Version 1.0

Data Processing Addendum

Effective Date: June 25, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Sunate, Inc. ("Sunate" or "Processor") and the business customer using the Services ("Customer" or "Controller") when Sunate processes personal data on Customer's behalf.

If Customer has signed a separate DPA with Sunate, that signed DPA controls.

1. Scope and roles

This DPA applies to personal data contained in Customer Data that Sunate processes to provide the Services under Customer's documented instructions ("Customer Personal Data").

Customer is the controller, business, or equivalent party that determines the purposes and means of processing.

Sunate is the processor, service provider, contractor, or equivalent party that processes Customer Personal Data on Customer's behalf.

Each party will comply with data-protection law applicable to its role.

For account administration, billing, security, support, product operations, websites, and certain independently sourced property or business-contact data, Sunate may act as a separate controller or business as described in the Privacy Policy.

2. Customer instructions

Sunate will process Customer Personal Data only:

  • To provide, secure, maintain, and support the Services.

  • As configured or instructed by Customer and authorized users.

  • As described in the agreement and this DPA.

  • To prevent fraud and abuse.

  • As required by law, in which case Sunate will notify Customer unless prohibited.

The agreement, Customer's use and configuration, and documented support requests constitute Customer's instructions.

Sunate will inform Customer if an instruction appears to violate applicable data-protection law, unless prohibited.

3. Customer responsibilities

Customer is responsible for:

  • The lawfulness of its instructions.

  • Required notices, permissions, and lawful bases.

  • Data accuracy, minimization, and retention.

  • User access and permissions.

  • Recipient consent and communications compliance.

  • Responding to individuals whose information Customer controls.

  • Avoiding unsupported regulated or highly sensitive information.

4. Confidentiality

Sunate will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations and receive access only as needed for their responsibilities.

5. Security

Sunate will maintain reasonable administrative, technical, and organizational safeguards appropriate to the nature of Customer Personal Data and the risk of processing.

Measures may include:

  • Authentication and tenant-scoped access controls.

  • Encryption in transit and provider-supported encryption at rest.

  • Logging and monitoring.

  • Backup and recovery measures.

  • Secure development and dependency management.

  • Incident-response and access-removal processes.

  • Provider review and contractual protections.

Additional information appears in the Security Overview.

Customer is responsible for secure configuration, users, devices, credentials, integrations, exports, and lawful data collection.

6. Subprocessors

Customer authorizes Sunate to use subprocessors to provide the Services.

Sunate will impose data-protection obligations appropriate to the services performed and remains responsible for subprocessors to the extent required by applicable law and the agreement.

The current list appears at Subprocessors.

Sunate may update the list. Where required, Sunate will provide a reasonable notice mechanism for material additions.

A customer with a reasonable data-protection objection should contact Sunate promptly. The parties will work in good faith on a commercially reasonable solution. If none is available, Customer may stop using the affected feature, subject to the agreement.

Customer also authorizes transfers to third-party integrations that Customer expressly enables. Such providers may act under their own terms and are not necessarily Sunate subprocessors.

7. Individual rights requests

Taking into account the nature of processing, Sunate will provide reasonable assistance through available product features and support so Customer can respond to verified requests for access, correction, deletion, portability, restriction, objection, or other rights.

If Sunate receives a request relating to Customer Personal Data, Sunate may direct the requester to Customer and will not independently fulfill the request unless Customer instructs Sunate or law requires it.

8. Security incidents

Sunate will notify Customer without undue delay after confirming a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data where notification is required ("Security Incident").

The notice will include available information reasonably needed for Customer's obligations, such as:

  • The nature of the incident.

  • Categories of affected information and people.

  • Likely consequences.

  • Measures taken or proposed.

Information may be provided in phases as the investigation develops.

Unsuccessful attempts, scans, blocked attacks, spam, and events that do not compromise Customer Personal Data are not Security Incidents under this section.

9. Assistance and compliance information

Taking into account the nature of processing and information available to Sunate, Sunate will provide reasonable assistance with Customer's security, breach-notification, data-protection-impact-assessment, and regulator-consultation obligations where required.

Additional or unusually burdensome assistance may be subject to reasonable fees unless caused by Sunate's breach.

Upon reasonable request and subject to confidentiality, Sunate will provide information reasonably necessary to demonstrate compliance with this DPA.

Audits should first rely on current documentation, summaries, questionnaires, and independent reports if available.

Any on-site audit must be legally required, narrowly scoped, scheduled reasonably, protect other customers and security, and avoid unnecessary disruption.

10. Return and deletion

During the term, Customer may use available features to access or export Customer Data.

Upon termination and written request, Sunate will delete or return Customer Personal Data within a reasonable period, unless retention is:

  • Required by law.

  • Needed for security, disputes, or legal claims.

  • Contained temporarily in protected backups.

  • Required to preserve suppression, consent, transaction, or audit records.

Retained information remains protected until deleted or de-identified.

11. International transfers

Customer authorizes processing in the United States and other countries where Sunate or its subprocessors operate.

Where a recognized transfer mechanism is required, the parties will use applicable standard contractual clauses or another valid safeguard.

Sunate will provide an appropriate transfer addendum on request when required for Customer's use.

12. U.S. state privacy terms

To the extent U.S. state privacy law applies to Customer Personal Data:

  • Sunate will process the information for the limited and specified business purposes in the agreement and Customer's instructions.

  • Sunate will not sell or share Customer Personal Data for cross-context behavioral advertising.

  • Sunate will not retain, use, or disclose Customer Personal Data outside the direct business relationship except as permitted by law and the agreement.

  • Sunate will not combine Customer Personal Data with information from another source except as permitted by law to provide the Services, detect incidents, prevent fraud, or follow Customer instructions.

  • Customer may take reasonable steps to help ensure that Sunate uses Customer Personal Data consistently with these obligations.

The parties acknowledge that transmitting Customer Personal Data to Sunate under this DPA is not consideration for a sale of that Customer Personal Data.

13. Processing details

Subject matter: Provision of the Sunate CRM, Copilot, messaging, workflow, data, document, website, integration, and support features selected by Customer.

Duration: The term of the agreement plus the limited retention period described above.

Nature and purpose: Hosting, organizing, retrieving, analyzing, transmitting, generating, synchronizing, supporting, securing, and deleting Customer Personal Data as needed to provide the Services and follow instructions.

People: Customer personnel, account holders, contractors, homeowners, prospects, leads, customers, signers, website visitors, form submitters, and other individuals whose information Customer submits.

Information categories: Contact and account details; CRM and project records; communications; files, photos, audio, and documents; property and transaction information; calendar and email information; consent and delivery records; usage and technical information; and other Customer-submitted information.

Sensitive information: The Services are not intended for unnecessary highly sensitive information. Customer must minimize sensitive information, apply appropriate permissions, and avoid submitting regulated health data, full payment credentials, authentication secrets, or government identifiers unless expressly supported.

14. Priority and contact

If this DPA conflicts with the agreement on data-protection obligations, this DPA controls for Customer Personal Data.

Questions or requests for an executed DPA may be sent to legal@sunate.app.

Your next job is already on the map. Sunate finds it. You close it.

© 2026 Sunate, Inc. All rights reserved.

Backed by
