Data processing addendum

Purpose

This Data Processing Addendum (DPA) supplements the agreement between Summit Estate Management, LLC ("Controller") and any third-party service providers that process personal information on Summit Estate Management's behalf ("Processors"). It also describes the Controller-Processor relationship between Summit Estate Management and the data subjects whose information is handled in the Service.

Subject matter and duration

Processing: hosting and operation of the Summit Estate Management property management platform. Duration: for the life of the agreement plus any retention period required by law.

Nature and purpose of processing

Account authentication, scheduling, ticket workflow, invoicing, document storage, audit logging, security monitoring. No advertising or profiling.

Types of personal information

• Identification: name, email, role, optional phone, optional mailing address
• Property: address, household contacts, vendor preferences, appliance inventory, access codes (encrypted)
• Operational: tickets, photos, documents, notes, invoices, walkthrough records
• Security: login attempts, IP addresses, MFA status, audit log entries

Categories of data subjects

• Summit Estate Management internal staff (admin, managers, crew)
• Summit Estate Management clients (property owners and authorized household members)
• Vendors (insurance certificates, contact info)

Sub-processors

Summit Estate Management uses the following sub-processors:

• DigitalOcean LLC (United States): cloud hosting
• Cloudflare Inc. (United States): DNS
• Let's Encrypt / ISRG (United States): TLS certificates
• Sentry / Functional Software Inc. (United States): error monitoring [planned]
• Better Stack / Better Stack s.r.o. (EU): log aggregation [planned]

Summit Estate Management gives 30 days' notice before adding or changing sub-processors. Controllers may object on reasonable grounds.

Processor obligations

Each sub-processor must:

• Process personal information only on documented instructions
• Maintain appropriate technical and organizational security measures
• Notify Summit Estate Management of personal data breaches without undue delay
• Assist with data subject rights requests
• Delete or return personal information at the end of the engagement

Security measures

Summit Estate Management applies, at minimum: TLS in transit; bcrypt password hashing; Fernet-encrypted field-level secrets (access codes); per-request CSP and other security headers; append-only audit logging; progressive login lockout; optional TOTP MFA enforced on privileged roles; nightly database backups with 14-day retention.

Data subject rights

Summit Estate Management supports access (data export), correction, and deletion requests through self-service endpoints at /account/data-export, /account/correction-request, and /account/deletion-request. Standard turnaround: 45 days.

International transfers

Where personal information is transferred outside the data subject's jurisdiction (in particular, transfers to United States providers), Summit Estate Management relies on Standard Contractual Clauses or other lawful transfer mechanisms.

Breach notification

Summit Estate Management will notify affected Controllers of a personal data breach without undue delay, and in any event within 72 hours of becoming aware of a breach involving personal information they control.

Termination

At termination, personal information is exported on request and deleted within 45 days, subject to legal retention requirements.

Contact

demo@oakwright.co