Data Processing Agreement

Effective Date: April 4, 2026
Version: 1.0
Status: Active

Overview

This Data Processing Agreement establishes the terms under which Ghost Tech LLC ("Processor") processes personal data on behalf of our customers ("Controllers") in accordance with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and similar privacy laws worldwide.

Key Commitments

  • Data Minimization: We collect and process only the personal data necessary to provide parking and access management services.
  • Security: We implement industry-standard encryption, access controls, and monitoring to protect your data.
  • Compliance: We assist you in fulfilling Data Subject rights requests (access, correction, deletion, portability, etc.) within legal timeframes.
  • Transparency: We maintain detailed records of all data processing activities and sub-processors engaged.
  • Incident Response: We promptly notify you of any security breaches affecting your data.

Your Data Rights

As a Data Controller, you retain full rights over your organization's personal data, including:

  • Right of Access: Request a copy of all personal data we process on your behalf
  • Right to Correction: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of personal data under specified conditions ("right to be forgotten")
  • Right to Restrict Processing: Request limitations on how we process your data
  • Right to Data Portability: Request a machine-readable export of your data
  • Right to Object: Object to certain types of processing activities

Our Sub-Processors

We engage the following third-party services to deliver our platform:

  • Twilio, Inc. – SMS and phone communication services
  • Stripe, Inc. – Payment processing (if applicable)
  • Amazon Web Services (AWS) – Cloud infrastructure and data storage
  • Google Workspace – Email and collaboration (internal use only)

You have the right to object to the use of new Sub-processors. We will notify you at least 30 days before engaging additional providers.

Data Security

We protect your data through:

  • AES-256 encryption of databases at rest
  • TLS 1.2+ encryption for all data in transit
  • Bcrypt password hashing (cost factor 12+)
  • Role-based access control (RBAC)
  • Comprehensive audit logging
  • Rate limiting and DDoS protection
  • Regular security assessments and penetration testing
  • Incident response procedures

Data Retention

We retain personal data only as long as necessary to provide services:

  • Active Accounts: Duration of service + 30 days
  • Deleted Accounts: 30 days (unless required by law)
  • Audit Logs: 365 days
  • Email/SMS Logs: 90 days (configurable)

You may request earlier deletion of any data category at any time.

International Data Transfers

When Personal Data must be transferred outside the originating country, we ensure legal compliance through:

  • Standard Contractual Clauses (for GDPR-covered transfers)
  • Adequacy decision verification
  • Explicit Data Subject consent (where required)
  • Supplementary safeguards to address residual risks

Your Responsibilities

As the Data Controller, you are responsible for:

  • Obtaining a lawful basis for collecting personal data from Data Subjects
  • Providing privacy policy disclosures required by applicable law
  • Obtaining necessary Data Subject consents (if consent is your lawful basis)
  • Responding to Data Subject rights requests within legal timeframes
  • Ensuring you have the right to share the data with ParkRequest
  • Maintaining compliance with industry-specific regulations (e.g., housing law)

Contact & Support

Data Protection / Privacy Questions:
Email: [email protected]

Sub-Processor Inquiries / Contracting:
Email: [email protected]

Agreement Execution

This Data Processing Agreement is effective as of the date you execute our Master Service Agreement and remains in effect throughout the duration of our service relationship.

By using ParkRequest services, you acknowledge that you have read and agreed to this Data Processing Agreement.
