Data Processing Addendum (DPA)

Last Updated: February 2025

This DPA forms part of the PermitPilot Terms of Service and/or Master Services Agreement ("Agreement") between The Joolt Group LLC ("Processor," "PermitPilot," "we") and the customer identified in the applicable Order Form ("Customer," "Controller," "you"). This DPA applies to the extent PermitPilot processes Personal Data on behalf of Customer in connection with the Service.

1. Definitions

  • Personal Data: information relating to an identified or identifiable natural person.
  • Processing: any operation performed on Personal Data (collection, storage, use, disclosure, etc.).
  • Controller: entity that determines purposes/means of Processing.
  • Processor: entity that processes Personal Data on behalf of the Controller.
  • Subprocessor: third party engaged by Processor to process Personal Data.
  • Applicable Data Protection Law: laws such as GDPR/UK GDPR (if applicable), and U.S. state privacy laws (e.g., CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA), as applicable to Customer.

2. Scope and Roles

2.1 Customer as Controller.

Customer is the Controller of Personal Data submitted to the Service and is responsible for compliance with Applicable Data Protection Law.

2.2 PermitPilot as Processor.

PermitPilot processes Personal Data only on documented instructions from Customer as necessary to provide and secure the Service.

2.3 PermitPilot as Controller for Account Data.

PermitPilot may act as Controller for limited account, billing, and service operations data (e.g., authentication, support communications).

3. Processing Details

  • Subject matter: operation and support of PermitPilot compliance tools, proof vault, renewals workflow, and reporting.
  • Duration: for the term of the Agreement plus any retention period described in the Privacy Policy or required by law.
  • Nature and purpose: provide the Service, maintain security, generate reports/packets, send notifications.
  • Categories of Personal Data: account identifiers (name/email), user activity logs, uploaded documents that may include personal identifiers, and property-related data.
  • Categories of Data Subjects: Customer's users (employees/contractors) and potentially third parties whose info appears in uploaded materials (e.g., government documents).

4. PermitPilot Obligations

PermitPilot shall:

  • 4.1 Process only per Customer instructions and the Agreement.
  • 4.2 Maintain confidentiality of authorized personnel.
  • 4.3 Implement reasonable security measures (administrative, technical, organizational).
  • 4.4 Assist (taking into account nature of processing) with data subject requests to the extent legally required.
  • 4.5 Notify Customer of a Personal Data breach without undue delay after becoming aware.
  • 4.6 Delete/return Personal Data at termination upon Customer request, subject to legal retention and technical constraints.

5. Customer Obligations

Customer shall:

  • Ensure it has a lawful basis to provide Personal Data to PermitPilot.
  • Ensure uploaded content is minimized and appropriate.
  • Provide necessary notices/consents to its users and end users.
  • Maintain correct access controls for its account.

6. Subprocessors

6.1

PermitPilot may use Subprocessors to provide the Service (e.g., cloud hosting, email delivery, payment processing, AI providers).

6.2

PermitPilot will maintain a list of Subprocessors upon request and will require Subprocessors to protect Personal Data consistent with this DPA.

6.3

Customer may object to a new Subprocessor on reasonable grounds; the parties will work in good faith to resolve.

7. International Transfers (if applicable)

If Personal Data is transferred internationally, PermitPilot will use appropriate safeguards (e.g., standard contractual clauses) as required by law.

8. Security

PermitPilot maintains safeguards appropriate to risk, including access controls, encryption in transit, and monitoring. Specific measures may be summarized in a Security Addendum upon request.

9. Audits

Customer may request reasonable information to verify compliance. If a formal audit is required, it must be:

  • limited to once per year,
  • at Customer's expense,
  • subject to confidentiality and security constraints,
  • coordinated in advance.

10. Liability

Liability allocation is governed by the Agreement. Nothing in this DPA expands PermitPilot's liability beyond the Agreement.

Exhibit A — Processing Instructions

PermitPilot processes Customer Personal Data to provide:

  • compliance scans and reporting
  • evidence vault storage and access
  • renewal workflows and packet generation
  • user support and account operations
  • system security and abuse prevention

Signatures: Customer ____________________ Date _______ | The Joolt Group LLC ____________________ Date _______