Twellie — Data Processing Addendum

Version: 1.0 Last Updated: April 19, 2026

This Data Processing Addendum ("DPA") forms part of the agreement (the "Agreement") between Twellie, Inc. ("Twellie," "Processor") and the customer identified in the Agreement ("Customer," "Controller"). It governs the Processing of Personal Data performed by Twellie on behalf of the Customer in connection with the Service.

This DPA is incorporated into and forms part of the Terms of Service. In case of conflict between this DPA and the Terms of Service, this DPA controls only with respect to the Processing of Personal Data. Otherwise the Terms of Service prevail.

By accepting the Terms of Service you are deemed to have signed this DPA on behalf of your organization. For execution of a separately signed copy, email legal@twellie.com.

1. Definitions

Capitalised terms used but not defined here have the meanings given in the Agreement, the GDPR (Regulation (EU) 2016/679), or the UK GDPR, as applicable.

"Affiliate" — any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

"Controller" — the Customer, who determines the purposes and means of the Processing.

"Data Subject" — an identified or identifiable natural person whose Personal Data is Processed.

"EU GDPR" — Regulation (EU) 2016/679 of the European Parliament and of the Council.

"Personal Data" — any information relating to an identified or identifiable natural person that is Processed under the Agreement.

"Processing" — any operation performed on Personal Data (collection, storage, use, disclosure, erasure, etc.).

"Processor" — Twellie, which Processes Personal Data on behalf of the Controller.

"Restricted Transfer" — a transfer of Personal Data from the EEA, UK, or Switzerland to a country not deemed adequate under the relevant Data Protection Law.

"Standard Contractual Clauses" ("SCCs") — Module 2 (Controller-to-Processor) of the European Commission's Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914, as amended, incorporated here by reference.

"Sub-processor" — any third party engaged by Twellie to Process Personal Data on behalf of the Controller.

"UK GDPR" — the EU GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

"UK IDTA" — the International Data Transfer Agreement issued by the UK Information Commissioner, as updated from time to time.

2. Scope and Roles

2.1 Subject Matter of Processing

Twellie will Process Personal Data provided by the Controller or collected by Twellie on behalf of the Controller in order to deliver the Service described in the Agreement.

2.2 Duration

The duration of Processing is the term of the Agreement plus any additional period required to comply with legal obligations or to return or delete Personal Data.

2.3 Nature and Purpose

The nature of the Processing includes hosting, storage, transmission, analysis, generation of Reports, and support. The purpose is solely to deliver and support the Service.

2.4 Categories of Data Subjects

End users of the Customer's workspace; residents of properties submitted for analysis whose information appears in public records or photographs.

2.5 Categories of Personal Data

Identifiers (name, email, phone, account ID);
Commercial data (subscription tier, usage, billing);
Internet/device data (IP, browser, device identifiers);
Approximate location (derived from IP);
User-submitted content (addresses, photos, documents, notes);
Communications (support tickets, feedback);
Optional sensitive-adjacent data included voluntarily by users.

Twellie does not intentionally Process special categories of data (GDPR Art. 9).

3. Obligations of the Processor (Twellie)

Twellie will:

3.1 Process Only on Documented Instructions

Process Personal Data only on the Controller's documented instructions, including with regard to transfers, except where required by EU, UK, or other applicable law. Where Twellie relies on a legal requirement, it will inform the Controller unless the law prohibits such notification on important grounds of public interest. The Terms of Service + this DPA constitute the Controller's complete and final instructions.

3.2 Confidentiality

Ensure that persons authorised to Process Personal Data are under appropriate contractual or statutory confidentiality obligations.

3.3 Security (Art. 32 GDPR)

Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (the "Security Measures"), as described in Annex II to this DPA.

3.4 Sub-processors

Engage Sub-processors only in accordance with Section 5 below.

3.5 Assistance with Data-Subject Requests

Taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller's obligations to respond to data-subject requests under Articles 12-22 GDPR. Twellie provides self-service access, export, and deletion tools via the Service.

3.6 Assistance with Controller Obligations

Assist the Controller in ensuring compliance with Articles 32-36 GDPR (security, personal data breaches, impact assessments, consultation with supervisory authorities), taking into account the nature of the Processing and the information available to Twellie.

3.7 Deletion or Return at Termination

At the choice of the Controller, delete or return all Personal Data after the end of the Service, and delete existing copies unless EU, UK, or other applicable law requires storage.

3.8 Information and Audits (Art. 28(3)(h) GDPR)

Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to Section 8 below.

4. Obligations of the Controller (Customer)

The Controller:

Represents that it has a valid legal basis for Processing under Data Protection Law and has provided any required notices and obtained any required consents from Data Subjects;
Is solely responsible for the lawfulness, accuracy, and completeness of Personal Data submitted to the Service;
Will comply with its own obligations as a Controller;
Acknowledges that the Service is an automated information service and is not intended to be used to Process special-category data or data subject to sectoral law (HIPAA, GLBA, FCRA, etc.) unless expressly agreed in writing.

5. Sub-processors

5.1 General Authorisation

The Controller provides general authorisation for Twellie to engage Sub-processors to deliver the Service. The current list of Sub-processors is available at https://twellie.com/sub-processors and incorporated into this DPA by reference.

5.2 Notice of New Sub-processors

Twellie will notify the Controller of any intended addition or replacement of a Sub-processor, giving the Controller an opportunity to object at least fifteen (15) days before the new Sub-processor begins Processing. Notification will be via email to the Controller's primary administrative contact and by updating the published Sub-processor list.

5.3 Objection Right

If the Controller has a reasonable basis to object — e.g., the new Sub-processor cannot comply with Data Protection Law — the Controller may notify Twellie at legal@twellie.com. Twellie will work in good faith to find a reasonable alternative. If no alternative can be agreed within thirty (30) days, either party may terminate the affected part of the Service without liability (except that the Controller remains obligated to pay for Service already rendered).

5.4 Sub-processor Obligations

Twellie will:

Conclude a written agreement with each Sub-processor imposing obligations materially equivalent to those in this DPA, including in respect of Security Measures and Restricted Transfers;
Remain liable to the Controller for the performance of each Sub-processor's obligations.

6. International Transfers

6.1 Standard Contractual Clauses (EU)

To the extent any Processing involves a Restricted Transfer from the EEA to a country not recognised as adequate, the Standard Contractual Clauses (Module 2: Controller-to-Processor) will be deemed incorporated into this DPA and executed by the parties. The following options apply:

Clause 7 (Docking clause): included;
Clause 9 (General authorisation for Sub-processors): included, with a fifteen-day objection window as described above;
Clause 11 (Redress): the independent-dispute-resolution option is not selected;
Clause 17 (Governing law): the law of Ireland;
Clause 18 (Choice of forum and jurisdiction): the courts of Ireland;
Annex I.A (List of Parties): Controller is the Customer identified in the Agreement; Processor is Twellie, Inc.;
Annex I.B (Description of Transfer): as set out in Section 2 and Annex I to this DPA;
Annex I.C (Competent Supervisory Authority): the Irish Data Protection Commission;
Annex II (Technical and Organisational Measures): as set out in Annex II to this DPA.

6.2 UK IDTA

For Restricted Transfers originating in the UK, the UK International Data Transfer Addendum (or the UK IDTA as a standalone instrument at the Controller's option) applies and is incorporated into this DPA. Tables 1-4 are populated by reference to the corresponding sections of this DPA and the SCCs.

6.3 Swiss Transfers

For Restricted Transfers originating in Switzerland, the SCCs apply as modified by the Swiss Federal Data Protection Authority, with Switzerland as the governing jurisdiction and the Swiss authority as the competent supervisory authority.

6.4 Supplementary Measures

Twellie maintains the supplementary technical, organisational, and contractual measures described in Annex II to mitigate risks identified in the Schrems II judgment (including encryption in transit and at rest, access controls, and commitments to challenge overbroad government requests).

6.5 Alternative Mechanisms

Twellie may, at its discretion, participate in an adequacy framework (e.g. the EU-U.S. Data Privacy Framework) as a self-certifying participant; if it does so, certifications will be published on the Sub-processor page. Where the Controller wishes to rely on DPF adequacy, Twellie will cooperate.

7. Personal Data Breaches

7.1 Notification

Twellie will notify the Controller without undue delay and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.

7.2 Information Provided

The notification will describe, to the extent then known:

The nature of the breach;
Categories and approximate number of Data Subjects and records affected;
Likely consequences;
Measures taken or proposed to address the breach and mitigate possible adverse effects.

Additional information will be provided as it becomes available.

7.3 Controller's Own Obligations

The Controller remains solely responsible for any notifications to Data Subjects or supervisory authorities required under Articles 33-34 GDPR.

7.4 Routine Incidents

Minor incidents that pose no risk to Data Subjects (e.g. failed login attempts, malware blocked at the perimeter) do not constitute Personal Data Breaches and are not individually reportable, though Twellie aggregates and reports them through internal security reviews.

8. Audits

8.1 Audit Reports

Twellie will make available independent third-party audit reports (e.g. SOC 2, ISO 27001 when obtained) to the Controller under NDA as the principal means of demonstrating compliance.

8.2 Additional Audits

Where the Controller reasonably requires further information that is not addressed in the audit reports, Twellie will respond to reasonable written requests within thirty (30) days.

8.3 On-Site Audits

On-site audits are available once per twelve-month period, subject to:

Forty-five (45) days' advance notice;
Scheduling during normal business hours so as not to disrupt the Service;
A written scope agreed in advance;
The Controller (and its auditor, if any) signing Twellie's standard confidentiality agreement;
The Controller bearing its own costs and Twellie's reasonable costs of facilitating the audit.

Twellie may decline access to:

Information that would compromise the security of other customers;
Trade secrets or confidential information of other parties;
Any information Twellie is legally prohibited from disclosing.

9. Liability

The liability of each party under this DPA is subject to the exclusions and limitations set out in the Agreement. Nothing in this DPA excludes or limits liability for:

A breach of the SCCs by either party (where excluded by the SCCs);
Damages that cannot be excluded under Data Protection Law;
Indemnification obligations arising under the Agreement.

10. Miscellaneous

10.1 Term

This DPA enters into force on the Effective Date of the Agreement and terminates upon termination of the Agreement, except for provisions that by their nature should survive.

10.2 Amendments

This DPA may be amended by Twellie to the minimum extent necessary to comply with changes in Data Protection Law. Twellie will provide thirty (30) days' notice of material amendments. The Controller's continued use after the effective date constitutes acceptance.

10.3 Order of Precedence

In case of conflict between this DPA and the SCCs, the SCCs prevail in respect of Restricted Transfers only. In case of conflict between this DPA and the Agreement, this DPA prevails in respect of data protection.

10.4 Counterparts and Electronic Signature

This DPA may be executed electronically and in counterparts, each of which is an original.

Annex I — Description of Processing

A. List of Parties

Controller: the Customer identified in the Agreement. Contact: the email associated with the admin Account. Processor: Twellie, Inc., [ADDRESS — INSERT BEFORE LAUNCH]. Contact: legal@twellie.com.

B. Description of Transfer

Frequency: continuous during use of the Service;
Nature of Processing: as described in Section 2;
Purpose: provision of the Service;
Period of Retention: as described in the Privacy Policy and this DPA;
Recipients: Twellie and Sub-processors identified at https://twellie.com/sub-processors;
Categories of Personal Data: identifiers, commercial data, internet/device data, user-submitted content, approximate location, communications.

C. Competent Supervisory Authority

For EU transfers: Irish Data Protection Commission (21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland).
For UK transfers: Information Commissioner's Office (Wycliffe House, Water Lane, Wilmslow SK9 5AF, United Kingdom).
For Swiss transfers: Federal Data Protection and Information Commissioner (Feldeggweg 1, 3003 Bern, Switzerland).

Annex II — Technical and Organisational Measures

Twellie implements the following Security Measures. Measures are regularly reviewed and updated as technology and threats evolve; the current list is always available at https://twellie.com/security.

A. Access Control

Multi-factor authentication required for all administrative access to production systems;
Role-based access control; least-privilege principle;
Quarterly access reviews; immediate revocation on offboarding;
SSH keys rotated annually; sensitive credentials stored in a vault with audit logging.

B. Transmission Security

TLS 1.2+ for all external traffic (web, mobile, API);
HSTS with one-year max-age, includeSubDomains;
Internal service traffic encrypted where feasible;
No credential transmission over unencrypted channels.

C. Storage Security

Encryption at rest (AES-256 or equivalent) for all user-data databases and object storage;
Hardware security modules (via Supabase) for key management;
Logical and physical segregation of production from non-production environments;
No production data in development or test environments.

D. Integrity and Availability

Daily backups with point-in-time recovery;
Backup integrity tested monthly;
Disaster-recovery tested annually;
Redundant infrastructure in the primary region.

E. Pseudonymisation and Anonymisation

User IDs are opaque UUIDs, never derived from personal identifiers;
Analytics events use hashed or anonymised identifiers where feasible;
Sensitive fields (e.g. authentication tokens) are never logged in plaintext.

F. Confidentiality of Personnel

All personnel sign confidentiality agreements as part of onboarding;
Annual security-awareness training;
Background checks (in permitted jurisdictions);
Clear-desk and clear-screen policies.

G. Incident Response

Documented incident-response plan;
24/7 on-call rotation for security incidents;
Post-incident reviews with corrective-action tracking;
Annual tabletop exercise.

H. Secure Development

Code review required for all changes to production code;
Automated vulnerability scanning;
Static and dynamic code analysis;
Dependency scanning with patch SLA (criticals within seven days);
Pre-commit secret-detection hook (gitleaks).

I. Physical Security

Production infrastructure hosted by sub-processors with SOC 2 Type II, ISO 27001, or equivalent attestation (Supabase, Google Cloud, AWS underpinning).

J. Supplementary Measures for Restricted Transfers

All Personal Data encrypted in transit and at rest;
Sub-processor contracts include Schrems II-aligned government-request transparency and challenge obligations;
Transfer-impact assessments maintained and available on request.

Annex III — Sub-processors

The current list of authorised Sub-processors is published at https://twellie.com/sub-processors and includes at minimum the categories: authentication/database, payments, email, AI/ML model providers, error monitoring, analytics, infrastructure, and distribution (where applicable).

Execution

By accepting the Agreement and the Terms of Service, the Controller and the Processor are deemed to have executed this DPA. For a separately countersigned copy bearing wet-ink or electronic signatures, please email legal@twellie.com with the subject line "Signed DPA request." Twellie will countersign and return within ten (10) business days.