Lofty Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Terms of Use governing Lofty Customers’ use of the Service Offerings (the “Agreement”) when the GDPR applies to your use of our Services to process Customer Data. This DPA is an agreement between you and the entity you represent (“Customer”, “you” or “your”) and Lofty (“We”, “Our”, “Data Processor”) under the Agreement. Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in the definitions section of this DPA.

1. Data Processing.
Annex 1 - List of Sub-processors

As of the date of this agreement, Lofty engages the following sub-processors that may process Personal Data:

| Sub-processor (Entity Name) | Service Provider's Location | Provided Service |
|---|---|---|
| Amazon Web Services (AWS) | USA | Infrastructure as a Service and Platform as a Service |
| Google Cloud Platform (GCP) | USA | Natural Language Understanding |
| OpenAI | USA | Generative AI |
| Vonage | USA | Cloud Communication Service Provider |
| Bandwidth | USA | Communication Platform for Messaging Service |
| Lob | USA | Automated direct mail and postal service provider |
| Zendesk | USA | Customer Support |
| MailParser | USA | Mail Parsing Service |
| National Processing | USA | Payment Gateway |
| HubSpot | USA | Marketing and Analytics |
| Atlassian - Jira | USA | Ticketing System |
| Office 365 | USA | Business Communication and Collaboration |
| Twilio | USA | Cloud Communication Service Provider |
| | USA | Project Management |
| Thinkific | USA | Online Training |
| Productboard | USA | Product Tracking and feedback collection |
| Home Junction / Attom Data | USA | Listing Data Analysis |

Annex 2 - Information Security Measures

Security Program. Lofty has developed, implemented, and will consistently update and maintain as needed: (i) a written and comprehensive information security program in compliance with applicable Data Protection Law; and (ii) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identity theft. Lofty will maintain appropriate measures to protect the integrity, security and confidentiality of all Customer Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data, which measures shall include the following:

  • in assessing the appropriate level of security, account shall be taken in particular of all the risks that are presented by processing, for example from accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access or disclosure of Customer Personal Data;
  • the encryption of Personal Data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of Personal Data;
  • measures to identify vulnerabilities regarding the processing of Personal Data in systems used to provide services to the Customer.

Access. Lofty shall reasonably update all access rights based on personnel or computer system changes and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Customer Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to fulfill the purposes of the Agreement. Access controls include:

Changes. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. Lofty will therefore evaluate the measures on a periodic basis and will take reasonable measures to maintain compliance with the requirements. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in applicable data protection law or by data protection authorities of competent jurisdiction.

Where an amendment to the Service Agreement is necessary in order to execute a Customer instruction to Lofty to improve security measures as may be required by changes in applicable data protection law from time to time, the Parties shall negotiate an amendment to the underlying agreement in good faith.

Physical Security Measures. Lofty shall maintain appropriate physical security measures for any facility used to Process Customer Personal Data and continually monitor any changes to the physical infrastructure, business, and known threats.

Lofty maintains physical security standards designed to prohibit unauthorized physical access to Lofty facilities and equipment by using the following practices:

Technical Security Measures. Lofty shall: