Data Processing Addendum
1. Parties and scope
This Data Processing Addendum ("DPA") is between HOA Watch, Inc., a Delaware corporation ("HOA Watch", "Processor"), and the customer entity that has subscribed to the HOA Watch service ("Customer", "Controller"). It governs HOA Watch's processing of Personal Data on the Customer's behalf in connection with the service. It is incorporated by reference into the Terms of Service. Where there is a conflict, this DPA controls for matters of personal data processing.
2. Definitions
- Controller. The entity that determines the purposes and means of processing Personal Data. For HOA Watch customers, the Customer (typically the HOA legal entity) is the Controller.
- Processor. The entity that processes Personal Data on behalf of the Controller. HOA Watch is the Processor.
- Sub-processor. A third-party service provider engaged by HOA Watch to process Personal Data on the Customer's behalf.
- Personal Data. Any information relating to an identified or identifiable natural person processed under the agreement, as defined under applicable data protection law (including GDPR, CCPA/CPRA, and the Texas Data Privacy and Security Act).
- Data Subject. The natural person to whom Personal Data relates — for HOA Watch, typically a board member, a resident, or an anonymous portal submitter.
- Applicable Law. Data protection and privacy laws that apply to the parties' processing, including GDPR, UK GDPR, CCPA/CPRA, and the Texas Data Privacy and Security Act.
3. Processing details
- Subject matter. HOA Watch's provision of its issue-triage SaaS to the Customer.
- Duration. The term of the Customer's subscription, plus the 30-day post-cancellation grace period described in our Privacy Policy.
- Nature and purpose. Ingesting, storing, classifying, summarizing (via AI), and presenting issues so the Customer's board can triage and respond to them.
- Categories of Personal Data. Identification data (name, email), authentication identifiers (CIAM object ID), HOA membership and role data, address-verification data for residents, the content of submitted issues (which may include free-text descriptions, photos, and contact details), ingested communications from configured sources (Facebook posts, SMS, email, voicemail transcripts), and technical data (IP, request logs).
- Categories of Data Subjects. Customer's board members, residents of the Customer's HOA, and members of the public who submit issues to the Customer's portal.
4. Sub-processors
The Customer authorizes HOA Watch to engage the following sub-processors, each under a written agreement that imposes data-protection obligations no less protective than this DPA:
- Microsoft Azure (US, centralus) — hosting, database, storage, queueing, secrets.
- Microsoft Entra External ID — authentication.
- Azure OpenAI (US, centralus) — AI classification and summarization. Microsoft contractually does not use Customer Data to train its underlying models.
- Stripe — billing and payment processing.
- Azure Communication Services (Microsoft Azure) — SMS ingest/delivery and transactional email.
- Cloudflare — Turnstile bot protection and CDN.
- GitHub — source code hosting and deployment automation; no Customer Personal Data is processed here.
HOA Watch will give the Customer reasonable advance notice — at least 30 days, where practicable — before adding or replacing a sub-processor that processes Personal Data, by updating this page. The Customer may object on reasonable data-protection grounds; if we cannot accommodate the objection, the Customer may terminate the affected portion of the service.
5. Security measures
HOA Watch implements and maintains the technical and organizational measures described on our Security page, including encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege managed-identity access, audit logging, and dependency vulnerability management. The Security page is incorporated into this DPA by reference and may be updated as our controls evolve, never to a level below what is in place on the date of this DPA.
6. Data subject rights
Taking into account the nature of the processing, HOA Watch will assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligations to respond to requests from Data Subjects to exercise their rights under Applicable Law (access, rectification, erasure, restriction, portability, objection, opt-out of sale or sharing). Where a Data Subject contacts HOA Watch directly, we will refer them to the Customer (the Controller) unless we are required to respond by Applicable Law.
7. Breach notification
HOA Watch will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Customer's data. The notification will include, to the extent then known: the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
8. International transfers
HOA Watch processes Personal Data only in the United States. Where Personal Data originates in the European Economic Area, the United Kingdom, or Switzerland, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 — Controller to Processor) and the UK International Data Transfer Addendum are incorporated into this DPA by reference and apply to such transfers, with HOA Watch as data importer and the Customer as data exporter. Annex I (parties, processing details, supervisory authority) is populated from Sections 1 and 3 of this DPA; Annex II (security measures) is populated from Section 5; Annex III (sub-processors) is populated from Section 4.
9. Audits and reports
HOA Watch will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA. The Customer may, no more than once per twelve-month period and on at least 30 days' prior written notice, request a summary of HOA Watch's then-current security posture, the compliance reports of our sub-processors (e.g., Microsoft Azure SOC reports, where we are permitted to share them), and the results of any third-party audit HOA Watch has commissioned. Onsite audits are not available given our cloud-only architecture; a third-party audit report will be substituted where one exists.
10. Termination — return or deletion of data
On termination of the Customer's subscription, HOA Watch will, at the Customer's option exercised within the 30-day grace period: (a) make a copy of the Customer's data available for export through the application or the API, or (b) delete the Customer's data. Absent instruction, deletion is the default and occurs automatically after the grace period, as described in our Privacy Policy. Backup copies are deleted in the ordinary course of backup rotation within 90 days of hard deletion.
11. Governing law
This DPA is governed by the laws of the State of Delaware, without regard to its conflict-of-laws rules, except that the Standard Contractual Clauses incorporated into Section 8 are governed by the law specified in those Clauses.
12. Acceptance and signature
Acceptance of the Terms of Service and an active paid subscription to HOA Watch constitute acceptance of this DPA on the Customer's behalf by the individual who created the subscription, who represents that they are authorized to bind the Customer entity. A countersigned copy is available on request to legal@hoawatch.us for customers who require one for their vendor file.
13. Contact
DPA questions, sub-processor notifications, and audit requests: legal@hoawatch.us.