Legal
Data Processing Agreement
1. Parties and Scope
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller ("Controller"): The organization that registers for and uses the TNF360 platform to create virtual property tours.
- Data Processor ("Processor"): The Noughty Fox SRL (IDNO: 1022600002164), Chișinău, Republic of Moldova.
This DPA governs the Processor's handling of personal data on behalf of the Controller in connection with the TNF360 platform ("Platform"), as described in the Terms and Conditions and Privacy Policy. This DPA forms part of the agreement between the parties and supplements the Terms and Conditions.
2. Definitions
Terms used in this DPA that are defined in Regulation (EU) 2016/679 ("GDPR") or Republic of Moldova Law No. 195/2024 on Personal Data Protection have the same meaning as in those regulations. "Personal data", "processing", "data subject", "supervisory authority", and "personal data breach" are interpreted accordingly.
3. Subject Matter and Duration
3.1. Subject matter: The Processor provides a virtual touring platform that captures, processes, stores, and publishes property tour data on behalf of the Controller.
3.2. Duration: This DPA remains in effect for as long as the Processor processes personal data on behalf of the Controller. It terminates automatically when all personal data has been deleted or returned in accordance with Section 10.
4. Details of Processing
4.1. Purpose of processing: Capturing property data, stitching panoramic images, generating floor plans, hosting and publishing virtual tours, and providing the web editor — all as instructed by the Controller through use of the Platform.
4.2. Categories of data subjects:
- Individuals who appear in captured property imagery (if present during capture).
- Property occupants or owners whose property is being captured (indirectly, through property interiors and visible personal belongings).
4.3. Types of personal data processed:
- 360° video recordings and device sensor data from property captures
- 3D spatial models and floor plans of properties
- Property names, descriptions, and locations
- Any personal data incidentally visible in captured imagery (photographs, documents, personal items)
4.4. Nature of processing: Collection, storage, automated processing (panorama stitching, floor plan generation), publication via web viewer, and deletion.
5. Obligations of the Processor
The Processor shall:
5.1. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data outside the EU, unless required to do so by applicable law — in which case the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.
5.2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7.
5.4. Not engage another processor without prior written authorization from the Controller, subject to Section 6.
5.5. Assist the Controller, taking into account the nature of processing, in responding to requests from data subjects exercising their rights under GDPR or applicable data protection law.
5.6. Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to the Processor.
5.7. At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless applicable law requires retention.
5.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA, and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller, subject to reasonable advance notice.
6. Sub-Processors
6.1. The Controller provides general written authorization for the Processor to engage the following sub-processors:
| Sub-Processor | Processing Activity | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and data storage | EU |
| Google (ARCore Cloud Anchors) | Spatial relocalization for property capture (Android only) | Global (Google Cloud) |
| PostHog | Product analytics (editor only) | EU |
6.2. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 14 days of notification.
6.3. If the Controller objects to a new sub-processor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the agreement with respect to the affected services.
6.4. The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, ensuring that the sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.
6.5. The Processor remains fully liable to the Controller for the performance of any sub-processor's obligations.
7. Security Measures
The Processor implements and maintains the following technical and organizational measures:
- Data at rest is stored with server-side encryption within the EU.
- Data in transit between the mobile app, web interfaces, and backend is encrypted using TLS.
- Passwords are hashed using industry-standard algorithms.
- Access to production systems is restricted to authorized personnel on a need-to-know basis.
- Periodic reviews of access controls and security practices are conducted.
The Processor shall regularly test, assess, and evaluate the effectiveness of these measures and update them as appropriate to the evolving risk landscape.
8. Personal Data Breach Notification
8.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach involving the Controller's data.
8.2. The notification shall include, to the extent available:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records concerned.
- The name and contact details of the Processor's point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
8.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
9. International Data Transfers
9.1. All platform data hosted by the Processor is stored within the EU.
9.2. During the panorama stitching process, capture data may be temporarily transferred to processing infrastructure in Chișinău, Moldova. This data is deleted from local infrastructure after processing is complete.
9.3. On Android devices, sensor data is transmitted to Google servers via ARCore Cloud Anchors for spatial relocalization. This data is processed by Google under its own privacy policy and data processing terms. Google may process this data outside the EU/EEA.
9.4. The Processor shall not transfer personal data to a country outside the EU/EEA without ensuring appropriate safeguards are in place, in accordance with Chapter V of the GDPR or equivalent provisions of applicable data protection law.
10. Data Return and Deletion
10.1. Upon termination of the agreement or at the Controller's request, the Processor shall:
- Delete or return all personal data processed on behalf of the Controller, at the Controller's choice.
- Delete existing copies of the personal data, unless applicable law requires retention.
10.2. The Processor shall complete deletion within 30 days of the request or termination, and provide written confirmation upon request.
10.3. Data that has been anonymized and aggregated for technology improvement purposes (as described in the Terms and Conditions, Section 5.3) is no longer personal data and is not subject to deletion obligations under this DPA. The Controller may separately object to this processing as described in the Terms and Conditions, Section 5.4.
11. Audits
11.1. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
11.2. The Controller or its appointed auditor may conduct an audit of the Processor's data processing activities, subject to:
- At least 30 days' prior written notice.
- A maximum of one audit per calendar year, unless a personal data breach has occurred or a supervisory authority requires an audit.
- Reasonable scope and duration, conducted during normal business hours.
- Confidentiality obligations regarding the Processor's proprietary information.
11.3. The Processor shall cooperate with the audit and provide reasonable access to relevant facilities, systems, and personnel.
12. Liability
The liability of each party under this DPA is subject to the limitations set out in the Terms and Conditions.
13. Governing Law
This DPA is governed by the laws of the Republic of Moldova. For Controllers located in the European Union, mandatory provisions of applicable EU Member State law shall apply where they override the chosen governing law.
14. Contact
For any questions or requests related to this DPA:
The Noughty Fox SRL
Email:
support@thenoughtyfox.com