DATA PROCESSING ADDENDUM

Effective Date: May 1, 2023

Last Updated: May 1, 2023

 

This Data Processing Addendum (“DPA”) governs all rent reporting and ancillary services (the “Services”) provided by Esusu Financial, Inc. (“Company”). By accessing or using the Services, you (“Data Contributor”) agree to be bound by the terms of this DPA, which may change from time to time upon reasonable notice, and which are incorporated by reference into the Main Services Agreement between Company and Data Contributor (the “Agreement”). Capitalized terms used but not defined in this DPA shall have the meanings set out in the Main Agreement.

IF YOU DO NOT AGREE TO THIS DPA, YOU SHOULD NOT USE ANY COMPANY SERVICES UNDER THE AGREEMENT.  

 

  1. PURPOSE
    1. The Data Controller (“Controller”) and Data Processor (“Processor”) will process Personal Data in accordance with this DPA and applicable law.
  2. DEFINITIONS
    1. “Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action.
    2. “Consumer” means any resident in the United States whose rights are covered by federal, state or local laws.
    3. “Controller” means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal data.
    4. “Data Breach” means any security incident that leads to or may lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data of any Resident Data and/or Data Contributor Data.
    5. “Data Subjects” means any individual natural person(s) who can be identified directly or indirectly using any Personal Data.
    6. “Data Protection Laws” means all applicable data privacy and data protection laws, rules, regulations, decrees, orders, and other government requirements, including, The Fair Credit Reporting Act, 15 U.S.C. § 1681 (“FCRA”), California Consumer Privacy Act (as amended) (the “CCPA”), including as modified by the California Privacy Rights Act of 2020 (the “CPRA”), upon the CPRA’s enforcement date of January 1, 2023, as applicable to Personal Data, Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), and the Utah Consumer Privacy Act (“UCPA”).
    7. “Personal Information” or “Personal Data” or “Personally Identifiable Information,” also known as PII, means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
    8. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
    9. “Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
    10. “Sensitive Data” or “Special Categories of Personal Data” means any (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) that is genetic data, biometric data processed to uniquely identify a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, and (iii) relating to criminal convictions and offenses.
    11. “Sub-processor” or “Third-Party” means any processor engaged by the Company to assist in fulfilling its obligations with respect to providing the Services pursuant to the MSA or this DPA where such entity processes Personal Data. Sub-processors may include affiliates or other third parties.
  3. PROCESSING OF PERSONAL DATA
    1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, the Data Contributor is the Controller, the Company is the Processor, and the Company or members of the Company Group will engage Sub-processors pursuant to the requirements set forth in this DPA. Where the Company processes Personal Data, Company will process such personal data in compliance with Applicable Data Protection Law as outlined in this DPA.
    2. Data Contributor’s Processing of Personal Data. Data Contributor shall, in its use of the Services and provision of instructions, Process Personal Data in accordance with the requirements of applicable Data Protection Law. Data Contributor shall have sole responsibility for the accuracy, quality, and legality of  Personal Data and the means by which the Data Contributor acquired Personal Data. 
    3. Company’s Processing of Personal Data. As the Data Contributor’s Processor, the Company shall only Process Personal Data for the following purposes: (i) Processing in accordance with the MSA; (ii) Processing initiated by Authorized Users in their use of the Services; and (iii)  Processing to comply with other reasonable instructions provided by Data Contributor that are consistent with the terms of the MSA (individually and collectively,  the “Purpose”). The Company acts on behalf of and on the instructions of the Data Contributor in carrying out the Purpose. 
    4. Details of the Processing. The subject matter of Processing Personal Data by the Company is the Purpose. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects Processed will be established under this DPA. The Company acts as Data Contributor’s service provider concerning the Processing of Personal Data subject to the CCPA as amended by CPRA, the VCDPA, the CPA, the CTDPA and the UCPA. Data Contributor discloses the Personal Data to The Company, and The Company shall Process such Personal Data only for the purposes as set out in the Agreement, including this DPA.
      1. Unless and except the Company receives a tenant’s consent, the Company shall not sell or share the Personal Data, except as set forth below;
        1. Retain, use, or disclose the Personal Data (i) for any purpose other than the business purposes as set out in the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than the business purposes specified in the Agreement, or as otherwise permitted by applicable laws; or (ii) outside of the direct business relationship between the parties;
        2. Combine the Personal Data that The Company receives from, or on behalf of, Data Contributor with Personal Data that The Company receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, provided that The Company may combine Personal Data to perform any business purpose as permitted by the applicable laws, including regulations thereto, or by regulations adopted by Privacy Protection Agencies.
        3. The Company shall comply with obligations applicable to it as a service provider under the applicable laws and shall provide Personal Data with the same level of privacy protection as is required by the applicable laws.
        4. Data Contributor shall have the right to take reasonable and appropriate steps to help ensure that The Company uses the Personal Data in a manner consistent with Data Contributor’s obligations under the applicable laws. 
        5. The Company shall notify Data Contributor if it makes a determination that it can no longer meet its obligations as a service provider under the applicable laws. If The Company so notifies Data Contributor, Data Contributor shall have the right to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data.
        6. The Company’s agreement with any sub-processor shall obligate such sub-processor to observe the requirements set forth in the DPA. 
  4. RIGHTS OF DATA SUBJECTS 
    1. Data Subject Requests. The Company shall, to the extent legally permitted, promptly notify Data Contributor if Company receives any requests from a Data Subject to exercise the following Data Subject rights: access, rectification, restriction of Processing, deletion, data portability, objection to the Processing, or to not be subject to an automated individual decision making (each, a “Data Subject Request”). Taking into account the nature of the Processing, Company shall assist Data Contributor by appropriate technical and organizational measures, insofar as possible, to fulfill the Data Contributor’s obligation to respond to a Data Subject Request under applicable Data Protection Laws.
  5. SUB-PROCESSORS 
    1. Appointment of Sub-processors. Data Contributor acknowledges and agrees that (a) The Company may retain Sub-processors; and (b) The Company and Company’s Data Contributor Parties, respectively, may engage Third-Party Sub-processors in connection with the provision of the Services. As a condition to permitting a  third-party Sub-processor to Process Personal Data, the Company or the Company Affiliates will enter into a written  agreement with each Sub-processor containing data protection obligations that provide at least the  same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the Services provided by such Sub-processor. 
  6. SECURITY 
    1. Controls for the Protection of Data Contributor Data. The Company shall maintain appropriate technical and organizational measures for the protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage,  unauthorized disclosure of, or access to, Data Contributor Data), confidentiality and integrity of Data Contributor Data. The Company regularly monitors compliance with these measures. 
  7. DATA CONTRIBUTOR DATA INCIDENT MANAGEMENT AND NOTIFICATION 
    1. The Company maintains security incident management policies and procedures. The Company shall notify the Data Contributor of any Data Breach relating to Personal Data (within the meaning of applicable Data Protection Law) of which Company becomes aware and which may require a  notification to be made to applicable regulatory bodies or Data Subjects under applicable Data Protection  Law or which Company is required to notify to Data Contributor under applicable Data Protection Law.
  8. RETURN AND DELETION OF DATA CONTRIBUTOR DATA 
    1. Upon termination of the Services for which the Company is Processing Personal Data, the Company shall, upon Data Contributor’s request and subject to the terms described in the MSA, return all Data Contributor Data and copies of such data to the Data Contributor or securely destroy them and demonstrate to the satisfaction of Data Contributor that it has taken such measures unless applicable law prevents it from  returning or destroying all or part of Data Contributor Data. The Company agrees to preserve the confidentiality of, or anonymize, any retained Data Contributor Data and will only actively Process such Data Contributor Data after such date to comply with the laws to which it is subject. 
  9. CONTROLLER AFFILIATES 
    1. Contractual Relationship. The parties acknowledge and agree that by executing the DPA, the Data Contributor enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Data Contributor Parties, thereby establishing a separate DPA between Company and each such Controller Affiliate, who, subject to the provisions of the Agreement, agrees to be bound by the obligations under this DPA and, to the extent applicable, the MSA. To avoid doubt, a Controller Affiliate is not and does not become a party to the MSA and is only a party to the DPA. All access to and use of the Services by Controller Affiliates must comply with the MSA’s terms and conditions, and any Agreement violation by a Controller Affiliate shall be deemed a violation by Data Contributor.
    2. Communication. The Data Contributor, the contracting party to the MSA, shall remain responsible for coordinating all communication with Company under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Controller Affiliates.