Start Valuation
Log in
Jump back in
Sign up
Let Hoff & Leigh help you out

Data Processing Addendum (Controller–Processor)

Effective: October 30, 2025

1) Parties and scope

This Data Processing Addendum ("DPA") forms part of the agreement(s) governing use of the Hoff & Leigh Valuations platform (the "Service") between Hoff & Leigh, Inc. ("Customer," acting as controller/business) and BKV Productions LLC ("Processor," acting as processor/service provider) (together, the "Parties"). This DPA applies to Processor’s processing of personal information on behalf of Customer through the Service. The Service is intended for U.S. use only.

2) Roles and instructions

3) Nature and purpose; types of data; subjects

Nature and purpose: hosting, storage, parsing (including via third-party AI and document processing services), human-in-the-loop review, transmission, and related operations to provide and improve the Service. Data types typically include account identifiers (e.g., name, email), property-related documents/media and metadata, usage logs, and support communications. Data subjects typically include Customer’s brokers, staff, and clients.

4) Confidentiality and security

5) Subprocessors

Customer authorizes Processor to engage subprocessors reasonably necessary to provide the Service, including hosting, storage, parsing/AI, and support providers. A current list is published at /legal/subprocessors and may be updated from time to time. Processor remains responsible for subprocessors’ performance of obligations under this DPA.

6) International transfers

The Service is intended for U.S. use, with primary processing in the United States. Caching/CDN and certain third-party processing may use global infrastructure. Customer consents to such transfers.

7) Assistance

Taking into account the nature of processing, Processor will provide reasonable assistance to Customer in responding to consumer requests and meeting security and privacy obligations (e.g., security notices, impact assessments) as required by applicable U.S. law.

8) Incident notification

Processor will notify Customer without undue delay and in any event within sixteen (16) days after becoming aware of a personal data breach affecting Customer personal information, unless applicable law requires earlier notification. Notices will be sent to bderkhan@bkv.tech unless otherwise specified.

9) Deletion and return

Upon Customer’s request or termination of the Service, Processor will delete personal information within thirty (30) days, subject to permitted retention for security, legal, and backup purposes.

10) Audits

On reasonable request no more than annually, Processor will provide information reasonably necessary to demonstrate compliance with this DPA (e.g., security descriptions and third‑party audit reports or certifications if available). Formal onsite audits are not required unless mandated by law and only after good-faith efforts to resolve concerns.

11) U.S. privacy (service provider)

For U.S. state privacy laws (e.g., CCPA/CPRA), Processor acts as a service provider and will not: (a) sell or share Customer personal information; (b) retain, use, or disclose Customer personal information except to provide the Service or as permitted by law; or (c) combine Customer personal information with information received from other sources except as permitted to provide the Service or as directed by Customer.

12) Term and termination

This DPA remains in effect while Processor processes Customer personal information to provide the Service. Termination of the underlying agreement terminates this DPA, subject to Sections 8 and 9.

13) Miscellaneous

In case of conflict between this DPA and the underlying agreement, this DPA controls as to processing of personal information. This DPA is governed by Colorado law, and disputes are resolved as set forth in the underlying agreement’s dispute resolution terms.