Open Book HOA

Data Processing Agreement

Last Updated: April 5, 2026

Summary

This DPA governs how Open Book HOA LLC processes data on behalf of your HOA. Your HOA is the Data Controller for HOA-managed data; Open Book HOA LLC is the Data Processor. We also act as an independent Data Controller for platform operations (accounts, security). We use sub-processors (Supabase, Vercel, Anthropic, OpenAI) and will notify you of changes. We commit to 72-hour breach notification and support data subject rights.

1. Introduction

This Data Processing Agreement ("DPA") forms part of the agreement between the homeowner association ("Data Controller" or "Client") and Open Book HOA LLC ("Data Processor") for the provision of HOA management and transparency services.

2. Dual Data Role

Open Book HOA LLC acts as both a Data Processor and an independent Data Controller, depending on the type of data involved:

  • Data Processor — For HOA-managed data, including member records, documents, financial records, and communications. The HOA remains the Data Controller and determines the purposes and means of processing.
  • Data Controller — For platform operations data, including user accounts, authentication credentials, platform analytics, and security monitoring. Open Book HOA LLC independently determines the purposes and means of processing this data.

This DPA primarily governs Open Book HOA LLC's obligations as Data Processor. Open Book HOA LLC's obligations as Data Controller are governed by our Privacy Policy.

3. Definitions

  • Personal Data — Any information relating to an identified or identifiable natural person, including homeowner names, contact details, unit information, and financial records.
  • Processing — Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
  • Data Subject — An identifiable person whose personal data is processed, including homeowners, board members, and property managers.
  • Sub-processor — A third party engaged by the Data Processor to process personal data on behalf of the Data Controller.

4. Scope of Processing

The Data Processor processes personal data solely for the purpose of providing the Open Book HOA LLC platform services, including:

  • HOA document storage and management
  • Financial record keeping (bank statements, invoices, assessments, transactions)
  • AI-powered document analysis and text extraction (see AI Disclosure)
  • Communication facilitation between HOA members
  • Transparency reporting for homeowners

5. Data Controller Responsibilities

The homeowner association (Data Controller) is solely responsible for compliance with applicable laws and regulations, including but not limited to:

  • Record retention and disclosure requirements under applicable HOA governance laws (including Florida Statutes Chapter 720 where applicable)
  • Data accuracy of uploaded documents and records
  • Determining the lawful basis for processing member personal data
  • Ensuring that uploaded documents do not contain unauthorized or unlawfully obtained personal data
  • Notifying data subjects about how their data is processed through the platform

6. Data Processor Obligations

The Data Processor shall:

  • Process personal data only on documented instructions from the Data Controller
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures (see Section 9)
  • Assist the Data Controller in responding to data subject requests (access, rectification, erasure, portability)
  • Delete or return all personal data upon termination of services, at the Data Controller's choice, within 30 days
  • Make available all information necessary to demonstrate compliance with this DPA

Open Book HOA LLC does not guarantee the accuracy, completeness, or legality of any documents or data uploaded by users or HOAs.

7. Sensitive Data Restrictions

Users should not upload highly sensitive personal information, including but not limited to Social Security numbers, full bank account numbers, credit card numbers, or passwords. The Data Processor is not designed to store or process this category of data and accepts no additional liability for the presence of such data in uploaded documents.

8. Sub-processors

The Data Processor uses the following sub-processors:

  • Supabase — Database hosting, authentication, and file storage (United States)
  • Vercel — Application hosting and content delivery (United States and global edge network)
  • Anthropic — AI document processing and analysis (United States)
  • OpenAI — Text embeddings and document indexing (United States)

The Data Processor will notify the Data Controller of any intended changes to sub-processors at least thirty (30) days in advance, providing the Data Controller an opportunity to object.

Data may be processed and stored in the United States and other jurisdictions where our service providers operate.

9. Security Measures

The Data Processor implements the following security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest
  • Row-level security policies ensuring tenant data isolation
  • Role-based access controls with principle of least privilege
  • Regular security updates and vulnerability patching
  • Audit logging of data access and modifications

While we implement industry-standard security measures, no system is completely secure, and users acknowledge this risk. The Data Processor will promptly notify the Data Controller of any security vulnerabilities that may affect the processing of personal data.

10. Data Breach Notification

In the event of a personal data breach, the Data Processor shall:

  • Notify the Data Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide sufficient information to enable the Data Controller to meet its notification obligations to authorities and data subjects
  • Cooperate with the Data Controller in investigating and remediating the breach
  • Document the breach, its effects, and the remedial actions taken

11. Data Subject Rights

The Data Processor shall assist the Data Controller in fulfilling its obligations to respond to data subject requests, including:

  • Right of access — Providing copies of personal data upon request
  • Right to rectification — Correcting inaccurate personal data
  • Right to erasure — Deleting personal data when legally required
  • Right to data portability — Exporting personal data in a structured, machine-readable format
  • Right to restriction — Limiting the processing of personal data in certain circumstances

12. Data Retention

HOA records are retained in accordance with HOA-provided retention policies or applicable legal requirements. The Data Controller may request deletion or export of data at any time during the service period.

Following deletion, residual copies of data may persist in encrypted backups for a limited period (up to 30 days), after which they are permanently purged. Backup data is not accessible for regular operations and is retained solely for disaster recovery purposes.

13. Term and Termination

This DPA remains in effect for the duration of the service agreement. Upon termination, the Data Processor shall, at the Data Controller's election, delete or return all personal data within 30 days, unless retention is required by applicable law.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of Florida, without regard to its conflict of law provisions.

15. Contact Us

For questions about this Data Processing Agreement or to exercise data subject rights, please contact us at dpa@openbookhoa.com.