Data Processing Addendum (DPA)
Effective September 4, 2025
This DPA is incorporated into and forms part of the agreement between Customer and AgentNook.com (the “Agreement”). By using the Service or executing the Agreement, the parties agree to this DPA. Contact: hello@agentnook.com.
1. Parties
Customer (Controller / Business / Data Exporter): [Controller Legal Name], [Address], [Contact Email].
AgentNook.com (Processor / Service Provider / Data Importer): AgentNook.com (hello@agentnook.com).
2. Definitions
Terms used but not defined here have the meanings in the Agreement. “Applicable Data Protection Laws” means, as applicable, the GDPR, UK GDPR, ePrivacy laws, and U.S. state privacy laws including the CCPA/CPRA. “Customer Data” means Personal Data processed by AgentNook on Customer’s behalf under the Agreement.
3. Scope & Processing Instructions
- AgentNook will process Customer Data solely: (a) to provide, secure, and improve the Service; (b) per Customer’s documented instructions set out in the Agreement and this DPA; and (c) as required by law.
- Customer is responsible for the accuracy, quality, and legality of Customer Data and the means by which it obtained the data.
- Nature and purpose, types of data, categories of data subjects, and duration are described in Annex I.
4. Confidentiality & Personnel
AgentNook will ensure persons authorized to process Customer Data are bound by appropriate confidentiality obligations and receive privacy/security training proportional to their roles.
5. Security
AgentNook will implement and maintain appropriate technical and organizational measures as described in Annex II, including TLS in transit and at-rest encryption of sensitive fields (phone, email). Hosting is provided via reputable providers (currently Supabase for database and Vercel for application hosting).
6. Sub-processors
- Customer authorizes AgentNook to use Sub-processors to provide the Service. Current Sub-processors are listed in Annex III.
- AgentNook will impose substantially similar data-protection obligations on Sub-processors and remain responsible for their performance.
- AgentNook will provide notice of new Sub-processors and allow Customer to object on reasonable grounds. If the parties cannot resolve an objection in good faith, Customer may terminate the affected Service (without penalty) as its sole remedy.
7. International Data Transfers
- Where AgentNook processes Customer Data subject to the GDPR/UK GDPR outside the EEA/UK, the parties incorporate by reference the EU Commission Standard Contractual Clauses (SCCs) (Module 2: Controller→Processor, and where applicable Module 3: Processor→Processor) and, for the UK, the UK Addendum to the EU SCCs.
- For the SCCs: the data exporter is Customer; the data importer is AgentNook; the Annexes to the SCCs are completed by Annex I–III of this DPA; governing law and forum for the SCCs are set to Ireland (or another EEA Member State specified by Customer), and the competent supervisory authority is determined per Annex I.
8. Assistance
- Data Subject Requests. Taking into account the nature of processing, AgentNook will assist Customer by appropriate technical and organizational measures to fulfill requests to exercise rights of data subjects (e.g., access, deletion, portability). AgentNook will promptly forward requests it receives directly to Customer.
- DPIAs & Consultations. AgentNook will provide assistance reasonably required for data protection impact assessments and prior consultations with supervisory authorities, to the extent related to the Service and Customer’s use of it.
9. Personal Data Breach
AgentNook will notify Customer without undue delay (and in any event within 72 hours of confirmation) after becoming aware of a Personal Data Breach affecting Customer Data. The notice will include details known at the time and be followed by updates as information becomes available. AgentNook will take reasonable steps to mitigate effects and identify the root cause.
10. Audits
Upon reasonable advance notice and no more than annually (unless required by a competent authority or in the event of a material breach), Customer may audit AgentNook’s compliance with this DPA. Audits will be conducted during normal business hours, without undue disruption, and may leverage independent third-party reports or questionnaires where appropriate. Each party bears its own costs.
11. Return & Deletion
Upon termination or expiration of the Agreement, AgentNook will delete or return Customer Data from active systems within 90 days, subject to legal holds and disaster recovery/backups. If a user belongs to a team or brokerage organization, the organization’s workspace retains organization-owned data for the duration of that organization’s subscription.
12. CCPA/CPRA Service-Provider Terms (U.S.)
- AgentNook will process Customer Personal Information solely to perform the Service for Customer’s purposes; it will not “sell” or “share” Personal Information (as defined by CPRA), nor combine it with other data except as permitted to provide and improve the Service for Customer.
- AgentNook will comply with applicable consumer rights requests received via Customer and will flow down service-provider obligations to Sub-processors.
13. Liability & Conflict
Each party’s aggregate liability under this DPA is subject to the limitations/exclusions of liability in the Agreement. In case of conflict, this DPA prevails over the Agreement to the extent of the conflict, and the SCCs (where applicable) prevail over this DPA.
14. Governing Law & Venue (Non-SCC)
For issues not governed by the SCCs/UK Addendum, this DPA follows the Agreement’s governing law and venue: Nevada law and exclusive jurisdiction in Clark County, Nevada.
15. Term & Termination
This DPA is effective as of the Effective Date and continues for the duration of the Agreement. Termination follows the Agreement. Sections that by nature should survive (e.g., confidentiality, liability) will survive.
Annex I — Details of Processing
Subject matter: Provision of the AgentNook CRM and deal-tracking Service.
Duration: Term of the Agreement plus 90-day post-termination deletion window.
Nature & purpose: Hosting, storage, transmission, and processing of Customer Data to manage contacts, deals, tasks, documents, and related workflows; support; security; billing; and service improvement.
Categories of data subjects: Customer’s end users (agents, staff), clients/prospects, partners/vendors, and other individuals whose data Customer inputs into the Service.
Types of Personal Data (as determined by Customer): identifiers (name, email, phone), professional details, property/deal metadata, notes, tasks, file attachments; usage/diagnostic data. Sensitive fields (phone and email) are encrypted at rest by AgentNook. Customer should not input PHI, payment card data, or other special categories unless expressly permitted.
Special categories: Not intended or required for the Service.
Frequency of transfers: Continuous as initiated by Customer’s use of the Service.
Competent supervisory authority (SCCs): For EU exporters, the authority of the Member State where the exporter is established (default: Ireland if unspecified).
Annex II — Technical & Organizational Measures
- Encryption in transit (TLS) and encryption at rest for sensitive fields (phone, email).
- Access controls, RBAC, least-privilege, and MFA for administrative access.
- Segregated production environment; secrets management; key rotation policies.
- Logging, monitoring, and alerting; anomaly and intrusion detection.
- Regular backups, tested restore procedures, and disaster-recovery planning.
- Secure SDLC practices, code review, and dependency vulnerability scanning.
- Vendor risk management; Sub-processor due diligence and contractual safeguards.
- Data minimization, retention controls, and secure deletion procedures (90-day window).
- Employee training and confidentiality agreements.
- Incident response plan with notification workflows (72-hour target for breach notice).
- Physical security provided by cloud hosting providers (e.g., Supabase, Vercel data centers/providers).
Annex III — Authorized Sub-processors
The following Sub-processors support the Service. Customer authorizes their use. AgentNook may update this list with notice to Customer:
- Supabase — Managed PostgreSQL database and storage (infrastructure & backups).
- Vercel — Application hosting and edge delivery.
- Stripe — Payment processing (tokens/metadata only; no full card storage by AgentNook).
- Google Analytics — Web analytics on the public marketing site only (not on the dashboard).
- Microsoft Clarity — Session analytics on the public marketing site only (not on the dashboard).
- [Optional: Email delivery provider] — Transactional email (order receipts, account notices).
Note: Advertising networks are not used on the dashboard. Analytics are limited to the public website.
Execution
If the Agreement is executed electronically or by acceptance flow, this DPA is deemed executed on the same date. Otherwise, the parties may sign a copy of this DPA.
Customer (Controller)
Name: ___________________________
Title: ____________________________
Date: ____________________________
Signature: _______________________
AgentNook.com (Processor)
Name: ___________________________
Title: ____________________________
Date: ____________________________
Signature: _______________________