Data Processing Agreement
Effective 2026-04-25
1. Parties
This Data Processing Agreement ("DPA") is between Varden Homes (the "Processor") and the Customer who has agreed to it (the "Controller"). It supplements and forms part of Varden's Terms of Service. Where the Controller engages Varden as a Sub-Processor on behalf of an upstream controller (e.g., a property owner whose data the Customer processes as part of a property management contract), the Controller warrants it has authority to bind the upstream controller.
2. Roles & subject matter
The Customer (Controller) determines the purposes and means of processing personal data on the Varden platform. Varden (Processor) processes Customer Data solely on the documented instructions of the Controller, except where required to do so by law.
3. Nature & purpose of processing
- Hosting tenant and landlord accounts and managing the lease lifecycle.
- Processing rent payments through Stripe Connect (Varden never sees raw card data).
- Sending transactional notifications (email, SMS) related to payments, leases, and maintenance.
- Generating reports and analytics for the Customer (the Controller).
- Providing AI-powered features (document analysis, drafting) where the Controller has opted in.
4. Categories of data subjects & data
Data subjects: Customer's tenants, applicants, contractors, and Customer's own staff with platform access.
Categories of personal data: identity information (name, email, phone), residential and lease records, payment metadata (Stripe-tokenized card and bank references — Varden does not store PAN or full bank account numbers), document uploads, and communications.
5. Security measures (Article 32)
- AES-256 encryption at rest for all Customer Data stored in Firestore and Cloud Storage.
- TLS 1.2+ for all data in transit; HSTS preload-eligible headers on every public surface.
- Role-based access control with least-privilege defaults. MFA required for administrative access.
- Application audit trails with actor, IP, user-agent, and timestamp for every privileged action.
- Annual penetration testing, plus continuous SAST and dependency scanning on every code change.
- Incident response runbook with on-call rotation and customer notification within 72 hours of confirmed breach.
- Backup with point-in-time recovery (Firestore PITR) and versioned object storage (Cloud Storage).
- Sub-processor due diligence and contractual flow-down of equivalent obligations.
6. Sub-processors (Article 28(2))
Varden engages the following sub-processors to provide the platform. The Customer grants general authorization for these engagements. Varden will provide at least 30 days' prior notice of any addition or material change so the Customer may object on reasonable grounds.
| Sub-processor | Purpose | Region | Transfer mechanism | DPA |
|---|---|---|---|---|
| Firebase (Google Cloud) | Authentication, Firestore database, Cloud Storage, Cloud Functions | United States | EU-U.S. Data Privacy Framework + SCCs (Module 2 / 3) | Link |
| Stripe | Payment processing, identity verification, payouts (Stripe Connect) | United States | EU-U.S. Data Privacy Framework + SCCs (Module 2) | Link |
| Vercel | Application hosting and edge delivery | Global edge | SCCs (Module 2) + UK IDTA | Link |
| Brevo | Transactional email and SMS delivery | European Union | EU adequacy (data stays in EU) | Link |
| Plaid | Bank account verification for ACH payments | United States | SCCs (Module 2) | Link |
| RentCast | Rent comparable and property pricing data | United States | No EU/UK personal data transferred (US-only public records) | Link |
| OpenAI | Document analysis and drafting (Assistants API) | United States | SCCs (Module 2) | Link |
| Anthropic | AI features powered by Claude | United States | SCCs (Module 2) | Link |
| Sentry | Error monitoring and performance traces | United States | EU-U.S. Data Privacy Framework + SCCs (Module 2) | Link |
| Twilio | Voice calls (auto-dialer, voicemail) for support and dispatch | United States | EU-U.S. Data Privacy Framework + SCCs (Module 2) | Link |
| Lob | Physical mail delivery and certified mail (legal notices, address verification) | United States | SCCs (Module 2) | Link |
| GrowthBook | Feature flag evaluation and A/B test assignment | United States | SCCs (Module 2) | Link |
| PostHog | Product analytics, session replay, and behavioral event capture | United States | SCCs (Module 2) + UK IDTA | Link |
| Google Gemini (Google Cloud) | Lease and document extraction, structured field parsing | United States | EU-U.S. Data Privacy Framework + SCCs (Module 2) | Link |
| ElevenLabs | Voice AI synthesis and speech generation for tenant support | United States | SCCs (Module 2) | Link |
| Mapbox | Property geocoding, mapping tiles, and location visualizations | United States | SCCs (Module 2) | Link |
| Cloudflare | Bot management, DDoS mitigation, WAF, and edge CDN | Global edge | EU-U.S. Data Privacy Framework + SCCs (Module 2 / 3) | Link |
7. Breach notification
Varden will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data. Notification will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, measures taken or proposed, and the contact point at Varden (security@vardenhomes.com).
8. Data subject rights
Varden assists the Customer in fulfilling its obligations to respond to data subject requests under GDPR Articles 12-22 through the in-product privacy console at /settings/privacy (export, deletion with 30-day grace, correction). For requests that cannot be self-served, the Customer may contact privacy@vardenhomes.com.
9. International transfers
Where Customer Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2 — Controller-to-Processor) and the UK International Data Transfer Addendum by reference, with the relevant annexes populated by this DPA.
10. Audits
Varden makes available to the Customer all information necessary to demonstrate compliance with this DPA, including its current SOC 2 Type II report, ISO/IEC 27001 certificate (when issued), and PCI DSS SAQ-A attestation. The Customer may request additional audits with reasonable advance notice no more than once per twelve months, subject to confidentiality.
11. Return or deletion of data
Upon termination, Varden will, at the Customer's choice, return or delete all Customer Data within 30 days, except where retention is required by law (e.g., financial records, tax filings).
12. Liability & governing law
Liability under this DPA is governed by the limitation of liability provisions in the Terms of Service. The DPA is governed by the law specified in the Terms of Service.