This page describes how PropAlpha.ai, Inc. (“PropAlpha”) complies with the European Union General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), and related data protection laws when processing personal data on behalf of our customers.
This page also serves as our summary Data Processing Agreement (“DPA”). Enterprise customers requiring a countersigned DPA should contact privacy@propalpha.ai.
1. Roles and Responsibilities
1.1 Controller and Processor
Under the GDPR, the terms “controller” and “processor” have specific meanings:
- You (our customer) are the Controller — you determine the purposes and means of processing personal data within your PropHub environment (e.g., employee records, tenant data, vendor contacts).
- PropAlpha is the Processor — we process personal data on your behalf, solely as instructed by you through your use of the Services and these Terms.
- PropAlpha is also a Controller for data we collect directly from you for our own purposes (e.g., account registration, billing, and marketing), governed by our Privacy Policy.
1.2 Sub-Processors
We ensure all sub-processors are bound by data processing agreements consistent with GDPR requirements. PropAlpha engages the following categories of sub-processors to deliver the Services:
- Cloud infrastructure: Amazon Web Services, Inc. (US) — hosting, storage, compute
- Database: AWS RDS / Aurora (US, EU regions available upon request)
- Email delivery: Twilio SendGrid (US)
- Payment processing: Stripe, Inc. (US)
- Customer support: Intercom, Inc. (US)
- Analytics: Mixpanel, Inc. (US) — pseudonymized usage data only
- Error monitoring: Sentry (US) — anonymized error logs
We will notify you at least 30 days in advance of adding new sub-processors. You may object to any sub-processor addition; if we cannot accommodate your objection, you may terminate your subscription without penalty.
2. Personal Data We Process on Your Behalf
2.1 Categories of Data Subjects
Depending on how you use PropHub, we may process personal data relating to:
- Your employees and contractors (HR records, space allocations, access credentials)
- Tenants, lessees, and occupants of your properties
- Vendor and supplier contacts
- Visitors and guests (if processed through integrated access control systems)
2.2 Categories of Personal Data
- Identification data: name, employee ID, job title, department
- Contact data: email address, phone number, mailing address
- Contract data: lease terms, renewal dates, payment history
- Financial data: billing information, rent payment records (where applicable)
- Operational data: work order submissions, maintenance requests, access logs
2.3 Special Category Data
PropHub is not designed to process special category data (sensitive personal data as defined in Article 9 GDPR, such as health data or biometrics). You must not upload special category data without a specific contractual arrangement with us and appropriate legal bases for processing.
3. Our Obligations as Processor
PropAlpha commits to the following as your data processor:
3.1 Processing on Instructions
We process personal data only on your documented instructions, except where required to do so by EU or Member State law. We will inform you if we believe any instruction violates applicable data protection law.
3.2 Confidentiality
All PropAlpha personnel authorized to process personal data are bound by confidentiality obligations. Access is granted on a need-to-know basis and is subject to regular review.
3.3 Security Measures
We implement appropriate technical and organizational measures (Article 32 GDPR), including:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
- Pseudonymization of analytics data where feasible
- Regular testing and evaluation of security measures (penetration testing, SOC 2 audits)
- Multi-factor authentication for all production system access
- Incident response procedures with defined escalation paths
3.4 Data Subject Rights Assistance
We provide reasonable technical assistance to help you fulfill data subject rights requests (access, rectification, erasure, portability, restriction, and objection) within the Services. Where such requests cannot be fulfilled through self-service tools, contact privacy@propalpha.ai with your request.
3.5 Data Protection Impact Assessments
We provide reasonable assistance with your Data Protection Impact Assessments (DPIAs) where our processing activities are likely to result in a high risk, in accordance with Article 35 GDPR.
3.6 Deletion and Return
Upon termination of the Services, or at your request, we will delete or return all personal data within 30 days, and delete existing copies unless EU or Member State law requires storage. We will certify such deletion in writing upon request.
3.7 Audit Rights
We make available all information reasonably necessary to demonstrate compliance with our obligations under this DPA and allow for and contribute to audits conducted by you or a third-party auditor mandated by you, with reasonable advance notice and at your cost. We may satisfy this obligation by providing our current SOC 2 Type II report.
4. International Data Transfers
4.1 Data Residency
By default, Customer Data is stored in the United States (AWS us-east-1). Enterprise customers may request EU data residency (AWS eu-west-1 or eu-central-1) as a contractual option. Contact sales@propalpha.ai to discuss EU hosting options.
4.2 Transfer Mechanisms
For transfers of personal data from the EEA, UK, or Switzerland to the United States, PropAlpha relies on:
- Standard Contractual Clauses (SCCs): The EU Commission’s standard contractual clauses (2021/914/EU) are incorporated into our DPA for controller-to-processor transfers
- UK International Data Transfer Agreement (IDTA): For UK transfers, we use the IDTA approved by the UK ICO
- Swiss SCCs: For transfers from Switzerland, we rely on SCCs with appropriate Swiss-specific amendments
PropAlpha conducts Transfer Impact Assessments (TIAs) for transfers to the US and implements supplementary measures where required.
5. Your Rights Under GDPR
If you are located in the EEA, UK, or Switzerland, you have the following rights regarding your personal data:
5.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data and information about how it is processed.
5.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate or incomplete personal data we hold about you.
5.3 Right to Erasure / ‘Right to be Forgotten’ (Article 17)
You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis for processing.
5.4 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict processing of your personal data in certain circumstances, such as while a dispute about accuracy is resolved.
5.5 Right to Data Portability (Article 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
5.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.
5.7 Rights Related to Automated Decision-Making (Article 22)
PropHub does not make solely automated decisions that produce legal or similarly significant effects on individuals.
5.8 Exercising Your Rights
To exercise any of the above rights, contact us at privacy@propalpha.ai. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may need to verify your identity before processing your request.
6. Data Breach Notification
In the event of a personal data breach affecting your Customer Data, PropAlpha will:
- Notify you without undue delay and in any case within 72 hours of becoming aware of the breach
- Provide details of the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- Cooperate with you to assist in any required notifications to supervisory authorities or affected individuals
Security incidents should be reported to security@propalpha.ai.
7. Data Protection Officer
PropAlpha has designated a Data Protection Officer (DPO) who can be contacted at:
Data Protection Officer — PropAlpha.ai, Inc.
Email: dpo@propalpha.ai
Address: 1001 Congress Ave, Suite 400, Austin, TX 78701
EU Representative:
Email: eu-rep@propalpha.ai
You also have the right to lodge a complaint with your local supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the Information Commissioner’s Office (ICO) at ico.org.uk.