Last Updated: May 29, 2025

INTRODUCTION

This Data Processing Addendum (“DPA”) is entered into between HomeTree Digital, a company registered under the laws of the State of New York and with an office at 1 W End Avenue, Ste 18B, New York, NY 10023 (“Company”) and the Customer identified in the relevant Order Form (“Customer”).

DATA PROCESSING ADDENDUM

Definitions 

  • Applicable Privacy Laws means all U.S. federal and state privacy laws and regulations applicable to the Processing of Customer Personal Data under the Agreement, including but not limited to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA”), and any similar state privacy laws (e.g., in Virginia, Colorado, Connecticut, Utah), each as amended or replaced from time to time. 
  • Customer Personal Data means any Personal Data provided to the Service by or on behalf of Customer or collected and processed by or for the Customer through the Service. 
  • Data Subject means an individual who is the subject of Personal Data, also referred to as a “Consumer” under the CCPA. 
  • Personal Data means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as defined under Applicable Privacy Laws.  
  • Restricted Transfer means a transfer of Personal Data outside the United States, subject to any applicable legal requirements under U.S. data transfer laws or contracts.  
  • Security Incident means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.  
  • Service Provider and Business have the meanings given to them in the CCPA. 

Any capitalized terms used but not defined in this Addendum shall have the meanings set forth in the Agreement. 

PROCESSING OF PERSONAL DATA

  1. Description of Processing 
  • Categories of Data Subjects: Business Users (employees, contractors, agents) and third parties whose data may appear in visualizations created through the Service. 
  • Categories of Personal Data: Access credentials, contact details (name, email, phone), and any other data input by users in projects. 
  • Sensitive Data: May include sensitive data at Customer’s discretion. 
  • Frequency of Transfer: Continuous throughout the term of the Agreement. 
  • Nature and Purpose: To provide the Service as described in the Agreement. 
  • Retention: Until expiration or termination of the Agreement, unless longer retention is legally required. 

  1. Relationship of the Parties 

Customer is the Business and HomeTree Digital is a Service Provider under the CCPA. HomeTree Digital shall only Process Customer Personal Data on behalf of Customer and in accordance with the documented instructions. 

  1. Purpose Limitation 

HomeTree Digital shall Process Personal Data only for the purpose of fulfilling its obligations under the Agreement (the “Permitted Purpose”) and shall not retain, use, or disclose it for any other purpose, including for commercial benefit or a “sale” as defined by the CCPA. 

  1. Customer Responsibilities 

Customer is responsible for complying with Applicable Privacy Laws, including notice obligations and ensuring that it has the right to transfer the Customer Personal Data to HomeTree Digital. 

  1. Confidentiality 

HomeTree Digital shall ensure that anyone it authorizes to Process Personal Data is bound by confidentiality obligations. 

  1. Security 

HomeTree Digital shall maintain appropriate technical and organizational measures to protect Customer Personal Data, as outlined below:

  • Data Encryption in Transit and at Rest. 
  • Access Controls Based on Least Privilege. 
  • Continuous Monitoring and Logging. 
  • Secure Software Development Practices. 
  • Incident Detection and Response Protocols. 
  • Regular Security Audits and Penetration Testing.

  1. Subprocessing 

HomeTree Digital may engage Subprocessors only under written agreements requiring data protection standards no less protective than those in this Addendum. A list of current Subprocessors is maintained and updated per Customer notification preferences. 

  1. International Transfers 

If Personal Data is transferred outside the U.S., HomeTree Digital will take appropriate steps to ensure compliance with applicable transfer laws and contractually agreed safeguards. 

  1. Consumer Rights Assistance 

HomeTree Digital will assist Customer, where feasible and legally permitted, in responding to verified consumer requests under Applicable Privacy Laws.

  1. Security Incidents 

HomeTree Digital will notify Customer without undue delay upon becoming aware of a Security Incident and will cooperate with Customer in mitigating and remediating the issue. 

  1. Data Return or Deletion 

Upon termination of the Agreement, HomeTree Digital shall return or delete Customer Personal Data, unless retention is required by law. 

  1. Audits 

HomeTree Digital will provide a copy or summary of recent third-party audit reports upon request and respond to reasonable audit-related inquiries annually. 

  1. Liability 

Any liability under this Addendum is subject to the limitations in the Agreement. 

  1. Duration 

This Addendum remains in effect for the duration of the Agreement. 

TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING MEASURES TO ENSURE THE SECURITY OF DATA

This section describes the minimum security standards that HomeTree Digital applies to Customer Personal Data processed in connection with the Service: 

  1. Pseudonymization and Encryption of Personal Data 

HomeTree Digital encrypts data in transit between customers and the AVA application over public networks using TLS 1.2, as a minimum. Customer Personal Data stored on HomeTree Digital servers is encrypted using AES 256, as a minimum. 

  1. Confidentiality, Integrity, Availability, and Resilience of Processing 

HomeTree Digital has personnel responsible for overseeing information security and privacy compliance. A cross-functional Information Security Committee meets regularly to review risks and controls. 

  1. Recovery and Access in the Event of an Incident 

HomeTree Digital supports service availability using AWS auto-scaling, multi-region availability zones, comprehensive monitoring, and 24/7 support coverage. Regular backups of Customer Personal Data are maintained, and a documented Personal Data Incident Response Plan governs HomeTree Digital’s incident response procedures, including containment, notification, and post-incident reviews.  

  1. Testing and Evaluation of Measures 

HomeTree Digital contracts with third-party security experts to conduct annual penetration testing. It uses automated vulnerability scanning tools and operates a public bug bounty program to assess application security.  

  1. User Identification and Authorization 

Passwords are salted and hashed using industry-standard algorithms. 

  1. Protection of Data During Transmission 

HomeTree Digital encrypts Data transmitted over public networks between customers and the HomeTree Digital application using TLS 1.2, as a minimum. 

  1. Protection of Data During Storage 

All stored Customer Personal Data is encrypted using AES 256 or higher. 

  1. Physical Security of Processing Facilities 

HomeTree Digital’s services are hosted within Amazon Web Services (AWS) data centers. Physical and environmental controls are managed by AWS. HomeTree Digital reviews AWS certifications and audit reports. 

  1. Logging and Monitoring 

Application and infrastructure logs are maintained and monitored to detect security events or anomalous activity. 

  1. System Configuration and Hardening 

Server configurations follow an internal hardening standard aligned with industry benchmarks. Patching is managed under a documented vulnerability management program. 

  1. IT Governance and Security Management 

Access to Customer Personal Data is role-based and granted on the principle of least privilege. Access to production environments requires multi-factor authentication and encrypted communications. Passwords must be securely stored, default credentials replaced, and users trained in secure password practices. Personnel are bound by confidentiality agreements and must complete annual training on information security and relevant privacy laws, including FERPA and COPPA for student-related data. 

  1. Certification and Assurance Measures 

HomeTree Digital aligns with the ISO/IEC 27001:2022 certificate, undergoing periodic external surveillance and recertification audits to ensure that its Information Security Management System (ISMS) meets the requirements of this standard.

HomeTree Digital will maintain an information security policy that meets the requirements of the ISO 27001 standard, an internal audit program that assesses HomeTree Digital’s ISMS and information security controls, and a management committee that is responsible for oversight of HomeTree Digital’s Information Security Management System (ISMS).

  1. Data Minimization 

HomeTree Digital limits the collection of Customer Personal Data to what is necessary to provide services. Customers control the nature of the data submitted via the Service. 

  1. Data Quality 

Email verification is used during sign-up, and customers may update account data directly or through customer support. 

  1. Data Retention 

HomeTree Digital adheres to a documented Data Retention Policy based on applicable legal and operational requirements. 

  1. Accountability Measures 

HomeTree Digital maintains internal records of data processing activities. Data Protection Impact Assessments are conducted for high-risk processing. A U.S.-based data privacy officer is designated to oversee compliance. 

  1. Data Portability and Deletion  

Customers may request data exports and initiate deletion of Customer Personal Data via standardized procedures documented by HomeTree Digital.