Covenant

DATA PROCESSING AGREEMENT

Effective Date: February 28, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between GovernUp Solutions, LLC ("Processor") and the community association or management company ("Controller") that subscribes to the Covenant platform (the "Services"). This DPA governs the processing of personal data by the Processor on behalf of the Controller.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed through the Services, including resident names, contact information, financial records, and household data.
  • "Controller" means the community association, HOA board, or property management company that determines the purposes and means of processing Personal Data through the Services.
  • "Processor" means GovernUp Solutions, LLC, which processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the individual whose Personal Data is processed (e.g., community residents, household members, guests).

2. Scope and Purpose of Processing

The Processor processes Personal Data solely for the purpose of providing the Services as described in the Terms of Use, including:

  • Community management and governance operations
  • Financial record-keeping, assessment billing, and payment processing
  • Communications (SMS, email, in-app notifications) between management and residents
  • Document storage and management
  • AI-powered features (document Q&A, meeting summaries, portfolio briefings)
  • Compliance tracking (violations, ARC requests, work orders)
  • Voting and governance tools

3. Categories of Data Processed

The full categories of Personal Data processed are described in our Privacy Policy, Section 1. In summary:

  • Account identifiers (name, email, phone, address)
  • Household data (members, vehicles, pets, emergency contacts)
  • Financial data (payment history, assessment balances, Stripe identifiers)
  • Communications data (SMS messages, in-app messages, notification history)
  • Technical data (IP addresses, session logs, audit trails)
  • Community governance data (votes, meeting minutes, documents)

4. Controller Obligations

  • The Controller is responsible for ensuring a lawful basis exists for the collection and processing of Personal Data (e.g., resident consent, legitimate interest for community governance, contractual necessity).
  • The Controller shall provide appropriate privacy notices to Data Subjects informing them of how their data is processed through the Services.
  • The Controller shall not upload or process any data through the Services that it does not have the legal right to process.
  • The Controller is responsible for the accuracy of Personal Data provided to the Processor.

5. Processor Obligations

  • Process Personal Data only on documented instructions from the Controller and as necessary to provide the Services.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organizational security measures as described in Section 7.
  • Assist the Controller in responding to Data Subject rights requests (access, correction, deletion, portability) within 30 days.
  • Notify the Controller of any Personal Data breach without undue delay and no later than 48 hours after becoming aware of it.
  • Delete or return all Personal Data upon termination of the Services, at the Controller's election, within 30 days (except where retention is required by law).
  • Make available all information necessary to demonstrate compliance with this DPA and allow for audits.

6. Sub-processors

The Controller authorizes the Processor to engage the following Sub-processors:

Sub-processor | Purpose | Location
Stripe, Inc. | Payment processing | United States
Twilio, Inc. | SMS messaging | United States
OpenAI, LLC | AI features | United States
SendGrid (Twilio) | Email delivery | United States
Amazon Web Services | Document storage (S3) | United States
Railway Corp. | Application & database hosting | United States
Vercel, Inc. | Frontend hosting | United States
Open-Meteo | Weather data & geocoding | Germany (EU)

The Processor will notify the Controller at least 30 days before adding or replacing a Sub-processor. The Controller may object to a new Sub-processor on reasonable data-protection grounds.

7. Security Measures

The Processor implements the following technical and organizational measures:

  • TLS/HTTPS encryption for data in transit
  • AES-256 encryption for data at rest
  • Bcrypt password hashing with unique salts
  • Role-based access controls with least-privilege enforcement
  • Automated brute-force detection, account lockout, and IP blocking
  • Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy)
  • Comprehensive audit logging of all administrative and data-access actions
  • Session management with configurable timeout (default 4 hours)
  • Multi-tenant data isolation between communities

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller within 48 hours of becoming aware of the breach.
  • Provide details including: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken to mitigate the breach.
  • Cooperate with the Controller in notifying affected Data Subjects and regulatory authorities as required by applicable law.

9. Data Retention and Deletion

  • Active accounts: Data retained for the duration of the service agreement.
  • Post-termination: Personal Data deleted within 30 days of termination. Encrypted backups retained for up to 90 days, then permanently destroyed.
  • Financial records: Retained for 7 years as required by tax and accounting regulations.
  • Audit logs: Retained for 2 years for security and compliance purposes.
  • The Controller may request a data export in CSV or JSON format prior to termination.

10. International Transfers

All Personal Data is processed and stored within the United States. In the event of any international data transfer, the Processor will ensure appropriate safeguards are in place, including Standard Contractual Clauses where applicable.

11. Audit Rights

The Controller may audit the Processor's compliance with this DPA upon 30 days' written notice, no more than once per year, during normal business hours. The Processor may satisfy audit requests by providing relevant certifications, audit reports, or documentation demonstrating compliance.

12. Term and Governing Law

This DPA remains in effect for the duration of the Controller's use of the Services and survives termination until all Personal Data has been deleted or returned. This DPA is governed by the laws of the State of Maryland.

Contact Us

GovernUp Solutions, LLC

Principal Office: Upper Marlboro, Maryland

Email: support@governupsolutions.com
