Data Processing Agreement
Effective Date: August 29, 2023
This Data Processing Agreement (“DPA”), including its annexes, is incorporated into the Software Subscription Agreement Terms and Conditions, the Subscription Services Terms, or other agreement between Latch Systems, Inc. (“Latch”) and Customer (as defined below) governing the use of Services (as defined below) (the “Agreement”). This DPA sets out data protection requirements with respect to the processing of Customer Personal Data (as defined below) that is collected, stored, or otherwise processed by Latch in the course of providing the Services to Customer.
1. Definitions
The following terms have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity and who is a beneficiary of the Services under the Agreement.
“Customer” means the organization that uses the Services in a multi-family building pursuant to the Agreement. For the avoidance of doubt, this DPA does not govern personal use of the Services at a single-family residence.
“Customer Personal Data” means any personal data or personal information (as that term is defined in the applicable Data Protection Laws) that Customer provides to Latch or that Latch processes on behalf of Customer in the course of providing Services.
“Data Protection Laws” means any data protection law that applies to Customer or Latch, including, but not limited to (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA), together with the CCPA regulations, (ii) Virginia Consumer Data Protection Act (VCDPA), (iii) the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), (iv) the British Columbia Personal Information Protection Act (PIPA), (v) state data breach notification laws, and (vi) any other data protection legislation applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement; in each case as amended, repealed, consolidated, or replaced from time to time.
“Security Incident” means any accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Personal Data on systems managed or otherwise controlled by Latch.
“Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) number of a credit or debit card or a truncated number of a bank account); (c) employment, financial, credit, genetic, biometric, or health information; (d) racial, ethnic, political, or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; or (e) other information that falls within the definition of “sensitive data” under applicable Data Protection Laws.
“Services” means the services provided by Latch to Customer pursuant to the Agreement.
“Sub-processor” means any service provider or processor engaged by Latch or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of Latch but shall exclude Latch employees, contractors, or consultants.
2. Roles and Responsibilities
2.1 Parties’ roles. The parties acknowledge and agree that with regard to the processing of Customer Personal Data, Latch is a “service provider” or “processor” acting on behalf of Customer, and Customer is a “business” (or “controller”) or a “service provider” (or “processor”), as those terms are defined in the Data Protection Laws. For the avoidance of doubt, this DPA shall not apply to instances where Latch is the “business” or “controller” (as defined by Data Protection Laws) unless otherwise described in Annex C (Jurisdiction-Specific Terms) of this DPA.
2.2 Purpose limitation. Unless otherwise required by applicable law, Latch shall process Customer Personal Data, as further described in Annex A (Details of Data Processing) of this DPA, only in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”). The parties agree that the Agreement, including this DPA, along with the Customer’s use of any settings, features, or options in the Services (as the Customer may be able to modify from time to time) constitute the Customer’s complete and final instructions to Latch in relation to the processing of Customer Personal Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
2.3 Prohibited data. Customer will not provide, directly or indirectly, any Sensitive Data to Latch for processing under the Agreement, and Latch will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
2.4 Customer compliance. Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Customer Personal Data and any processing instructions it issues to Latch; and (ii) it has provided, and will continue to provide, all notice, and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for Latch to process Customer Personal Data for the purposes described in the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired Customer Personal Data.
2.5 Lawfulness of Customer’s instructions. Customer will ensure that Latch’s processing of the Customer Personal Data in accordance with Customer’s instructions will not cause Latch to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. Latch shall promptly notify Customer in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from Customer violates Data Protection Laws. Where Customer acts as a service provider or processor on behalf of a third-party controller (or other intermediary to the ultimate controller), Customer warrants that its processing instructions as set out in the Agreement and this DPA, including its authorizations to Latch for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant business or controller. Customer shall serve as the sole point of contact for Latch and Latch need not interact directly with (including to provide notifications to or seek authorization from) any third-party business or controller other than through regular provision of the Services to the extent required under the Agreement. Customer shall be responsible for forwarding any notifications received under this DPA to the relevant controller, where appropriate.
3. Sub-Processing
3.1 Sub-processors. Customer agrees that Latch may engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by Latch are available here. From time to time, Latch may engage or disengage Sub-processors, as its business needs require. Any changes to our Sub-processors will be reflected here.
3.2 Sub-processor obligations. Latch shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause Latch to breach any of its obligations under this DPA. Customer acknowledges and agrees that Latch may be prevented from disclosing Sub-processor agreements to Customer due to confidentiality restrictions but Latch shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Sub-processor agreements.
4. Security
4.1 Security Measures. Latch shall implement and maintain appropriate technical and organizational security measures that are designed to protect Customer Personal Data from Security Incidents and designed to preserve the security and confidentiality of Customer Personal Data in accordance with Latch’s security standards described in Annex B (“Security Measures”) of this DPA.
4.2 Confidentiality of processing. Latch shall ensure that any person who is authorized by Latch to process Customer Personal Data (including its staff, contractors, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.3 Updates to Security Measures. Customer is responsible for reviewing the information made available by Latch relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Latch may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.
4.4 Security Incident response. Upon becoming aware of a Security Incident, Latch shall promptly take reasonable steps to contain and investigate it. Where Latch confirms that a Security Incident impacts Customer Personal Data, Latch shall: (i) notify Customer without undue delay, and where feasible, within 48 hours of awareness and confirmation; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and (iii) reasonably cooperate with the Customer in the containment and investigation of the Security Incident. Latch’s notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by Latch of any fault or liability with respect to the Security Incident.
4.5 Customer responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services (including but not limited to Latch’s web platform designed to enable spaces, users and access management by authorized users (the “Platform”)), including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Services, and ensuring that only authorized individuals have access to Customer’s account in the Platform.
5. Security Reports
Security reports. Customer acknowledges that Latch is regularly audited against SOC 2 standards by independent third-party auditors and by internal auditors. Upon reasonable written request, but no more than once per calendar year, Latch shall supply (on a confidential basis) a summary copy of its most current audit report(s) (“Report”) to Customer, so that Customer can verify Latch’s compliance with the audit standards against which it has been assessed. Customer acknowledges that these reports shall be subject to the confidentiality provisions of the Agreement as Latch’s Confidential Information.
6. Return or Deletion of Data
Deletion or return on termination. Upon termination or expiration of the Agreement, Latch shall (at Customer’s election) delete or return to Customer all Customer Personal Data in its possession or control, except that this requirement shall not apply to the extent Latch is required by applicable law to retain some or all of the Customer Personal Data, or Customer Personal Data it has archived on back-up systems, which Customer Personal Data Latch shall securely isolate, protect from any further processing and eventually delete in accordance with Latch’s deletion policies, once permitted by applicable law.
7. Data Subject Rights and Cooperation
7.1 Data subject requests. As part of the Services, Latch provides Customer, at no additional cost, with a number of self-service features within the Platform that Customer may use to retrieve, correct, delete, or restrict the use of Customer Personal Data, and thereby to assist it in connection with its (or its third-party controller’s) obligations under the Data Protection Laws to respond to requests from data subjects via Customer’s account. Customer acknowledges that, as a data controller or business, it is responsible for fulfilling individual rights requests under Data Protection Laws. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent Latch from responding to any data subject or data protection authority requests in relation to personal data for which Latch is a controller. Latch will process data subject requests in accordance with its Privacy Policy.
7.2 Data protection impact assessment. Only to the extent required under applicable Data Protection Laws, Latch shall (considering the nature of the processing and the information available to Latch) provide all reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. Latch shall comply with the foregoing by: (i) complying with Section 5 (Security Reports); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Customer to comply with such obligations, upon request, providing additional reasonable assistance (at Customer’s expense).
7.3 In-app account deletion. As required by app store rules, Latch provides individual end users with an in-app option to request that their account, and personal data associated with it, be deleted. When Latch receives such a request, it will inform the relevant Customer of the request and, after confirming that the end user has no current active access to any doors, Latch will process the deletion request within 15 days of receipt. The Customer may object to such deletion and explain the reasons for the objection in writing.
8. Jurisdiction-Specific Terms
To the extent Latch processes Customer Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annex C, then the terms specified in Annex C with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to Latch.
9. Limitation of Liability
9.1 Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.
9.2 Any claims made against Latch or its Affiliates under or in connection with this DPA shall be brought solely by the Customer entity that is a party to the Agreement.
9.3 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
10. Relationship with the Agreement
10.1 This DPA shall remain in effect for as long as Latch carries out Customer Personal Data processing operations on behalf of Customer or until termination of the Agreement (and all Customer Personal Data has been returned or deleted in accordance with Section 6 above).
10.2 The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.
10.3 In the event of any conflict or inconsistency between this DPA and the Terms of Service, the provisions of the following documents (in order of precedence) shall prevail: (i) this DPA; and then (ii) the Terms of Service.
10.4 Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
10.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
10.6 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
Annex A – Details of Data Processing
(a) Categories of data subjects:
The categories of data subjects whose personal data is processed include (i) Customers, including Owners, Property Managers, and Installers (i.e., individual end users with access to Latch’s Mission Control), (ii) Residents (i.e., Customer’s building residents), and (iii) Guests (i.e., individuals invited into a building by Customer or a Resident, including service providers).
(b) Categories of personal data:
Customer may upload, submit, or otherwise provide certain personal data to Latch that typically includes the following types of personal data:
- Customers: Identification and contact data (name, address, title, contact details, username); financial information (credit card details, account details, payment information); employment details (employer, job title, geographic location, area of responsibility).
- Residents: Full name, physical address, phone number, email address, move-in and move-out dates, and lease dates.
- Guests: Full name, phone number, and email address.
(c) Sensitive data processed (if applicable):
Latch does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of its Services.
(d) Frequency of processing:
Continuous for the duration of the Agreement, including any renewals.
(e) Subject matter and nature of the processing:
Latch provides a variety of services, including access control and opening doors, managing and sharing door access, managing and operating smart home services, payment services, and bookings, as more particularly described in the Agreement. The subject matter of the data processing under this DPA is the Customer Personal Data. Customer Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:
- Storage and other processing necessary to provide, maintain and improve the Services provided to Customer pursuant to the Agreement; and/or
- Disclosures in accordance with the Agreement and/or as compelled by applicable law.
(f) Purpose of the processing:
Latch shall only process Customer Personal Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Services in accordance with the Agreement; (ii) processing initiated by Customer in its use of the Services; and (iii) processing to comply with any other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
(g) Duration of processing and period for which personal data will be retained:
Latch will process Customer Personal Data as outlined in Section 6 (Return or Deletion of Data) of this DPA.
Annex B – Security Measures
The Security Measures applicable to Latch Services are described here (as updated from time to time in accordance with Section 4.3 of this DPA).
Annex C – Jurisdiction-Specific Terms
1. United States
This section applies to Customers who engage Latch for the provision of Services in California, Virginia, Colorado, Utah, and Connecticut, and any other state having enacted general application privacy laws that come into effect during the term of this Agreement.
Except as described otherwise, the definitions of “Controller” and “Business” and “Processor” and “Service Provider” are used interchangeably; in each case as defined under the relevant Data Protection Laws.
- For this “United States” section of Annex C only, “Permitted Purposes” shall include processing Customer Personal Data only for the purposes described in this DPA and in accordance with Customer’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, as otherwise agreed in writing, including, without limitation, in the Agreement, or as otherwise may be permitted for “service providers” or “processors.”
- Latch’s obligations regarding data subject requests, as described in Section 7 (Data Subject Rights and Cooperation) of this DPA, extend to rights requests under the applicable Data Protection Law.
- Notwithstanding any use restriction contained elsewhere in this DPA, Latch shall process Customer Personal Data to perform the Services, for the Permitted Purposes and/or in accordance with Customer’s documented lawful instructions, or as otherwise permitted or required by applicable law.
- Latch shall not sell or share Customer Personal Data.
- Latch shall not retain, use, disclose, or otherwise process Customer Personal Data outside of the direct business relationship between Latch and Customer.
- Latch shall not retain, use, disclose, or otherwise process Customer Personal Data for any purpose other than for the specific purpose of providing the Services to Customer under the Agreement.
- Latch shall not combine Customer Personal Data with personal information it receives from, or on behalf of, another person(s), or collects from its own interaction with a Resident or Guest in the course of performing the Services, except where both (i) required to perform the Services and (ii) permitted by applicable law.
- Notwithstanding any use restriction contained elsewhere in this Annex C, Latch may de-identify or aggregate Customer Personal Data as part of performing the Services specified in this DPA and the Agreement.
- Latch shall not provide access to Customer Personal Data to any other entity, except it may use Sub-processors to perform the Services, provided that Latch obligates such Sub-processors in writing to the same terms that apply to Latch through this DPA.
- Latch shall ensure the security of Customer Personal Data including by: (i) providing the same level of privacy protection to Customer Personal Data as is required by Data Protection Laws and (ii) ensuring each person processing Customer Personal Data is subjected to a duty of confidentiality with respect to such Customer Personal Data.
- Latch shall notify Customer promptly, but in no event later than five (5) business days, in writing if it determines it can no longer meet its obligations under applicable Data Protection Laws and allow Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Customer Personal Data.
- Where Sub-processors process the Customer Personal Data, Latch takes steps to ensure that such Sub-processors are service providers or processors under the applicable Data Protection Law with whom Latch has entered into a written contract that includes terms substantially similar to this “United States” section of Annex C, or are otherwise exempt from the definition of “sale” or “sharing,” as those terms are defined in the applicable Data Protection Law. Latch conducts appropriate due diligence on its Sub-processors.
2. Canada
This section applies to Customers who engage Latch for the provision of Services in Ontario and British Columbia and whose data processing activities, therefore, are subject to PIPEDA and PIPA.
- Latch takes steps to ensure that Latch’s Sub-processors, as described in Section 3 (Sub-processing) of the DPA, are third parties under PIPEDA and PIPA, with whom Latch has entered into a written contract that includes terms substantially similar to this DPA. Latch conducts appropriate due diligence on its Sub-processors.
- Latch will implement technical and organizational measures as set forth in Section 4 (Security) of the DPA.