This Data Processing Agreement (“DPA”) supplements the Terms of Service between Woosung Investments LLC (“Processor”) and the customer entity that has agreed to those Terms (“Controller” or “Customer”). It governs the processing of personal data submitted to the Service by Customer (the “Personal Data”).
Capitalized terms used but not defined here have the meaning given in applicable data protection law (including the GDPR, UK GDPR, and CCPA/CPRA). “Data Subject,” “Processing,” “Controller,” and “Processor” have the meanings given in the GDPR.
Customer is the Controller of the Personal Data. Command Center is a Processor acting on Customer’s behalf. The categories of Data Subjects typically include Customer’s tenants, applicants, vendors, and employees. The categories of Personal Data typically include names, contact information, payment information, lease terms, communications, and similar property-management records.
We will process Personal Data only on Customer’s documented instructions, including as provided in the Terms, this DPA, and Customer’s configuration of the Service. We will notify Customer if, in our opinion, an instruction violates applicable law.
We implement appropriate technical and organizational measures to protect Personal Data, including:
Customer authorizes our use of the sub-processors listed in our Privacy Policy. We will:
Customer may object to a new sub-processor in writing within 30 days. If we cannot accommodate the objection, Customer may terminate the affected portion of the Service.
If we receive a request from a Data Subject (access, deletion, correction, portability, etc.) relating to Personal Data, we will not respond directly and will forward the request to Customer without undue delay. We will provide reasonable assistance to Customer in responding to such requests through Service features (data export, deletion tools) or, where necessary, through direct support.
We will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer’s Personal Data. Our notification will include, to the extent known, the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address it.
Personal Data is processed in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States or another country lacking an adequacy decision, the parties will rely on the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), which are incorporated into this DPA by reference.
On Customer’s written request (no more than once per 12-month period unless required by a supervisory authority or following a confirmed breach), we will provide reasonable information demonstrating compliance with this DPA, such as third-party audit reports or security questionnaires. On-site audits are by mutual written agreement and at Customer’s expense.
On termination of the Service, we will, at Customer’s choice:
except where retention is required by law.
Each party’s liability arising out of or related to this DPA is subject to the limitations of liability in the Terms.
If there is a conflict between this DPA and the Terms, this DPA controls with respect to the Processing of Personal Data.
For DPA matters, email chris@woosunginvestments.com.