Disclaimer: This Data Processing Agreement is a comprehensive template prepared for Keystir / Vocally Yours LLC. It should be reviewed by a licensed attorney before execution. This DPA is provided for informational purposes and becomes binding only when countersigned by both parties.

Data Processing Agreement

Last Updated: April 24, 2026 · Effective: Upon execution by both parties

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between:

  • Vocally Yours LLC, d/b/a Keystir, a New Jersey limited liability company ("Processor" or "Service Provider"); and
  • The entity or individual identified in the applicable Keystir subscription agreement ("Controller" or "Business").

This DPA supplements and forms part of the Keystir Terms of Service and any applicable enterprise or brokerage agreement (collectively, the "Agreement"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the Service.

This DPA is intended for brokerage and enterprise customers who require a formal data processing agreement for regulatory compliance purposes. Individual users are covered by our standard Privacy Policy and Terms of Service.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates (e.g., the Controller's clients, leads, or end users).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Applicable Data Protection Law" means all applicable federal and state privacy laws, including CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, ICDPA, MTCDPA, OCDPA, and any other applicable privacy legislation.

3. Scope of Processing

3.1 Subject Matter and Duration

The Processor will process Personal Data for the duration of the Agreement, solely for the purpose of providing the Service as described in the Agreement and as further instructed by the Controller.

3.2 Categories of Data Subjects

  • Controller's employees and agents
  • Controller's real estate clients (buyers, sellers, renters)
  • Controller's leads and prospects
  • Third parties whose data is entered into the Service by the Controller

3.3 Types of Personal Data

  • Contact information (name, email, phone, address)
  • Real estate transaction data (property details, offer terms, closing information)
  • Financial information (commission details, billing data)
  • Communications (notes, messages, AI conversation logs)
  • Documents (uploaded files, paper imports)
  • Usage data (login times, feature usage, IP addresses)

4. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by law to do otherwise (in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law).
  • Ensure that persons authorized to process Personal Data have committed to confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    • Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
    • Row-level security ensuring data isolation between customers
    • Regular security testing and vulnerability assessments
    • Access controls and audit logging
    • Incident response procedures
  • Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, subject to Section 6.
  • Assist the Controller in responding to Data Subject rights requests (access, deletion, correction, portability, opt-out).
  • Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations.
  • At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless retention is required by law.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.

5. Obligations of the Controller

The Controller shall:

  • Ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf.
  • Provide all necessary notices to, and obtain all necessary consents from, Data Subjects regarding the processing of their Personal Data through the Service.
  • Comply with all applicable data protection laws in relation to its use of the Service and the instructions it provides to the Processor.
  • Ensure that the Personal Data it provides to the Processor is accurate and up-to-date.

6. Sub-processors

6.1 Authorized Sub-processors

The Controller authorizes the Processor to engage the following sub-processors:

Sub-processor | Purpose | Location
Supabase Inc. | Database, auth, storage | United States
Anthropic PBC | AI processing (Joey assistant) | United States
Resend Inc. | Email delivery | United States
Lemon Squeezy LLC | Payment processing | United States
Printful Inc. | Print fulfillment | United States / Latvia
Vercel Inc. | Application hosting | United States
OpenWeather Ltd. | Weather data API | United Kingdom

6.2 Changes to Sub-processors

The Processor shall notify the Controller at least 30 days in advance of any intended changes to the list of sub-processors (additions or replacements). The Controller may object to such changes within 15 days of receiving notice. If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the affected portion of the Agreement.

6.3 Sub-processor Obligations

The Processor shall impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each sub-processor's obligations.

7. Security Incidents

The Processor shall:

  • Notify the Controller of any Security Incident without undue delay and in any event within 72 hours of becoming aware of the incident.
  • Provide the Controller with sufficient information to enable the Controller to meet its obligations under applicable breach notification laws, including:
    • The nature of the Security Incident
    • The categories and approximate number of Data Subjects affected
    • The likely consequences of the incident
    • The measures taken or proposed to address the incident
  • Cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Security Incident.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject rights requests under applicable law, including requests to access, correct, delete, or port Personal Data, and requests to opt out of the sale of Personal Data or targeted advertising. The Processor shall:

  • Promptly notify the Controller if it receives a request directly from a Data Subject (unless prohibited by law).
  • Not respond to Data Subject requests directly unless authorized by the Controller.
  • Provide the Controller with the technical capability to fulfill Data Subject requests through the Service (e.g., data export, data deletion features).

9. Audits

The Processor shall make available to the Controller, upon reasonable request and at least annually, information necessary to demonstrate compliance with this DPA. The Controller may conduct, or engage an independent third-party auditor to conduct, an audit of the Processor's compliance with this DPA, subject to:

  • At least 30 days' prior written notice.
  • Reasonable scope, timing, and duration to minimize disruption to the Processor's business.
  • Confidentiality obligations binding on the auditor.
  • Audits shall not exceed one per twelve-month period unless required by a regulatory authority or following a Security Incident.

10. Data Return and Deletion

Upon termination or expiration of the Agreement, or upon the Controller's written request, the Processor shall:

  • Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), or
  • Delete all Personal Data and certify such deletion in writing,

at the Controller's election. Data return or deletion shall be completed within 30 days of the request or termination, except where retention is required by applicable law. In such cases, the Processor shall inform the Controller of the legal requirement and limit processing to the extent necessary for compliance.

11. CCPA/CPRA Addendum

This section applies to the extent that Personal Data includes "Personal Information" as defined by the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, "CCPA").

11.1 Relationship of the Parties

For purposes of the CCPA, the Controller is the "Business" and the Processor is the "Service Provider." The Processor processes Personal Information on behalf of the Business pursuant to the Agreement and this DPA.

11.2 Restrictions on Use

The Processor (as Service Provider) shall not:

  • Sell or share (as defined under CCPA) the Personal Information.
  • Retain, use, or disclose the Personal Information for any purpose other than the business purposes specified in the Agreement, including retaining, using, or disclosing Personal Information for a commercial purpose other than providing the Service.
  • Retain, use, or disclose the Personal Information outside of the direct business relationship between the Processor and the Controller.
  • Combine Personal Information received from the Controller with Personal Information received from or on behalf of another person or entity, or collected from the Processor's own interactions with consumers, except as permitted under CCPA for service provider purposes.

11.3 Compliance Certification

The Processor certifies that it understands the restrictions set forth in this CCPA Addendum and will comply with them. The Processor shall notify the Controller if it determines that it can no longer meet its obligations under the CCPA.

11.4 Consumer Rights Assistance

The Processor shall assist the Controller in responding to verifiable consumer requests to know, delete, correct, or opt out, including by providing the technical means for the Controller to fulfill such requests and by responding within the timeframes required by the CCPA (generally 45 days, extendable by an additional 45 days with notice).

11.5 Deidentified Data

To the extent the Processor creates or receives deidentified data, it shall not attempt to reidentify such data except as permitted by the CCPA to determine whether its deidentification processes are adequate.

12. Liability and Indemnification

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA limits either party's liability for breaches of confidentiality obligations, willful misconduct, or obligations that cannot be limited under applicable law.

13. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. The obligations of the Processor with respect to the processing and security of Personal Data shall continue for as long as the Processor retains Personal Data processed on behalf of the Controller.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of New Jersey, without regard to its conflict of law provisions, except to the extent superseded by applicable data protection law.

15. Contact and Execution

To execute this DPA or for questions about data processing at Keystir, please contact:

Vocally Yours LLC

New Jersey, United States

Email: support@keystir.com

Website: keystir.com

Enterprise and brokerage customers may request a countersignable version of this DPA by contacting support@keystir.com.