Data Processing Agreement

This Data Processing Agreement ("DPA") is entered into between Lotwright ("Processor") and the customer organization using Lotwright's services ("Controller"). It supplements the Terms of Service and applies where the Controller's use of Lotwright involves processing personal data subject to applicable data protection laws.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by Lotwright on the Controller's behalf.

"Processing" means any operation performed on Personal Data, including storage, retrieval, transmission, and deletion.

"Sub-processor" means any third party engaged by Lotwright to process Personal Data in connection with providing the service.

2. Scope of Processing

Lotwright processes the following categories of Personal Data on the Controller's behalf:

• Builder staff names, email addresses, and role information
• Trade partner (subcontractor) names, contact information, and license/insurance data
• Buyer/homeowner names, email addresses, and communication content
• Site walk audio recordings and AI-generated transcripts
• Job photos and associated metadata
• Invoices and financial records referencing individuals

Processing is performed for the purpose of providing the Lotwright construction management service as described in the Terms of Service.

3. Controller Obligations

The Controller agrees to:

• Obtain any legally required consent from individuals whose data is entered into Lotwright (including trade partners and homebuyers)
• Ensure a lawful basis exists for all Personal Data provided to Lotwright for processing
• Notify Lotwright of any changes to instructions regarding the processing of Personal Data
• Comply with applicable data protection laws in relation to the Controller's own use of Lotwright

4. Processor Obligations

Lotwright agrees to:

• Process Personal Data only on documented instructions from the Controller, unless required otherwise by applicable law
• Ensure that authorized personnel processing Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures (see Section 6)
• Assist the Controller in responding to data subject rights requests within a reasonable timeframe
• Notify the Controller without undue delay upon becoming aware of a Personal Data breach
• Delete or return all Personal Data upon termination of services, at the Controller's election

5. Sub-processors

Lotwright uses the following sub-processors to deliver its service. The Controller provides general authorization for Lotwright to engage these sub-processors:

• Supabase — Database hosting and file storage (US East region)
• Anthropic — AI features (Claude models). Data processed for AI features only where explicitly enrolled by the Controller.
• Groq — Audio transcription (Whisper). Site walk recordings are processed solely for transcription and deleted from Groq's systems after processing.
• Resend — Transactional email delivery
• Stripe — Payment processing. Lotwright does not store full card numbers; payment data is handled directly by Stripe.
• Netlify — Application hosting

Lotwright will notify the Controller in advance of any additions or replacements to this list. The Controller may object to a new sub-processor within 30 days; if the objection cannot be resolved, either party may terminate the service without penalty.

6. Security Measures

Lotwright maintains the following technical and organizational measures:

• Encryption of data at rest and in transit (AES-256 and TLS 1.2+)
• Row-level security enforcing organizational data isolation
• Multi-factor authentication required for all platform administrators
• Cryptographically hash-chained audit log for all data mutations
• Role-based access controls limiting Personal Data access to authorized personnel
• Regular automated security scanning via pre-commit hooks and CI pipeline
• Point-in-time database recovery with minimum 7-day retention

7. Data Subject Rights

Where a data subject submits a request to exercise their rights (access, rectification, erasure, portability) to the Controller, Lotwright will assist the Controller in fulfilling those requests to the extent technically feasible. Requests should be submitted to corey@greatergracedigital.com.

8. Data Retention and Deletion

Lotwright retains Personal Data for the duration of the subscription and for a 90-day post-termination period, during which the Controller may export data. After the retention period, Personal Data is permanently deleted unless the Controller has purchased a Photo Retention add-on, in which case photo data is retained for the contracted period. Job archive ZIP exports downloaded by the Controller become the Controller's responsibility upon download.

9. International Transfers

Lotwright's primary infrastructure is located in the United States. Where the Controller is subject to GDPR or similar laws governing international data transfers, Lotwright will cooperate in executing Standard Contractual Clauses (SCCs) or other approved transfer mechanisms upon written request.

10. Governing Law

This DPA is governed by the same law as the Terms of Service. Any disputes under this DPA will be resolved as set out in the Terms of Service.

11. Order of Precedence

In the event of a conflict between this DPA and the Terms of Service regarding data processing obligations, this DPA takes precedence.