Effective Date:
March 17, 2026
This Partner Data Processing Agreement (“DPA”), including its annexes, is incorporated into the Channel Partner Agreement, the API License Agreement (each as defined below), or other master agreement between Partner and DOOR Systems, Inc. (“DOOR”) governing the use of Services (as defined below) (the “Agreement”) by Partner and Customer. This DPA sets out data protection requirements with respect to the processing of Partner Personal Data and Customer Personal Data (each term as defined below) where DOOR acts as a Processor of Partner Personal Data and a sub-processor of Customer Personal Data where DOOR has no direct contractual relationship with the Customer.
The following terms have the following meanings when used in this DPA. Any capitalized terms that are not defined in this DPA have the meaning provided in the Agreement.
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity and who is a beneficiary of the Services under the Agreement.
“API License Agreement” means the OpenDOOR SDK and API License Agreement, together with any statement of work, Orders, addenda, schedules or supplements thereto, executed by Partner and DOOR.
“Channel Partner Agreement” means the DOOR Channel Sales Policies and Procedures together with an Authorization Letter, the applicable addendum, any Orders and schedules or supplements thereto, executed by Partner and DOOR.
“Customer” means the organization that uses the Services in a multi-family building pursuant to the Agreement. For the avoidance of doubt, this DPA does not govern personal use of the Services at a single-family residence.
“Customer Personal Data” means any personal data or personal information (as that term is defined in the applicable Data Protection Laws) that Customer provides to DOOR or that DOOR processes on behalf of Customer in the course of providing Services.
“Data Protection Laws” means any data protection law that applies to Customer or DOOR, including, but not limited to (i) the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CCPA), together with the CCPA regulations, (ii) Virginia Consumer Data Protection Act (VCDPA), (iii) the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), (iv) the British Columbia Personal Information Protection Act (PIPA), (v) state data breach notification laws, and (vi) any other data protection legislation applicable to the respective party in its role in the processing of Customer Personal Data under the Agreement; in each case as amended, repealed, consolidated, or replaced from time to time.
“Partner” means a company that has been authorized in writing by DOOR to resell, distribute or facilitate the sale of DOOR Products to Customers pursuant to the applicable Channel Partner Agreement and, if applicable, such company’s affiliate(s) or subsidiary(ies).
“Partner Personal Data” means (a) any personal information (as that term is defined in the applicable Data Protection Laws) that DOOR processes on behalf of Partner in connection with DOOR’s provision of the Services and (b) Customer Personal Data.
“Security Incident” means any accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Personal Data on systems managed or otherwise controlled by DOOR.
“Sensitive Data” means (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number (other than the truncated (last four digits) number of a credit or debit card or a truncated number of a bank account); (c) employment, financial, credit, genetic, biometric, or health information; (d) racial, ethnic, political, or religious affiliation, trade union membership, information about sexual life or sexual orientation, or criminal record; or (e) other information that falls within the definition of “sensitive data” under applicable Data Protection Laws.
“Services” means the services provided by DOOR to Partner and/or Customer pursuant to the Agreement.
“Sub-processor” means any service provider or processor engaged by DOOR or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates of DOOR but shall exclude DOOR employees, contractors, or consultants.
2.1 Parties’ roles. The parties acknowledge and agree that with regard to the processing of Partner Personal Data (except with respect to Customer Personal Data), DOOR is a “service provider” or “processor” acting on behalf of Partner, and Partner is a “business” (or “controller”) or a “service provider” (or “processor”), as those terms are defined in the Data Protection Laws. For the avoidance of doubt, this DPA shall not apply to instances where DOOR is the “business” or “controller” (as defined by Data Protection Laws) unless otherwise described in Annex C (Jurisdiction-Specific Terms) of this DPA. In cases where Partner acts as a Processor of Customer Personal Data and Customer is the Controller, DOOR is a sub-processor.
2.2 Purpose limitation. Unless otherwise required by applicable law, DOOR shall process Partner Personal Data, as further described in Annex A (Details of Data Processing) of this DPA, only in accordance with Partner’s documented lawful instructions as set forth in this DPA, as necessary to comply with applicable law, or as otherwise agreed in writing (“Permitted Purposes”). The parties agree that the Agreement, including this DPA, along with Partner’s use of any settings, features, or options in the Services (as Partner may be able to modify from time to time) constitute Partner’s complete and final instructions to DOOR in relation to the processing of Partner Personal Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
2.3 Prohibited data. Partner will not provide, directly or indirectly, any Sensitive Data to DOOR for processing under the Agreement, and DOOR will have no liability whatsoever for Sensitive Data, whether in connection with a Security Incident or otherwise. For the avoidance of doubt, this DPA will not apply to Sensitive Data.
2.4 Partner compliance. Partner represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Data Protection Laws, in respect of its processing of Partner Personal Data and any processing instructions it issues to DOOR; and (ii) it has provided, and will continue to provide, all notice, and has obtained, and will continue to obtain, all consents and rights necessary under Data Protection Laws for DOOR to process Partner Personal Data for the purposes described in the Agreement. Partner shall have sole responsibility for the accuracy, quality, and lawfulness of Partner Personal Data and the means by which Partner acquired Partner Personal Data.
2.5 Lawfulness of Partner’s instructions. Partner will ensure that DOOR’s processing of the Partner Personal Data in accordance with Partner’s instructions will not cause DOOR to violate any applicable law, regulation, or rule, including, without limitation, Data Protection Laws. DOOR shall promptly notify Partner in writing, unless prohibited from doing so under Data Protection Laws, if it becomes aware or believes that any data processing instruction from Partner violates Data Protection Laws. Where Partner acts as a service provider or processor on behalf of a third-party controller (or other intermediary to the ultimate controller), Partner warrants that its processing instructions as set out in the Agreement and this DPA, including its authorizations to DOOR for the appointment of Sub-processors in accordance with this DPA, have been authorized by the relevant business or controller. Partner shall serve as the sole point of contact for DOOR and DOOR need not interact directly with (including to provide notifications to or seek authorization from) any third-party business or controller other than through regular provision of the Services to the extent required under the Agreement. Customer shall be responsible for forwarding any notifications received under this DPA to the relevant controller, where appropriate.
3.1 Sub-processors. Partner agrees that DOOR may engage Sub-processors to process Partner Personal Data on Partner’s behalf. The Sub-processors currently engaged by DOOR are available here. From time to time, DOOR may engage or terminate Sub-processors, as its business needs require. Any changes to our Sub-processors will be reflected here.
3.2 Sub-processor obligations. DOOR shall: (i) enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Partner Personal Data as those in this DPA, to the extent applicable to the nature of the service provided by such Sub-processor; and (ii) remain responsible for such Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-processor that cause DOOR to breach any of its obligations under this DPA. Partner acknowledges and agrees that DOOR may be prevented from disclosing Sub-processor agreements to Partner due to confidentiality restrictions but DOOR shall, upon request, use reasonable efforts to provide Partner with all relevant information it reasonably can in connection with Sub-processor agreements.
4.1 Security Measures. DOOR shall implement and maintain appropriate technical and organizational security measures that are designed to protect Partner Personal Data from Security Incidents and designed to preserve the security and confidentiality of Partner Personal Data in accordance with DOOR’s security standards described in Annex B (“Security Measures”) of this DPA.
4.2 Confidentiality of processing. DOOR shall ensure that any person who is authorized by DOOR to process Partner Personal Data (including its staff, contractors, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.3 Updates to Security Measures. Partner is responsible for reviewing the information made available by DOOR relating to data security and making an independent determination as to whether the Services meet Partner’s requirements and legal obligations under Data Protection Laws. Partner acknowledges that the Security Measures are subject to technical progress and development and that DOOR may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Partner.
4.4 Security Incident response. Upon becoming aware of a Security Incident, DOOR shall promptly take reasonable steps to contain and investigate it. Where DOOR confirms that a Security Incident impacts Partner Personal Data, DOOR shall: (i) notify Partner without undue delay, and where feasible, within 48 hours of awareness and confirmation; (ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Partner; and (iii) reasonably cooperate with the Partner in the containment and investigation of the Security Incident. DOOR’s notification of or response to a Security Incident under this Section 4.4 shall not be construed as an acknowledgment by DOOR of any fault or liability with respect to the Security Incident.
4.5 Partner responsibilities. Notwithstanding the above, Partner agrees that except as provided by this DPA, Partner is responsible for its secure use of the Services (including but not limited to DOOR’s web platform designed to enable spaces, users and access management by authorized users (the “Platform”)), including securing its account authentication credentials, protecting the security of Partner Personal Data when in transit to and from the Services, and ensuring that only authorized individuals have access to Partner’s account in the Platform.
Security reports. Partner acknowledges that DOOR is regularly audited against SOC 2 standards by independent third party auditors and internal auditors respectively. Upon reasonable written request, but no more than once per calendar year, DOOR shall supply (on a confidential basis) a summary copy of its most current audit report(s) (“Report”) to Partner, so that Partner can verify DOOR’s compliance with the audit standards against which it has been assessed. Partner acknowledges that these reports shall be subject to the confidentiality provisions of the Agreement as DOOR’s Confidential Information.
Deletion or return on termination. Upon termination or expiration of the Agreement, DOOR shall (at Partner’s election) delete or return to Partner all Partner Personal Data in its possession or control, except that this requirement shall not apply to the extent DOOR is required by applicable law to retain some or all of the Partner Personal Data, or Partner Personal Data it has archived on back-up systems, which Partner Personal Data DOOR shall securely isolate, protect from any further processing and eventually delete in accordance with DOOR’s deletion policies, once permitted by applicable law.
7.1 Data subject requests. As part of the Services, DOOR provides a number of self-service features within the Platform, that Partner may use to retrieve, correct, delete, or restrict the use of Partner Personal Data, which Partner may use to assist it in connection with its (or its third-party controller’s) obligations under the Data Protection Laws with respect to responding to requests from data subjects via Partner’s account at no additional cost. Partner acknowledges that, as a data controller or business, it is responsible for fulfilling individual rights requests under Data Protection Laws. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent DOOR from responding to any data subject or data protection authority requests in relation to personal data for which DOOR is a controller. DOOR will process data subject requests in accordance with its Privacy Notice.
7.2 Data protection impact assessment. Only to the extent required under applicable Data Protection Laws, DOOR shall (considering the nature of the processing and the information available to DOOR) provide all reasonably requested information regarding the Services to enable Partner to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws. DOOR shall comply with the foregoing by: (i) complying with Section 5 (Security Reports); (ii) providing the information contained in the Agreement, including this DPA; and (iii) if the foregoing sub-sections (i) and (ii) are insufficient for Partner to comply with such obligations, upon request, providing additional reasonable assistance (at Partner’s expense).
7.3 In-app account deletion. As required by app store rules, DOOR provides individual end users with an in-app option to request that their account, and personal data associated with it, be deleted. When DOOR receives such a request, it will inform the relevant Partner of the request and, after confirming that the end user has no current active access to any doors, DOOR will process the deletion request within 15 days of receipt. The Partner may object to such deletion and explain the reasons for the objection in writing.
To the extent DOOR processes Partner Personal Data originating from and protected by Data Protection Laws in one of the jurisdictions listed in Annex C, then the terms specified in Annex C with respect to the applicable jurisdiction(s) (“Jurisdiction-Specific Terms”) apply in addition to the terms of this DPA. In the event of any conflict or ambiguity between the Jurisdiction-Specific Terms and any other terms of this DPA, the applicable Jurisdiction-Specific Terms will take precedence, but only to the extent of the Jurisdiction-Specific Terms’ applicability to DOOR.
9.1 Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Agreement.
9.2 Any claims made against DOOR or its Affiliates under or in connection with this DPA shall be brought solely by the Partner entity that is a party to the Agreement.
9.3 In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise.
10.1 This DPA shall remain in effect for as long as DOOR carries out Partner Personal Data processing operations on behalf of Partner or until termination of the Agreement (and all Partner Personal Data has been returned or deleted in accordance with Section 6 above).
10.2 The parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.
10.3 In the event of any conflict or inconsistency between this DPA and the Terms of Service, the provisions of the following documents (in order of precedence) shall prevail: (i) this DPA; and then (ii) the Terms of Service.
10.4 Except for any changes made by this DPA, the Agreement remains unchanged and in full force and effect.
10.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
10.6 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
(a) Categories of data subjects:
The categories of data subjects whose personal data is processed include (i) Partner, (ii) Customers, including Owners, including Property Managers, and Installers (i.e., individual end users with access to DOOR OS), (iii) Residents (i.e., Customer’s building residents), and (iv) Guests (i.e., individuals invited into a building by Customer or Resident, including service providers).
(b) Categories of personal data:
Partner and Customers may upload, submit, or otherwise provide certain personal data to DOOR that typically include the following types of personal data:
(c) Sensitive data processed (if applicable):
DOOR does not want to, nor does it intentionally, collect or process any Sensitive Data in connection with the provision of its Services.
(d) Frequency of processing:
Continuous for the duration of the Agreement, including any renewals.
(e) Subject matter and nature of the processing:
DOOR provides a variety of services, including access control and opening doors, managing and sharing door access, managing and operation of smart home services, payment services, and bookings, as more particularly described in the Agreement. The subject matter of the data processing under this DPA is the Partner Personal Data. Partner Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:
(f) Purpose of the processing:
DOOR shall only process Partner Personal Data for the Permitted Purposes, which shall include: (i) processing as necessary to provide the Services in accordance with the Agreement; (ii) processing initiated by Partner in its use of the Services; and (iii) processing to comply with any other reasonable instructions provided by Partner (e.g., via email or support tickets) that are consistent with the terms of the Agreement.
(g) Duration of processing and period for which personal data will be retained:
DOOR will process Partner Personal Data as outlined in Section 6 (Return or Deletion of Data) of this DPA.
The Security Measures applicable to DOOR Services are described here (as updated from time to time in accordance with Section 4.3 of this DPA).
This section applies to Partners who engage DOOR for the provision of Services in California, Virginia, Colorado, Utah, and Connecticut, and any other state having enacted general application privacy laws that come into effect during the term of this Agreement.
Except as described otherwise, the definitions of “Controller” and “Business” and “Processor” and “Service Provider” are used interchangeably; in each case as defined under the relevant Data Protection Laws.
This section applies to Partners who engage DOOR for the provision of Services in Ontario and British Columbia and whose data processing activities, therefore, are subject to PIPEDA and PIPA.
