DATA PROCESSING ADDENDUM
Effective Date: _________________________
This Data Processing Addendum (the "DPA") forms part of the Terms of Service between Production Labs, LLC ("Production Labs," "Processor") and the customer named in the Terms or applicable order form ("Customer," "Controller"). It governs the Processing of Personal Data submitted by Customer to the Production OS service (the "Service"). In the event of conflict between this DPA and the Terms of Service, this DPA controls with respect to the Processing of Personal Data.
This DPA is designed to support compliance with the General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK GDPR, the California Consumer Privacy Act of 2018 as amended ("CCPA/CPRA"), and other applicable data protection laws to the extent they apply to the Processing under the Terms.
1. DEFINITIONS
Terms not defined here have the meanings in the Terms of Service or applicable Data Protection Laws.
- "Data Protection Laws" means GDPR, UK GDPR, CCPA/CPRA, and any other privacy and data protection laws applicable to the Processing.
- "Personal Data" means information about an identified or identifiable natural person that Customer submits to the Service or that is collected by the Service on Customer's behalf.
- "Process," "Processing" has the meaning given under applicable Data Protection Laws (essentially, any operation performed on Personal Data).
- "Subprocessor" means a third party engaged by Production Labs to Process Personal Data on Customer's behalf.
- "Data Subject" means the individual to whom Personal Data relates.
2. ROLES AND SCOPE
2.1 Roles
For Personal Data Processed under the Service:
- Customer is the Controller (or, where Customer is itself acting as a processor for another controller, the relevant processor).
- Production Labs is the Processor (or sub-processor, as applicable).
Where CCPA/CPRA applies, the parties intend that Production Labs acts as Customer's "Service Provider" and Production Labs will not "sell" or "share" Personal Data within the meaning of CCPA/CPRA.
2.2 Scope
The subject matter, duration, nature, purpose, and categories of Data Subjects and Personal Data are described in Annex A — Processing Details.
2.3 Customer Responsibilities
Customer warrants that: (a) it has provided all required notices and obtained all required consents and authorizations under applicable Data Protection Laws to enable Production Labs to Process Personal Data as contemplated by the Terms and this DPA; (b) Customer's instructions comply with applicable Data Protection Laws; and (c) Customer will not submit any sensitive Personal Data (including health, financial, biometric, or government identifier data) except where the Service is reasonably intended to support such data.
3. PRODUCTION LABS' OBLIGATIONS
3.1 Documented Instructions
Production Labs will Process Personal Data only on Customer's documented instructions, which are: (a) the Terms of Service; (b) this DPA; (c) any settings Customer configures in the Service; and (d) any additional instructions Customer provides in writing that Production Labs agrees to follow. If applicable law requires Production Labs to Process Personal Data otherwise, Production Labs will inform Customer unless prohibited.
3.2 Confidentiality of Personnel
Production Labs will ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations and have been trained on data protection.
3.3 Security
Production Labs will implement and maintain the technical and organizational security measures described in Annex B — Security Measures.
3.4 Assistance With Data Subject Requests
Production Labs will, taking into account the nature of the Processing, provide reasonable assistance to Customer in responding to Data Subject requests (e.g., access, deletion, correction, portability). Where feasible, Customer can address such requests directly through Service features (e.g., contact deletion, data export). Where Production Labs receives a Data Subject request relating to Customer's Personal Data, Production Labs will forward it to Customer without responding, unless legally required to respond.
3.5 Assistance With DPIAs and Regulator Engagement
Production Labs will provide reasonable assistance to Customer in connection with: (a) data protection impact assessments; (b) prior consultations with supervisory authorities; and (c) responding to inquiries from supervisory authorities.
3.6 Audit Rights
Production Labs will make available information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior notice (not more than once per twelve months, unless required by a supervisory authority), Customer may audit Production Labs' Processing operations to the extent reasonable and at Customer's expense. The parties will cooperate in good faith on audit scope and conduct.
3.7 Subprocessors
Customer authorizes Production Labs to engage the Subprocessors listed in Annex C — Subprocessor List. Production Labs will:
(a) Enter into written agreements with each Subprocessor imposing data protection obligations substantially equivalent to those in this DPA;
(b) Remain liable for any Subprocessor's compliance with this DPA;
(c) Provide notice of intended changes to its Subprocessor list (additions or replacements) by updating the published list at agentgrowthos.com/legal/subprocessors, or by email if requested. Customer may object on reasonable data-protection grounds within fifteen (15) days; if the parties cannot resolve the objection, Customer may terminate the affected Service for convenience with a pro-rated refund of unused prepaid fees.
4. INTERNATIONAL TRANSFERS
If Personal Data of EEA, UK, or Swiss Data Subjects is transferred to a country not deemed adequate, the parties agree that the Standard Contractual Clauses (Module 2: Controller to Processor) approved by the European Commission, as updated from time to time, are incorporated by reference and apply to that transfer. The UK Addendum to the SCCs applies for UK transfers; the Swiss Addendum applies for Swiss transfers.
5. PERSONAL DATA BREACH
Production Labs will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data, and will provide reasonable information to assist Customer in meeting its own notification obligations.
6. DELETION AND RETURN OF PERSONAL DATA
On termination or expiration of the Service, Production Labs will, at Customer's option, delete or return all Personal Data, subject to: (a) backup retention until the next ordinary backup cycle (typically within ninety (90) days); and (b) retention required by applicable law. The Terms of Service Section 15.5 governs the timing of export availability.
7. LIABILITY
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. To the extent applicable Data Protection Laws impose joint liability that cannot be limited by contract, those provisions control.
8. TERM
This DPA takes effect on the Effective Date and continues until termination of the Service.
ANNEX A — PROCESSING DETAILS
| Item | Description |
|---|---|
| Subject matter | Provision of the Production OS software-as-a-service platform. |
| Duration | The term of Customer's Subscription, plus retention periods set forth in Section 6 and the Terms of Service. |
| Nature and purpose | Hosting, storing, transmitting, processing, analyzing, and displaying Customer Data to enable Customer to run its real estate practice, including CRM, calendar, document, workflow, communication, and AI-assisted functions. |
| Categories of Data Subjects | Customer's authorized users (employees, agents, contractors); Customer's contacts, prospects, leads, and clients; counterparties to real-estate transactions; other individuals whose information Customer chooses to submit to the Service. |
| Categories of Personal Data | Identification data (name, business affiliation); contact data (email, phone, address); communications (notes, message history); transaction data (opportunity stage, value, dates); calendar / scheduling data; documents Customer uploads (may contain a variety of fields depending on document type); usage and analytics data; any other Personal Data Customer chooses to submit. |
| Special category data | Customer agrees not to submit special category data (e.g., racial / ethnic origin, health, biometric, financial account, government identifier) unless specifically supported by the Service. |
ANNEX B — SECURITY MEASURES
Production Labs maintains the following technical and organizational security measures (as updated from time to time, provided that updates do not materially reduce the level of protection):
B.1 Access Control
- Role-based access control with least-privilege defaults.
- Multi-factor authentication for administrative access to production systems.
- Logging of administrative actions.
B.2 Encryption
- TLS 1.2 or higher for data in transit.
- AES-256 (or equivalent) encryption for sensitive data at rest, including OAuth tokens and encryption keys.
- Hashed (never plaintext) storage of authentication credentials.
B.3 Network Security
- Production environment isolated from development.
- Firewalled hosting infrastructure.
- DDoS protection at the edge.
B.4 Application Security
- Code review for production changes.
- Dependency scanning.
- Input validation, output encoding, and parameterized queries to prevent injection attacks.
- Session security with HTTP-only, secure, signed cookies.
B.5 Operational Security
- Logging and monitoring of authentication, authorization, and error events.
- Backup of production data with periodic restore testing.
- Incident response procedures.
- Periodic security review of subprocessors.
B.6 Personnel
- Confidentiality obligations on all personnel.
- Security awareness training.
- Access provisioning and de-provisioning tied to role.
B.7 Physical Security
- Reliance on the physical security measures of cloud infrastructure providers (Railway, Neon, AWS as applicable), each of which maintains SOC 2 Type II (or equivalent) attestations.
ANNEX C — SUBPROCESSOR LIST
The current Subprocessors Customer authorizes Production Labs to engage are:
| Subprocessor | Purpose | Location of Processing |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| OpenAI / Anthropic | AI assistant capabilities | United States |
| GoHighLevel | Backend CRM infrastructure | United States |
| Neon | Cloud database hosting | United States |
| Railway | Application hosting | United States |
| Twilio | SMS / voice (where enabled) | United States |
| Postmark / Resend | Transactional email | United States |
| Tavily | AI web research (where enabled) | United States |
| Rewardful | Affiliate tracking | United States |
| Calendly | Calendar integration (where Customer connects) | United States |
| Google LLC | Google Calendar integration (where Customer connects) | United States |
| Other third-party integrations | As authorized by Customer per integration | Per provider |
The current published list at agentgrowthos.com/legal/subprocessors supersedes this Annex if updated.
SIGNATURES
Customer:
By: ___________________________________ Name: __________________________________ Title: __________________________________ Date: __________________________________
Production Labs, LLC:
By: ___________________________________ Name: Caleb Robinson Title: Member / Chief Executive Officer Date: __________________________________
_End of Data Processing Addendum_