OfferReady· Legal

Enterprise data terms

Customer-facing document

Data Processing Addendum

v2.0 · Effective July 3, 2026

Effective July 3, 2026. This document is provided by OfferReady, a Florida limited liability company. It is informational and is not legal advice.

This DPA sets the data-protection terms under which OfferReady processes Personal Data on behalf of brokerage and enterprise customers. It is incorporated into the OfferReady Terms of Service or master agreement between the parties.

This Data Processing Addendum (“DPA”) is entered into between OfferReady, a Florida limited liability company (“OfferReady” or “Processor”) and the brokerage or enterprise customer identified in the applicable order form (“Customer” or “Controller”), and is incorporated into the OfferReady Terms of Service or master agreement between the parties (the “Agreement”).

What this does

  • Defines Controller and Processor roles and limits Processing to Customer’s documented instructions and applicable law.
  • Requires notice of new or replacement Subprocessors at least 30 days in advance, with objection and termination rights for Customer.
  • Requires breach notification without undue delay, and in any event within 72 hours, after OfferReady becomes aware of a Personal Data Breach.
  • Provides for return and deletion of Personal Data at termination and incorporates the EU Standard Contractual Clauses and UK Addendum for restricted international transfers.

What this does NOT do

  • OfferReady shall not sell or share Personal Data as those terms are defined in the CCPA, and shall not use or disclose it beyond performing the services as a service provider.
  • OfferReady shall not use Personal Data to train public or third-party foundation models.
  • OfferReady asserts no certifications or controls beyond those stated in the Subprocessors & Security Overview.

Full document text

1. DEFINED TERMS

1.1 “Personal Data” means any information relating to an identified or identifiable natural person processed by OfferReady on behalf of Customer under the Agreement.

1.2 “Processing”, “Controller”, “Processor”, “Data Subject”, and “Personal Data Breach” have the meanings given in applicable Data Protection Law.

1.3 “Data Protection Law” means all data-protection and privacy laws applicable to the Processing, which may include the California Consumer Privacy Act as amended, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), other U.S. state privacy laws, and, where applicable, the EU/UK General Data Protection Regulation (“GDPR”).

1.4 “Subprocessor” means a third party engaged by OfferReady to Process Personal Data on Customer’s behalf.

2. ROLES; SCOPE OF PROCESSING

2.1 Customer is the Controller (or, where Customer acts for a third-party controller, a processor, in which case OfferReady is a subprocessor) and OfferReady is the Processor of Personal Data processed through the platform under the Agreement.

2.2 The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are described in Annex 1.

3. PROCESSING INSTRUCTIONS; PURPOSE LIMITATION

3.1 OfferReady shall Process Personal Data only (a) on Customer’s documented instructions, which consist of the Agreement, this DPA, and Customer’s configuration and use of the platform, and (b) as required by applicable law, in which case OfferReady will inform Customer of the legal requirement before Processing unless prohibited by law.

3.2 OfferReady shall not sell or share Personal Data (as those terms are defined in the CCPA), shall not retain, use, or disclose Personal Data for any purpose other than performing the services or as otherwise permitted of a “service provider” under Cal. Civ. Code § 1798.140, and shall not combine Personal Data with data from other sources except as permitted by Data Protection Law. OfferReady certifies that it understands and will comply with these restrictions.

3.3 OfferReady will notify Customer if, in its opinion, an instruction violates Data Protection Law, and may suspend the affected Processing until the instruction is modified.

3.4 No model training. OfferReady shall not use Personal Data to train public or third-party foundation models.

4. CONFIDENTIALITY OF PERSONNEL

4.1 OfferReady shall ensure that persons authorized to Process Personal Data are bound by confidentiality obligations and access Personal Data only as needed to perform the services.

5. SUBPROCESSORS

5.1 Customer provides general authorization for OfferReady to engage the Subprocessors identified in the OfferReady Subprocessors & Security Overview (incorporated by reference).

5.2 OfferReady will provide notice of new or replacement Subprocessors at least 30 days before they Process Personal Data, via email to Customer’s designated administrative contact or in-platform notice. Customer may object in writing on reasonable data-protection grounds within 15 days; if the parties cannot resolve the objection, Customer may terminate the affected services and receive a pro-rata refund of prepaid, unused fees.

5.3 OfferReady shall flow down data-protection obligations no less protective than this DPA to each Subprocessor and remains liable for its Subprocessors’ performance.

6. SECURITY

6.1 OfferReady shall implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex 2 and the Subprocessors & Security Overview. OfferReady asserts no certifications or controls beyond those stated there.

7. PERSONAL DATA BREACH

7.1 OfferReady shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data, and shall provide information reasonably available to assist Customer in meeting Customer’s own notification obligations, followed by updates as the investigation progresses.

7.2 OfferReady’s notification is not an acknowledgment of fault or liability.

8. DATA SUBJECT REQUESTS; ASSISTANCE

8.1 Taking into account the nature of the Processing, OfferReady shall provide reasonable assistance — including through platform functionality — to enable Customer to respond to Data Subject requests (access, deletion, correction, portability, opt-out) under Data Protection Law. If a Data Subject contacts OfferReady directly, OfferReady will redirect the request to Customer where identifiable.

8.2 OfferReady shall provide reasonable assistance with Customer’s data-protection impact assessments and regulator consultations where required by Data Protection Law, at Customer’s cost for material efforts beyond platform functionality.

8.3 Audit. OfferReady shall make available information reasonably necessary to demonstrate compliance with this DPA and, no more than once per 12 months on 30 days’ notice, allow a review of relevant documentation (e.g., security summaries, third-party attestations when available). On-site audits are limited to cases where documentation is insufficient and are subject to confidentiality and reasonable scheduling.

9. RETURN AND DELETION

9.1 On termination or expiration of the Agreement, OfferReady shall, at Customer’s election made within 60 days, return Customer’s Personal Data via platform export and/or delete it, and shall delete remaining copies within 90 days, except where retention is required by law or data resides in routine backups, in which case it remains protected under this DPA until deleted in the ordinary course.

10. INTERNATIONAL TRANSFERS

10.1 To the extent Processing involves a restricted international transfer of Personal Data subject to the GDPR or UK GDPR, the parties incorporate the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller-to-processor), and the UK International Data Transfer Addendum, completed as set out in Annex 1 and Annex 2. Absent such transfers, this Section is inoperative.

11. LIABILITY

11.1 Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement, which apply in aggregate across the Agreement and this DPA. Nothing in this Section limits liability that cannot be limited under Data Protection Law.

12. ORDER OF PRECEDENCE; GOVERNING LAW

12.1 If this DPA conflicts with the Agreement regarding the Processing of Personal Data, this DPA controls. If incorporated Standard Contractual Clauses conflict with this DPA, the Clauses control for the transfers they govern.

12.2 This DPA is governed by Florida law, without regard to conflict-of-laws principles; exclusive venue lies in the state and federal courts located in Miami-Dade County, Florida, except as mandatory Data Protection Law provides otherwise.

ANNEX 1 — PROCESSING DETAILS

  • Subject matter: Provision of the OfferReady real-estate SaaS platform.
  • Duration: Term of the Agreement plus the deletion period in Section 9.
  • Nature and purpose: Hosting, storage, transmission, display, AI-assisted drafting/summarization, communications, analytics, and support, as configured by Customer.
  • Categories of Data Subjects: Customer’s personnel and agents; buyers, sellers, and other consumers; collaborators (assistants, TCs, lenders); other participants that Customer or its users invite to the platform.
  • Categories of Personal Data: Names, contact details, account credentials, communications and documents submitted to the platform, property-search activity, usage data, billing contact data. No sensitive-category data is intended to be collected; users are instructed not to submit Social Security numbers or full financial account numbers to the platform.

ANNEX 2 — SECURITY MEASURES

Reference: OfferReady Subprocessors & Security Overview. Measures include: encryption in transit (TLS/HTTPS) and encryption at rest provided by default by the Google Cloud hosting infrastructure; role- and scope-based application access controls; restricted, need-to-know production access protected by authentication controls, as described in the OfferReady Subprocessors & Security Overview, as updated from time to time; platform logging provided by the hosting infrastructure; incident-response process; and personnel confidentiality obligations. No controls beyond those stated in the Subprocessors & Security Overview are asserted.

This is not legal advice, not lending advice, not valuation advice, and not tax, inspection, or insurance advice.

OfferReady is organizational software. It does not draft, interpret, recommend, negotiate, approve, or execute legal agreements, and it is not a brokerage, lender, title company, escrow agent, appraiser, inspector, or law firm.

OfferReady · Legal document · v2.0, effective July 3, 2026

This document is not legal advice. Questions: albert@arbicgroup.com.