Data Processing Agreement

THIS DATA PROCESSING AGREEMENT and its Annexes (this “DPA”) is entered into pursuant to the Leo247 Terms and Conditions and associated order form(s), by and between Leonardo247, Inc., a Delaware corporation (“Leo247”) and the entity placing an order for or accessing the Services (“Customer”) (the “Agreement”). All capitalized terms herein shall have the same definitions as in the Agreement. In the event of a conflict between this DPA and the Agreement, the terms of this DPA will control. In consideration of the terms and conditions set forth below, the parties agree as follows:

  1. DEFINITIONS
    “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 or “CPRA”).
    “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
    “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation the CCPA, and other applicable U.S. federal and state privacy laws, in each case as amended, repealed, consolidated, or replaced from time to time.
    “Data Subject” means the individual to whom Personal Data relates.
    “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
    “Personal Data” means (a) any information relating to an identified or identifiable individual; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; or (b) any information that is otherwise protected similarly as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.
    “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Leo247 and/or its Sub-Processors in connection with the provision of the Services. “Personal Data Breach” will not include activities that do not compromise the confidentiality, integrity or availability of Customer Personal Data, such as unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
    “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, or erasure of Personal Data. The terms “Process,” “Processes” and “Processed” will be construed accordingly.
    “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
    “Sensitive Personal Data” means any Personal Data designated by Data Protection Laws as sensitive or subject to data breach notification requirements. Examples of Sensitive Personal Data include government identifiers, financial account numbers or access codes, health data, precise geolocation data, racial, ethnic or religious information or information about an individual’s sex life or sexual orientation.
    “Sub-Processor” means any Processor engaged by Leo247 to assist in fulfilling its obligations with respect to the provision of the Services under the Agreement.
  2. CUSTOMER RESPONSIBILITIES
    1. Compliance with Laws. Within the scope of the Agreement and in its use of the Services, Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to Customer Personal Data and the Instructions it issues to Leo247. In particular but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it will be solely responsible for: (a) the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such Customer Personal Data; (b) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Customer Personal Data, including obtaining any necessary consents and authorizations; (c) ensuring Customer has the right to transfer, or provide access to, the Customer Personal Data to Leo247 for Processing in accordance with the terms of the Agreement (including this DPA); (d) ensuring that Customer’s Instructions to Leo247 regarding the Processing of Customer Personal Data comply with applicable laws, including Data Protection Laws; and (e) complying with all laws (including Data Protection Laws) applicable to any communications or other content created, sent or managed through the Services. Customer will inform Leo247 without undue delay if Customer is not able to comply with its responsibilities under this Section 2 or applicable Data Protection Laws.
    2. Controller Instructions. The parties agree that the Agreement (including this DPA), together with Customer’s use of the Services in accordance with the Agreement, constitute Customer’s complete Instructions to Leo247 in relation to the Processing of Customer Personal Data, provided that Customer may provide additional instructions during the Term via an executed Order Form that are consistent with the Agreement, the nature, and lawful use of the Services.
    3. Security. Customer is responsible for independently determining whether the data security provided for in the Services adequately meets its obligations under applicable Data Protection Laws. Further, as set forth in the Agreement, Customer is also responsible for its secure use of the Services, including protecting the security of Customer Personal Data in transit to and from the Services.
    4. No Sensitive Personal Data. Customer acknowledges that the Services are not designed to Process Sensitive Personal Data. Customer shall not provide Sensitive Personal Data to Leo247 in connection with the Services and ensure that its authorized users also do not do so.
  3. LEO247’S RESPONSIBILITIES
    1. Compliance with Instructions. Leo247 agrees to only Process Customer Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s lawful Instructions, except where and to the extent otherwise required by applicable law. Leo247 shall not be responsible for compliance with any Data Protection Laws applicable to Customer or Customer’s industry that are not generally applicable to Leo247 unless otherwise agreed by the parties and memorialized in an executed Order Form.
    2. Conflict of Laws. If Leo247 should become aware that it cannot Process Customer Personal Data in accordance with Customer’s Instructions due to a legal requirement under any applicable law, Leo247 will (a) promptly notify Customer of such legal requirement to the extent permitted by the applicable law; and (b) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as Customer issues new Instructions with which Leo247 is able to comply. If this provision is invoked, Leo247 will not be liable to Customer under the Agreement for any failure to perform the applicable Services until such time as Customer issues new lawful Instructions with regard to the Processing.
    3. Security; Technical and Organizational Measures. Leo247 agrees to implement and maintain appropriate technical and organizational measures to protect Customer Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA (“Security Measures”). Notwithstanding any provision to the contrary, Leo247 may modify or update the Security Measures at its discretion as long as such modification or update does not result in a material degradation in the protection offered by the Security Measures.
    4. Confidentiality. Leo247 agrees to ensure that any personnel whom it authorizes to Process Customer Personal Data is subject to appropriate confidentiality obligations (whether a contractual, professional or statutory duty) with respect to that Customer Personal Data.
    5. Personal Data Breaches. Leo247 agrees to notify Customer without undue delay after it becomes aware of any Personal Data Breach and agrees to provide timely information relating to the Personal Data Breach as it becomes known or reasonably requested by Customer. At Customer’s request, Leo247 will promptly provide Customer with such reasonable assistance as necessary to enable Customer to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Customer is required to do so under Data Protection Laws. Customer agrees to reimburse Leo247 for the commercially reasonable costs arising from this assistance.
    6. Deletion or Return of Customer Personal Data. Leo247 agrees to delete or return all Customer Personal Data (including copies thereof) Processed pursuant to this DPA upon termination or expiration of the Term of the applicable Services and Customer’s written request. The foregoing shall apply except (a) where Leo247 is required by applicable law to retain some or all of the Customer Personal Data, or (b) where Leo247 has archived Customer Personal Data on back-up systems, which data Leo247 will securely isolate and protect from any further Processing and delete in accordance with its deletion practices.
  4. DATA SUBJECT REQUESTS
    1. The parties agree that Customer shall be responsible for any and all obligations relating to responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”). To the extent that Customer is unable to independently address a Data Subject Request by itself or through the Services, then, upon Customer’s written request, Leo247 agrees to provide reasonable assistance to Customer to respond to such Data Subject Requests or requests from data protection authorities relating to the Processing of Customer Personal Data under the Agreement. Customer agrees to reimburse Leo247 for the commercially reasonable costs arising from this assistance.
    2. If a Data Subject Request or other communication regarding the Processing of Customer Personal Data under the Agreement is made directly to Leo247, it will promptly inform Customer and will advise the Data Subject to submit their request to Customer. Customer will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Customer Personal Data.
  5. SUB-PROCESSORS
    1. Customer acknowledges and agrees that Leo247 may engage Sub-Processors to Process Customer Personal Data on its behalf in order to deliver the Services. Some Sub-Processors will apply to the Services as default, and some Sub-Processors will apply only to certain Services and features set forth in an applicable Order Form.
    2. Customer may request to review a list of Sub-Processors by providing written notice to Leo247, and Leo247 will promptly provide the list applicable to the Services Customer has ordered.
    3. Leo247 agrees to give Customer the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Customer Personal Data, if required by law. If Customer so notifies Leo247 of such an objection, the parties will discuss the concerns in good faith with a view to achieving a commercially reasonable resolution.
    4. Where Leo247 engages Sub-Processors, it shall impose data protection terms on the Sub-Processors that provide at least the same level of protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Leo247 will be responsible for the acts and omissions of its Sub-Processors to the same extent Leo247 would be responsible if performing the services of each Sub-Processor directly under the terms of this DPA, subject to any limitations on liability set forth in the Agreement.
  6. DEMONSTRATION OF COMPLIANCE. As set forth in this Section 6, Customer may provide to Leo247 a security assessment questionnaire related to Services, which Leo247 will accurately and promptly complete. The questionnaire may include questions seeking verification of compliance with the terms and conditions of this DPA. Upon request, Leo247 will also supply a copy of its most recent third-party assessment, such as an ISO 27001/2, SSAE 18 SOC 2, or similar assessment, if Leo247 has had such an assessment. If, after the original security questionnaire assessment, Customer determines that further assessment is warranted, Customer may request, no more than annually and with thirty (30) days’ prior written notice, at Customer’s cost, an assessment related to Services provided with a scope to be mutually agreed upon. During such a review, Customer may examine policies, procedures and other materials related to specific Services performed, to the extent that such review does not compromise confidentiality obligations to any other customers of Leo247.
  7. ADDITIONAL STATE DATA PRIVACY PROVISIONS
    1. Roles of the Parties. When processing Customer Personal Data in accordance with the Instructions, the parties acknowledge and agree that Customer is a “business” and a “controller” and Leo247 is a “service provider” and a “processor” for the purposes of the CCPA and other U.S. state general data privacy laws, respectively (collectively, “State Privacy Laws”).
    2. Responsibilities. Leo247 certifies that it will Process Customer Personal Data as a Service Provider and processor strictly for the purpose of performing the Services under the Agreement or as otherwise permitted by the CCPA or other applicable State Privacy Laws. Further, Leo247 certifies that it (a) will not Sell or Share Customer Personal Data (as defined in the CCPA); (b) will not Process Customer Personal Data outside the direct business relationship between the parties, unless required by applicable law; and (c) will not combine the Customer Personal Data with personal information that it collects or receives from another source (other than information it receives from another source in connection with its obligations as a Service Provider under the Agreement).
    3. Compliance. Leo247 acknowledges and agrees that it will (a) comply with obligations applicable to it as a Service Provider under the CCPA and (b) provide Customer Personal Data with the same level of privacy protection as is required by the CCPA or other State Privacy Laws. Leo247 agrees to notify Customer if it makes a determination that it can no longer meet its obligations as a Service Provider under the CCPA.
    4. Not a Sale. The parties acknowledge and agree that the disclosure of Personal Data by the Customer to Leo247 does not form part of any monetary or other valuable consideration exchanged between the parties.
  8. GENERAL PROVISIONS
    1. Severability. If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
    2. Limitation of Liability. Each party’s liability, taken in aggregate, arising out of or related to this DPA (and any other DPAs between the parties), whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the Agreement.
    3. Governing Law. This DPA will be governed by and construed in accordance with the “Governing Law” Section of the Agreement, unless required otherwise by Data Protection Laws.

ANNEX 1 – Record of Processing

  1. LIST OF PARTIES
    Customer is the Controller.
    Leonardo247, Inc. (“Leo247”), is the Processor.
  2. DESCRIPTION OF PERSONAL DATA
    Categories of Data Subjects Whose Personal Data is Processed:
    Customer may submit or allow its Authorized Users to submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to: Customer’s Authorized Users and residents of properties owned or managed by Customer.

    Categories of Personal Data Processed:
    Customer may submit or allow its authorized users to submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data: (a) first and last name, (b) title, (c) position, (d) employer, (e) contact information (company, email, phone, physical business address, home address), (f) professional life data (e.g. position, responsibilities, etc. of maintenance personnel), and (g) personal life data (e.g., lease status, maintenance issues, family members, etc.).
    Frequency of the Transfer:
    The frequency of the transfer is on a continuous basis for the duration of the Agreement.
    Nature of the Processing:
    As set forth in the Agreement.
    Purpose(s) of the Data Transfer and Further Processing:
    Leo247 will process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by the Customer in use of the Services.
    Period for which Personal Data will be Retained:
    Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, Leo247 will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
  3. TECHNICAL AND ORGANIZATIONAL MEASURES
    Leo247 maintains and enforces various policies, standards and processes designed to secure Personal Data and other data to which Leo247 employees are provided access, and updates such policies, standards, and processes from time to time consistent with industry standards. Further, Leo247 will maintain administrative, physical, and technical safeguards designed to protect the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in Section 3.3. Leo247 will not materially decrease the overall security of the Services during a Term. Data Subject Requests shall be handled in accordance with Section 4 of the DPA.
  4. SUB-PROCESSORS
    As per above, Leo247’s Sub-Processors will process Personal Data as necessary to provide the Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by the Customer in use of the Services.
    Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, Leo247’s Sub-Processors will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
    Leo247 will make available information on Sub-Processors, and if legally required, allow Customer to object to Sub-Processors, as set forth in Section 5, above.

ANNEX 2 – Security Measures

Leonardo247, Inc. (“Leo247”) maintains a documented information security program using physical, technical and organizational security controls designed to protect the confidentiality, integrity, and availability of all data or materials that customer discloses, posts, inputs or uploads to the Leo247 products (“customer data”), including the following:

Encryption at Rest: All databases, data stores, and file systems hosting customer data are encrypted using AES-256 or above, in accordance with Leo247’s Encryption Policy.

Encryption in Transit: All external transmission of customer data is encrypted end-to-end. Internet and intranet connections are encrypted and authenticated using TLS 1.2 or above with strong key exchange and cipher suites.

Access Control: Access to customer data is governed by Leo247’s System Access Control Policy and is restricted on a need-to-know basis. Multi-factor authentication (MFA) is required for all remote access to Leo247’s network by employees, administrators, and third-party vendors. Leo247 has documented policies to remove access promptly upon termination of services.

Mobile Device Access: Leo247 deploys antivirus and anti-malware protection on all company-issued endpoints, configured for automatic updates, scheduled scans, and personnel alerting upon threat detection.

Network Security: Leo247 maintains a layered network security architecture incorporating firewalls with default deny-all rules, network segmentation, Intrusion Detection/Prevention Systems (IDS/IPS), and a Web Application Firewall (WAF) to protect its systems and customer data.

Anti-Virus/Anti-Malware: Leo247 deploys antivirus and anti-malware protection on all company-issued endpoints, configured for automatic updates, scheduled scans, and personnel alerting upon threat detection.

Incident Response: Leo247 maintains a formal Incident Response Plan for detection, containment, and notification of security events relating to customer data.

Data Retention & Disposal: Customer data is retained and disposed of in accordance with Leo247’s Data Retention Policy, applicable law, and contractual obligations. Electronic media containing customer data is destroyed or rendered unrecoverable using secure means.

Vendor Management: Third-party vendors with access to customer data are subject to Leo247’s Vendor Management Policy, including execution of appropriate confidentiality and data protection agreements aligning with Leo247’s responsibilities under its agreements with customers.

Personnel Security: All employees and contractors are required to complete information security awareness training upon hire and annually thereafter. Confidentiality/non-disclosure agreements are executed prior to any access to confidential information.
