AgentsCard logoGet Started Free

Data Processing Agreement

Last updated: February 10, 2026

This Data Processing Agreement ("DPA") is entered into between AgentsCard Inc. ("Processor" or "AgentsCard") and the customer that has signed up for AgentsCard's services ("Controller" or "Professional Partner") and forms part of the AgentsCard Terms of Service ("Agreement").

This DPA is effective as of the date the Professional Partner accepted the Agreement.

1. Definitions

  • "Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Personal Data Breach" shall have the meanings given to them in the GDPR.
  • "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to the GDPR and the CCPA.
  • "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as approved by the European Commission.
  • "Service Data" means any Personal Data that Processor Processes on behalf of Controller in the course of providing the Platform services under the Agreement.

2. Subject Matter and Details of Processing

2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Service Data, Professional Partner is the Controller and AgentsCard is the Processor.

2.2. Purpose. AgentsCard shall Process Service Data only for the purpose of providing, maintaining, and improving the Platform services as described in the Agreement and as instructed by the Controller.

2.3. Details of Processing. The details of the Processing of Service Data, as required by Article 28(3) of the GDPR, are described in Annex I of this DPA.

3. Obligations of the Processor

AgentsCard, as the Processor, agrees to:

3.1. Process Only on Instruction. Process Service Data only in accordance with the Controller's documented lawful instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law.

3.2. Confidentiality. Ensure that all personnel authorized to Process Service Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.3. Security. Implement and maintain appropriate technical and organizational security measures to protect Service Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Annex II.

3.4. Subprocessors.

  • Controller provides a general authorization for AgentsCard to engage third-party subprocessors to Process Service Data on its behalf. The current list of subprocessors is maintained at Subprocessors and is attached as Annex III.
  • AgentsCard will notify Controller of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Controller the opportunity to object to such changes as described in our Subprocessor Policy.
  • AgentsCard will impose on its subprocessors data protection obligations that are no less protective than those in this DPA. AgentsCard shall remain fully liable to the Controller for the performance of the subprocessor's data protection obligations.

3.5. Data Subject Rights. To the extent legally permissible, AgentsCard will provide reasonable assistance to the Controller to enable the Controller to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law.

3.6. Personal Data Breaches. AgentsCard will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Service Data. AgentsCard will provide the Controller with sufficient information to allow the Controller to meet any obligations to report the breach to a supervisory authority or notify Data Subjects.

3.7. Data Protection Impact Assessments. AgentsCard will provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities, as required under Applicable Data Protection Law.

3.8. Return or Deletion of Data. Upon termination of the Agreement, AgentsCard will, at the choice of the Controller, delete or return all Service Data to the Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.

4. Obligations of the Controller

Controller, as the Controller, represents and warrants that:

  • It has complied and will comply with all Applicable Data Protection Law in its collection and use of Service Data.
  • It has a lawful basis for the Processing of all Service Data provided to AgentsCard.
  • It is solely responsible for the accuracy, quality, and legality of the Service Data and the means by which it acquired the Service Data.
  • Its instructions to AgentsCard for the Processing of Service Data will comply with all Applicable Data Protection Law.

5. International Data Transfers

For transfers of Personal Data from the European Economic Area (EEA), the UK, or Switzerland to a country that does not ensure an adequate level of protection, the parties agree that the Standard Contractual Clauses (SCCs) will apply. The SCCs are deemed incorporated into this DPA by reference.

6. Audits

AgentsCard shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, upon reasonable notice and subject to appropriate confidentiality obligations.

7. Term and Termination

This DPA will commence on the date of the Agreement and will remain in effect until the termination or expiration of the Agreement. The obligations of confidentiality, data return/deletion, and any other provisions which by their nature are intended to survive, will survive termination.

Annex I: Details of Processing

A. Subject Matter of Processing

The Processing of Personal Data by AgentsCard to provide the Platform services to the Professional Partner as described in the Agreement.

B. Duration of Processing

For the term of the Agreement, plus any period required for the return or deletion of data as described in this DPA.

C. Nature and Purpose of Processing

The subject matter of the data processing under this DPA is the provision of the AgentsCard platform. AgentsCard provides a comprehensive real estate client management and marketing ecosystem. The nature and purpose of the processing includes:

  • Digital Infrastructure: Creating, hosting, and maintaining professional websites and online presence for the Professional Partner.
  • Client Management (CRM): Managing customer relationships, tracking lead lifecycles, and referral programs.
  • Marketing & Engagement: Providing tools for automated and manual communications, including email and SMS marketing, as well as reputation management (reviews).
  • Intelligence & Insights: Generating analytics, performance reports, and data visualizations to assist the Professional Partner in business optimization.

D. Categories of Data Subjects

  • Clients and Prospects: Individual home buyers, sellers, and leads who interact with the Professional Partner’s website, mobile presence, referral programs, or communication tools powered by AgentsCard.
  • Authorized Users: Employees, contractors, or agents of the Professional Partner who are granted access to the Platform to manage the Professional Partner’s account and data.

E. Types of Personal Data Processed

  • Lead and Client Data: Name, email address, phone number, physical address (current or property-of-interest), property preferences, communication history (email/SMS logs), referral source, IP address, device information, and website interaction data (such as viewed listings or saved searches).
  • Authorized User Data: Name, business email address, professional role/title, login credentials, and platform usage metadata (logs of actions taken within the CRM).

Annex II: Technical and Organizational Security Measures

AgentsCard implements and maintains the following security measures:

  1. Encryption: Service Data is encrypted in transit using TLS and at rest using industry-standard encryption protocols.
  2. Access Control: Access to Personal Data is restricted to authorized personnel who have a need to know. Access is managed through role-based access controls (RBAC), multi-factor authentication (MFA), and regular access reviews.
  3. Data Minimization: We collect and process only the Personal Data that is necessary to provide the services.
  4. Physical Security: Our infrastructure is hosted on secure, certified data centers (e.g., Google Cloud Platform, Cloudflare) that have robust physical security controls.
  5. Incident Response: We maintain an incident response plan to promptly identify, investigate, and respond to security incidents and Personal Data Breaches.
  6. Business Continuity: We maintain a business continuity and disaster recovery plan, including regular data backups, to ensure service availability.
  7. Personnel Security: All employees and contractors are subject to confidentiality agreements and undergo security and privacy training.

Annex III: Authorized Subprocessors

The Professional Partner agrees that AgentsCard may use the subprocessors listed in AgentsCard's Subprocessors, which is maintained at the following link:

Subprocessors