Data Processing Agreement
01
Definitions
"Agreement" means this Data Processing Agreement together with the Terms of Service and Privacy Policy.
"Controller" (or "Customer") means the organization that determines the purposes and means of processing personal data - i.e., you and your organization.
"Processor" (or "Miskari") means the party that processes personal data on behalf of the Controller - i.e., Miskari.
"Personal Data" means any information relating to an identified or identifiable natural person that you upload, enter, or generate through the service.
"Processing" means any operation performed on Personal Data, including storage, retrieval, use, and deletion.
"Subprocessor" means a third party engaged by Miskari to assist in processing Personal Data on your behalf.
"Applicable Privacy Law" means any data protection or privacy statute or regulation that applies to the processing of Personal Data under this Agreement, including (as applicable) the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and their implementing regulations.
02
Roles and scope
Miskari processes Personal Data as a Processor acting on documented instructions from you, the Controller. You determine the categories of Personal Data entered into the service and the purposes for which it is used. Miskari does not determine those purposes independently.
This DPA applies only to Personal Data of natural persons - for example, tenant contact details, vendor contacts, or user account information - that you store or process through the service. It does not alter the ownership of that data, which remains with you.
03
Details of processing
Subject matter. Operation of the Miskari property management platform as described in the Terms of Service.
Nature. Collection, storage, retrieval, display, transmission, and deletion of Personal Data as directed by your use of the service features.
Duration. For the term of the subscription plus the 90-day post-cancellation retention window described in the Privacy Policy.
Categories of data subjects. Individuals whose data you choose to store in the service, which may include: your employees and authorized users, tenants, guarantors, vendor contacts, and counterparties named in uploaded documents.
Categories of Personal Data. Name, email address, phone number, mailing address, job title, signature, and any other personal information contained in documents or records you upload. No special-category data (health, biometric, financial account numbers) is required by the service; if you upload documents that happen to contain such data, you do so at your own direction.
04
Miskari's obligations as processor
Instructions. Miskari processes Personal Data only on your documented instructions - as embodied in this Agreement and your use of the service features - unless required to do otherwise by applicable law. In that case Miskari will notify you before processing unless prohibited by law.
Confidentiality. Miskari ensures that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
Security. Miskari implements and maintains technical and organizational measures appropriate to the risk, as described in Annex II below. These include TLS encryption in transit, encryption at rest, PostgreSQL row-level security, bcrypt password hashing, rate limiting on sensitive endpoints, audit logging, and regular automated backups.
Subprocessors. Miskari will not engage a new Subprocessor without giving you the opportunity to object. Current Subprocessors are listed in Section 08 and in the Privacy Policy. Miskari imposes data protection obligations on each Subprocessor equivalent to those in this DPA and remains liable to you for their performance.
Assistance. To the extent technically feasible and reasonably required, Miskari will assist you in fulfilling your obligations to respond to data subject rights requests (access, rectification, erasure, portability, objection) under Applicable Privacy Law. Most requests can be fulfilled through the in-app export and account-deletion features; contact privacy@miskari.com for assistance with requests that require direct action.
Security notifications. Miskari will notify you without undue delay, and in any event within 72 hours of confirmation, if it becomes aware of a Personal Data breach affecting your data. Notification will include the nature of the breach, the categories and approximate number of affected records, the likely consequences, and the measures taken or proposed to address it.
Deletion or return. On expiry of the retention period, or on your written request, Miskari will delete or return all Personal Data in its possession, unless continued retention is required by applicable law. You may export your data during the 90-day post-cancellation window using the in-app export features.
Audit. Miskari will make available on reasonable written request information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits conducted by you or a mutually agreed auditor, subject to appropriate confidentiality obligations. Requests must be made to privacy@miskari.com.
05
Your obligations as controller
You represent and warrant that you have a lawful basis for processing the Personal Data you enter into the service, and that you have provided any required notices to and obtained any required consents from the individuals whose data you store. You instruct Miskari to process Personal Data only as described in this Agreement and your use of the service features.
06
International data transfers
Personal Data may be transferred to and processed in countries outside the EEA, the UK, or Switzerland. Where such a transfer occurs and Applicable Privacy Law requires an adequacy mechanism, Miskari relies on Standard Contractual Clauses adopted by the European Commission (Module 2: controller to processor) or equivalent safeguards. The current transfer mechanisms for each Subprocessor are available on request at privacy@miskari.com.
For transfers from the UK, Miskari relies on the UK's International Data Transfer Addendum to the EU SCCs (IDTA) or an alternative mechanism that satisfies the UK adequacy standard.
07
Liability
Each party's liability to the other under or in connection with this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA is intended to limit or exclude either party's liability where such limitation or exclusion is prohibited by Applicable Privacy Law.
08
Approved subprocessors
The following Subprocessors are approved as of the date of this Agreement. Miskari will provide at least 14 days' notice before adding or replacing a Subprocessor. If you reasonably object to a new Subprocessor, you may terminate the subscription with a prorated refund of prepaid fees.
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing. | United States |
| Neon (Databricks) | Managed PostgreSQL - primary application database. | United States |
| Cloudflare, Inc. | Object storage (R2) for uploaded documents; CDN / edge delivery. | Global edge network |
| Hetzner Online GmbH | Compute hosting for the application server and background worker. | Germany |
| Functional Software, Inc. (Sentry) | Error and performance monitoring. Captures stack traces and request context when errors occur. | United States |
| SMTP delivery provider | Transactional email (account notifications, billing receipts, alerts). | United States |
09
Annex I - Description of processing
This annex describes the processing carried out by Miskari as Processor on behalf of Customer as Controller.
Data exporter (Controller): The organization identified by the account registered at app.miskari.com.
Data importer (Processor): Miskari - operator of the commercial property management platform at miskari.com.
Frequency and nature of transfer: Continuous, for as long as the subscription is active. Personal Data is transmitted over TLS and stored in an encrypted PostgreSQL database scoped to the Controller's organization.
Purpose of transfer: Providing the service features described in the Terms of Service, including property record management, billing and vendor tracking, tenant and lease management, tax protest workflow, document storage, and related notifications.
10
Annex II - Technical and organizational measures
Miskari has implemented and maintains the following measures to ensure a level of security appropriate to the risk:
- Encryption in transit. All traffic between clients and the service is encrypted using TLS 1.2 or higher.
- Encryption at rest. The database and object storage are encrypted at rest by the respective infrastructure providers.
- Access control and multi-tenancy. PostgreSQL row-level security (RLS) enforces organization-scoped isolation at the database engine. The application enforces role-based access control (owner / editor / viewer) at the server layer. Super-admin access is restricted to named personnel.
- Authentication. Passwords are stored as bcrypt hashes with a high work factor. Session tokens are cryptographically signed. Sensitive actions require a valid session.
- Rate limiting and abuse prevention. Login, signup, document upload, and other sensitive endpoints are rate-limited to deter brute-force and abuse.
- Audit logging. Mutations to sensitive records (bills, assessments, protests, and others) are written to an append-only audit log. Super-admin actions are separately logged.
- Backups. Automated daily backups are stored in encrypted object storage. Restoration procedures are tested periodically.
- Vulnerability management. Dependencies are reviewed for known vulnerabilities. Security issues may be reported via the coordinated disclosure process described on the Security page.
- Incident response. Miskari maintains an incident response process including detection, containment, notification, and post-incident review.
- Personnel. Personnel with access to Personal Data are bound by confidentiality obligations.
11
Term and amendments
This DPA is effective for the duration of the subscription and terminates automatically when the subscription ends and the 90-day post-cancellation retention window has elapsed. Miskari may update this DPA to reflect changes in the law or in its processing activities, with at least 30 days' notice for material changes.
12
Contact
Questions about this agreement or data privacy matters can be sent to privacy@miskari.com.