Data Processing Addendum (DPA)
Last Updated: February 2, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Listing Kit Studio, LLC ("Processor," "we," "us") and the customer entity agreeing to the Terms ("Customer" or "Controller"). This DPA applies where Processor processes Personal Data on behalf of Customer in connection with the Listing Kit Studio Service.
If there is any conflict between this DPA and the Terms, this DPA controls regarding data protection obligations.
1. Definitions
- "Applicable Data Protection Laws" means laws and regulations applicable to the processing of Personal Data under this DPA (including, as applicable, EU/UK GDPR, US state privacy laws, and similar frameworks).
- "Controller" means Customer, who determines the purposes and means of processing Personal Data.
- "Processor" means Listing Kit Studio, LLC, which processes Personal Data on behalf of Customer.
- "Personal Data" means any information relating to an identified or identifiable natural person that Processor processes on behalf of Customer.
- "Customer Data" means data (including Personal Data) submitted to the Service by or for Customer.
- "Subprocessor" means a third party engaged by Processor to process Personal Data on behalf of Customer.
2. Roles and Scope
2.1 Customer as Controller. Customer is the Controller of Personal Data included in Customer Data.
2.2 Processor as Processor. Processor processes Personal Data only on documented instructions from Customer, as set out in the Terms and this DPA, unless required by law.
3. Processing Details
Processing details are described in Exhibit A (Processing Details).
4. Customer Obligations
Customer represents and warrants that:
- It has provided all required notices and obtained all required consents/authorizations for Customer Data, including any listing-related data, client contact info, or personal images uploaded.
- Its instructions and use of the Service comply with Applicable Data Protection Laws.
- It will not provide Sensitive Data unless expressly agreed in writing (see Section 5.4).
5. Processor Obligations
5.1 Confidentiality. Processor will ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
5.2 Security. Processor will implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. See Exhibit C (Security Measures).
5.3 Documented Instructions. Processor will process Personal Data only as necessary to provide the Service and as otherwise instructed by Customer through use/configuration of the Service.
5.4 Sensitive Data. Customer will not upload sensitive categories of data (e.g., government IDs, payment card numbers, health data, precise geolocation, children's data) unless Processor explicitly agrees in writing.
6. Subprocessors
6.1 Authorization. Customer grants Processor general authorization to use Subprocessors to support the Service.
6.2 List. Current Subprocessors are listed in Exhibit B (Subprocessors).
6.3 Subprocessor Terms. Processor will impose data protection obligations on Subprocessors consistent with this DPA.
6.4 Changes. Processor may add or replace Subprocessors. Processor will maintain an up-to-date list in Exhibit B (or a public subprocessor list referenced by Exhibit B). If Customer reasonably objects to a new Subprocessor on data protection grounds within 30 days of notice, the parties will work in good faith to resolve the concern. If unresolved, Customer may terminate the affected portion of the Service without penalty for the remainder of the then-current subscription term.
7. International Data Transfers
Customer acknowledges Processor and Subprocessors may process Personal Data in the United States and other locations where they operate. Where international transfer mechanisms are required by law (e.g., EU/UK GDPR), the parties will implement an appropriate mechanism (such as Standard Contractual Clauses) upon Customer's request.
8. Assistance With Data Subject Requests
Taking into account the nature of processing, Processor will provide reasonable assistance to Customer to respond to requests by data subjects to exercise their rights under Applicable Data Protection Laws (e.g., access, deletion, correction), to the extent Customer cannot fulfill such requests through the Service's features.
9. Security Incidents
9.1 Notice. Processor will notify Customer without undue delay after becoming aware of a Security Incident affecting Personal Data processed under this DPA.
9.2 Information. Processor will provide available information reasonably necessary for Customer to meet its incident notification obligations under Applicable Data Protection Laws.
9.3 No admission. Notification of a Security Incident is not an admission of fault or liability.
10. Audits
10.1 Audit Rights. Upon reasonable prior notice, Customer may audit Processor's compliance with this DPA no more than once per year, unless required by law or following a Security Incident.
10.2 Scope. Audits must be limited in scope, not unreasonably interfere with Processor operations, and be subject to confidentiality.
10.3 Alternatives. Processor may satisfy audit requests by providing reasonable documentation such as security summaries, policies, or third-party attestations where available.
11. Return and Deletion of Personal Data
11.1 During Term. Customer may export or retrieve Customer Data using available Service features.
11.2 Upon Termination. After termination or expiration of the subscription, Processor will delete Customer's uploaded content and associated kit data within 60 days, consistent with the retention statement in the Privacy Policy, unless legal obligations require longer retention.
11.3 Backups. Personal Data may remain in backup systems for a limited period until overwritten in the normal course.
12. Liability
Liability under this DPA is subject to the limitations of liability and exclusions in the Terms, unless prohibited by Applicable Data Protection Laws.
13. Term
This DPA remains in effect for as long as Processor processes Personal Data on behalf of Customer under the Terms.
14. Contact
Data protection requests and questions: contact us.
Exhibit A - Processing Details
Subject matter: Provision of the Listing Kit Studio Service (marketing kit generation for real estate marketing).
Duration: For the term of the subscription and up to 60 days after subscription end (deletion timeline), plus limited backup/log retention as described.
Nature and purpose: Hosting, storing, organizing, and processing Customer Data to generate marketing outputs (graphics, videos, emails, flyers), provide authentication, support, billing, analytics (if enabled), and maintain security and reliability.
Categories of data subjects: Customer's users; individuals appearing in uploaded photos (e.g., agents); and individuals whose information Customer inputs (e.g., sellers/clients) as part of listing marketing.
Types of Personal Data: Names/emails for account access; listing-related details; images; branding assets; usage logs; billing metadata (via payment processor).
Processing operations: Collection, storage, retrieval, transformation/formatting for output generation, transmission, deletion.
Note: The Service is not intended to function as a permanent file-archival or backup service.
Exhibit B - Subprocessors (as of Last Updated)
- Supabase - authentication/database/storage
- Vercel - hosting/serverless functions
- Stripe - payment processing
- Planned: Google Analytics - analytics (website usage measurement)
Exhibit C - Security Measures (summary)
Processor maintains reasonable administrative, technical, and physical safeguards, which may include:
- Encryption in transit (TLS/HTTPS)
- Access controls and least-privilege permissions
- Account authentication and session protections
- Logical separation of tenant data
- Monitoring and logging for security events
- Backups and disaster recovery practices
- Vendor security controls aligned with cloud provider capabilities