed by Terms of Service §4.5 (Data Lifecycle) and §8.2 (Termination), which distinguish between Unperfected Documentation (deleted after the 30-day grace period or immediately on termination for cause) and Finalized Dispositions (retained for the four-year statutory period under Civil Code §1950.5(g)(1)–(2)).
Upon expiration of the four-year statutory retention period for a specific tenancy's Finalized Dispositions, ClearDeduct will permanently destroy the data within 90 days. The Customer may request a final export prior to destruction via privacy@cleardeduct.com.
7.4 Audit Rights
ClearDeduct will make available to the Customer, on reasonable request and no more frequently than once per calendar year, information necessary to demonstrate compliance with this DPA. ClearDeduct may satisfy this obligation by providing third-party audit reports (such as Supabase's SOC 2 or equivalent reports for our infrastructure providers) or, where reasonably necessary, by permitting a Customer-conducted audit subject to mutually agreed terms (including confidentiality, scope limitations, and reimbursement of reasonable costs).
8. International Data Transfers
The Service is operated from the United States. Tenant Personal Data may be transferred to and processed in the United States and other jurisdictions where Sub-processors operate (see Privacy Policy §6).
For transfers originating from the EEA, UK, or Switzerland, ClearDeduct relies on the European Commission's Standard Contractual Clauses (2021/914/EU) and, where applicable, the UK International Data Transfer Addendum, supplemented with the technical safeguards described in §7.1 above. By accepting this DPA, the Customer (acting on behalf of any EEA / UK / Swiss data subjects whose Personal Data the Customer uploads) agrees to be bound by Module Two (Controller-to-Processor) of the SCCs as incorporated herein by reference.
9. Liability and Limitations
9.1 Limitation of Liability
The liability of each party under this DPA is subject to the Limitation of Liability set forth in Terms of Service §14, including the statutory carve-outs under California Civil Code §1668 for gross negligence, willful misconduct, fraud, and personal injury.
9.2 Customer Indemnification
The Customer indemnification obligations set forth in Terms of Service §15 apply to claims arising from or relating to the Customer's processing of Tenant Personal Data, including but not limited to:
- (a) The Customer's failure to provide statutorily required notices to tenants;
- (b) The Customer's failure to obtain necessary consents prior to uploading Tenant Personal Data;
- (c) Any claim by a tenant that Customer's use of the Service infringed the tenant's privacy rights;
- (d) The Customer's bad-faith security-deposit deductions or evidentiary fabrication.
10. Term, Termination, and Survival
10.1 Term
This DPA is effective upon the Customer's acceptance of the Terms of Service and remains in effect for the duration of the Customer's subscription, plus the four-year statutory retention period for any Finalized Dispositions.
10.2 Survival
The provisions of this DPA that by their nature should survive termination of the Customer's subscription (including but not limited to §6 Personal Data Breach Notification, §7.3 Return / Destruction, §7.4 Audit Rights, §9 Liability) expressly survive the termination of the Customer's subscription until the underlying Tenant Personal Data is legally and permanently destroyed in accordance with §7.3 and the statutory schedule in Privacy Policy §7.1.
This survival is reinforced by Terms of Service §8.3 (Effect of Termination and Survival of Obligations).
11. Order of Precedence
In the event of any conflict between this DPA and the Terms of Service or Privacy Policy with respect to the processing of Tenant Personal Data, this DPA shall prevail. In all other respects, the Terms of Service control.
12. Notices and Counter-Party Execution
For matters arising under this DPA (including Data Subject Requests, Sub-processor objections, breach notifications, audit requests), contact privacy@cleardeduct.com.
If you require a counter-party-signed copy of this DPA for your records or for enterprise procurement review, request via the same email with subject line "Signed DPA Request". ClearDeduct will deliver a signed counter-party version within ten (10) business days following review.
This Data Processing Agreement is provided in English. Translations are for convenience only; the English version controls in the event of any discrepancy. This DPA is an AI-drafted template pending review by a licensed California attorney (per ROADMAP 6P.10 — California SaaS attorney full review triggered at MRR ≥ $500/mo).