Data Processing Addendum
Effective: May 28, 2026 · Last updated: May 28, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Koda Properties ("we", "us", "Processor") and the Customer ("you", "Controller") and governs the Processing of Personal Data by us on your behalf.
1. Definitions
Capitalized terms have the meanings given to them in the applicable Data Protection Law for the data in question. "Data Protection Law" includes:
- Canada: the Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act respecting the protection of personal information in the private sector as amended by Law 25, and substantially-similar provincial statutes (Alberta PIPA, British Columbia PIPA).
- Jamaica: the Data Protection Act 2020 (the "Jamaica DPA").
- EU/UK: the EU General Data Protection Regulation 2016/679 and the UK GDPR.
- United States: the California Consumer Privacy Act / California Privacy Rights Act and substantially-similar state laws.
"Personal Data" includes "Personal Information" under PIPEDA, Quebec Law 25, the Jamaica DPA, and U.S. state privacy laws.
2. Roles
- You act as the Controller (or "Business" under CCPA; "Organization" under PIPEDA; "Data Controller" under the Jamaica DPA) for Personal Data you submit to the Service.
- We act as the Processor (or "Service Provider" under CCPA; "Mandated person" under Quebec Law 25; "Data Processor" under the Jamaica DPA), processing Personal Data only on your documented instructions.
- The documented instructions are: (a) the Terms of Service, (b) this DPA, (c) your configuration of the Service.
3. Processing details
| Item | Detail |
|---|---|
| Subject matter | Provision of the Koda Properties property management Service. |
| Duration | For the term of the Terms of Service plus any post-termination retention period. |
| Nature and purpose | Hosting, storing, displaying, and operating on Customer Data so the Service can deliver its features. |
| Categories of data subjects | Customer's employees, residents/owners, household members, vendors, visitors, and other individuals whose data Customer chooses to submit. |
| Categories of Personal Data | Identification data (name, role), contact data (email, phone, address), authentication data (hashed passwords, login timestamps), occupancy data (units, lots, household members), financial data (account balances, transactions, payment status), behavioral data (visits, bookings, violations), and any files/photos uploaded by Customer. |
| Special categories | The Service is not designed to process special category data (health, biometric, etc.). Customer must not submit special category data unless agreed in writing. |
4. Our obligations
We will:
- Process Personal Data only on your documented instructions, including with regard to international transfers, unless required by law (in which case we will inform you unless the law prohibits this).
- Ensure that personnel authorized to process Personal Data are bound by confidentiality.
- Implement and maintain the technical and organizational measures described in our Security Policy.
- Assist you, taking into account the nature of the processing and the information available, in:
- Responding to data subject rights requests.
- Ensuring compliance with security obligations (Art. 32 GDPR).
- Notifying and communicating about Personal Data Breaches.
- Conducting Data Protection Impact Assessments where required.
- Make available all information necessary to demonstrate compliance with these obligations.
5. Sub-processors
You provide general written authorization for us to engage sub-processors to assist with providing the Service. Current sub-processors are listed in our Privacy Policy.
We will:
- Impose data-protection obligations on each sub-processor that are no less protective than those in this DPA.
- Remain liable to you for any failures of our sub-processors to meet those obligations.
- Notify you at least 30 days before engaging a new sub-processor with access to Personal Data, by email to your account administrator and/or a notice in the Service. You may object on reasonable grounds; if we cannot accommodate your objection, you may terminate the affected portion of the Service.
6. International transfers
We process Personal Data on infrastructure located primarily in the United States. We will use safeguards appropriate to the origin jurisdiction:
- From the EEA, UK, or Switzerland: EU Standard Contractual Clauses (Module 2: Controller to Processor) or the UK International Data Transfer Addendum, plus supplementary measures where needed.
- From Canada: contractual safeguards equivalent to PIPEDA Schedule 1 principles. For Quebec Personal Information, we will conduct a Privacy Impact Assessment (Law 25, Art. 17) before transferring outside Quebec where required, and impose contractual obligations on recipients to ensure equivalent protection.
- From Jamaica: we obtain any required authorization from the Office of the Information Commissioner and impose contractual obligations equivalent to the Jamaica DPA 2020 on recipients.
- Sub-processor locations are listed in our Privacy Policy.
7. Data subject requests
We will assist you in responding to data subject requests (access, correction, deletion, portability, restriction, objection). If a data subject contacts us directly, we will redirect them to you unless we are legally required to act otherwise. The Service provides self-serve tools to export and delete Customer Data; for requests that cannot be fulfilled through these tools, contact privacy@koda.properties.
8. Personal Data Breach
If we become aware of a Personal Data Breach (or, under PIPEDA, a "Breach of Security Safeguards"; under the Jamaica DPA, a "Personal Data Breach") affecting your Customer Data, we will:
- Notify you without undue delay, and in any event within 72 hours of becoming aware (faster for jurisdictions that require it).
- Provide information reasonably available to us to help you meet your own notification obligations to regulators and data subjects under:
- PIPEDA's Breach of Security Safeguards Regulations (Canada — to the Privacy Commissioner and affected individuals where there is a real risk of significant harm; record-keeping for 24 months).
- Quebec Law 25 (Quebec — to the Commission d'accès à l'information and affected individuals where there is a risk of serious injury).
- Jamaica DPA 2020 (to the Office of the Information Commissioner and affected data subjects without undue delay).
- GDPR Art. 33–34, UK GDPR, CCPA, and other applicable laws.
- Take reasonable steps to contain and remediate the breach and assist with your investigation.
9. Return or deletion of data
Upon termination or expiration of the Service:
- You may export Customer Data for up to 30 days using self-serve tools.
- At the end of that period, we will delete or anonymize Customer Data, except where retention is required by law (e.g. tax records, audit logs).
- Residual copies may persist in backups for up to 30 days; those copies are not accessed except for restoration purposes.
10. Audits
We will make available, on reasonable request and subject to confidentiality, summary information about our security posture and any third-party audit reports (e.g. SOC 2, ISO 27001) that we hold. Audit rights are limited to once per year unless legally required, and must be conducted at your cost and during normal business hours, with at least 30 days' advance notice.
11. Canada-specific terms
Where this DPA applies to Personal Information governed by PIPEDA, Quebec Law 25, or substantially-similar provincial laws:
- We will use Personal Information only for the purposes for which it was collected by you, except with your authorization or as required by law.
- We acknowledge that you remain accountable for Personal Information transferred to us and we will provide a comparable level of protection.
- Quebec (Law 25): we will assist you with completing a Privacy Impact Assessment (PIA) where required for cross-border transfers, automated decision-making, or high-risk processing. We will not retain Quebec Personal Information for purposes beyond providing the Service without your express instruction.
- French language. Where required, we will provide privacy and contractual documents to Quebec data subjects in French.
12. Jamaica-specific terms
Where this DPA applies to Personal Data governed by the Jamaica DPA 2020:
- We will comply with the eight Standards (Data Protection Principles) set out in Section 21 of the Act.
- We will assist you in registering with the Office of the Information Commissioner where required.
- We will not process Sensitive Personal Data (Section 4) without your express instruction and an additional lawful basis under Section 23.
- We will assist with subject access requests within the timelines prescribed by the Act (typically 30 days, extendable).
- We will notify the Office of the Information Commissioner and affected data subjects of Personal Data Breaches as set out in section 8 above.
13. CCPA terms
To the extent we process Personal Information of California residents on your behalf:
- We act as your "Service Provider" or "Processor".
- We will not "sell" or "share" (as those terms are defined under CCPA/CPRA) any Personal Information.
- We will not retain, use, or disclose Personal Information for any purpose other than performing the Service, except as permitted by CCPA.
- We will not combine your Personal Information with personal information we receive from other sources, except as permitted by CCPA.
- You may take reasonable steps to monitor our compliance and remediate unauthorized use.
14. Liability
Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.
15. Conflicts and governing law
If there is a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. This DPA is governed by the same law as the Terms of Service (see Terms §13 — Ontario law for Canadian customers, Jamaican law for Jamaican and other customers).
16. Contact
For DPA-related questions or to request a signable version: privacy@koda.properties