Data Processing Addendum
Last updated: November 2026.
This Data Processing Addendum (“DPA”) supplements the TractOps Terms of Service (the “Agreement”). When you accept the Agreement, you are also accepting this DPA on behalf of your organisation (“Customer” or “Controller”). TractOps acts as the data “Processor”.
1. Scope and roles
TractOps processes Personal Data on behalf of the Customer solely to provide the TractOps service. The Customer is the data controller, responsible for the lawful basis of processing. TractOps does not determine the purposes of processing.
2. Categories of data subjects and personal data
- Data subjects: property owners, residents, tenants, board members, and property-management staff associated with the Customer's HOA communities.
- Personal data: names, email addresses, phone numbers, mailing addresses, unit numbers, role within the community, payment-related metadata (we never store full card numbers — see §6), board votes, and content the user uploads (documents, messages, photos).
3. Sub-processors
TractOps engages the following sub-processors to provide the service. Updated lists are available on request.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Web hosting and edge compute | USA |
| Neon (AWS) | PostgreSQL database | USA (us-east-1) |
| Stripe | Payment processing | USA |
| Resend | Transactional email delivery | USA |
The Customer will be notified by email at least 30 days before any new sub-processor begins processing Personal Data.
4. Security measures
- TLS 1.2+ encryption for all data in transit.
- AES-256 encryption at rest (provided by Neon and Vercel Blob storage).
- Passwords hashed with bcrypt at a cost factor of 12.
- Access tokens (JWT) expire within 1 hour; refresh tokens within 7 days.
- Production access restricted to a documented list of named individuals with multi-factor authentication.
- Daily encrypted backups retained for 30 days.
- Annual review of OWASP Top 10 risks with remediation tracked.
5. International transfers
For EU/UK data subjects, TractOps relies on the Standard Contractual Clauses (2021/914/EU) for transfers to the United States. The UK Addendum to the Standard Contractual Clauses applies for UK transfers.
6. Payment data
TractOps does not store full payment-card numbers, security codes, or bank-account numbers. Payment data is collected directly by Stripe via Stripe Elements / Stripe Checkout and is subject to Stripe's PCI-DSS Level 1 certification.
7. Data subject rights
TractOps will assist the Customer in fulfilling data-subject access, rectification, deletion, and portability requests under GDPR Articles 15–21 and equivalent rights under CCPA. Self-service export and deletion tools are available in the dashboard. For requests not satisfied by self-service tools, email contact@tractops.com with the subject line [DSR]. TractOps will send a first response within 5 business days and complete the request within 30 days.
8. Data breach notification
TractOps will notify the Customer without undue delay (and in any case within 72 hours) of becoming aware of a Personal Data breach affecting the Customer's data. Notifications go to the email address on file for the account. Notifications will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address the breach.
9. Data retention and deletion
Customer data is retained for the duration of the Agreement. Upon termination, the Customer has 30 days to export data via self-service tools. After 30 days, all Personal Data is irreversibly deleted from production systems within 14 days, and from backups within the 30-day backup retention window thereafter.
10. Audit rights
The Customer may, no more than once per calendar year, request a copy of the most recent SOC 2 / ISO 27001 attestation (when available). TractOps does not currently hold a SOC 2 attestation; the SOC 2 Type 1 audit is scheduled for completion in 2026 Q4.
11. Liability and indemnification
Liability under this DPA is governed by the limitations of liability set out in the Agreement.
12. Termination
This DPA terminates automatically upon termination of the Agreement.
To request a counter-signed copy of this DPA for your records, email contact@tractops.com with the subject [DPA request].