Data Privacy Agreement
Updated:
This Data Processing Agreement (“DPA”) is entered into between CheckIT Technologies Inc., a Delaware corporation, 144 Via Bandolero, Arroyo Grande, CA 93420 (“CheckIT,” “Processor,” or “Service Provider”), and the subscribing customer (“Customer,” “Business,” or “Controller”) that has accepted the CheckIT Terms of Service or signed an Order referencing this DPA (the “Agreement”).
This DPA supplements and is incorporated by reference into the Agreement. In the event of conflict between this DPA and the Agreement, this DPA controls solely with respect to data protection.
1. Definitions
• "Applicable Privacy Laws" — all U.S. federal and state laws relating to data protection, privacy, and security applicable to processing under this DPA, including CCPA/CPRA (and its 2026 regulations covering ADMT, risk assessments, and cybersecurity audits), VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, Montana Consumer Data Privacy Act, and the Iowa, Tennessee, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Rhode Island, Indiana, and Kentucky comprehensive privacy laws, as amended.
• "Controller" — the party that determines the purposes and means of processing Personal Information. Customer is the Controller (or Business).
• "Personal Information" or "Personal Data" — information that identifies, relates to, describes, or is reasonably linkable to a particular individual or household, that CheckIT processes on behalf of Customer.
• "Processing" — any operation performed on Personal Information, as defined under Applicable Privacy Laws.
• "Processor" — the party that processes Personal Information on behalf of the Controller. CheckIT is the Processor (or Service Provider).
• "Security Incident" — a breach of CheckIT’s security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information processed on behalf of Customer.
• "Sensitive Personal Information" or "Sensitive Data" — as defined under Applicable Privacy Laws, including government identifiers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, mental or physical health, sex life or sexual orientation, citizenship or immigration status, genetic and biometric data, and personal information of children.
• "Subprocessor" — any third party engaged by CheckIT to process Personal Information on behalf of Customer.
2. Scope and Roles
2.1 Subject Matter
This DPA governs CheckIT’s processing of Personal Information submitted to the Service in connection with construction-industry financial document verification, discrepancy detection, dispute drafting, and related profit-optimization workflows.
2.2 Roles
Customer is the Controller (or Business) and CheckIT is the Processor (or Service Provider). Each party will comply with its obligations under Applicable Privacy Laws.
2.3 Customer Instructions
CheckIT will process Personal Information only: (a) on Customer’s documented instructions (this DPA, the Agreement, any Order, and use of the Service per the Documentation); (b) as necessary to provide, secure, monitor, troubleshoot, and improve the Service for Customer; or (c) as required by Applicable Privacy Laws.
2.4 Restrictions on CheckIT (CCPA Service Provider Commitments)
CheckIT will not:
• Sell or Share Personal Information;
• retain, use, or disclose Personal Information for any purpose other than the Business Purposes in this DPA and the Agreement, or as permitted under Applicable Privacy Laws;
• retain, use, or disclose Personal Information outside the direct business relationship between CheckIT and Customer;
• combine Personal Information received from Customer with Personal Information from any other party except as permitted by Applicable Privacy Laws or per Section 7.2 of the Agreement (which requires advance notice, de-identification, and opt-out); or
• use Personal Information to train, fine-tune, or improve any third-party general-purpose or foundation AI model.
CheckIT certifies that it understands and will comply with the restrictions in this Section 2.4.
3. Details of Processing
• Subject matter: Processing of Personal Information in connection with the Service.
• Duration: The term of the Agreement plus the retention period in Section 9.
• Nature and purpose: OCR; data extraction; AI-assisted discrepancy detection; dispute drafting; reporting; account management; security; support.
• Categories of data subjects: Customer’s employees, contractors, vendors, customers, and other individuals whose information appears in documents submitted to the Service.
• Categories of Personal Information: Identifiers (name, business email, business phone, employer); commercial information (invoice/PO/RFQ data, payment terms, tax IDs); professional or employment information; internet activity (Service usage logs); inferences drawn from the above.
• Sensitive Personal Information: Customer shall not submit Sensitive Personal Information unless expressly authorized by CheckIT in writing.
4. Customer Obligations
4.1 Lawfulness
Customer is solely responsible for (a) the accuracy, quality, and legality of Personal Information; (b) having all rights, consents, and authority necessary to submit Personal Information to the Service; (c) providing required notices to data subjects; and (d) responding to consumer requests (with CheckIT’s assistance per Section 7).
4.2 No Sensitive Data Without Authorization
Customer agrees not to submit Sensitive Personal Information, PCI-DSS-regulated payment card data, HIPAA-regulated health information, children’s data, or other categories of regulated data unless CheckIT has approved such use in writing and additional safeguards are agreed.
5. CheckIT Obligations
5.1 Confidentiality of Personnel
CheckIT will ensure all personnel authorized to process Personal Information are bound by appropriate confidentiality obligations and receive appropriate privacy and security training.
5.2 Security Measures
CheckIT implements and maintains safeguards designed in alignment with SOC 2 and ISO/IEC 27001 principles, including at a minimum:
• Encryption: TLS 1.2+ in transit; AES-256 at rest.
• Access Control: Role-based access; least-privilege provisioning; mandatory MFA for administrative access; periodic access reviews.
• Network Security: Firewalls, intrusion detection/prevention, segmentation, and regular vulnerability scanning.
• Application Security: Secure SDLC; code review; dependency scanning; annual penetration testing.
• Physical Security: Cloud data centers operated by certified providers (SOC 2 Type II, ISO 27001).
• Logging and Monitoring: Audit logs retained for at least 12 months; 24/7 security monitoring.
• Incident Response: Documented plan with defined roles, escalation, and notification procedures, tested at least annually.
• Business Continuity: Encrypted backups; documented recovery procedures.
• Personnel: Background checks (as permitted by law); written confidentiality agreements; annual security training.
5.3 Support and Troubleshooting Access
Customer authorizes CheckIT’s authorized personnel to access Customer Data solely to (a) diagnose and resolve technical or functional issues; (b) verify the accuracy and completeness of processing; and (c) provide training or guidance at Customer’s request.
6. Subprocessors
6.1 General Authorization
Customer provides general authorization for CheckIT to engage Subprocessors. CheckIT will (a) impose data-protection obligations on each Subprocessor no less protective than this DPA; and (b) remain liable for each Subprocessor’s performance.
6.2 Current Subprocessors
• Microsoft Azure (Microsoft Corporation) — Cloud hosting, OCR, storage, compute, telemetry — United States
• OpenAI, L.L.C. — Generative AI / NLP for discrepancy analysis and dispute drafting. Training on Customer Data disabled — United States
• Anthropic, PBC — Generative AI / NLP for discrepancy analysis and dispute drafting. Training on Customer Data disabled — United States
• Stripe, Inc. — Payment processing, billing, and subscription management — United States
• Resend, Inc. — Transactional email delivery — United States
A current list is also maintained at checkitapps.com/subprocessors.
6.3 Notice of New Subprocessors
CheckIT will provide at least 30 days’ advance written notice before adding or replacing any Subprocessor that processes Personal Information.
6.4 Right to Object
Customer may object in writing to a new Subprocessor on reasonable, documented data-protection grounds within 30 days of notice. If no alternative is feasible, Customer may terminate the affected portion of the Service and receive a prorated refund of prepaid, unused fees.
7. Consumer / Data Subject Rights
7.1 Cooperation
CheckIT will provide reasonable assistance to help Customer fulfill its obligations to respond to consumer requests under Applicable Privacy Laws (including rights to know, access, delete, correct, port, opt out of Sale/Sharing, opt out of profiling and ADMT, limit use of Sensitive Personal Information, and appeal).
7.2 Direct Requests
If CheckIT receives a request directly from a consumer pertaining to Customer’s Personal Information, CheckIT will, where lawful, redirect the request to Customer and notify Customer without undue delay.
7.3 Universal Opt-Out Mechanisms
CheckIT will reasonably cooperate with Customer’s obligation to honor universal opt-out preference signals (including the Global Privacy Control) where required under Applicable Privacy Laws.
8. Security Incidents
8.1 Notification
CheckIT will notify Customer of a confirmed Security Incident without undue delay and no later than 72 hours after CheckIT confirms the Security Incident.
8.2 Content of Notice
To the extent then known, the notice will include: (a) a description of the nature of the Security Incident; (b) categories and approximate number of data subjects and records affected; (c) likely consequences; (d) measures taken or proposed; and (e) a designated point of contact.
8.3 Cooperation
CheckIT will reasonably cooperate with Customer in investigating the incident and complying with applicable breach-notification laws.
8.4 Not an Admission
A Security Incident notice is not an acknowledgment of fault or liability.
9. Data Retention and Deletion
9.1 Retention During Term
CheckIT will retain Personal Information only for as long as necessary to provide the Service or as required by Applicable Privacy Laws.
9.2 Return or Deletion
On termination or expiration of the Agreement, CheckIT will, at Customer’s election, return or delete all Personal Information within 30 days, except where retention is required by applicable law or for limited legitimate business purposes.
9.3 Backups
Residual copies in backup or disaster-recovery systems will be deleted or overwritten within 90 days beyond deletion from production.
9.4 Beta and Pilot Programs
For Customers participating in beta, pilot, or early-access programs, data persistence and retention may differ from generally available production and may be subject to change.
10. Audits and Compliance
10.1 Audit Reports
Upon written request, CheckIT will make available (no more than once per 12-month period) summary information demonstrating compliance with this DPA, including its most recent third-party audit reports or certifications when available.
10.2 On-Site Audit
If summary documentation is not sufficient, Customer may conduct an on-site audit subject to the following conditions: (a) at least 30 days’ written notice; (b) conducted during regular business hours; (c) without disruption to CheckIT’s operations; (d) at Customer’s expense; and (e) no more than once per 12-month period.
11. International Data Transfers
The Service is hosted in the United States. CheckIT does not currently offer the Service to data subjects outside the United States. If Customer or its data subjects are located outside the United States, Customer is responsible for ensuring that submission of Personal Information complies with applicable cross-border transfer requirements.
12. Automated Decision-Making and Risk Assessments
12.1 Risk Assessment Cooperation
On Customer’s reasonable request, CheckIT will provide information reasonably necessary to support Customer’s data-protection risk assessments under Applicable Privacy Laws.
12.2 No Solely-Automated Significant Decisions
The Service is not designed to make solely-automated decisions about consumers that produce legal or similarly significant effects. Customer agrees not to use the Service for that purpose without notifying CheckIT and complying with all applicable ADMT requirements.
13. Liability and Indemnification
The liability of each party under this DPA is subject to the limitations of liability in the Agreement. Each party will indemnify the other against regulatory fines and third-party claims arising from its own breach of this DPA.
14. Term and Termination
This DPA becomes effective upon Customer’s acceptance of the Agreement and remains in effect for the duration of the Agreement. Sections 1, 2.4, 8, 9, 10, and 13 survive termination.
15. Governing Law
This DPA is governed by the laws of the State of California. Disputes are subject to the dispute resolution provisions of the Agreement.
16. Updates to this DPA
CheckIT may update this DPA from time to time. Material changes will be communicated with at least 30 days’ advance notice by email or in-product. Continued use of the Service after the effective date constitutes acceptance.
17. Order of Precedence
In the event of conflict among (a) this DPA, (b) the Agreement, and (c) any prior data processing terms between the parties, this DPA controls solely with respect to data protection matters.
In Witness Whereof
This DPA is effective on the date Customer accepts the Agreement or signs an Order referencing this DPA.
Contact: help@checkitapps.com | Subprocessor list: checkitapps.com/subprocessors
CheckIT Technologies Inc. · 144 Via Bandolero, Arroyo Grande, CA 93420
© 2026 CheckIT Technologies Inc. All rights reserved.