Ivory Roof, a service of Ivory Digital, LLC
Data Processing Addendum
Effective: May 20, 2026 · Last updated: May 20, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service between Ivory Digital, LLC ("Processor") and the customer ("Controller") and applies to the extent Ivory Roof processes personal data on Controller's behalf subject to GDPR, UK GDPR, or comparable laws.
1. Definitions
Terms such as "personal data", "processing", "controller", "processor", and "data subject" have the meanings given in applicable data protection law.
2. Subject Matter & Duration
Processor will process personal data only to provide the Service for the duration of the Controller's subscription.
3. Nature & Purpose
Processing includes collection, storage, transmission, retrieval, analysis, generation of AI Output, and deletion as needed to operate the Service.
4. Types of Data & Data Subjects
Customer-submitted records about leads, customers, employees, and proposals — typically names, addresses, contact info, property details, and project notes.
5. Controller Instructions
Processor shall process personal data only on documented instructions from Controller, including the instructions set out in the Terms and this DPA, and as required by law.
6. Confidentiality
Personnel authorized to process personal data are bound by confidentiality obligations.
7. Security
Processor implements appropriate technical and organizational measures, including access controls, encryption in transit, regular backups, logging, and least-privilege access.
8. Subprocessors
Controller authorizes Processor to engage subprocessors (including hosting, payment, email, and AI model providers). Processor remains liable for subprocessor compliance with this DPA. A current list is available on request to privacy@ivoryroof.com.
9. Data Subject Requests
Processor will reasonably assist Controller in responding to data subject requests, taking into account the nature of the processing.
10. Personal Data Breach
Processor will notify Controller without undue delay after becoming aware of a personal data breach affecting Controller data, and will provide information reasonably required for Controller to meet its notification obligations.
11. International Transfers
Where personal data is transferred outside the EEA/UK, the parties incorporate the Standard Contractual Clauses adopted by the European Commission (Module 2: Controller to Processor) and the UK International Data Transfer Addendum, as applicable.
12. Deletion or Return
On termination, Processor will delete or return Controller's personal data within 30 days, except where retention is required by law.
13. Audits
Processor will make available information necessary to demonstrate compliance and will allow Controller-mandated audits no more than once per year, at Controller's expense, on reasonable notice, subject to confidentiality, and limited to data relevant to the Service.
14. Liability
The liability of the parties under this DPA is subject to the limitations of liability in the Terms of Service.
15. Conflict
In case of conflict, this DPA prevails over the Terms with respect to personal data processing.