Esusu and Client hereby agree to supplement the Master Services Agreement (“MSA”) with this Data Processing Addendum (this “DPA”). This DPA applies to the extent Esusu processes Client Personal Data as Client’s processor in connection with the Services. Capitalized terms not defined herein have the meanings given in the MSA. If there is a conflict between this DPA and the MSA, this DPA will control.
1. Definitions.
1.1 “Business Purpose” has the meaning given to it in the CCPA.
1.2 “Client Personal Data” means any Personal Information in respect of which Client is a controller or another entity’s processor where such Personal Information is processed by Esusu as a processor in connection with Esusu’s performance of the Services. Notwithstanding the foregoing, “Client Personal Data” excludes (a) data Esusu collects about consumers pursuant to separate consumer authorization or consent, (b) consumer report data and credit scores that Esusu obtains pursuant to permissible purposes under the FCRA, and (c) data Esusu collects through its own consumer-facing applications or services where Esusu acts as the controller.
1.3 “Deidentified” means data that (i) cannot reasonably be used to infer data about, or otherwise be linked to, a particular individual or (ii) is otherwise considered “deidentified,” “de-identified data,” or “anonymous” (or similar term, but not including the term “pseudonymous” or a term similar to “pseudonymous”) under Privacy Laws. For purposes of this DPA, Deidentified data includes aggregated data. Esusu may determine that data is Deidentified using reasonable technical and administrative measures. Esusu will not attempt to re-identify Deidentified data and will contractually prohibit any recipients of such data from attempting re-identification.
1.4 “Personal Information” means any data (i) relating to an identified or identifiable individual (including contact information, rental or payment history, or digital identifiers) or (ii) that otherwise constitutes “personal data,” “personal information,” or “personally identifiable information” under Privacy Laws.
1.5 “Privacy Laws” means Applicable Laws pertaining to data privacy or data protection, such as, to the extent applicable to such Party, the U.S. state consumer privacy or breach laws, consumer protection laws, or laws related to use of consumer data for marketing purposes.
1.6 “Security Incident” means any event which falls within the scope of a “security incident,” as such term (or similar term, such as “security breach” or “breach of the security of the system”) is defined under Privacy Laws.
1.7 “Sell” has the meaning given to it in Privacy Laws.
1.8 “Share” has the meaning given to it in the CCPA.
1.9 The terms “controller,” “processing” (including “process” or “processed”), and “processor” have the meanings defined in Privacy Laws when used in this DPA. Where Privacy Laws use different terms to cover similar subject matter (e.g., “business” instead of “controller” and “service provider” instead of “processor”), these terms have the meanings assigned to those corresponding terms under such Privacy Laws.
2. Rights and Obligations.
2.1 Client is the controller of Client Personal Data and Esusu is Client’s processor. In certain instances where Client acts as a processor on behalf of another controller, Esusu serves as Client’s subprocessor. In either case, Esusu is referred to under this DPA as Client’s “processor.” The processing activities carried out by Esusu and related details are described in Schedule A.
2.2 Client may disclose or otherwise make available Client Personal Data to Esusu for Esusu’s performance of the Services and as otherwise permitted in this DPA. For purposes of the CCPA, such disclosure aligns with section 1798.140(e)(5) of the CCPA. Esusu shall process Client Personal Data on behalf of and in accordance with Client’s documented instructions, unless otherwise required or permitted under Applicable Law.
2.3 Esusu shall not Sell or Share Client Personal Data. Except where otherwise required or permitted under Applicable Law, Esusu shall not retain, use, or disclose Client Personal Data (i) for any purpose other than performing the Services (including, with respect to the CCPA, any “commercial purpose” as defined thereunder) or (ii) outside of the direct business relationship between Client and Esusu. With respect to the CCPA, Esusu shall not combine Client Personal Data with personal information that Esusu receives from or on behalf of another person or collects from its own interaction with consumers (each such term as defined under the CCPA), except: (a) as otherwise permitted under the CCPA (including for purposes permitted under section 7050 of the CCPA regulations, such as the Business Purpose set forth in Section 2.2 of this DPA); (b) in connection with Esusu’s furnishing of information to consumer reporting agencies or other credit reporting activities regulated under the FCRA; (c) where limited to Client Personal Data that has been Deidentified in accordance with this DPA; or (d) for purposes of fraud prevention, identity verification, or ensuring the accuracy and integrity of data furnished to consumer reporting agencies.
2.4 FCRA Activities. The Parties acknowledge that the Services include Esusu’s furnishing of rental payment data and related information to consumer reporting agencies (as defined under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (“FCRA”)), subject to consumer reporting agency requirements, as part of Esusu’s core business operations. Nothing in this DPA shall restrict or impair Esusu’s rights, obligations, or activities as a “furnisher” under the FCRA, including Esusu’s rights and obligations to furnish information to consumer reporting agencies, respond to disputes, and comply with FCRA data accuracy requirements. The FCRA requirements and Esusu’s rights and obligations thereunder operate independently of and supersede any conflicting restrictions set forth in this DPA. Client acknowledges that consumer reporting activities are a fundamental component of the Services and consents to Esusu’s furnishing of rental payment data to consumer reporting agencies in connection with the Services, subject to consumer reporting agency requirements. For the avoidance of doubt, data furnished by Esusu to consumer reporting agencies pursuant to the FCRA shall not be deemed a “Sale” or “Share” of Client Personal Data under Privacy Laws. Consumer consent for consumer reporting activities is obtained by Esusu separately in accordance with FCRA requirements and is not governed by this DPA.
2.5 To the extent the following rights are expressly provided to Client under Privacy Laws: (i) Client has the right to take reasonable and appropriate steps to ensure that Esusu processes Client Personal Data in a manner consistent with Client’s obligations under Privacy Laws; provided, however, that Client shall exercise such right solely by conducting an audit under Section 2.6 of this DPA; and (ii) Client has the right to request documentation demonstrating Esusu’s compliance with its processor obligations under Privacy Laws, and Esusu shall provide documentation that Esusu has prepared for general use across its clients regarding such compliance. Esusu shall notify Client if Esusu determines that it can no longer meet its obligations under Privacy Laws. Upon such notice from either Party, Client may take reasonable steps to stop and remediate any unauthorized processing by notifying Esusu that Client wishes to confer regarding such unauthorized processing, after which the Parties will confer in good faith regarding remediation steps and timelines.
2.6 With respect to any audit right expressly provided to Client under this DPA or under Privacy Laws, Client may provide written notice to Esusu requesting an audit. In response, Esusu shall provide Client with a summary of Esusu’s most recent SOC 2 Type 2 report. Where a more detailed audit is reasonably necessary under Privacy Laws or Section 2.5(i), such audit must be conducted: (i) upon reasonable written notice and at Client’s sole cost and expense; (ii) no more than once per twelve (12) month period unless otherwise required by Privacy Laws; (iii) during Esusu’s normal business hours; (iv) without involvement from Esusu’s subprocessors; (v) under a scope and process mutually agreed in writing; and (vi) remotely, except where otherwise mutually agreed in writing. For any audit, Client: (a) shall enter into a confidentiality agreement in such form as Esusu may request; (b) shall ensure personnel comply with Esusu’s policies and procedures; and (c) will not have access to Esusu’s trade secrets, source code, financial information, confidential personnel information, or confidential information relating to Esusu’s other customers or vendors. Any third-party auditors must be mutually agreed upon by Esusu and shall fulfill the obligations in (a)-(c) above.
2.7 Esusu shall ensure that its personnel that process Client Personal Data are (i) subject to a duty of confidentiality by contract or (ii) under an appropriate statutory obligation of confidentiality, in each case, with respect to Client Personal Data.
2.8 Esusu shall implement appropriate technical and organizational measures with respect to the Client Personal Data for the purpose of ensuring the level of security for such Client Personal Data that is required under Privacy Laws.
2.9 Upon becoming aware of a Security Incident, Esusu shall notify Client without undue delay and provide reasonable details to assist Client in fulfilling Client’s breach notification obligations under Privacy Laws. Client is solely responsible for complying with breach notification laws applicable to Client and fulfilling any notification obligations to third parties. Esusu’s obligations in this Section 2.9 do not apply to: (i) incidents caused by Client or Client’s Users; or (ii) unsuccessful attempts or activities that do not compromise the security of Client Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. Esusu may deliver notifications by any means Esusu selects, including via email. Client is solely responsible for maintaining accurate contact information on Esusu’s support systems at all times.
2.10 Client grants Esusu authorization to engage subprocessors and approves the subprocessors listed at https://www.esusurent.com/legal/subprocessor-list/ (the “Subprocessor List”). Consumer reporting agencies (as defined under the FCRA) engaged by Esusu for credit reporting or other FCRA-regulated activities are not “subprocessors” under this DPA; Esusu’s relationships with such agencies are governed by the FCRA and applicable consumer reporting agency agreements rather than this DPA. For all other subprocessors, Esusu shall enter into a written agreement imposing data protection terms substantially similar to those in this DPA (to the extent applicable given the nature of services provided). Where required by Privacy Laws, Client may object in writing to a new subprocessor within ten (10) days of its addition to the Subprocessor List; this objection right does not apply to consumer reporting agencies engaged for FCRA-regulated activities. Client acknowledges that, where Client objects to a subprocessor, Esusu may not provide the related Services without penalty to Esusu.
2.11 Consumer disputes regarding information furnished by Esusu to consumer reporting agencies, including Client Personal Data, are governed exclusively by the FCRA dispute procedures (15 U.S.C. §§ 1681i and 1681s-2), not by state Privacy Laws. Esusu may respond directly to and resolve FCRA-based disputes without awaiting Client instructions. For all other consumer rights requests made pursuant to Privacy Laws: (a) Client shall inform Esusu of any such requests that Esusu is obligated to comply with and provide Esusu with the information necessary to comply; (b) if Esusu receives a request directly from a consumer, Esusu will notify Client and await Client’s instructions, provided that Esusu may respond to a consumer to confirm that such request relates to Client; and (c) Esusu will coordinate with Client as reasonably necessary to obtain information required for dispute resolution.
2.12 Upon Client’s request, Esusu shall provide Client with reasonable assistance with Client’s data protection impact assessment regarding the Services pursuant to Privacy Laws by providing information to Client regarding the Services that is reasonably necessary for Client to conduct such data protection impact assessment.
2.13 Each Party represents and warrants to the other Party that its performance of its obligations under the Agreement complies with its obligations under Privacy Laws. Further, with respect to the CCPA, Esusu shall provide the same level of privacy protection as is required of “businesses” under the CCPA (as such term “business” is defined under the CCPA) by complying with this DPA.
2.14 Upon termination or expiration of the MSA, Esusu shall delete Client Personal Data, except where: (i) retained in accordance with Esusu’s backup or disaster recovery processes; (ii) Esusu deems retention necessary under Applicable Law, including Esusu’s consumer reporting agency agreement obligations; or (iii) otherwise required or permitted under Applicable Law. Esusu shall have the right to create aggregated and Deidentified datasets from Client Personal Data and to retain, use, and disclose such Deidentified data indefinitely for any purpose, including research, analytics, product development, service improvement, and industry benchmarking. Esusu’s rights with respect to Deidentified data under this Section 2.14 shall survive termination or expiration of the MSA.
Schedule A
Description of Processing
The processing activities carried out by Esusu are described as follows:
1. Duration
Esusu will process and retain the Client Personal Data during the term of the Agreement (i.e., on a continuous basis) until instructed otherwise by Client in accordance with the Agreement.
2. Nature and purpose
Esusu will process Client Personal Data to perform the Services and as further instructed by Client in its use of the Services or through other documentation (e.g., this DPA), as applicable.
3. Data subjects
Esusu shall process the following categories of persons:
● Client Renters
● Client Users
● Client personnel
4. Client Personal Data categories
Processing concerns the following categories of Client Personal Data (depending on the category of person interacting with the Services):
● Contact Information (e.g., name, address)
● Physical Address
● Rental payment history
● Log-in and password information
● Government Identifiers (e.g., photo ID)
● Property leases and related agreement details
● Family information (e.g., names and contact details of family members)
● Online identifiers (e.g., IP address, browser type, pixel or cookie data, device identifiers)
● Demographic data
● Employment and income information
● Other data categories as instructed by Client to be processed by Esusu.
Client personnel business contact information (e.g., email address, phone number) received by Esusu outside of log-in details (e.g., via email communications) is not in scope of this DPA.