Data Sharing Agreement

Version: June 18, 2025

This Data Sharing Agreement (“DSA”) is entered into by the entity identified as “Yardi” on the signature page of the Agreement,on behalf of itself and the Yardi Group (collectively, unless where otherwise indicated, “Yardi“), and the entity identified as the “Company” on the signature page of the Agreement, on behalf of itself and its affiliates (collectively, “Company“). Where there is a conflict between the Agreement and this DSA, the provisions of this DSA shall govern.

1.   Definitions

1.1             Capitalized terms used but not defined in this DSA shall have the same meanings given to them in the Agreement.

1.2             “Affiliate” means any entity that is directly or indirectly controlled by, controlling or under common control with a party (as applicable).  “Control” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.3             “Data Protection Law”means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, (i) the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”) (collectively “CCPA”), (ii) the Virginia Consumer Data Protection Act, (iii) the Colorado Privacy Act, (iv) the Connecticut Data Privacy Act, (v) the Utah Consumer Privacy Act, (vi) Florida Digital Bill of Rights, (vii) Texas Data Privacy and Security Act, (viii) Oregon Consumer Privacy Law, (ix) the Delaware Personal Data Privacy Act; (x) the Iowa Consumer Data Protection Act; (xi) the Nebraska Data Privacy Act; (xii) the New Jersey Data Protection Act; (xiii) the New Hampshire Privacy Act; (xiv) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (the “General Data Protection Regulation” or “GDPR”), including the United Kingdom GDPR; (xv) the EU e-Privacy Directive (Directive 2002/58/EC); (xvi) the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and (xvii) any further national or international data protection laws and regulations, in each case, as such laws and regulations are superseded, amended, or replaced.

1.4             “Personal Data” means information (i) relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity; or (ii) that is otherwise regulated by applicable Data Protection Law.

1.5             “Security Incident” means any unauthorized or unlawful breach of security leading to, or reasonably believed to have led to, the accidental or unlawful destruction loss, alteration, unauthorized disclosure or access to Personal Data.

1.6             “Sub-Processor” means any third party (including any Affiliate) engaged directly or indirectly by Company or Yardi to process any Personal Data relating to this DSA and/or the Agreement.  The term “Sub-Processor” shall also include any third party appointed by a Sub-Processor to process any Personal Data relating to this DSA and/or the Agreement.

1.7             “Yardi Group” means every company or corporation that directly or indirectly controls, is controlled by, or is under common control with, Yardi Systems, Inc.

1.8             The terms “Controller,” “Data Subject,” “Processor,” and “Processing” (and “Process“) shall have the meanings given to them, or the equivalent term, in applicable Data Protection Law.   

2.               Subject Matter of this Data Sharing Agreement

2.1             Yardi has entered into an Agreement with Company pursuant to which Company has agreed to provide Company Services to Yardi and Common Clients, as more particularly described in the Agreement. In delivering the Company Services under the Agreement, Company may process Personal Data controlled by Common Clients.

2.2             As part of its contractual arrangements, Yardi has provided certain assurances to its clients, to ensure the appropriate protection of Common Client Data when Yardi exchanges such Common Client Data with third party vendors. In addition, Yardi needs to include certain contractual terms in its agreement with third party providers to comply with applicable Data Protection Law.

2.3             This DSA is supplemental to the Agreement and reflects the parties’ agreement with regard to the access, exchange, processing and storage of Personal Data made available to Company in connection with the performance of the Agreement.

3.               Role and Scope of Processing

3.1             Company and Yardi shall process Personal Data under the Agreement only as independent Processors acting on behalf of Common Clients (the third-party Controllers). Company and Yardi agree to process Personal Data as described at Annex 1, which forms an integral part of this DSA. The parties acknowledge and agree that Company is not a Sub-Processor of Yardi and Yardi is not a Sub-Processor of Company. Company is responsible for entering into a separate agreement that governs the relationship between Company and Common Clients and in particular the associated Processing of Personal Data and such agreement is independent of Yardi’s relationship with Common Clients. For the avoidance of doubt, Yardi is instructed by Common Clients to exchange the Personal Data with Company via the Data Exchange Interface and Yardi is not responsible for any subsequent or onward Processing of Personal Data by Company once the Personal Data is transmitted to Company.

4.               Confidentiality

4.1             The parties shall ensure that any person who processes Personal Data on behalf of Common Clients (including employees, officers, partners, principals, agents and Sub-Processors) in the context of this Agreement treats all Personal Data as strictly confidential. The parties shall ensure that all such persons have signed an appropriate confidentiality agreement or are otherwise bound to a duty of confidentiality (whether a contractual or statutory duty) and that they process the Personal Data for a permitted purpose, as further detailed in Annex 1. 

5.               Security

5.1             Company and Yardi will implement and maintain all appropriate technical and organizational security measures to protect against Security Incidents and to preserve the security, integrity and confidentiality of Personal Data. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. At a minimum, the parties agree to the security measures identified at Annex 2.

6.               Data Transfers

6.1             The parties acknowledge and agree either party may transfer Personal Data in compliance with applicable Data Protection Law and consistent with their respective agreement with Common Clients. 

7.               Security Incidents

7.1             In the event of a security incident (as defined under applicable Data Protection Law) involving Company or Yardi’s environment, the impacted party shall promptly inform the other party and provide written details of the security incident as soon as it becomes known or available, including:

(a)             a description of the nature of the incident, including the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
(b)             a description of the likely consequences of the incident; and
(c)             a description of the measures taken or proposed to address the incident, including measures to mitigate its possible adverse effects.

7.2             The content and provision of any notification, public/regulatory communication or press release concerning the security incident shall be mutually agreed upon by the parties, except as otherwise required by applicable law.

8.               Duration and Term

8.1           This DSA shall come into effect on the Agreement Effective Date. The obligations placed upon Company and Yardi under this DSA shall survive so long as the parties process Personal Data on behalf of Common Clients.

9.               General

9.1             Company shall defend, indemnify and hold harmless Yardi, Yardi Affiliates,  and their respective officers, directors, employees, agents, successors and permitted assigns (each, a “Yardi Indemnitee“) from and against any and all losses, damages, liabilities, deficiencies, actions, judgments, interest, awards, penalties, fines, costs or expenses of whatever kind, including reasonable legal fees, the cost of enforcing any right to indemnification hereunder, and the cost of pursuing any insurance providers arising out of or resulting from any claim against any Yardi Indemnitee arising out of, or resulting from Company’s failure to comply with any of its obligations under this DSA. Any exclusion of damages or limitation of liability that may apply to limit Company’s liability in the Agreement shall not apply to Company’s liability arising under or in connection with this DSA.

9.2             Any failure by Company to comply with any of the provisions of this DSA, or any non-compliance with this DSA that threatens the security of Personal Data, shall be considered a material breach of the Agreement. In such event, Yardi may terminate the Agreement and this DSA, effective immediately, upon written notice to Company without further liability or obligation to Company.

9.3             Company acknowledges that Yardi may disclose this DSA to any relevant third-party Controller of the Personal Data where requested by such Controller.

9.4             If any part of this DSA is held unenforceable, the validity of all remaining parts will not be affected.

ANNEX 1

Details of Processing

A. LIST OF PARTIES

Name: Yardi Systems, Inc.

Address: 430 South Fairview Avenue, Goleta, CA 93117

Contact person’s name, position and contact details: Dan Campbell, Vice President, DPO, 430 South Fairview, Goleta, CA 93117, +1 (805) 699-2040, [email protected].

Role (controller/processor): Independent Processor

Name: Company

Address: Company’s address as set forth in the Agreement.

Contact person’s name, position and contact details:  Single Point of Contact (SPOC) of the Company whose contact details are on file.

Role (controller/processor): Independent Processor

B. DESCRIPTION OF PROCESSING

Categories of Data Subjects: Tenants, prospects, and customers of Common Clients.

Categories of Personal Data: First name, last name, phone number, address, email address, grade, and information on rent or rent related payments.

Special categories of data (if applicable): N/A

Nature of the Processing: Company is a service provider that provides certain services to real property managers and owners which comprise Company Services for which an interface from Yardi’s RentCafe service is useful.

Purpose(s) of Processing: The RentCafe application program interfaces and the user interface modifications and data exchange capabilities (developed by Yardi for Common Clients) to automate data exchange between Common Clients and Company associated with provision of Company Services.

ANNEX 2

Security Measures

Yardi

1. Yardi’s technical and organizational measures, including technical and organizational measures to ensure the security of the data, are available here: https://resources.yardi.com/legal/standard-contractual-clauses/TOMs.

Company

1. Risk Management. Company must maintain a process for escalating, remediating, and holding management accountable for concerns identified during audits or other independent tests. If available, Company must provide: (1) Service Organization Control (SOC) reports, prepared in accordance with the American Institute of Certified Public Accountants Statement on Standards for Attestation Engagements No. 18 (SSAE 18); (2) Certification by independent third parties for compliance with domestic internal control standards (e.g., the National Institute of Standards and Technology (“NIST”)); (3) Certification by independent third parties for compliance with international internal control standards (e.g., the International Standards Organization (“ISO”)), and (4) Attestation of Compliance, prepared in accordance with the Payment Card Industry Data Security Standard (“PCI DSS AOC”).

2. Information Security. Company must maintain an information security program with sufficient experience in identifying, assessing, and mitigating known and emerging threats and vulnerabilities. When technology is necessary to support service deliver, Company must provide Yardi with details on Company’s infrastructure and application security programs, including the software development life cycles and results of vulnerability and penetration tests.

3. Resilience. Company must maintain adequate disaster recovery and business continuity plans and provide Yardi with Company’s telecommunications redundancy and resilience plans and preparations for known and emerging threats and vulnerabilities, such as wide-scale natural disasters, distributed denial of service attacks, or other intentional or unintentional events.

4. Incident-Reporting and Management Programs. Company must maintain incident reporting and management programs and provide Yardi with clearly documented processes and accountability for identifying, reporting, investigating, and escalating incidents.

5. Physical Security. Company must maintain sufficient physical and environmental controls to ensure the safety and security of its facilities, technology systems, and employees. 

6. Insurance Coverage. Company must maintain appropriate insurance coverage including, but not limited to, coverage for (i) crime, (ii) professional liability, (iii) commercial general liability, (iv) automobile, and (v) worker’s compensation.