Data Processing Agreement
Last updated: April 17, 2026
This Data Processing Agreement ("DPA") supplements the BoardFlow Terms of Service and governs the processing of personal data by Slatewood Labs LLC ("Provider", "we", "us", or "our"), doing business as BoardFlow, on behalf of property management firms, co-op/condo boards, and building managers (collectively, "Controller") who use the Service.
Scope
This DPA governs Provider's processing of personal data on behalf of Controllers (property management firms, co-op/condo boards) when Provider acts as a Data Processor in the co-op/condo board-package review flow. For BoardFlow's direct-to-applicant rental flow, BoardFlow processes data as an independent Controller in its own right; that flow is not governed by this DPA and is instead covered by the Rental Privacy Policy.
1. Definitions and Roles
- Data Controller: The Property Manager or Board that determines the purposes and means of processing applicant personal data.
- Data Processor: Slatewood Labs LLC, which processes personal data strictly on the Controller's documented instructions via the BoardFlow platform.
- PII: Personally Identifiable Information as defined by the New York SHIELD Act (N.Y. Gen. Bus. Law § 899-aa) and other applicable privacy laws, including social security numbers, financial account numbers, and government-issued identification.
2. Security Safeguards
Provider maintains a comprehensive information security program that includes, at minimum:
- Encryption of uploaded documents and database data at rest via Supabase-managed infrastructure (AES-256 at the storage and disk layer). Sensitive financial form data (including Social Security Numbers and bank account numbers) is additionally encrypted at the application layer before being written to the database.
- TLS 1.2 or higher for all data in transit, with HSTS enforced (max-age 2 years, preload)
- Row-level security (RLS) enforced on every database table containing applicant data, ensuring users can only access records they are authorized to view. Access controls are enforced at both the application (proxy) and database layers. User accounts are protected by rate-limited, password-based authentication.
- In-browser-only document rendering with short-lived (5 minute) signed URLs — native browser download and print controls are disabled in the document viewer
- Audit logging of document access and application lifecycle events
- Rate limiting on authentication, document access, and sensitive mutation endpoints
3. Incident Response and Breach Notification
If Provider confirms a security breach resulting in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of unencrypted PII, Provider will:
- Notify the affected Controller within forty-eight (48) hours of confirming the breach via email to the Controller's designated administrative contact.
- Provide a written report describing the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the mitigation steps taken or planned.
- Cooperate in good faith with the Controller to satisfy the Controller's legal notification obligations to affected New York residents and any applicable regulators.
4. Sub-Processors
Controller authorizes Provider to engage third-party sub-processors to deliver the Service. Provider maintains an up-to-date list of material sub-processors, currently including:
- Supabase — database hosting, authentication, file storage
- Vercel — application hosting and deployment
- Stripe — payment processing for the Package Preparation Fee
- Resend — transactional email delivery
- Google Gemini AI (paid tier) — AI-assisted executive summaries of applications. Provider uses the paid tier of the Gemini API, under which Google contractually does not use prompts, attachments, or responses to train or improve its models. Prompts and responses are retained by Google for a limited period (currently up to 55 days) solely for abuse monitoring.
If Provider adds a new material sub-processor, Provider will notify Controller in advance. Controller has thirty (30) days from such notice to object on reasonable data-protection grounds; if the parties cannot agree on a resolution, Controller may terminate the Service without penalty.
5. Data Retention and Destruction
- Application documents are automatically deleted thirty (30) days after a final decision (approval or denial) is recorded on the application.
- Stale drafting applications are automatically cleaned up after thirty (30) days of inactivity.
- Upon termination of the Service or upon written request from Controller, Provider will securely destroy all applicable PII in Provider's possession within thirty (30) days and, on request, provide a certificate of destruction.
- Exception: Provider may retain transaction logs and minimal metadata required for tax, legal, or payment-dispute purposes for the period required by applicable law.
6. Controller Responsibilities
Controller agrees to:
- Provide lawful instructions for processing and ensure a valid legal basis exists for collecting applicant PII.
- Not download, export, print, or externally transmit applicant PII except as strictly necessary for the board-review purpose, and to maintain equivalent safeguards for any such exported data.
- Promptly notify Provider of any data-subject request, legal process, or suspected breach of which Controller becomes aware.
7. Contact
For data-processing inquiries, sub-processor notifications, or to exercise Controller rights, contact us at privacy@nycboardflow.com.