Data Processing Agreement
1. Background and Purpose
Home Watch IT, LLC ("Processor") provides home watch management software (the "Services") to home watch professionals under the HWIT Master Services Agreement ("Service Agreement"). This Data Processing Agreement ("DPA") sets out the terms under which such processing takes place and satisfies the requirements of Article 28 of EU Regulation 2016/679 ("EU GDPR") and the equivalent United Kingdom legislation ("UK GDPR"). This DPA forms part of and supplements the Service Agreement. In the event of conflict, this DPA shall prevail in relation to all matters concerning personal data processing.
2. Definitions
| Term | Meaning |
|---|---|
| Applicable Law | EU GDPR (Regulation 2016/679), UK GDPR, and all subordinate legislation and regulatory guidance thereunder. |
| Controller | The HWIT customer who determines the purposes and means of processing End-User Personal Data. |
| Customer Data | All personal data submitted to or generated within the Services by or on behalf of the Controller. |
| Data Subject | Any identified or identifiable natural person whose personal data is processed under this DPA. |
| End-User Personal Data | Personal data relating to the Controller's customers, including names, postal addresses, contact details, property information, and security access information (including alarm codes). |
| Personal Data Breach | A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data. |
| Processor | Home Watch IT, LLC, which processes Customer Data on behalf of and under the instruction of the Controller. |
| SCCs | Standard Contractual Clauses approved by the European Commission under Decision (EU) 2021/914 of 4 June 2021. |
| Services | The HWIT software platform, including scheduling, visit reporting, AI-powered document search, automated email delivery, customer portal access, and related features. |
| Sub-Processor | Any third party engaged by the Processor to process Customer Data in connection with the Services. |
| UK Addendum | The International Data Transfer Addendum to the SCCs issued by the UK ICO, Version B1.0, in force 21 March 2022. |
3. Roles of the Parties
The Controller is the data controller for all End-User Personal Data processed through the Services. The Processor is the data processor, acting solely on the Controller's documented instructions. The Processor shall not process Customer Data for any purpose other than providing the Services, except where required to do so by applicable law. Each Party shall comply with its respective obligations under Applicable Law.
4. Details of Processing
| Item | Details |
|---|---|
| Nature of Processing | Collection, storage, organisation, retrieval, automated processing, AI-assisted search, automated email delivery, and secure deletion of Customer Data. |
| Purposes | Enabling the Controller to manage home watch visit scheduling, field reporting, customer communications, invoicing support, and AI document search. |
| Duration | For the duration of the Service Agreement and until all Customer Data is deleted in accordance with clause 9 of this DPA. |
| Categories of Personal Data | Names; postal addresses; email addresses; telephone numbers; property access and security information (including alarm codes); visit reports and inspection records; scheduling information. |
| Categories of Data Subjects | The Controller's end-user customers (homeowners and property owners); the Controller's employees and authorised field staff. |
| Special Categories of Data | None. The Services are not designed to process special category data as defined under Article 9 GDPR. |
5. Processor Obligations
5.1 Instructions
The Processor shall process Customer Data only on the documented instructions of the Controller. If required by applicable law to process beyond those instructions, the Processor shall inform the Controller before such processing, unless legally prohibited from doing so.
5.2 Confidentiality
The Processor shall ensure that all personnel authorised to process Customer Data are subject to binding confidentiality obligations and are made aware of the requirements of this DPA.
5.3 Security
The Processor shall implement and maintain appropriate technical and organisational measures including: encryption of personal data in transit and at rest; measures to ensure ongoing confidentiality, integrity, and availability; role-based access controls; and secure deletion procedures upon account termination.
5.4 Sub-Processors
The Controller provides general written authorisation for the Processor to engage the Sub-Processors listed in Schedule B. The Processor shall impose equivalent data protection obligations on each Sub-Processor, provide at least 30 days' notice of any Sub-Processor change, and remain fully liable for their acts and omissions.
5.5 Data Subject Rights
The Processor shall, insofar as technically possible, assist the Controller in fulfilling obligations to respond to Data Subject requests. The Processor shall notify the Controller without undue delay if it receives a Data Subject request directly.
5.6 Audit Rights
The Processor shall, upon reasonable written request (no more than once per 12-month period), provide the Controller with information sufficient to demonstrate compliance with this DPA.
6. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data Breach, including a description of the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken to address it.
7. International Data Transfers
Customer Data is stored and processed in the United States of America. The Controller hereby authorises such transfer on the basis of the following safeguards:
| Sub-Processor | EU Transfer Mechanism | UK Transfer Mechanism |
|---|---|---|
| AWS | EU–US Data Privacy Framework | UK–US Data Bridge |
| Supabase | EU–US DPF; SCCs | UK Addendum to SCCs |
| Google Cloud | EU–US Data Privacy Framework | UK–US Data Bridge |
| OpenAI Ireland Ltd. | EEA entity; SCCs for onward transfers | UK Addendum to SCCs |
| SMTP2GO | SCCs, EU Commission Decision (EU) 2021/914, Module 2 | UK IDTA, ICO Version B1.0 |
| Make.com / Celonis | EU entity (Czechia) — no transfer required | UK Addendum for UK-originating data |
| PDFShift | EU entity (France) — no transfer required | UK Addendum for UK-originating data |
| MonitorQA | SCCs (EU Commission Decision 2021/914, Module 2) | SCCs + UK Addendum |
The Standard Contractual Clauses (Controller to Processor, Module 2) under Commission Decision (EU) 2021/914 are hereby incorporated into this DPA by reference. Governing law: Ireland. Competent supervisory authority: the Irish Data Protection Commission. For UK data, the UK Addendum (ICO Version B1.0) is incorporated alongside the SCCs.
8. Controller Obligations
The Controller warrants that it has a lawful basis for all processing; has provided Data Subjects with all required privacy notices; shall not instruct the Processor to process data in a manner that would violate Applicable Law; and shall not submit special category personal data without prior written agreement.
9. Data Retention and Deletion
Upon termination, the Processor shall immediately delete all live Customer Data; purge residual copies in encrypted backups within 15 days; and confirm deletion in writing upon request.
10. Liability
Each Party shall be liable to the other for damages caused by its breach of this DPA or Applicable Law. The Processor's total aggregate liability shall be subject to the limitations set out in the Service Agreement.
11. Term and Termination
This DPA shall remain in force for the duration of the Service Agreement and shall automatically terminate upon its termination. Obligations relating to deletion of Customer Data survive termination.
12. General Provisions
This DPA is governed by the laws of Ireland (other than SCCs/UK Addendum). It constitutes the entire agreement between the Parties regarding personal data processing and supersedes all prior agreements on such subject matter.
Schedule A — Annex I: Description of Processing
| Item | Details |
|---|---|
| Data Exporter (Controller) | The HWIT customer identified in the Service Agreement: a home watch services company using the HWIT platform. |
| Data Importer (Processor) | Home Watch IT, LLC, 12895 Josey Ln #124-1155, Dallas TX 75234, USA. Contact: info@homewatchit.com |
| Categories of Data Subjects | End-user customers of the Controller (homeowners and property owners); employees and field staff of the Controller. |
| Categories of Personal Data | Names; postal addresses; email addresses; telephone numbers; property-specific notes and access/security information (including alarm codes); visit reports; scheduling information. |
| Special Categories | None intended. |
| Frequency of Transfer | Continuous, for the duration of the Service Agreement. |
| Retention Period | Duration of the Service Agreement. All live data deleted immediately upon termination; residual backup copies purged within 15 days. |
| Supervisory Authority (EU) | Irish Data Protection Commission (DPC) — dataprotection.ie |
| Supervisory Authority (UK) | UK Information Commissioner's Office (ICO) — ico.org.uk |
Schedule B — Approved Sub-Processors
| Sub-Processor | Country | Role | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services (AWS) | USA | Cloud infrastructure & hosting | EU–US DPF; UK–US Data Bridge; SCCs |
| Supabase Inc. | USA | Database (PostgreSQL) | EU–US DPF; SCCs; UK Addendum |
| Google Cloud Platform | USA | Cloud infrastructure | EU–US DPF; UK–US Data Bridge; SCCs |
| OpenAI Ireland Ltd. | Ireland (EEA) | AI-powered document search | EEA entity; SCCs for onward transfers; UK Addendum |
| SMTP2GO (Sand Dune Mail Ltd.) | New Zealand | Transactional email delivery | SCCs Module 2 (EU 2021/914); UK IDTA (ICO v. B1.0) |
| Make.com (Celonis) | Czechia (EEA) | Workflow automation | EEA entity; UK Addendum for UK data |
| PDFShift | France (EEA) | Workflow automation | EEA entity; UK Addendum for UK data |
| MonitorQA | USA | Field reporting software (HWIT master account; client accounts managed under it; data accessed via API) | Data Processing Agreement; SCCs |
Home Watch IT, LLC
12895 Josey Ln, #124-1155, Dallas TX 75234, USA
Email: info@homewatchit.com
Phone: +1 (214) 461-0166
Home Watch IT d.o.o.
Pod Jeseni 16, 1000 Ljubljana, Slovenia
Email: info@homewatchit.com