DATA PROCESSING AGREEMENT

Effective Date: April 4, 2026

Version: 1.0

This Data Processing Agreement ("Agreement") is entered into between:

**DATA CONTROLLER:** Customer/Property Organization ("Controller")

**DATA PROCESSOR:** Ghost Tech LLC ("Processor")

RECITALS

WHEREAS, the Controller engages the Processor to provide parking permit and resident access management services; and

WHEREAS, in the course of providing these services, the Processor may process personal data on behalf of the Controller; and

WHEREAS, the parties wish to establish terms governing such processing consistent with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and similar privacy laws.

NOW, THEREFORE, in consideration of the mutual covenants herein, the parties agree as follows:

---

## 1. DEFINITIONS

1.1 **Personal Data** means any information relating to an identified or identifiable natural person.

1.2 **Processing** means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, transmission, or erasure.

1.3 **Sub-processor** means any entity engaged by the Processor to process Personal Data on behalf of the Controller.

1.4 **Data Subject** means the individual to whom Personal Data relates.

---

## 2. SCOPE AND PURPOSE

2.1 **Services**

The Processor provides the following services to the Controller:

- Parking permit issuance and tracking
- Parking restriction data storage
- Vehicle and resident access management
- SMS and email notification delivery
- Admin reporting and analytics

2.2 **Personal Data Processed**

The categories of Personal Data processed include:

- Names, email addresses, phone numbers
- Vehicle information (make, model, license plate)
- Residential address and apartment number
- Vehicle photo/documentation
- Device tokens for push notifications
- Access logs and activity history

2.3 **Purpose**

Processing is performed solely to enable the Controller to administer parking and access control services as requested.

---

## 3. PROCESSOR OBLIGATIONS

3.1 The Processor shall:

- Process Personal Data only on documented instructions from the Controller
- Implement and maintain appropriate technical and organizational security measures
- Restrict access to Personal Data to authorized personnel only
- Not disclose Personal Data without prior written authorization
- Assist the Controller in responding to Data Subject rights requests
- Delete or return Personal Data upon service termination

3.2 The Processor shall not:

- Process Personal Data for its own purposes
- Retain Personal Data longer than necessary to provide the services
- Transfer Personal Data outside the services infrastructure without authorization

---

## 4. SECURITY AND CONFIDENTIALITY

4.1 **Technical Measures**

The Processor implements:

- End-to-end encryption of customer databases at rest
- TLS 1.2+ encryption for data in transit
- Secure SMTP (STARTTLS or Implicit TLS) for email transmission
- Bcrypt password hashing with appropriate cost factors
- Rate limiting and brute-force attack mitigation
- Audit logging of administrative access

4.2 **Organizational Measures:**

- Restricted access to Personal Data based on role requirements
- Employee confidentiality agreements
- Regular security assessments and penetration testing
- Incident response procedures

---

## 5. SUB-PROCESSORS

5.1 The Processor currently engages the following Sub-processors:

- **Twilio, Inc.** – SMS/phone communication services
- **Stripe, Inc.** – Payment processing (if applicable)
- **Amazon Web Services (AWS)** – Infrastructure and hosting
- **Google Workspace** – Email and collaboration tools (internal use only)

5.2 The Controller may object to new Sub-processor additions by notifying the Processor in writing. The Processor will either address the objection or offer to terminate the affected services.

---

## 6. DATA SUBJECT RIGHTS

6.1 The Processor shall assist the Controller in fulfilling Data Subject requests for:

- Access to their Personal Data
- Correction of inaccurate data
- Erasure ("right to be forgotten")
- Restriction of processing
- Data portability
- Objection to processing

6.2 The Controller remains responsible for responding to requests within GDPR timelines (typically 30 days).

---

## 7. DATA BREACH NOTIFICATION

7.1 The Processor shall notify the Controller without undue delay upon discovering any unauthorized access, loss, or compromise of Personal Data.

7.2 The notification shall include:

- Description of the breach
- Categories and approximate number of affected Data Subjects
- Likely consequences of the breach
- Measures taken or proposed to mitigate the breach
- Contact information for further details

7.3 The Controller remains responsible for evaluating whether notification to Data Subjects and supervisory authorities is required.

---

## 8. INTERNATIONAL TRANSFERS

8.1 If Personal Data must be transferred outside the Data Subject's country of origin, the Processor shall ensure an appropriate legal basis for such transfer (e.g., Standard Contractual Clauses, adequacy decisions, or explicit consent).

8.2 The Processor shall maintain documentation of all international transfer mechanisms in use.

---

## 9. DATA RETENTION

9.1 The Processor retains Personal Data only as long as necessary to provide the services or as required by law.

9.2 Default retention periods:

- Active user accounts: Duration of service + 30 days
- Deleted accounts: 30 days (unless regulatory hold applies)
- Audit logs: 365 days
- SMS/email logs: 90 days (or as configured by the Controller)

9.3 The Controller may request earlier deletion of specific data categories at any time.

---

## 10. CONTROLLER OBLIGATIONS

10.1 The Controller shall:

- Ensure lawful basis for collecting and providing Personal Data
- Ensure Data Subject notification and consent (if required)
- Provide accurate and complete personal data
- Maintain all contractual and licensing rights to the data
- Notify the Processor of any requirements under privacy laws

10.2 The Controller remains solely responsible for:

- Privacy policy disclosures
- Obtaining necessary Data Subject consents
- Responding to Data Subject rights requests
- Compliance with own privacy law obligations

---

## 11. AUDIT AND INSPECTION

11.1 The Controller or its authorized auditor may request information regarding Processor security practices, subject to reasonable notice and confidentiality obligations.

11.2 The Processor shall participate in annual security assessments or upon reasonable justified request.

---

## 12. TERM AND TERMINATION

12.1 This Agreement remains in effect for the duration of the Master Service Agreement between the parties.

12.2 Upon termination of services, the Processor shall, at the Controller's written instruction:

- Delete all Personal Data (unless retention is required by law)
- Provide a final export of Personal Data in a structured format
- Certify deletion or return in writing

---

## 13. LIABILITY

13.1 Each party's liability under this Agreement shall not exceed the fees paid in the twelve (12) months preceding the claim.

13.2 Neither party shall be liable for indirect, incidental, or consequential damages.

---

## 14. GOVERNING LAW

This Agreement shall be governed by and construed under the laws of the jurisdiction where the Controller is based, without regard to conflict of law principles. Any disputes shall be resolved through binding arbitration or court jurisdiction as specified in the Master Service Agreement.

---

## 15. AMENDMENTS

15.1 The Processor may modify this Agreement upon 30 days' written notice. Material changes adverse to the Controller will trigger the right to terminate services without penalty.

15.2 Continued use of the services following notice constitutes acceptance of amended terms.

---

## 16. SEVERABILITY

If any provision of this Agreement is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.

---

## 17. CONTACT INFORMATION

**Data Protection Officer / Privacy Contact:**

Ghost Tech LLC

Email: privacy@parkrequest.com

**Sub-processor Inquiries / Contracting:**

Email: support@parkrequest.com

---

**ACKNOWLEDGMENT**

By signing below, both parties acknowledge they have read, understood, and agree to be bound by the terms of this Data Processing Agreement.

**CONTROLLER:**

Name: ___________________________

Title: ____________________________

Date: ____________________________

Signature: _______________________

**PROCESSOR (Ghost Tech LLC):**

Name: ___________________________

Title: ____________________________

Date: ____________________________

Signature: _______________________

---

## APPENDIX A: STANDARD CONTRACTUAL CLAUSES (EU/UK)

The parties incorporate by reference the Standard Contractual Clauses approved by the EU Commission for data transfers to non-EU entities, where applicable.