DRAFT — not legal advice and not yet reviewed by counsel. This document is a working draft and must be reviewed by a licensed attorney before it is relied upon.

Data Processing Addendum

Pilot OS by Rentwith Pilot LLC, a subsidiary of Astrae Holdings LLC · Effective Date: June 27, 2026

This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between Rentwith Pilot LLC ("Pilot," "we," "us") and the customer that uses the Service ("Customer," "you"). It governs our processing of personal data on your behalf and applies to the extent the GDPR, UK GDPR, the CCPA/CPRA, or other applicable data protection laws ("Data Protection Laws") apply to that processing. Capitalized terms not defined here have the meaning given in the Terms or the applicable Data Protection Law.

01. Roles of the Parties

For personal data that you submit to or generate within the Service about your tenants, applicants, and other third parties ("Customer Personal Data"), you act as the controller (or business) and Pilot acts as the processor (or service provider), processing such data only on your documented instructions. For account, billing, and product-usage data we collect to operate, secure, and improve the Service, Pilot acts as an independent controller, as described in our Privacy Policy.

02. Details of the Processing

  • Subject matter & duration: processing of Customer Personal Data for the term of your subscription and any wind-down period described in Section 09.
  • Nature & purpose: to provide the property-management Service — tenant and lease management, rent collection, maintenance, messaging, documents, and related features.
  • Categories of data subjects: your tenants, rental applicants, co-applicants, guarantors, roommates, vendors, and your own staff or managers.
  • Categories of personal data: contact and identity details, lease and tenancy data, payment and ledger records, maintenance and message content, and documents you upload. Applicant Social Security numbers are entered directly with TransUnion and are not received or stored by Pilot.

03. Our Obligations as Processor

  • Process Customer Personal Data only on your documented instructions (including as set out in the Terms and this DPA), unless required by law, in which case we will inform you unless legally prohibited.
  • Ensure personnel authorized to process the data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational security measures described in Section 06.
  • Assist you, taking into account the nature of the processing, with your obligations to respond to data-subject requests and to ensure security, breach notification, and data-protection impact assessments.
  • Make available information reasonably necessary to demonstrate compliance with this DPA (Section 08).

04. Your Obligations as Controller

You are responsible for the accuracy and lawfulness of Customer Personal Data and for having an appropriate legal basis (and any required notices, consents, or authorizations) to collect it and to have Pilot process it. Your instructions must comply with Data Protection Laws. You represent that any tenant or third-party data you input was collected lawfully, as also stated in the Terms.

05. Sub-processors

You authorize Pilot to engage sub-processors to provide the Service. Each sub-processor is bound by data-protection obligations no less protective than those in this DPA, and Pilot remains responsible for their performance. Our current sub-processors include:

  • Supabase — database & authentication
  • Vercel — application hosting
  • Stripe — payment processing & payouts
  • BunnyCDN — file storage & content delivery
  • Upstash — rate limiting & caching
  • Resend — transactional email
  • OpenRouter — AI/LLM processing (with PII redaction, per the Privacy Policy)
  • TransUnion SmartMove — tenant screening (independent controller of screening data)

We will give you a reasonable opportunity to object to a new sub-processor that will process Customer Personal Data before it begins, by notice to the email associated with your account. If you reasonably object on data-protection grounds and we cannot accommodate the objection, you may terminate the affected Service.

06. Security Measures

We maintain technical and organizational measures appropriate to the risk, including encryption of data in transit (TLS 1.2+) and at rest, database row-level security (RLS) for multi-tenant isolation, role-based access controls, and ongoing security testing, as further described in Section 06 of the Privacy Policy.

07. International Transfers

Where Pilot processes personal data protected by the GDPR or UK GDPR and transfers it outside the EEA, UK, or Switzerland to a country without an adequacy decision, such transfers are made subject to appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum), which are incorporated into this DPA by reference and completed with the parties and processing details set out herein.

08. Audits & Information

On reasonable written request, and no more than once per year (unless required by a supervisory authority or following a personal data breach), we will make available information reasonably necessary to demonstrate compliance with this DPA, which may include third-party audit reports or security documentation, subject to confidentiality obligations.

09. Return & Deletion

On termination of the Service, you may export Customer Personal Data during the wind-down window described in the Terms. After that window, we will delete or anonymize Customer Personal Data within a commercially reasonable period, except where retention is required by law (for example, financial records retained for tax and audit purposes, or screening metadata retained for FCRA/ECOA recordkeeping), as described in the Privacy Policy.

10. CCPA / CPRA Service-Provider Terms

With respect to Customer Personal Data that constitutes personal information under the CCPA/CPRA, Pilot acts as a service provider. We will not sell or share such personal information, will not retain, use, or disclose it except as necessary to perform the Service or as permitted by the CCPA/CPRA, and will not combine it with personal information from other sources except as permitted. We certify that we understand and will comply with these restrictions.

11. Precedence & Contact

In the event of a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls. All other terms of the Terms of Service remain in full force. Questions about this DPA, or requests to execute a countersigned copy, can be sent to privacy@rentwithpilot.com.

© 2026 Rentwith Pilot LLC, a subsidiary of Astrae Holdings LLC // rentwithpilot.com