← Back to ModMageLegal

Data Processing Addendum

This Data Processing Addendum (DPA) governs ModMage's processing of personal data on behalf of customers and forms part of our Terms of Service.

Last updated · June 26, 2026

1.Introduction

This Data Processing Addendum (the “DPA”) forms part of the agreement between the customer (“Customer”, “you”) and ModMage, Inc. (“ModMage”, “we”, “us”) for the provision of the ModMage property-management platform and related web, iOS, and Android applications (the “Services”). The agreement is comprised of our Terms of Service, any applicable order form or subscription plan, and this DPA. By accepting the Terms of Service or using the Services, you agree to this DPA.

This DPA applies whenever ModMage processes personal data on your behalf in the course of providing the Services — for example, information about your staff, the residents, tenants, and applicants who interact with your properties, and the records you maintain in the platform. It supplements, and where relevant clarifies, the privacy commitments described in our Privacy Policy.

Where you act on behalf of your own customers, this DPA can be read so that you are the processor and ModMage is your sub-processor. In all cases, the protections below apply to the personal data ModMage handles for you.

2.Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service. For the purposes of this DPA:

  • Controller — the entity that determines the purposes and means of processing personal data.
  • Processor — the entity that processes personal data on behalf of, and under the instructions of, a controller.
  • Personal data — any information relating to an identified or identifiable natural person that ModMage processes on your behalf under the agreement.
  • Processing — any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
  • Data subject — the individual to whom personal data relates, including your staff and the residents, tenants, and applicants at your properties.
  • Sub-processor — a third party engaged by ModMage to process personal data in connection with the Services.
  • Applicable data-protection law — all laws and regulations governing the processing of personal data that apply to the parties, including the EU General Data Protection Regulation (GDPR), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection, and U.S. state privacy laws such as the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the “CCPA”).
  • Standard Contractual Clauses (SCCs) — the clauses approved by the European Commission for the transfer of personal data to processors established in countries that do not ensure an adequate level of protection, together with the UK International Data Transfer Addendum.

3.Roles and scope

As between the parties, the Customer is the controller of the personal data processed under the agreement (or, where the Customer itself acts as a processor for its own customers, the Customer is a processor and ModMage is a sub-processor). ModMage acts as a processor (or sub-processor) and processes personal data only on the Customer’s behalf.

ModMage processes personal data solely to provide, secure, maintain, and improve the Services, to comply with the Customer’s documented instructions, and to meet its own legal obligations. The subject matter, nature, purpose, and duration of processing, along with the types of personal data and categories of data subjects, are described in Annex I.

4.Processing instructions

ModMage will process personal data only on documented instructions from the Customer, including with regard to international transfers, unless required to do otherwise by a law to which it is subject. The agreement, this DPA, the configuration choices you make in the platform, and your authorized use of the Services together constitute your complete and final documented instructions.

ModMage will inform the Customer if, in its opinion, an instruction infringes applicable data-protection law, unless legally prohibited from doing so. ModMage is not obliged to perform a comprehensive legal review of instructions but will act reasonably and in good faith.

5.Confidentiality

ModMage ensures that personnel authorized to process personal data are bound by appropriate obligations of confidentiality, whether contractual or statutory, that survive the end of their engagement. Access to personal data is limited to those personnel who need it to provide, support, or secure the Services, and that access is granted on a least-privilege basis.

6.Security measures

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, ModMage implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk. These measures are summarized in Annex II and described in more detail on our Security page.

ModMage regularly reviews and, where appropriate, updates these measures. ModMage may modify a specific control provided the overall level of protection is not materially reduced. The Customer is responsible for the security of its own credentials, devices, and end-user accounts and for configuring the Services appropriately, consistent with our Acceptable Use Policy.

7.Sub-processors

The Customer provides ModMage with a general authorization to engage sub-processors to help provide the Services, such as cloud infrastructure, payment processing, email delivery, and error and usage analytics providers. ModMage maintains a current list of sub-processors, which is available on request to dpo@modmage.io.

  • ModMage imposes data-protection obligations on each sub-processor that are substantially equivalent to those in this DPA, by written contract.
  • ModMage remains fully liable to the Customer for the performance of each sub-processor’s obligations.
  • ModMage will give the Customer advance notice of the addition or replacement of a sub-processor. The Customer may object on reasonable, data-protection grounds within the notice period; the parties will then work in good faith to resolve the objection, and if it cannot be resolved, the Customer may terminate the affected Services.

A representative list of the categories of sub-processors currently in use appears in Annex III.

8.Data subject requests

Taking into account the nature of the processing, ModMage assists the Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights — including access, rectification, erasure, restriction, data portability, and objection.

Where ModMage receives a request directly from a data subject relating to personal data processed on the Customer’s behalf, it will not respond to the substance of the request itself but will, unless legally prohibited, promptly notify the Customer so the Customer can respond. Many of these actions can also be performed by the Customer directly using the self-service tools in the platform, including the controls described at /account-deletion.

9.Personal data breach

ModMage will notify the Customer without undue delay after becoming aware of a personal data breach affecting personal data processed on the Customer’s behalf. The notification will describe, to the extent known and available at the time:

  • the nature of the breach and the categories of data affected;
  • the likely consequences of the breach;
  • the measures taken or proposed to address the breach and mitigate its effects; and
  • a contact point from whom further information can be obtained.

ModMage will provide reasonable cooperation to help the Customer meet its own breach-notification and record-keeping obligations. A notification by ModMage is not an acknowledgment of fault or liability. Security concerns can be reported at any time to security@modmage.io.

10.International transfers

ModMage primarily processes and stores personal data in the United States and may process it in other locations where it or its sub-processors operate. Where the provision of the Services involves transferring personal data out of the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the parties agree that the appropriate transfer mechanism applies.

For such transfers, the EU Standard Contractual Clauses (Module Two, controller to processor, or Module Three, processor to processor, as applicable) are incorporated into this DPA by reference, together with the UK International Data Transfer Addendum and any equivalent Swiss adaptations. Where there is a conflict between the SCCs and this DPA in respect of an in-scope transfer, the SCCs prevail.

11.Audits

ModMage makes available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party certifications, audit reports, and security documentation, which can be requested from dpo@modmage.io.

Where the Customer reasonably requires additional information, or where required by applicable data-protection law, ModMage will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer. Audits are subject to reasonable advance notice, take place during normal business hours, are conducted under confidentiality obligations, must not unreasonably disrupt ModMage’s operations or compromise the security of other customers’ data, and are typically available on Enterprise plans. The parties will agree on the scope, timing, and reasonable costs of any such audit in advance.

12.CCPA / CPRA terms

To the extent ModMage processes personal information subject to the CCPA on the Customer’s behalf, ModMage acts as a “service provider” and the Customer is the “business”, as those terms are defined under the CCPA. ModMage processes such personal information only for the specific business purpose of providing the Services under the agreement and for the limited purposes permitted by the CCPA.

  • ModMage does not “sell” or “share” personal information, and does not retain, use, or disclose it for any purpose other than performing the Services or as otherwise permitted by the CCPA.
  • ModMage does not combine the personal information it receives from the Customer with personal information from other sources, except as permitted under the CCPA.
  • ModMage certifies that it understands and will comply with these restrictions, and will assist the Customer with consumer rights requests as described above.

13.Return and deletion

Upon termination or expiry of the agreement, and at the Customer’s choice, ModMage will delete or return the personal data processed on the Customer’s behalf and delete existing copies, unless retention is required by applicable law. The mechanics of export and deletion, including any post-termination grace period, are described in our Account Deletion policy and the agreement.

ModMage may retain personal data to the extent and for the period required by law, for example to meet financial record-keeping or tax obligations, and will continue to protect any retained data in accordance with this DPA. Residual copies in routine backups are deleted in line with our standard backup-rotation schedule.

14.Liability and conflict

Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the agreement, and any reference in the agreement to a party’s liability means the aggregate liability of that party under the agreement and this DPA together.

This DPA is incorporated into and forms part of the agreement. In the event of a conflict between this DPA and the Terms of Service or any other part of the agreement with respect to the processing of personal data, this DPA controls. The SCCs prevail over this DPA only to the extent of an in-scope international transfer, as described above.

15.Annexes

Annex I — Details of processing

Categories of data subjects: the Customer’s staff, administrators, and authorized users; and the residents, tenants, prospective tenants, applicants, and guarantors associated with the Customer’s properties.

Categories of personal data: contact details (name, email, phone, mailing address); account and authentication data; lease and tenancy records; maintenance and communication history; payment and payout details processed through our payment partners; and usage, device, and log data generated through use of the Services.

Special categories of data: the Services are not intended for the processing of special-category data; the Customer is responsible for not submitting such data except where necessary and lawful.

Nature and purpose of processing: hosting, storage, and operation of the ModMage property-management platform, including tenant onboarding, leasing, rent collection and payouts, maintenance workflows, messaging, reporting, and customer support.

Duration of processing: for the term of the agreement, plus any limited post-termination retention period described in the agreement and the Account Deletion policy.

Annex II — Technical and organizational measures

ModMage maintains a layered security program that includes the following categories of measures, described in more detail on our Security page:

  • Encryption — encryption of data in transit using current TLS standards and encryption of data at rest.
  • Access control — role-based, least-privilege access, unique credentials, and multi-factor authentication for administrative access.
  • Monitoring and logging — audit logging, alerting, and continuous monitoring of systems for anomalous activity.
  • Resilience — regular backups, redundancy, and documented incident-response and business-continuity procedures.
  • Secure SDLC — code review, dependency and vulnerability management, change control, and regular security testing throughout the software development lifecycle.

Annex III — Sub-processors

The table below lists the categories of sub-processors ModMage relies on to provide the Services. The entries are illustrative; the current, named list is available on request to dpo@modmage.io.

Sub-processorPurposeLocation
Cloud hosting providerApplication hosting, storage, and infrastructureUnited States
Payment processorRent collection, payouts, and billingUnited States
Email delivery providerTransactional and notification emailUnited States
Error and analytics providerError monitoring and product usage analyticsUnited States / EU

16.Contact

Questions about this DPA, requests for our sub-processor list or audit materials, and other data-protection matters can be directed to our Data Protection Officer or legal team.

Data Protection Officer: dpo@modmage.io

Legal: legal@modmage.io

ModMage, Inc.
2261 Market Street, Suite 4242
San Francisco, CA 94114
United States