Data Processing Addendum | SitePath Intelligence

How to execute this DPA

This Data Processing Addendum ("DPA") supplements the SitePath Terms of Service and forms a binding agreement between SitePath Intelligence and the customer ("Customer") whose personal data SitePath processes on Customer's behalf.

By using the Platform after the effective date above, Customer is deemed to have entered into this DPA. Customers who require a counter-signed copy or a custom order form may request one by emailing Support@sitepathintel.com with the subject line "DPA Request" and including the legal name, registered address, signatory name, and signatory title. We will return a counter-signed PDF within ten (10) business days.

1. Background & application

SitePath provides a research platform that helps Customer evaluate county-level permitting environments and related public-record information. In delivering the Platform, SitePath may process personal data on Customer's behalf, including (depending on the Customer's plan and configuration) the personal data of the Customer's own employees, contractors, or other Authorized Users.

This DPA applies to all such processing and is incorporated into the Terms of Service. In case of any conflict between this DPA and the Terms with respect to the processing of personal data, this DPA controls.

2. Definitions

Terms not defined here have the meanings given in the Terms of Service or in the GDPR. Without limitation:

"Applicable Data Protection Laws" means all data-protection and privacy laws applicable to the parties' processing of Personal Data, including the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the UK General Data Protection Regulation as incorporated by the UK Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and any other U.S. state comprehensive privacy law in force from time to time.
"Customer Personal Data" means personal data that SitePath processes on Customer's behalf in connection with the Platform.
"Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office.

3. Roles of the parties

With respect to Customer Personal Data, Customer is the controller (or the "business" under the CCPA) and SitePath is the processor (or the "service provider" under the CCPA). Each party is responsible for compliance with the Applicable Data Protection Laws that apply to it in that role.

Where Customer Personal Data originates from Customer's own customer or employee (i.e., where Customer itself acts as a processor for a third-party controller), Customer represents that it has obtained any required authority for SitePath to act as a sub-processor in that chain.

For SitePath's own collection of personal data from end users (account creation, billing, security logs as described in the Privacy Policy), SitePath acts as a controller. That processing is governed by the Privacy Policy, not by this DPA.

4. Scope & duration

SitePath will process Customer Personal Data for the duration of Customer's subscription to the Platform and for any post-termination period required to return or delete the data (Section 13). The subject-matter, nature, purpose, types of personal data, and categories of data subjects involved are described in Schedule 1.

5. Customer instructions

SitePath will process Customer Personal Data only on documented instructions from Customer, except where required by applicable law. Customer's use of the Platform consistent with the Terms of Service and applicable order documents constitutes its documented instructions. Customer may issue additional written instructions by emailing Support@sitepathintel.com; SitePath will accommodate reasonable additional instructions to the extent consistent with the Platform's design.

SitePath will inform Customer if, in its opinion, an instruction violates Applicable Data Protection Laws, and may suspend the processing in question pending resolution.

6. Confidentiality

SitePath ensures that all personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality, whether by contract or by statutory duty. SitePath limits access to Customer Personal Data to personnel who need it to perform their job functions, on a least-privilege basis.

7. Security measures

SitePath implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to data subjects. The current measures are described in Schedule 2. SitePath may update those measures over time, provided the overall level of protection is not materially diminished.

8. Sub-processors

Customer authorizes SitePath to engage sub-processors to process Customer Personal Data, provided SitePath:

maintains a current list of sub-processors at Schedule 3 of this DPA;
binds each sub-processor in writing to data-protection obligations no less protective than those in this DPA;
remains liable to Customer for the performance of each sub-processor's obligations to the same extent as if SitePath performed them itself; and
gives Customer at least thirty (30) days' notice (by email or by updating Schedule 3) before adding or replacing any sub-processor that processes Customer Personal Data.

Customer may object to the addition of a new sub-processor on reasonable data-protection grounds by emailing Support@sitepathintel.com within fifteen (15) days of the notice. The parties will work in good faith to resolve the objection; if no resolution is reached, Customer may terminate the affected portion of its subscription and receive a pro-rata refund of prepaid fees for the unused period.

9. Data-subject requests

If SitePath receives a request from a Data Subject to exercise any right granted by Applicable Data Protection Laws (access, rectification, erasure, restriction, portability, objection, or any other) in relation to Customer Personal Data, SitePath will, without undue delay:

refer the Data Subject to Customer where the Platform's design allows; or
where SitePath responds directly, do so only on Customer's documented instructions.

SitePath will reasonably assist Customer, taking into account the nature of the processing and the information available to SitePath, in fulfilling its own obligation to respond to such requests.

10. Breach notification

SitePath will notify Customer without undue delay, and in any case within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent then known, include:

a description of the nature of the breach (categories and approximate number of data subjects and records concerned);
the likely consequences;
the measures taken or proposed to address the breach and to mitigate its possible adverse effects; and
contact details for follow-up.

SitePath will provide reasonable assistance to Customer in connection with any obligation Customer may have to notify supervisory authorities or affected data subjects.

11. Audit rights

SitePath will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including the most recent independent attestations, certifications, or audit reports of SitePath's sub-processors where available.

Once per twelve (12)-month period, on at least thirty (30) days' prior written notice, Customer or its independent auditor (subject to confidentiality undertakings reasonably acceptable to SitePath, and provided the auditor is not a competitor of SitePath) may conduct an audit of SitePath's compliance with this DPA. The audit will be at Customer's expense, conducted during normal business hours, and structured to minimize disruption. The parties will agree in advance on scope, timing, and procedures. Audit rights under the SCCs are unaffected.

12. International transfers

To the extent processing under this DPA involves the transfer of Customer Personal Data from the EEA, the UK, or Switzerland to a country that has not been deemed to provide an adequate level of protection by the European Commission, the UK Government, or the Swiss Federal Council, the parties agree:

the EU Standard Contractual Clauses (Module Two: controller-to-processor; or Module Three: processor-to-processor, as applicable) are incorporated into this DPA by reference and are deemed signed by both parties, with the data-exporting party as data exporter and SitePath as data importer;
the UK Addendum is incorporated by reference for UK transfers;
the SCCs are supplemented by the FADP for Swiss transfers; references to "EU Member State" are read to include Switzerland, and references to data subjects in Switzerland may, where applicable, bring claims before Swiss courts.

The information required by Annex I, II, and III of the SCCs is set out in Schedule 4.

13. Return & deletion of data

On termination or expiry of Customer's subscription, SitePath will, at Customer's election:

return all Customer Personal Data to Customer in a structured, commonly used, machine-readable format; or
delete all Customer Personal Data from active systems within thirty (30) days, and from backups within ninety (90) days, except where retention is required by applicable law (in which case the data remains subject to the confidentiality and security obligations of this DPA).

SitePath will, on request, provide written confirmation of deletion.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Laws, including liability to data subjects under Article 82 of the GDPR.

15. CCPA / U.S. state law addendum

This Section applies where SitePath processes personal information of California consumers on Customer's behalf within the meaning of the CCPA, and on a comparable basis under other U.S. state privacy laws (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, and similar). SitePath:

processes personal information only for the limited and specified purposes described in this DPA and the Terms;
does not sell or share personal information (as those terms are defined under the CCPA) and does not retain, use, or disclose it for any commercial purpose other than performing the services or as permitted by the CCPA;
does not retain, use, or disclose personal information outside the direct business relationship with Customer;
does not combine personal information received from Customer with personal information received from any other source, except as permitted by the CCPA;
certifies its understanding of, and compliance with, the restrictions in this Section; and
will notify Customer if it determines it can no longer meet its obligations under the CCPA.

Customer may, on reasonable notice, take steps to stop and remediate any unauthorized use of personal information.

16. General

Order of precedence. In the event of conflict, the following order applies: (i) the SCCs and UK Addendum as incorporated; (ii) this DPA; (iii) the Terms of Service; (iv) any other documents referenced therein.

Updates. SitePath may update this DPA from time to time provided the updates do not materially reduce the protection of Customer Personal Data. Material updates will be communicated to active subscribers at least thirty (30) days in advance.

Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect.

Governing law. This DPA is governed by the law specified in the Terms of Service, except that the SCCs are governed by the law of the EU Member State agreed in Schedule 4, and the UK Addendum is governed by the laws of England and Wales.

Schedule 1

Processing details

List of parties. Data exporter: Customer (controller). Data importer: SitePath Intelligence (processor), Wilmington, Delaware, United States. Contact for each is identified in the Customer's account record and at Support@sitepathintel.com.

Subject-matter of the processing. Provision of the SitePath Platform — county-level research, comparison, watchlist, alert, and (for Enterprise) AI-brief features.

Duration. For the duration of Customer's subscription plus any post-termination period required to return or delete Customer Personal Data under Section 13.

Nature and purpose of the processing. Collection, storage, organization, retrieval, consultation, use, transmission, restriction, erasure, and destruction, as needed to operate the Platform, authenticate Authorized Users, deliver paid features, secure the service, and comply with law.

Categories of data subjects. Customer's Authorized Users (employees, contractors, individual subscribers) and any other natural persons identified in Customer Personal Data.

Categories of personal data.

Identification data — name, email address, account identifier.
Authentication data — hashed password, session tokens, sign-in timestamps.
Subscription & billing data — plan tier, billing interval, Stripe customer ID, subscription ID.
Usage data — pages and counties viewed, watchlist contents, comparison sessions, exported reports, AI-brief requests.
Technical data — IP address, user-agent, browser locale, device characteristics, security and rate-limit events.

Special-category data. None expected. Do not submit special-category data to the Platform.

Frequency of the transfer. Continuous, for the duration of the subscription.

Retention period. See Section 6 of the Privacy Policy.

Sub-processors. See Schedule 3.

Competent supervisory authority. For EU transfers, the lead supervisory authority of the data exporter's main establishment; in default, the Irish Data Protection Commission. For UK transfers, the UK Information Commissioner's Office. For Swiss transfers, the Federal Data Protection and Information Commissioner.

Schedule 2

Technical and organizational measures (TOMs)

SitePath maintains the following technical and organizational measures designed to ensure a level of security appropriate to the risk:

(a) Access control

Production access is limited to a small number of named personnel, granted on a least-privilege basis, and reviewed at least annually.
Administrative access requires unique identifiers and multi-factor authentication.
Passwords are hashed using industry-standard algorithms; plaintext passwords are never stored.
Session tokens are short-lived JWTs issued by Netlify Identity over TLS.

(b) Encryption

All traffic to and from the Platform is encrypted in transit using TLS 1.2+.
Data at rest on managed infrastructure (Netlify Identity, Stripe, Resend) is encrypted using AES-256 or an equivalent industry-standard cipher.

(c) Integrity, availability & resilience

Production infrastructure is hosted on Netlify's globally distributed CDN with serverless functions executed in isolated runtimes.
Routine backups of identity and subscription metadata are performed by the relevant sub-processors under their own retention policies.
Per-IP and per-user rate limiting protects sensitive endpoints from abuse and denial-of-service.
Strict origin and CSRF checks on every state-changing function.

(d) Personnel

All personnel with access to Customer Personal Data are bound by confidentiality obligations and receive periodic security and privacy training.

(e) Sub-processor management

Sub-processors are reviewed for data-protection posture before engagement and re-evaluated periodically.
Sub-processors are contractually bound to data-protection obligations no less protective than those in this DPA.

(f) Incident response

Documented procedure for detecting, escalating, and responding to security incidents.
Application and infrastructure logging is retained for at least ninety (90) days.
Customer notification within seventy-two (72) hours of awareness of a Personal Data Breach (Section 10).

(g) Data minimization

The Platform collects only the personal data needed for the features the Customer uses.
Optional analytics are loaded only after explicit consent and with IP anonymization where supported by the provider.
Sensitive form inputs in any analytics session replays are masked at capture.

(h) Data subject rights

Authorized Users can self-serve account deletion from their account page, which cancels the active Stripe subscription and removes the identity record.
Documented procedure for handling access, deletion, correction, and portability requests, with a 30-day default response timeline.

Schedule 3

Sub-processors

The following sub-processors are engaged by SitePath in connection with the Platform. We update this list before adding or replacing any sub-processor that processes Customer Personal Data (Section 8).

Sub-processor	Location	Processing activity	Transfer safeguard
Netlify, Inc.	United States (global CDN)	Web hosting, serverless functions, Netlify Identity (authentication and account records).	EU SCCs; Netlify is also a Data Privacy Framework participant.
Stripe, Inc.	United States	Payment processing, subscription billing, customer-portal access.	EU SCCs; Stripe is a Data Privacy Framework participant.
Resend (Drand Labs, Inc.)	United States	Transactional email delivery on SitePath's behalf.	EU SCCs.
Anthropic PBC	United States	AI-brief generation for Enterprise users; processed under the Anthropic API zero-retention terms.	EU SCCs.
OpenStreetMap Foundation / Nominatim	United Kingdom (UK) / Germany (DE)	Map tile delivery and address geocoding for Customer-initiated searches.	UK adequacy / EU intra-area processing.
Google LLC (Google Analytics 4)	United States / Ireland	Optional aggregate usage analytics. Loaded only after Authorized-User consent.	EU SCCs; Google is a Data Privacy Framework participant.
Microsoft Corporation (Clarity)	United States	Optional behavioral analytics. Loaded only after Authorized-User consent.	EU SCCs; Microsoft is a Data Privacy Framework participant.

The current contact email for data-protection inquiries to any sub-processor is available on request from Support@sitepathintel.com.

Schedule 4

Standard Contractual Clauses

The EU Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated into this DPA as set out below.

Module selection

Module Two (controller to processor) applies where Customer is the controller of the Customer Personal Data.
Module Three (processor to processor) applies where Customer itself acts as a processor for a third-party controller.

Optional clauses

Clause 7 (docking clause) — not applied.
Clause 9 — Option 2 (general written authorization) — applied with thirty (30) days' notice (see Section 8).
Clause 11(a) — independent dispute resolution body option not applied; Clause 11 otherwise applies.
Clause 17 — the law of the Republic of Ireland.
Clause 18 — courts of the Republic of Ireland.

Annexes

Annex I — List of parties, description of transfer, competent supervisory authority: as set out in Schedule 1.
Annex II — Technical and organizational measures: as set out in Schedule 2.
Annex III — List of sub-processors: as set out in Schedule 3.

UK Addendum

For transfers subject to the UK GDPR, the UK Information Commissioner's International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022) is incorporated. Tables 1–4 are completed as follows: parties as in Annex I; appendix information as in this DPA; neither party may end the Addendum when the Approved Addendum changes; Importer is permitted to make changes to the Approved Addendum where required by law.

Swiss FADP supplement

For transfers of personal data from Switzerland under the FADP, references in the SCCs to the GDPR are read as references to the FADP, references to EU Member States are read to include Switzerland, the Swiss Federal Data Protection and Information Commissioner is the supervisory authority, and Swiss courts have jurisdiction for claims brought by Swiss data subjects.