Data Processing Agreement

Effective date: 2026-05-07 Version: 0.1 (pre-lawyer-review draft)

Pending legal review. This document was drafted in good faith from standard GDPR templates and Homaic's constitutional privacy commitments (homaic-charter v1.2 §6.1, homaic-foundation-standards v1.1 §2). It will be reviewed by counsel before Homaic's public launch and before being offered as a binding instrument to GDPR-covered customers.

0. Purpose and applicability

This Data Processing Agreement (the "DPA") governs Homaic, Inc.'s ("Homaic," the "Processor") processing of personal data on behalf of you (the "Customer," the "Controller") to the extent the GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss FADP, or analogous data-protection laws apply to that processing.

This DPA is part of the Terms of Service. Where this DPA conflicts with the Terms or the Privacy Policy on a point of GDPR-covered processing, this DPA controls.

If you are a U.S. consumer using the Service for personal home documentation, this DPA does not change your relationship with Homaic — your relationship is governed by the Terms and the Privacy Policy. The DPA exists for customers whose use of the Service is governed by the GDPR or analogous laws and who require a written processor agreement.

You can request a counter-signed copy of this DPA by emailing legal@homaic.io.

1. Definitions

The capitalized terms below have the meanings given to them in the GDPR. The most load-bearing for this DPA:

  • Personal Data — any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
  • Controller — the natural or legal person who determines the purposes and means of processing of Personal Data.
  • Processor — the natural or legal person who processes Personal Data on behalf of the Controller.
  • Sub-processor — any Processor engaged by Homaic to process Personal Data on behalf of the Controller.
  • Data Subject — the identified or identifiable natural person to whom the Personal Data relates.
  • Processing — any operation performed on Personal Data, including collection, storage, retrieval, transfer, and erasure.

2. Roles

For Personal Data processed in the Service:

  • Controller: Customer (the account holder using the Service).
  • Processor: Homaic, Inc.
  • Sub-processors: the third-party service providers listed in §8 (currently Anthropic, PBC; Stripe, Inc.; Supabase, Inc.; Vercel, Inc.).

For data Homaic processes on its own behalf — for example, account-creation records, billing data, and Service-operations metadata — Homaic is the Controller, and that processing is governed by the Privacy Policy at /privacy, not by this DPA.

3. Subject matter, nature, and purpose of processing

  • Subject matter: Customer's home documentation, AI-extracted suggestions on Customer's home documents, and supporting account and operational data.
  • Nature of processing: storage, retrieval, indexing, encryption, transmission, AI extraction (when initiated by Customer), display, and erasure of Personal Data submitted by Customer or generated through Customer's use of the Service.
  • Purpose: providing the homeowner-documentation Service described in the Terms, including Mode A AI extractions Customer initiates and Mode B (MCP) agent operations Customer authorizes.
  • Duration: for the term of Customer's subscription, plus the 30-day deletion period and 90-day backup-retention window described in the Privacy Policy §5.
  • Categories of Data Subjects: the Customer; members of the Customer's household whose data the Customer chooses to record; contractors, neighbors, agents, and other third parties whose contact details or interactions the Customer chooses to record.
  • Categories of Personal Data: identification data (name, email), contact data, property addresses, asset details, free-text notes, AI-extraction inputs and outputs, account-and-billing metadata. See Privacy Policy §1 for the full inventory.

4. Homaic's obligations as Processor

Homaic will:

  • Process Personal Data only on documented instructions from Customer. Customer's instructions are: (a) the use of the Service in accordance with the Terms; (b) any specific instructions Customer gives to Homaic in writing; and (c) any operation Customer authorizes through the dashboard, the API, or MCP. If Homaic believes an instruction violates GDPR or other applicable law, Homaic will inform Customer and may decline to act on the instruction.
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations (whether contractual or statutory).
  • Take all measures required pursuant to GDPR Article 32 (security of processing). The current technical and organizational measures are described in §6 below.
  • Engage Sub-processors only in accordance with §8 (Sub-processors).
  • Assist Customer in fulfilling Customer's obligations to respond to Data Subject requests (Articles 12-23). The Service provides self-serve access, correction, deletion, and portability features that allow Customer (and Customer's Data Subjects, where Customer chooses to extend the surfaces) to fulfill most requests directly. Where Homaic's assistance is required, Homaic will respond to Customer's documented request within a reasonable time.
  • Assist Customer in ensuring compliance with Articles 32-36 (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of processing and the information available to Homaic.
  • Notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer's data, with the information required by GDPR Article 33(3) to the extent it is then known.
  • Make available to Customer all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, on reasonable notice and subject to reasonable confidentiality terms. [LAWYER REVIEW NEEDED] — audit cost allocation, frequency caps, and reasonable-notice period to be set at counsel review; default expectation is one audit per twelve months on no fewer than 30 days' notice, with audit costs borne by Customer except where the audit identifies a material breach by Homaic.
  • At Customer's choice, delete or return all Personal Data to Customer at the end of the provision of services, and delete existing copies unless retention is required by applicable law. The default end-of-service path under the Terms is deletion within 30 days, with backups aged out within 90 days; Customer may instead initiate an export (Privacy Policy §6 — Access right) and request earlier deletion.

5. Customer's obligations as Controller

Customer is responsible for:

  • ensuring that Customer has a lawful basis under GDPR Article 6 for the processing Customer instructs Homaic to perform;
  • ensuring that any special-category Personal Data (GDPR Article 9) processed in the Service has the additional lawful basis required by Article 9(2);
  • providing notices to and, where required, obtaining consent from Data Subjects for the processing Customer instructs Homaic to perform;
  • responding to Data Subject requests directed to Customer in the first instance, with Homaic's assistance under §4 where required;
  • complying with Customer's own obligations under GDPR Articles 24-39 in Customer's role as Controller.

6. Technical and organizational measures (Article 32)

Homaic implements the following technical and organizational measures to ensure a level of security appropriate to the risk of the processing:

  • Pseudonymization and encryption of Personal Data. Database storage encrypted at rest using AES-256. All Service traffic encrypted in transit using TLS 1.2 or higher. Pseudonymization applied to operational analytics (Privacy Policy §1.2).
  • Confidentiality, integrity, availability, and resilience. Row-level security on every table holding Personal Data, gated to the authenticated session. Per homaic-foundation-standards §5.1 Habit 1, this is constitutional and is not configurable per deployment.
  • Restoration of availability and access in a timely manner in the event of a physical or technical incident. Daily automated database backups via Supabase point-in-time recovery, with weekly offsite export to AWS S3. Recovery testing performed quarterly.
  • Process for regularly testing, assessing, and evaluating the effectiveness of the measures. Security review pass before each release. Formal penetration testing pre-launch.
  • Access control. Magic-link authentication for users; OAuth for MCP clients. 2FA available at MVP, required for Pro tier accounts at v1.1. Personnel access to production systems is gated by role-based access control with audit logging.
  • Sub-processor management. See §8.
  • Incident response. Documented runbook for security incidents (homaic-runbook); breach notification path described in §4.
  • Audit logging. Sensitive operations are recorded to a security audit log with 90-day retention (Privacy Policy §5).

These measures may be updated as the security landscape evolves. Homaic will not reduce the overall level of security without giving Customer reasonable notice.

7. International data transfers

Personal Data is hosted in the United States by default (see Privacy Policy §3). Where Customer is located in the EEA, the United Kingdom, or Switzerland, transfers of Personal Data to the United States are governed by:

  • Standard Contractual Clauses issued by the European Commission (Decision 2021/914), incorporated by reference where applicable. [LAWYER REVIEW NEEDED] — the specific module (Module 2 — controller-to-processor — is the expected default), the docking clause for Sub-processor onward transfers, and any UK Addendum or Swiss equivalent are to be confirmed at counsel review and incorporated as Annex SCC to this DPA.
  • Supplementary measures described in §6 (encryption in transit and at rest, pseudonymization where appropriate, restricted personnel access, audit logging).

If the European Commission, the UK ICO, or the Swiss FDPIC issues a successor mechanism or finds the transfer mechanism above to be insufficient, Homaic will adopt the successor mechanism within a reasonable time and will notify Customer.

8. Sub-processors

8.1 Authorized Sub-processors

Customer authorizes Homaic to engage the following Sub-processors at the date of this DPA:

Sub-processorPurposeLocationDPA / Privacy reference
Anthropic, PBCMode A AI extractions Customer initiatesUnited Statesanthropic.com/legal/privacy
Stripe, Inc.Pro tier payment processingUnited Statesstripe.com/privacy
Supabase, Inc.Database, authentication, storageUnited Statessupabase.com/privacy
Vercel, Inc.Application hosting and edge deliveryUnited Statesvercel.com/legal/privacy-policy

Homaic has entered into written agreements with each Sub-processor that impose data-protection obligations no less protective than those in this DPA, to the extent applicable to the Sub-processor's role, including for international transfers where required.

8.2 Adding or replacing a Sub-processor

Homaic will give Customer at least 30 days' prior notice before adding or replacing a Sub-processor that processes Customer's Personal Data. Notice will be sent by email and published on the Privacy Policy page (/privacy).

If Customer reasonably objects to a new Sub-processor on data-protection grounds, Customer may object in writing within the notice period. Homaic and Customer will work in good faith to resolve the objection. If the objection cannot be resolved, Customer may terminate the affected portion of the Service and receive a pro-rata refund for the unused portion of any prepaid term.

8.3 Onward liability

Homaic remains liable to Customer for the performance of Sub-processors' data-protection obligations on the same terms as Homaic's own obligations under this DPA.

9. Data Subject requests

Where a Data Subject contacts Homaic directly with a request under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection, automated decision-making), Homaic will redirect the Data Subject to Customer if Customer is the Controller. To the extent the request relates to data Homaic processes as Controller (account-and-billing metadata, Service-operations data described in the Privacy Policy), Homaic will respond directly.

The Service's self-serve access, correction, deletion, and portability features (Privacy Policy §6) are designed to allow Customer to fulfill most requests directly without Homaic's involvement. Where Homaic's assistance is required, Homaic will respond to Customer's documented request within a reasonable time and at no additional cost, except where requests are manifestly unfounded or excessive.

10. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service (§10), as those limitations may be modified by counsel review. [LAWYER REVIEW NEEDED] — interaction between DPA liability and Terms liability cap is the standard area where counsel should adjust language; default position is that the Terms cap applies aggregated across the Terms and this DPA.

11. Term and termination

This DPA takes effect on the Effective Date and remains in effect for as long as Homaic processes Personal Data on behalf of Customer under the Terms. Termination of this DPA does not relieve either party of obligations that by their nature survive termination, including confidentiality, audit cooperation, and the deletion or return of Personal Data under §4.

12. Order of precedence

In the event of a conflict between this DPA and the Terms or Privacy Policy on a question of GDPR-covered processing, this DPA controls. In the event of a conflict between this DPA and the Standard Contractual Clauses (Annex SCC), the Standard Contractual Clauses control.

13. Governing law

This DPA is governed by the laws of the State of Colorado, United States, except where the GDPR or other applicable data-protection law requires otherwise. The Standard Contractual Clauses (Annex SCC) carry their own governing-law provision, which controls where applicable.

14. Contact

  • Data Protection Officer: dpo@homaic.io [LAWYER REVIEW NEEDED — confirm whether DPO appointment is required at MVP scale.]
  • Legal notices: legal@homaic.io
  • Privacy questions: privacy@homaic.io
  • Security disclosures: security@homaic.io

Annex 1 — Description of processing

Subject matter, nature, purpose, duration, categories of Data Subjects, and categories of Personal Data are described in §3 above. This annex incorporates §3 by reference.

Annex 2 — Technical and organizational measures

The technical and organizational measures applied by Homaic are described in §6 above. This annex incorporates §6 by reference.

Annex 3 — Sub-processor list

The Sub-processor list is maintained in §8.1 above. The current list at the date of execution is incorporated by reference; updates to the list are governed by §8.2.

Annex SCC — Standard Contractual Clauses

[LAWYER REVIEW NEEDED] — The Standard Contractual Clauses (EU Commission Decision 2021/914, Module 2 — controller-to-processor) are incorporated here by reference. The annexes to the SCCs (parties, description of transfer, technical and organizational measures, list of Sub-processors) are populated from §3, §6, and §8.1 of this DPA respectively. The UK Addendum and Swiss equivalent will be incorporated where Customer is located in the UK or Switzerland. The final form of this Annex will be set at counsel review.

Version history

  • 0.1 — 2026-05-07 — Initial pre-lawyer-review draft, authored as part of Phase 5 Sub-Session 5B.psi. Reflects homaic-charter v1.2 §6.1 (privacy is structural) and homaic-foundation-standards v1.1 §2 (data classification + user rights). Pending counsel review and SCC integration before being offered as a binding instrument to GDPR-covered customers.