Data Processing Agreement

1. Purpose and Scope

This Data Processing Agreement ("DPA") supplements and is incorporated into the Master Service Agreement ("MSA") between Resolve ("Provider" / "Processor") and the integration company ("Client" / "Controller"). It governs how Provider processes personal data on behalf of Client in connection with the Resolve platform ("Platform").

This DPA is intended to satisfy the data processing agreement requirements of applicable data protection laws including the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and substantially similar state and national privacy laws.

2. Definitions

• Personal Data: Any information that identifies or can identify a natural person, as defined under applicable data protection law.
• Data Subject: The natural person whose Personal Data is being processed — in this context, Client's end users (homeowners).
• Controller: The party that determines the purposes and means of processing Personal Data (Client).
• Processor: The party that processes Personal Data on behalf of the Controller (Provider).
• Processing: Any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
• Sub-processor: A third party engaged by Provider to process Personal Data in connection with delivering the Platform.
• Security Incident: Any unauthorized access, disclosure, alteration, or destruction of Personal Data.

3. Roles of the Parties

Client as Controller: Client determines why and how Personal Data about its End Users is collected and used. Client is responsible for ensuring it has a lawful basis for sharing End User data with Provider and for providing End Users with appropriate privacy disclosures.

Provider as Processor: Provider processes Personal Data only as instructed by Client (through configuration of the Platform) and as necessary to deliver the Platform services. Provider does not sell, rent, or use Personal Data for its own marketing purposes.

Client Data Accuracy and Configuration: Client is solely responsible for the accuracy, completeness, appropriateness, and lawfulness of all Personal Data and content it uploads, enters, or configures within the Platform. This includes but is not limited to: residence profiles, device configurations, uploaded documents, service notes, End User-to-residence assignments, and document scope classifications (company-wide vs. residence-specific). Any data exposure, privacy incident, or harm to Data Subjects resulting from Client's misconfiguration — such as uploading confidential documents to an incorrect scope, assigning End Users to wrong residences, or providing inaccurate device or home data — is solely Client's responsibility as Controller. Provider processes data as configured by Client and bears no liability for outcomes resulting from Client's data entry, categorization, or configuration decisions.

4. Details of Processing

Categories of Data Subjects

Residential end users (homeowners and household members) of Client's smart home integration services.

Categories of Personal Data

• Account identifiers: name, email address, phone number
• Residence information: address, property details, room layouts
• Device and system inventory: device names, models, configurations, installation notes
• Conversation content: chat messages, support inquiries, troubleshooting history
• Photos and media: images uploaded during support sessions (home interiors, equipment)
• Usage data: session timestamps, feature usage, escalation records
• Service history: technician notes, maintenance records

Purposes of Processing

• Providing AI-powered support responses to End User inquiries
• Routing and managing escalations to Client's support team
• Storing and retrieving device configurations and home context for AI responses
• Generating service reports and usage analytics for Client
• Improving service quality (aggregated, de-identified analytics only)

Duration

Personal Data is processed for the duration of the MSA. Upon termination, data is retained for up to 30 days during the export window, then permanently deleted per Section 9 below.

5. Provider Obligations

Provider agrees to:

• Process Personal Data only on documented instructions from Client (i.e., the configuration and use of the Platform), except where required by applicable law
• Ensure personnel authorized to process Personal Data are bound by appropriate confidentiality obligations
• Implement and maintain the technical and organizational security measures described in Section 7
• Not transfer Personal Data outside the Client's country of operation except as described in Section 8
• Assist Client in responding to Data Subject rights requests as described in Section 6
• Notify Client of Security Incidents as described in Section 10
• Delete or return Personal Data upon termination per Section 9
• Make available information necessary to demonstrate compliance with this DPA and cooperate with reasonable audits on 30 days' notice

6. Data Subject Rights

If Provider receives a request from an End User exercising their rights (access, rectification, erasure, portability, restriction of processing, or objection), Provider will promptly forward the request to Client. Provider will assist Client with fulfilling such requests to the extent technically feasible within the Platform.

Client is responsible for responding to Data Subject rights requests. Provider will provide reasonably requested assistance, including data exports and deletion, within 30 days of Client's written instruction.

7. Security Measures

Provider implements and maintains commercially reasonable technical and organizational security measures designed to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These measures currently include, but are not limited to, the following. Provider reserves the right to modify, update, or replace specific security measures as technology, threats, and industry best practices evolve, provided that the overall level of data protection is not materially diminished:

Access Control

• All data is access-controlled by company tenant ID — no cross-tenant data access is possible
• Row-Level Security (RLS) is enforced at the database layer on all tables
• Storage buckets are private — files require authenticated, tenant-scoped access
• Admin access requires multi-factor authentication (TOTP)
• API routes require valid session tokens; all service-role operations are audited

Data in Transit and at Rest

• All data in transit is encrypted using TLS 1.2 or higher
• Data at rest is encrypted using AES-256 (managed by Supabase/AWS)
• Storage objects (photos, documents) use private, signed URLs with time-limited expiry

Operational Security

• Rate limiting applied to all API endpoints and authentication flows
• Audit logging of administrative actions (document uploads, escalations, configuration changes)
• SSRF protections on webhook integrations
• Content Security Policy headers on all web responses

8. Sub-processors

Client authorizes Provider to engage the following sub-processors to deliver the Platform. Provider will notify Client of any material changes to this list with 30 days' advance notice, giving Client the opportunity to object.

Chat messages and support content are transmitted to AI sub-processors for processing. Provider does not send full End User profiles or system inventory to AI services — only the relevant context needed to answer each support query.

AI Provider Data Practices: AI sub-processors receive data through their commercial API services. Per their published API terms at the time of this DPA, API data is generally not used for model training. However, Provider does not control and cannot guarantee the data handling, retention, or training practices of AI sub-processors beyond their published policies. Client acknowledges that AI sub-processor terms may change over time and that Provider's obligation is limited to selecting sub-processors with commercially reasonable data handling practices and notifying Client of material changes to the sub-processor list. Provider is not liable for changes to AI sub-processor policies or data handling practices that occur after engagement.

9. Data Deletion and Return

Upon termination or expiration of the MSA, Provider will:

• Make Client Content (device configurations, documents, conversation history) available for export via the administrative dashboard for 30 days following the termination date
• Permanently delete all Personal Data from the Platform's active systems within 30 days of the termination date
• Delete data from backups within 90 days (consistent with standard backup rotation schedules)
• Provide written confirmation of deletion upon Client's request

Provider may retain Personal Data beyond these periods only where required by applicable law, and only to the minimum extent required.

10. Security Incident Notification

In the event of a Security Incident affecting Personal Data, Provider will:

• Notify Client without undue delay, and in any event within 72 hours of becoming aware of the incident
• Provide available information about the nature of the incident, the categories and approximate number of Data Subjects affected, and the likely consequences
• Describe the measures taken or proposed to address the incident and mitigate its effects
• Cooperate with Client in any required regulatory notification or Data Subject communication

Notification to Client does not constitute an acknowledgment of fault or liability. Client is responsible for any regulatory notifications required by applicable law in its jurisdiction.

11. International Data Transfers

The Platform is hosted in the United States. If Client is located in the European Economic Area, the United Kingdom, or another jurisdiction with data transfer restrictions, Client acknowledges that Personal Data will be transferred to and processed in the United States.

Provider relies on appropriate safeguards for such transfers, including:

• Standard Contractual Clauses ("SCCs") as published by the European Commission (available upon request)
• The UK International Data Transfer Agreement ("IDTA") (available upon request)

To request a copy of the applicable transfer mechanism, contact legal@resolveconcierge.com.

12. CCPA Service Provider Terms

To the extent Provider processes Personal Data of California residents on Client's behalf, Provider acts as a "Service Provider" under the CCPA. Provider agrees to:

• Not sell or share Personal Data for cross-context behavioral advertising
• Not retain, use, or disclose Personal Data for any purpose other than providing the Platform services specified in the MSA
• Comply with applicable sections of the CCPA and assist Client in responding to Consumer rights requests

13. Audit Rights

Upon Client's written request with at least 30 days' advance notice, Provider will make available information reasonably necessary to demonstrate compliance with this DPA. This may include security documentation, penetration test summaries (under NDA), or completion of a security questionnaire.

Provider may fulfill audit requests by providing certifications from qualified third-party auditors (such as SOC 2 reports) in lieu of direct audits. On-site inspections require Provider's prior written consent and are subject to reasonable confidentiality protections.