Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of, and is governed by, the Terms of Service (the "Agreement") between Overlocked, Inc. ("Overlocked," "we," "us") and the operator customer that accepts the Agreement ("Customer," "you"). It applies whenever Overlocked processes Personal Data on your behalf in connection with the Service. If there is any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.

1. Definitions

Capitalized terms not defined here have the meaning given in the Agreement. "Personal Data," "Controller," "Processor," "Subprocessor," "Data Subject," and "Processing" have the meanings given under applicable data protection law, including the California Consumer Privacy Act as amended ("CCPA/CPRA") and, where applicable, the EU/UK General Data Protection Regulation ("GDPR"). "Applicable Data Protection Law" means all privacy and data protection laws applicable to the processing of Personal Data under the Agreement.

2. Roles of the Parties

For Personal Data relating to your renters and end users that Overlocked processes through the Service, you are the Controller (or "business" under the CCPA/CPRA) and Overlocked is the Processor (or "service provider"). Overlocked will process such Personal Data only as a Processor acting on your documented instructions. Overlocked separately acts as a Controller of operator account and billing data it collects to provide and bill the Service, which is described in our Privacy Policy.

3. Scope and Details of Processing

• Subject matter & duration: Processing of Personal Data for the term of the Agreement and any post-termination period described in Section 9.
• Nature & purpose: To provide the self-storage facility management Service, including managing facilities, units, renters, leases, billing, notifications, and the renter self-service portal.
• Categories of Data Subjects: Your staff users and your renters and their authorized contacts.
• Categories of Personal Data: Name, email, phone number, mailing address, government-ID details and ID images, license-plate number, insurance documents, unit-access credentials (gate code, PIN), lease and billing records, and payment metadata. Full payment card and bank-account numbers are processed by Stripe and are not stored by Overlocked.
• Special categories: None are required by the Service; you agree not to upload special-category data except as inherent to government-ID images you choose to store.

4. Customer Instructions

Overlocked will process Personal Data only (a) to provide the Service in accordance with the Agreement, (b) as further instructed by you through your use of the Service, and (c) as required by applicable law, in which case Overlocked will inform you of that legal requirement before processing unless prohibited from doing so. You are responsible for ensuring that your instructions and your collection and use of Personal Data comply with Applicable Data Protection Law, including providing required notices and obtaining any required consents from Data Subjects.

5. Confidentiality

Overlocked will ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and are granted access on a least-privilege, need-to-know basis.

6. Security Measures

Overlocked maintains technical and organizational measures appropriate to the risk, including encryption in transit (TLS 1.2+) and at rest (AES-256), tenant isolation enforced at the application and middleware layers, MFA-enforced and role-based access controls, audit logging of administrative actions, and least-privilege access for engineers and support staff. These measures are described further in our Privacy Policy and our internal information security and data classification policies.

7. Subprocessors

You authorize Overlocked to engage the Subprocessors listed at overlocked.io/subprocessors to process Personal Data in connection with the Service. Overlocked imposes data protection obligations on each Subprocessor that are no less protective than those in this DPA and remains responsible for each Subprocessor's performance. Overlocked will provide at least 30 days' notice before adding or replacing a Subprocessor that processes Personal Data; if you reasonably object on data protection grounds, you may terminate the affected portion of the Service.

8. Data Subject Rights & Assistance

Taking into account the nature of the processing, Overlocked will provide reasonable assistance — through the Service's self-service tools and, where necessary, manual support — to help you respond to Data Subject requests to access, correct, delete, or port their Personal Data, and to meet your security, breach-notification, and data protection impact assessment obligations. If Overlocked receives a request directly from a Data Subject, it will, where permitted, refer the request to you.

9. Personal Data Breach

Overlocked will notify you without undue delay after becoming aware of a Personal Data Breach affecting your Personal Data, and will provide information reasonably available to it to help you meet your notification obligations under Applicable Data Protection Law.

10. Return and Deletion

Upon termination or expiry of the Agreement, Overlocked will, at your choice, return or delete Personal Data processed on your behalf within a reasonable period, except to the extent retention is required by law or for audit-log integrity. You may export your data through the Service prior to termination.

11. Audits

Overlocked will make available information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party certifications and reports for its Subprocessors where available. Any on-site audit is limited to once per twelve-month period, on reasonable prior notice, during business hours, subject to confidentiality, and at your expense.

12. International Transfers

The Service and its Subprocessors process Personal Data in the United States. This DPA does not provide for processing of Personal Data outside the United States; international data transfer mechanisms (such as the EU Standard Contractual Clauses) are out of scope for the current version of the Service.

13. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

14. Governing Law

This DPA is governed by the laws of the State of Tennessee, without regard to its conflict of law provisions, and the parties submit to the exclusive jurisdiction of the state and federal courts located in Davidson County (Nashville), Tennessee, consistent with the Agreement.

15. Contact

Questions about this DPA, or requests for a counter-signed copy, can be directed to privacy@overlocked.io.