Data Processing Agreement

    Agreement for processing personal data under GDPR

    GDPR/PIPEDA COMPLIANCE AGREEMENT

    This Data Processing Agreement ("DPA") governs the processing of personal data by RentalTide Inc. on behalf of our customers in compliance with applicable data protection laws including the General Data Protection Regulation (GDPR), Personal Information Protection and Electronic Documents Act (PIPEDA), and other privacy regulations.

    1. Introduction and Scope

    This Data Processing Agreement ("DPA") forms part of the Terms of Service between RentalTide Inc. ("RentalTide," "Processor," "we," "us," or "our") and you ("Customer," "Controller," "you," or "your") and governs the processing of Personal Data (as defined below) by RentalTide on behalf of Customer.

    Effective Date: February 1, 2025

    Parties:

    • Data Controller: Customer (Rental Operator)
    • Data Processor: RentalTide Inc. (incorporated in Delaware, United States, with additional registration in Canada), 110 Didsbury Road, Ottawa, Ontario K2J 4T4, Canada and 1111B S Governors Ave STE 48363, Dover, DE 19904, United States

    Contact Information:
    Data Protection Officer: privacy@rentaltide.com
    Phone: 888-709-2650

    2. Definitions

    For the purposes of this DPA:

    "Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data, including:

    • EU General Data Protection Regulation (GDPR)
    • UK Data Protection Act 2018
    • Personal Information Protection and Electronic Documents Act (PIPEDA)
    • California Consumer Privacy Act (CCPA/CPRA)
    • Other applicable privacy and data protection laws

    "Controller" means the entity that determines the purposes and means of processing Personal Data (typically the Customer/Operator).

    "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

    "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to:

    • Customer names, addresses, phone numbers, and email addresses
    • Payment and financial information
    • Booking history and preferences
    • Identity verification documents
    • Location and usage data

    "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

    "Processor" means RentalTide Inc., which processes Personal Data on behalf of the Controller.

    "Sub-processor" means any third party engaged by RentalTide to process Personal Data on behalf of the Controller.

    3. Processing Activities

    3.1 Subject Matter and Duration

    RentalTide processes Personal Data to provide booking platform services, payment processing, and related functionality as described in our Terms of Service. Processing continues for the duration of the service agreement and applicable retention periods.

    3.2 Nature and Purpose of Processing

    RentalTide processes Personal Data for the following purposes:

    • Facilitating rental bookings and reservations
    • Processing payments and managing financial transactions
    • Providing customer support and communications
    • Maintaining platform security and preventing fraud
    • Generating analytics and reporting (aggregated/anonymized)
    • Complying with legal and regulatory obligations

    3.3 Categories of Data Subjects

    Personal Data relates to the following categories of Data Subjects:

    • End customers making rental bookings
    • Authorized representatives of business customers
    • Operators' employees and authorized users
    • Website visitors and platform users

    3.4 Categories of Personal Data

    RentalTide may process the following categories of Personal Data:

    • Identity Data: Names, usernames, titles, addresses, phone numbers
    • Contact Data: Email addresses, billing addresses, delivery addresses
    • Financial Data: Payment card details, bank account information, transaction history
    • Profile Data: Preferences, feedback, survey responses, booking history
    • Usage Data: Information about platform usage, including pages visited and features used
    • Technical Data: IP addresses, browser data, device information, cookies
    • Special Categories: Health data (when relevant to rental activities and with explicit consent)

    4. Controller and Processor Obligations

    4.1 Controller Responsibilities

    The Controller (Customer) shall:

    • Determine the purposes and means of processing Personal Data
    • Ensure lawful basis exists for all processing activities
    • Provide clear and comprehensive privacy notices to Data Subjects
    • Obtain necessary consents and manage consent withdrawals
    • Respond to Data Subject rights requests in accordance with applicable law
    • Notify RentalTide of any relevant changes to processing instructions
    • Conduct Data Protection Impact Assessments (DPIAs) where required

    4.2 Processor Responsibilities

    RentalTide (Processor) shall:

    • Process Personal Data only on documented instructions from the Controller
    • Ensure personnel processing Personal Data are bound by confidentiality obligations
    • Implement appropriate technical and organizational security measures
    • Engage Sub-processors only with Controller's consent and under written contracts
    • Assist Controller in responding to Data Subject rights requests
    • Assist Controller with DPIAs and consultations with supervisory authorities
    • Delete or return Personal Data at the end of processing (unless required to retain by law)
    • Maintain records of processing activities and make them available to supervisory authorities

    5. Processing Instructions

    5.1 Documented Instructions

    RentalTide will process Personal Data only on documented instructions from the Controller, including:

    • These DPA terms and the main service agreement
    • Configuration settings chosen by Controller in the platform
    • Written instructions provided through designated communication channels
    • Emergency instructions for data security incidents

    5.2 Additional Instructions

    The Controller may provide additional processing instructions that:

    • Are consistent with the terms of this DPA and the main agreement
    • Do not require RentalTide to violate applicable law
    • Are technically feasible within the platform's capabilities
    • Are provided through authorized channels with proper authentication

    5.3 Conflicting Instructions

    If RentalTide believes an instruction violates applicable Data Protection Law, RentalTide will promptly inform the Controller and may suspend the relevant processing until the instruction is clarified or modified.

    6. Security Measures

    6.1 Technical Safeguards

    RentalTide implements the following technical security measures:

    • Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
    • Access Controls: Multi-factor authentication, role-based access controls
    • Network Security: Firewalls, intrusion detection systems, VPN access
    • Data Backup: Regular encrypted backups with geographic distribution
    • Monitoring: 24/7 security monitoring and incident detection systems

    6.2 Organizational Safeguards

    RentalTide maintains the following organizational measures:

    • Staff Training: Regular security and privacy training for all personnel
    • Background Checks: Security clearance for personnel with data access
    • Incident Response: Formal procedures for security incident management
    • Vendor Management: Security assessments for all Sub-processors
    • Compliance Audits: Regular internal and external security audits

    6.3 Security Standards

    RentalTide maintains compliance with:

    • SOC 2 Type II certification
    • ISO 27001 information security management standards
    • PCI DSS compliance for payment data
    • Industry best practices for cloud security

    7. Sub-processors

    7.1 Current Sub-processors

    RentalTide currently engages the Sub-processors listed in our Sub-processors document, which is incorporated by reference and updated regularly.

    7.2 Sub-processor Requirements

    All Sub-processors must:

    • Enter into written agreements with data protection obligations equivalent to this DPA
    • Implement appropriate technical and organizational security measures
    • Provide regular security and compliance certifications
    • Submit to audits and security assessments
    • Notify RentalTide immediately of any security incidents

    7.3 Changes to Sub-processors

    RentalTide will:

    • Provide 30 days' advance notice of new Sub-processors via email and dashboard notifications
    • Allow Controllers to object to new Sub-processors within the notice period
    • Offer alternative solutions or service termination if objections cannot be resolved
    • Ensure all new Sub-processors meet equivalent security and privacy standards

    8. Data Subject Rights

    8.1 Rights Support

    RentalTide will assist Controllers in fulfilling Data Subject rights requests, including:

    • Access: Providing copies of Personal Data and processing information
    • Rectification: Correcting inaccurate or incomplete Personal Data
    • Erasure: Deleting Personal Data when legally required
    • Restriction: Limiting processing under certain circumstances
    • Portability: Providing data in structured, machine-readable formats
    • Objection: Stopping processing based on legitimate interests

    8.2 Request Handling

    When RentalTide receives Data Subject requests directly:

    • Requests will be forwarded to the Controller within 2 business days
    • RentalTide will provide reasonable assistance in responding
    • Controllers remain responsible for legal compliance and response timing
    • RentalTide may provide technical assistance for data extraction and formatting

    8.3 Response Timeframes

    RentalTide will provide requested assistance within:

    • 5 business days for data access and portability requests
    • 3 business days for rectification and restriction requests
    • 24 hours for urgent erasure requests
    • 10 business days for complex requests requiring technical development

    9. Data Transfers

    9.1 International Transfers

    Personal Data may be transferred to and processed in:

    • Canada (primary processing location)
    • United States (cloud infrastructure and Sub-processors)
    • Other jurisdictions where Sub-processors operate

    9.2 Transfer Safeguards

    All international transfers are protected by:

    • Standard Contractual Clauses approved by the European Commission
    • Adequacy Decisions where applicable (EU-Canada for GDPR)
    • Binding Corporate Rules for intra-group transfers
    • Explicit consent where required by law

    9.3 Transfer Restrictions

    RentalTide will not transfer Personal Data to jurisdictions that:

    • Lack adequate protection as determined by relevant authorities
    • Are subject to government surveillance without appropriate safeguards
    • Have conflicting legal requirements that prevent compliance
    • Do not allow for the implementation of required security measures

    10. Data Retention and Deletion

    10.1 Retention Periods

    Personal Data is retained according to the following schedule:

    • Active Customer Data: Duration of service relationship
    • Transaction Records: 7 years (tax and regulatory requirements)
    • Support Communications: 3 years
    • Security Logs: 2 years
    • Marketing Data: Until consent is withdrawn

    10.2 Deletion Procedures

    At the end of processing, RentalTide will:

    • Securely delete all Personal Data within 90 days of service termination
    • Provide certification of deletion upon request
    • Retain only data required by law with appropriate justification
    • Use secure deletion methods that prevent data recovery

    10.3 Legal Retention

    RentalTide may retain Personal Data longer than specified periods when:

    • Required by applicable law or regulation
    • Necessary for the establishment, exercise, or defense of legal claims
    • Required for compliance with ongoing legal proceedings
    • Needed to protect vital interests of Data Subjects or other persons

    11. Data Breach Notification

    11.1 Incident Detection

    RentalTide maintains 24/7 monitoring systems to detect:

    • Unauthorized access to Personal Data
    • Accidental or unlawful destruction, loss, or alteration
    • Unauthorized disclosure or access to Personal Data
    • System compromises that may affect data security

    11.2 Notification Timeline

    RentalTide will notify Controllers of Personal Data breaches:

    • Within 24 hours of becoming aware of the breach
    • Within 72 hours with detailed incident information
    • Ongoing updates as investigation progresses
    • Final report within 30 days including remediation steps

    11.3 Notification Content

    Breach notifications will include:

    • Description of the nature of the breach
    • Categories and approximate number of Data Subjects affected
    • Categories and approximate number of Personal Data records affected
    • Likely consequences of the breach
    • Measures taken or proposed to address the breach
    • Contact point for more information

    12. Audits and Compliance

    12.1 Audit Rights

    Controllers have the right to:

    • Conduct audits of RentalTide's data processing activities
    • Review security certifications and compliance reports
    • Inspect data processing facilities with reasonable advance notice
    • Engage third-party auditors subject to confidentiality agreements

    12.2 Compliance Reporting

    RentalTide provides:

    • Annual compliance reports on security and privacy measures
    • SOC 2 Type II reports demonstrating security controls
    • Security incident summaries on a quarterly basis
    • Sub-processor compliance updates as changes occur

    12.3 Audit Cooperation

    RentalTide will:

    • Provide reasonable assistance during audits
    • Make relevant personnel available for interviews
    • Provide access to documentation and systems as legally permitted
    • Address any identified compliance gaps within agreed timeframes

    13. Liability and Indemnification

    13.1 Allocation of Liability

    Each party is liable for damages caused by its own breach of this DPA. RentalTide's liability is limited to damages directly caused by its breach of processor obligations.

    13.2 Limitation of Liability

    MAXIMUM LIABILITY: RentalTide's total liability for data processing violations shall not exceed CAD $100 or the fees paid in the 12 months preceding the claim, whichever is greater.

    13.3 Mutual Indemnification

    • Controllers indemnify RentalTide against claims arising from Controller's processing instructions or GDPR violations
    • RentalTide indemnifies Controllers against claims arising from RentalTide's unauthorized processing or security breaches

    14. Term and Termination

    14.1 Term

    This DPA takes effect on the date the Controller first uses RentalTide services and continues until termination of the main service agreement.

    14.2 Termination Rights

    This DPA may be terminated:

    • Upon termination of the main service agreement
    • By either party with 30 days' written notice
    • Immediately for material breach that remains uncured after 15 days' notice
    • By Controllers if they object to Sub-processor changes and no alternative is available

    14.3 Effect of Termination

    Upon termination:

    • RentalTide will cease processing Personal Data except as required by law
    • Personal Data will be deleted or returned as instructed by Controller
    • Confidentiality obligations survive termination indefinitely
    • Audit rights survive for 3 years following termination

    15. Governing Law and Jurisdiction

    15.1 Governing Law

    This DPA is governed by the laws of Ontario, Canada, without regard to conflict of law principles.

    15.2 Dispute Resolution

    Disputes arising from this DPA shall be resolved through:

    • Good faith negotiations between the parties
    • Mediation administered by the ADR Institute of Canada
    • Binding arbitration if mediation fails
    • Ontario courts for injunctive relief

    15.3 Regulatory Cooperation

    Both parties agree to cooperate with data protection authorities and comply with their binding decisions regarding this DPA.

    16. Amendments and Updates

    16.1 Amendment Process

    This DPA may be amended:

    • By mutual written agreement of the parties
    • Unilaterally by RentalTide to comply with legal requirements (with 30 days' notice)
    • To reflect changes in applicable Data Protection Laws
    • To address new processing activities or technologies

    16.2 Notification of Changes

    RentalTide will notify Controllers of DPA amendments through:

    • Email notifications to account administrators
    • Dashboard notifications within the platform
    • Updates to this document with change tracking
    • Direct communication for material changes

    17. Contact Information

    17.1 Data Protection Officer

    Name: Data Protection Officer
    Email: privacy@rentaltide.com
    Phone: 888-709-2650
    Address: 110 Didsbury Road, Ottawa, Ontario K2J 4T4, Canada, 1111B S Governors Ave STE 48363, Dover, DE 19904, United States

    17.2 Legal and Compliance

    Legal Inquiries: legal@rentaltide.com
    Security Incidents: security@rentaltide.com
    DPA Questions: dpa@rentaltide.com


    Last Updated: November 14, 2025
    Effective Date: February 1, 2025
    Version: 1.0

    Signatures:

    RentalTide Inc.
    By: _
    Name: [Chief Executive Officer]
    Title: CEO
    Date: ___

    Customer/Controller:
    By: _
    Name: ___
    Title: __
    Date: ___

    This DPA is incorporated by reference into the Terms of Service and forms a binding part of the agreement between RentalTide and its customers.