1. Purpose
This DPA applies to Notase customers on the Brokerage and Enterprise tiers who, in using the Service, act as a “controller” of personal data relating to other individuals (for example, team members, inquiring prospects, or past clients). It sets out the obligations that apply to Notase as a “processor” of that personal data.
For all other customers, Notase’s processing is described in our Privacy Policy, and this DPA applies only to the extent personal data of third parties is processed.
2. Definitions
Capitalized terms not defined in this DPA have the meaning set out in our Terms of Service or, where applicable, in the GDPR and comparable data protection laws. For convenience:
- Controller means the entity that determines the purposes and means of processing personal data — in this context, you, the Customer.
- Processor means Notase, which processes personal data on behalf of the Controller.
- Subprocessor means a third party engaged by Notase to process personal data on Notase’s behalf.
- Data subject means the identified or identifiable natural person to whom the personal data relates.
- Personal data means any information relating to a data subject, as processed by Notase on behalf of Customer in connection with the Service.
3. Processing details
Subject matter and duration: processing for the term of the agreement between Customer and Notase, plus any wind-down period required to return or delete personal data.
Nature and purpose: hosting, transmission, generation, analysis, and related operations necessary to provide the Service as configured by Customer.
Categories of personal data: account identifiers and contact details, property and listing data, generated content, communication content, and usage and technical data.
Categories of data subjects: Customer’s users and team members, inquirers and leads, and third parties referenced in content submitted to the Service.
4. Subprocessors
Customer authorizes Notase to engage subprocessors to support delivery of the Service. The current list of subprocessors includes:
- Clerk — authentication and session management.
- Neon — PostgreSQL database hosting.
- Vercel — application and edge hosting.
- Resend — transactional email delivery.
- Anthropic (and other AI model providers as needed) — generation of content in response to Customer requests.
- Payment processor — subscription billing and refunds.
Notase enters into written agreements with each subprocessor that impose data protection obligations no less protective than those in this DPA. Notase will provide notice of any intended addition or replacement of subprocessors, giving Customer a reasonable opportunity to object on legitimate grounds.
5. Security measures
Notase implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS) and at rest;
- Role-based access controls and the principle of least privilege for Notase personnel;
- Centralized logging, monitoring, and audit trails;
- Regular backups and tested restoration procedures;
- Incident response procedures, including 24/7 alerting for critical events;
- Confidentiality commitments for all personnel with access to personal data.
6. Data subject rights
Notase will provide reasonable assistance to Customer, taking into account the nature of the processing, to enable Customer to respond to requests from data subjects exercising their rights under applicable data protection law. If Notase receives a request directly from a data subject regarding Customer data, Notase will refer the data subject to Customer without responding on the substance of the request.
7. Breach notification
Notase will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer data. The notification will include the information required by applicable law and reasonably available to Notase at the time, and will be updated as additional information becomes available.
8. International transfers
Personal data may be transferred to and processed in jurisdictions outside the data subject’s country of residence. Where such transfers involve personal data originating from the European Economic Area, the United Kingdom, or Switzerland, the parties rely on the Standard Contractual Clauses published by the European Commission (and the UK International Data Transfer Addendum, where applicable), which are incorporated into this DPA by reference.
9. Audit rights
Notase will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including summary reports from independent third-party audits where available. Upon request and subject to reasonable confidentiality obligations, Notase will cooperate with audits conducted by Customer or an auditor mandated by Customer, provided that audits (i) occur no more than once per year unless required by a supervisory authority, (ii) are conducted during normal business hours with reasonable notice, and (iii) do not unreasonably disrupt the Service or compromise the confidentiality of other Notase customers.
10. Deletion and return
Upon termination or expiry of Customer’s agreement with Notase, Notase will, at Customer’s choice and within a reasonable wind-down period, either return all personal data processed on Customer’s behalf or delete it, together with copies, except to the extent retention is required by applicable law.
11. Governing terms
This DPA supplements and forms part of the Terms of Service between Customer and Notase. In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA controls.