Last Updated: Feb 6, 2026
This Data Processing Addendum (including all Schedules attached hereto, this “DPA”) is incorporated into, and is subject to the terms and conditions of, the orders or agreement(s) (collectively, the “Agreement”) governing the provision of services by Luxury Presence, Inc. (“Luxury Presence”) to Customer. This DPA applies only to the extent Luxury Presence’s Processing of Customer Personal Data is subject to the Data Protection Laws. This DPA shall be effective for the term of the Agreement.
1. Definitions
1.1. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data. The term “Controller” includes a “business” as defined under the CCPA.
1.2. “Customer Personal Data” means Personal Data Processed by Luxury Presence on behalf of Customer pursuant to or in connection with the Agreement and this DPA.
1.3. “Data Protection Laws” means all laws and regulations, including laws and regulations of: (i) the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom; (ii) the United States (including, but not limited to the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”) and other applicable state privacy laws); and (iii) any other jurisdiction in which the parties operate, in each case of (i)-(iii), to the extent applicable to the Processing of Customer Personal Data under the Agreement.
1.4. “Data Subjects” means the individuals identified in Schedule 1 to this DPA.
1.5. “EU SCCs” means the Standard Contractual Clauses approved with Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended, supplemented, updated or replaced from time to time.
1.6. “GDPR” means the General Data Protection Regulation (EU) 2016/679 together with any national implementing laws in any member state of the EEA (“EU GDPR”) and the EU GDPR as incorporated into the laws of the United Kingdom (“UK GDPR”).
1.7. “Personal Data” and “Processing” will each have the meaning given to them in the Data Protection Laws. The term “Personal Data” includes “personal information,” “personally identifiable information,” and equivalent terms as such terms may be defined by the Data Protection Laws.
1.8. “Personal Data Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data.
1.9. “Processor” means the entity which Processes Personal Data on behalf of the Controller. The term “Processor” includes a “service provider” as that term is defined under the CCPA.
1.10. “Sensitive Personal Information” means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, and such other categories as may be defined as “sensitive” under applicable Data Protection Laws.
1.11. “Sell” and “Share” have the meaning given in the Data Protection Laws.
1.12. “Service” means the subscription services and/or professional services provided by Luxury Presence to Customer pursuant to the Agreement.
1.13. “Sub-Processor” means another Processor engaged by a Processor to carry out Processing on behalf of a Controller.
1.14. “UK Addendum” means the International Data Transfer Addendum to the EU SCCs, issued by the UK Information Commissioner for parties making restricted transfers, which entered into force on 21 March 2022 (collectively, with the EU SCCs, the “SCCs”).
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
2. Relationship of the Parties
2.1. Customer is a Controller of Customer Personal Data and Luxury Presence is a Processor of Customer Personal Data. If Customer is itself acting as a Processor for Customer Personal Data on behalf of a Controller of such data, Luxury Presence will Process such data as a Sub-Processor to Customer.
2.2. Schedule 1 to this DPA sets out a description of the Processing of Customer Personal Data by Luxury Presence in the provision of the Service to Customer.
3. Processing of Customer Personal Data
3.1. Luxury Presence will only Process Customer Personal Data as a Processor on behalf of and in accordance with Customer’s prior written instructions, including any instructions provided through Customer’s use of the Service. Customer hereby instructs Luxury Presence to Process Customer Personal Data to the extent necessary to provide the Service as set forth in the Agreement and this DPA. Luxury Presence shall not (1) retain, use, or disclose Customer Personal Data other than as provided for in the Agreement, as needed to provide the Service, or as otherwise permitted by Data Protection Laws; (2) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Luxury Presence, including by combining Customer Personal Data with Personal Data Luxury Presence receives from third parties, other than Customer, except as permitted by the Data Protection Laws or as set forth in the Agreement; or (3) Sell or Share Customer Personal Data. Upon notice to Luxury Presence, Customer may take reasonable and appropriate steps in accordance with the Agreement to remediate Luxury Presence’s use of Customer Personal Data in violation of this DPA.
3.2. Luxury Presence will immediately inform Customer if, in its opinion, an instruction from Customer infringes the Data Protection Laws. If applicable laws preclude Luxury Presence from complying with Customer’s instructions, Luxury Presence will inform Customer of its inability to comply with the instructions, to the extent permitted by law.
3.3. Each of Customer and Luxury Presence will comply with their respective obligations under the Data Protection Laws. Luxury Presence shall notify Customer if it determines that it cannot meet its obligations under the Data Protection Laws. Customer has the right to take reasonable steps to ensure that Luxury Presence uses Customer Personal Data in a manner consistent with Customer’s obligations under Data Protection Laws by exercising Customer’s audit rights in Section 11 of this DPA.
3.4. Customer shall not intentionally submit Sensitive Personal Information to Luxury Presence through the Service, and the Luxury Presence Services are not designed to process Sensitive Personal Information. Customer acknowledges that, to the extent Customer enables email synchronization or similar features, Sensitive Personal Information may be incidentally included in communications synced to the Service. Customer is solely responsible for: (a) configuring sync settings to minimize incidental processing of Sensitive Personal Information; (b) ensuring any incidental processing complies with applicable Data Protection Laws, including obtaining any required explicit consents; and (c) promptly deleting any Sensitive Personal Information that should not be retained. Luxury Presence disclaims any liability arising from the incidental presence of Sensitive Personal Information in Customer’s synced communications.
3.5. Customer instructs Luxury Presence to implement automated screening of data obtained through email synchronization and similar integrations to exclude, to the extent technically feasible, (i) data not relevant to the Services, and (ii) data reasonably identifiable as special category or sensitive personal data. Customer acknowledges this instruction and agrees that Luxury Presence’s implementation of such screening constitutes compliance with Customer’s data minimization obligations under applicable Data Protection Laws, but does not transfer Customer’s responsibility for the lawfulness of personal data provided to Luxury Presence.
4. Cross-Border Transfers of Customer Personal Data
4.1. With respect to Customer Personal Data originating from the European Economic Area (“EEA”), the United Kingdom (the “UK”) or Switzerland that is transferred from Customer to Luxury Presence, the parties agree to comply with the general clauses and with “Module Two” (Controller to Processor) and “Module Three” (Processor to Processor) of the EU SCCs, which are incorporated herein by reference, with Customer as the “data exporter” and Luxury Presence as the “data importer.”
4.2. For purposes of the EU SCCs the parties agree that:
4.2.1. The optional docking clause 7 of the EU SCCs will apply.
4.2.2. In clause 9 of the EU SCCs, option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in Section 5.2 of this DPA.
4.2.3. The optional language in clause 11 of the EU SCCs will not apply.
4.2.4. In clause 17 of the EU SCCs, option 1 applies and the EU SCCs shall be governed by the laws of Ireland.
4.2.5. In clause 18(b) of the EU SCCs, the parties agree to submit to the jurisdiction of the courts of Ireland.
4.2.6. In Annex I, Section A (List of Parties) of the EU SCCs, (i) the Customer is the data exporter and Luxury Presence is the data importer and their identity and contact details and, where applicable, information about their respective data protection officer and/or representative in the EEA are those set forth in the Agreement or as otherwise communicated by each party to the other party; (ii) Customer is a Controller (under “Module Two” of the EU SCCs) or Processor (under “Module Three” of the EU SCCs), and Luxury Presence is a Processor or Sub-Processor; (iii) the activities relevant to the data transferred under the EU SCCs relate to the provision of the Service pursuant to the Agreement; and (iv) entering into this DPA shall be treated as each party’s signature of Annex I, Section A, as of the effective date of this DPA.
4.2.7. In Annex I, Section B (Description of Transfer) of the EU SCCs: (i) Schedule 1 to this DPA describes Luxury Presence’s Processing of Customer Personal Data; (ii) the frequency of the transfer is continuous (for as long as Customer uses the Service); (iii) Customer Personal Data will be retained in accordance with Clause 8.5 of the EU SCCs and this DPA; (iv) Luxury Presence uses the Sub-Processors described in Section 6.2 of this DPA to support the provision of the Service.
4.2.8. In Annex I, Section C (Competent Supervisory Authority) of the EU SCCs, the competent supervisory authority identified in accordance with Clause 13 of the EU SCCs is the competent supervisory authority communicated by Customer to Luxury Presence.
4.2.9. In Annex II of the EU SCCs, Luxury Presence has implemented and will maintain appropriate technical and organizational measures to protect the security, confidentiality and integrity of Customer Personal Data as described in Schedule 2 to this DPA.
4.3. If the transfer of Customer Personal Data is subject to the Swiss Federal Act on Data Protection (“FADP”), the parties agree to rely on the EU SCCs with the following modifications: (i) the Federal Data Protection and Information Commissioner (FDPIC) will be the competent supervisory authority under Clause 13 of the EU SCCs; (ii) the parties agree to abide by the GDPR standard in relation to all Processing of Customer Personal Data that is governed by the FADP; (iii) the term “Member State” in the EU SCCs will not prevent Data Subjects who habitually reside in Switzerland from initiating legal proceedings in Switzerland in accordance with Clause 18(c) of the EU SCCs; and (iv) references to the ‘GDPR’ in the EU SCCs will be understood as references to the FADP.
4.4. With respect to transfers from Customer to Luxury Presence of Customer Personal Data originating from the UK, the parties agree that the UK Addendum will complement the EU SCCs to the extent required under Data Protection Laws. The UK Addendum is incorporated herein by reference. The parties agree that the UK Addendum is completed as follows:
4.4.1. For the purpose of Part 1 of the UK Addendum:
4.4.1.1. Table 1 (Parties): the start date is the effective date of the Agreement, the exporter is the Customer and the importer is Luxury Presence, the table is deemed to be completed with the information set out in Section 4.2 of this DPA, and by signing this DPA, parties are deemed to have signed the UK Addendum.
4.4.1.2. Table 2 (Selected SCCs, Modules and Selected Clauses): the “Approved EU SCCs” which the UK Addendum is appended to are the EU SCCs incorporated into this DPA and completed as set out in Section 4.2 of this DPA.
4.4.1.3. Table 3 (Appendix Information): the information requested in Annex 1 is provided in Sections 4.2.6 and 4.2.7 of this DPA; the security measures requested in Annex 2 are described in Schedule 2 to this DPA; the list of Sub-Processors is available as described in Section 6.2 of this DPA.
4.4.1.4. Table 4: both the data importer and the data exporter may end the UK Addendum as set out in section 19 of the UK Addendum.
5. Confidentiality and Security
5.1. Luxury Presence will require Luxury Presence’s personnel who access Customer Personal Data to commit to protect the confidentiality of Customer Personal Data.
5.2. Luxury Presence will implement commercially reasonable technical and organizational measures, as further described in Schedule 2 to this DPA, that are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
5.3. To the extent required by Data Protection Laws, Luxury Presence will provide Customer with reasonable assistance as necessary for the fulfilment of Customer’s obligations under Data Protection Laws to maintain the security of Customer Personal Data.
6. Sub-Processing
6.1. Customer hereby authorizes Luxury Presence to appoint (and permit each Sub-Processor appointed in accordance with this Section 6 to appoint) Sub-Processors in accordance with this Section 6.
6.2. Luxury Presence maintains a current list of Sub-Processors at http://luxurypresence.com/subprocessors. Customer is responsible for periodically reviewing the Sub-Processor list. If Customer objects to a new Sub-Processor on reasonable data protection grounds, Customer may terminate the affected Services by providing written notice within thirty (30) days of the Sub-Processor’s addition to the list.
6.3. Luxury Presence will enter into an agreement with each Sub-Processor that imposes on the Sub-Processor, in substance, the same obligations that apply to Luxury Presence under this DPA. Luxury Presence will remain liable to Customer for the performance of its Sub-Processors’ data protection obligations under this DPA. Luxury Presence’s liability for Sub-Processor failures shall be subject to the limitation of liability and exclusions set forth in the Agreement.
7. Data Subject Rights
Customer is responsible for responding to any Data Subject requests relating to Customer Personal Data (“Requests”). If Luxury Presence receives any Requests during the term of the Agreement, Luxury Presence will advise the Data Subject to submit the request directly to Customer. Luxury Presence will provide Customer with reasonable assistance to permit Customer to respond to Requests.
8. Personal Data Breaches
Upon becoming aware of a Personal Data Breach affecting Customer Personal Data, Luxury Presence will (i) promptly take measures designed to remediate the Personal Data Breach, and (ii) notify Customer without undue delay. Customer is solely responsible for complying with Personal Data Breach notification requirements applicable to Customer. Customer may request that Luxury Presence reasonably assist Customer’s efforts to notify Personal Data Breaches to the competent data protection authorities and/or affected Data Subjects, if Customer is required to do so under the Data Protection Laws. Luxury Presence’s notice of or response to a Personal Data Breach under this Section 8 will not be an acknowledgement or admission by Luxury Presence of any fault or liability with respect to the Personal Data Breach.
9. Data Protection Impact Assessment; Prior Consultation
Customer may request reasonable assistance from Luxury Presence in connection with conducting data protection impact assessments or consultation with data protection authorities if Customer is required to engage in such activities under applicable Data Protection Laws and the data protection impact assessment or consultation relates to the Processing by Luxury Presence of Customer Personal Data.
10. Deletion of Customer Personal Data
Customer instructs Luxury Presence to delete Customer Personal Data after the termination of the Agreement (or such other period as set forth in the Agreement) and delete existing copies unless applicable law requires otherwise in accordance with Luxury Presence’s standard deletion practices. The parties agree that the certification of deletion described in the SCCs, if applicable, shall be provided only upon Customer’s written request. Notwithstanding the foregoing, Luxury Presence may retain Customer Personal Data to the extent and for the period required by applicable laws provided that Luxury Presence maintains the confidentiality of all such Customer Personal Data and Processes such Customer Personal Data only as necessary for the purpose(s) specified in the applicable laws requiring its storage.
11. Audits
11.1. Customer may audit Luxury Presence’s compliance with this DPA no more than once in any twelve month period. Notwithstanding the foregoing, Customer may perform more frequent audits where required by the Data Protection Laws, including where mandated by regulatory or governmental authorities with jurisdiction over Customer Personal Data. Luxury Presence will contribute to such audits by providing Customer or Customer’s regulatory or governmental authority with the information and assistance reasonably necessary to conduct the audit.
11.2. To request an audit, Customer must submit a detailed proposed audit plan to [email protected] at least thirty (30) days in advance of the proposed audit start date and must identify the specific sections of this DPA that form the basis for the audit request and identify any third party Customer intends to appoint to perform the audit. Luxury Presence will review the proposed audit plan and provide Customer with any concerns or questions. The parties will negotiate in good faith to agree on a final audit plan at least two weeks in advance of the proposed audit start date. Nothing in this Section 11 shall require Luxury Presence to breach any duties of confidentiality.
11.3. Luxury Presence may object to third party auditors that are, in Luxury Presence’s reasonable opinion, not suitably qualified or independent, a competitor of Luxury Presence, or otherwise manifestly unsuitable. Customer will appoint another auditor or conduct the audit itself if the parties cannot resolve Luxury Presence’s auditor objection after negotiating in good faith.
11.4. If the requested audit scope is addressed in an SOC 2 Type II report, SSAE 18/ISAE 3402 Type 2, ISO, NIST or similar audit report performed by a qualified third party auditor on Luxury Presence’s systems that Process Customer Personal Data (“Audit Reports”) within twelve (12) months of Customer’s audit request, then Customer agrees that such third party reports will meet Customer’s audit requirements unless Customer demonstrates a reasonable and good faith need for additional review of specific controls that are not addressed in those reports.
11.5. The audit must be conducted at a mutually agreeable time during regular business hours at the applicable facility, subject to the agreed final audit plan and Luxury Presence’s health and safety or other relevant policies. The audit may not unreasonably interfere with Luxury Presence business activities.
11.6. Any audits are at Customer’s expense and Customer will promptly disclose to Luxury Presence any perceived non-compliance or security concerns discovered during the audit, together with all relevant details.
11.7. The parties agree that the audits described in the SCCs, if applicable, shall be performed in accordance with this Section 11.
12. Liability
12.1. Each party’s liability towards the other party under or in connection with this DPA will be limited in accordance with the provisions of the Agreement.
12.2. Customer acknowledges that Luxury Presence is reliant on Customer for direction as to the extent to which Luxury Presence is entitled to Process Customer Personal Data on behalf of Customer in performance of the Service. Consequently, Luxury Presence will not be liable under the Agreement for any claim brought by a Data Subject arising from (a) any action or omission by Luxury Presence in compliance with Customer’s instructions or (b) from Customer’s failure to comply with its obligations under the Data Protection Laws.
12.3. Notwithstanding any other provision herein, Luxury Presence does not warrant that its automated content classification systems will identify or exclude all sensitive personal data or special category data. Luxury Presence’s implementation of such systems is provided as a compliance assistance measure and does not modify Customer’s representations, warranties, or indemnification obligations regarding the lawfulness of personal data provided to Luxury Presence.
13. General Provisions
13.1. Neither party may assign its rights or delegate its duties under this DPA without the prior written consent of the other party, and any such assignment absent such consent shall be deemed null and void. Notwithstanding the foregoing, either party may assign or transfer this DPA to a third party that succeeds to all or substantially all of the assigning party’s business and assets relating to the subject matter of this DPA, whether by sale, merger, operation of law or otherwise. Subject to the foregoing, this DPA is binding upon and will inure to the benefit of each of the parties and their respective successors and permitted assigns.
13.2. All notices, consents, and approvals under this DPA must be delivered via email to Luxury Presence at [email protected] and to Customer via email or in writing by courier, by fax, or by certified or registered mail, at its address set forth in the Agreement and will be effective upon receipt. Either party may change its address by giving notice of the new address to the other party.
13.3. The parties intend this DPA to be construed fairly, according to its terms, in plain English, without constructive presumptions against the drafting party. The headings of Sections of this DPA are for convenience and are not to be used in interpreting this DPA. As used in this DPA, the word “including” means “including but not limited to.”
13.4. Any delay in the performance of any duties or obligations of either party will not be considered a breach of this DPA if such delay is caused by a labor dispute, shortage of materials, fire, earthquake, flood, war, act of terror, denial of service or other malicious attacks, telecommunications failure or degradation, material changes in law, or any other event beyond the control of such party. The affected party will use reasonable efforts, under the circumstances, to notify the other party of the circumstances causing the delay and to resume performance as soon as possible.
13.5. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail. In the event of inconsistencies between the DPA and the SCCs, the SCCs will prevail.
Schedule 1
Details of Processing
1. Categories of Data Subjects. This DPA applies to Luxury Presence’s Processing of Customer Personal Data relating to Customer’s end users (collectively “Customer Clients”). This DPA also applies to Luxury Presence’s Processing of Customer Personal Data relating to Customer (if Customer is an individual acting in a business capacity) and Customer’s authorized employees and contractors accessing the Services as authorized users (collectively “Customer Authorized Users”). This DPA also applies to Luxury Presence’s Processing of Customer Personal Data relating to individuals whose contact information, communications, or other personal data is stored in Customer’s CRM database, including leads, prospects, clients, former clients, referral partners, transaction counterparties, and other third parties whose information is uploaded, imported, or synced by Customer (collectively, “CRM Contacts”).
2. Types of Personal Data.
Categories of Personal Data
| Category | Personal Data |
| --- | --- |
| Identifiers and Contact Information | Name; Email address; Home address; Phone number; IP address; Account identifiers and usernames |
| Account, Authentication, and Security Data | Hashed passwords; Authentication tokens; Login timestamps and login history; Password reset and security verification data; Audit logs and security monitoring data; OAuth tokens; API credentials; Other integration authorization data for connected third-party accounts |
| Real Estate and Property Information | Property interests; Property ownership information; Listing content and related metadata |
| User-Provided Content and Communications | Information submitted by users through forms or platform features; Feedback; Correspondence and communications content; Support requests; Messages sent through the platform; Call recordings or transcripts |
| Synced Email and Communication Data | Email message content, headers, and metadata synced from Customer’s connected email accounts; Email attachments; Email threading and conversation history; Send/receive timestamps; Sender and recipient information; Read receipts and tracking data; Calendar event data where integrated; Email message summaries generated through subprocessing activities |
| CRM and Relationship Data | Contact relationship status and history; Pipeline stage and deal tracking data; Activity logs and interaction history; Notes, tasks, and follow-up records; Tags, segments, and custom fields; Lead scoring and qualification data; Referral source and attribution data; Relationship mapping between contacts |
| Marketing, Advertising, and Engagement Data | Marketing preferences; Consent, opt-in, and opt-out records; Communication engagement data, including email opens and clicks; Lead source and campaign attribution data; Audience segmentation or tagging data; Advertising interaction data; Suppression lists and unsubscribe status |
| Technical, Usage, and Analytics Data | Session information, including page views and events; Session ID; User ID, where authenticated; Device information and user agent; Referrer information; Identity stitching linking prior events following authentication; Application events; Conversion events and funnel data; Testing and performance analytics; Heatmaps or similar behavioral analytics, where enabled |
| Location Data | Approximate location derived from IP address, such as city or region; Location preferences or search location, where provided |
| Media and Content | Photos, videos, and other media uploaded by or on behalf of Customer |
| Billing and Subscription Data | Billing contact information; Transaction identifiers; Subscription status and plan information. Note: Luxury Presence does not store full payment card numbers, which are processed by third-party payment processors. |
| Third-Party Data | Third-party sourced data, including public or purchased data, to the extent such data is linked or reasonably linkable to an identifiable individual |
| Derived and Inferred Data | Inferences derived from usage or engagement data, where such inferences constitute Personal Data under applicable law |
Scope and Control. The nature, purpose, and extent of Customer Personal Data processed by Luxury Presence is determined and controlled solely by Customer in its discretion. Luxury Presence processes Customer Personal Data only on Customer’s documented instructions and in accordance with this Agreement.
3. Subject-Matter and Nature of the Processing. Personal Data will be subject to the following Processing activities as necessary to provide the Services: (a) storage, organization, and retrieval of contact records; (b) synchronization, parsing, and storage of email and communication data from connected accounts; (c) enrichment of contact records using third-party data sources; (d) analysis and reporting on customer relationships and engagement; (e) transmission of marketing and transactional communications on Customer’s behalf; (f) integration with third-party platforms as authorized by Customer; and (g) such other Processing activities as necessary to provide the Services pursuant to the Agreement.
4. Purpose of the Processing. Luxury Presence will Process Customer Personal Data for the purposes of providing the Services pursuant to the Agreement or as otherwise set forth in the Agreement.
5. Duration of the Processing. Customer Personal Data will be Processed on a continuous basis for the duration of the Agreement, subject to Section 10 of the DPA.
6. Data Minimization Measures. Luxury Presence implements features designed to automatically identify and exclude from processing: (a) communications that are not relevant to the purposes of processing described herein; and (b) communications reasonably identified as containing special categories of personal data (as defined in GDPR Article 9) or sensitive personal information (as defined under applicable U.S. state privacy laws), including but not limited to data revealing health conditions, political opinions, religious beliefs, or legal matters unrelated to real estate transactions. Such classification is intended to occur prior to ingestion into Luxury Presence’s primary systems. Communications excluded by automated classification are not retained by Luxury Presence except as necessary to maintain classification logs for audit purposes. Customer acknowledges that automated classification technology cannot guarantee identification of all sensitive content, and Customer retains responsibility for the lawfulness of data provided to Luxury Presence, including data that is not excluded by Luxury Presence’s classification systems.
Schedule 2
Security Measures
1. Introduction
Luxury Presence is committed to maintaining high standards of security. This Schedule describes the technical and organizational measures implemented to protect Customer Personal Data and ensure the confidentiality, integrity, availability, and resilience of Luxury Presence systems and services.
2. IT Security Practices
Luxury Presence maintains documented IT security policies designed to safeguard customer data and prevent unauthorized access, including policies governing user account management, minimum supported software versions, and data handling.
Regular security training is provided to employees to promote awareness of security best practices and threat mitigation.
All internal employee tools utilize single sign-on (SSO) with multi-factor authentication (MFA) enabled.
Third-party dark web monitoring is used to detect potentially compromised credentials.
3. Continuous Monitoring and Logging
Security-related events are logged using AWS CloudTrail and additional monitoring tools to support traceability and accountability.
User requests are logged to detect, analyze, and investigate unusual or suspicious activity.
Access control actions are logged to enable auditing and retrospective security analysis.
Bot traffic is detected and mitigated using heuristic analysis and Cloudflare protections.
4. Infrastructure and Data Security
4.1 Managed Database Services
All databases are hosted on AWS-managed services.
Databases are backed up every twenty-four (24) hours and support point-in-time recovery.
Data stored in AWS RDS, AWS OpenSearch, and related services is encrypted at rest using AES-256 and is encrypted in transit using TLS 1.3 or higher.
Encryption and configuration compliance are monitored using AWS Config.
4.2 Disaster Recovery
Luxury Presence maintains a documented disaster recovery plan covering critical infrastructure and data recovery processes.
4.3 Redundancy and Cloud Architecture
Infrastructure for storage and compute is deployed across multiple AWS availability zones to support high availability and failover.
Databases are monitored for slow queries, performance metrics, and configuration changes.
Application Performance Monitoring (APM) tools are used for all production services.
Production environments are logically segregated from non-production environments used for testing and quality assurance.
External inbound network traffic terminates in a public virtual private cloud (VPC). Security groups are configured to restrict unauthorized access to private network resources.
5. Website Performance and Security
5.1 Optimization and Load Management
Websites utilize server-side generated and statically generated content to improve performance and reliability.
Performance metrics, including p95 and p99 latency, are monitored.
Multiple caching layers are implemented to manage high-traffic scenarios, including traffic spikes caused by marketing campaigns, automated traffic, or media exposure.
5.2 Protection Measures
Cloudflare Web Application Firewall (WAF) is used to protect against common web-based threats.
Security linters and static code analysis tools are used in accordance with OWASP security guidelines.
Annual third-party penetration testing is conducted for production applications.
Backend dependencies are continuously scanned for known vulnerabilities using automated tools.
6. Data Management and Compliance
6.1 Data Storage and Encryption
Personal Data is stored on AWS-managed services, including AWS RDS and AWS OpenSearch.
Encryption at rest and in transit is enabled for stored data.
6.2 MLS Data Handling
The IDX team maintains compliance with MLS feed requirements and RESO standards.
6.3 Content Classification and Filtering
Luxury Presence employs artificial intelligence-based content classification to support data minimization principles. Inbound data from Customer-authorized integrations (including email synchronization) is analyzed prior to ingestion to assess relevance to permitted processing purposes and to identify potential special category or sensitive personal data.
Data classified as irrelevant or sensitive is intended to be excluded from further processing. Luxury Presence maintains and periodically reviews the effectiveness of such classification systems as part of its ongoing compliance program.
Automated content classification cannot guarantee identification or exclusion of all sensitive personal data. Luxury Presence’s implementation of such systems is provided as a compliance assistance measure and does not modify Customer’s responsibilities regarding the lawfulness of personal data provided to Luxury Presence.
7. Authentication and System Monitoring
Administrative access to internal dashboards is secured using Auth0 by Okta in accordance with OWASP authentication best practices.
AWS Config and AWS GuardDuty are used for continuous infrastructure security monitoring.
Role-based access control (RBAC) is available to segment user access based on roles and responsibilities.
8. High Availability and Load Resilience
The Services are hosted on a custom AWS-based architecture designed for resilience, high availability, and low latency.
Cloudflare CDN is used to improve availability and performance.
Internal system design targets a 99.95% service availability objective.
9. Incident Response
Luxury Presence maintains a documented incident response process.
On-call rotations and escalation procedures are in place to support timely incident detection and response.
10. Data Retention and Deletion
Customer Personal Data is retained for the duration of the Agreement and for a reasonable period thereafter to fulfill data portability requests. Upon termination and expiration of the data portability period, Luxury Presence will delete or anonymize Customer Personal Data in accordance with its data retention policies, except as required to comply with legal obligations or resolve disputes. Deletion requests are processed within thirty (30) days. Backup copies are purged in accordance with standard backup rotation schedules.
The technical and organizational measures described in this Schedule are implemented in accordance with industry standards and are designed to meet the requirements of Article 32 of the GDPR and applicable U.S. data protection laws.