Data Processing Agreement
Effective date: May 12, 2026
This DPA forms part of the Estatly Terms of Service between Customer ("Controller") and Estatly Inc. ("Processor") for any Personal Data processed under the Service.
1. Roles
Customer is the Controller of all lead, contact, listing, and consumer Personal Data uploaded or captured through the Service. Estatly is the Processor and processes Personal Data only on documented instructions from the Controller.
2. Categories of data & data subjects
- Data subjects: prospective home buyers / sellers, agent contacts, brokerage staff.
- Categories: name, email, phone, mailing address, property preferences, transaction history, message content.
- Processing purposes: lead capture, AI-generated outreach, scheduling, transaction management.
3. Subprocessors
Customer authorizes the following subprocessors. We will give 30 days' notice via email and the changelog before adding a new subprocessor.
| Subprocessor | Purpose | Region | Added |
|---|---|---|---|
| Lovable Cloud (Supabase) | Database, auth, file storage | US / EU | 2026-01-01 |
| Cloudflare | CDN, edge runtime, DDoS | Global | 2026-01-01 |
| Stripe | Payment processing & billing | US / EU | 2026-01-01 |
| Twilio | SMS & voice delivery | US | 2026-01-01 |
| ElevenLabs | AI voice synthesis | US | 2026-02-01 |
| Resend | Transactional email (legacy) | US | 2026-01-01 |
| Lovable Email | Branded transactional & auth email | US / EU | 2026-05-01 |
| Google AI (Gemini) | AI completions & reasoning | US | 2026-01-01 |
| OpenAI | AI completions (fallback) | US | 2026-01-01 |
| RapidAPI / Explorium | Property & market data enrichment | US | 2026-02-01 |
Last updated: May 13, 2026.
4. Security measures
- TLS 1.2+ in transit; AES-256 at rest.
- Row-Level Security on every multi-tenant table.
- Least-privilege admin access with audit logging.
- Annual penetration testing.
- Incident response within 72 hours of confirmed breach.
5. International transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland to the U.S., the parties agree to the EU Standard Contractual Clauses (Module 2 — Controller to Processor) and UK Addendum, which are incorporated by reference.
6. Data subject rights
Estatly will assist Customer in responding to data subject access, deletion, and portability requests within 10 business days of receiving a written request.
7. Audit rights
Customer may request our most recent SOC 2 report (when available) or a security questionnaire response once per 12-month period. On-site audits are available with 30 days' notice for Brokerage-tier customers.
8. Return / deletion
On termination, Customer may export Personal Data within 30 days. After 30 days, all Personal Data is deleted from production systems within 60 days and from backups within 180 days.
9. Signature
Use of the Service constitutes acceptance of this DPA. For a counter-signed copy on Brokerage-tier accounts, contact legal@estatly5000.com.