Data Processing Agreement
Last Updated: March 31, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Tenant entity (“Controller”) and Renta Labs LLC (“Processor,” “Renta”).
This DPA applies to the processing of Personal Data by Renta on behalf of the Tenant in connection with the Renta platform.
1. Definitions
- Controller — the Tenant, who determines the purposes and means of processing Personal Data
- Processor — Renta, which processes Personal Data on behalf of the Controller
- Data Subject — the individual to whom the Personal Data relates (primarily Renters)
- Personal Data — any information relating to an identified or identifiable natural person
- Personal Data Breach — unauthorized access, disclosure, loss, or destruction of Personal Data
- Sub-processor — any third party engaged by Renta to process Personal Data
2. Scope and Purpose of Processing
Categories of Personal Data Processed
| Category | Data Elements | Sensitivity |
|---|---|---|
| Identifiers | Name, email, phone, address, DOB | Standard |
| Government identification | Driver's license number, state | Sensitive |
| Biometric-adjacent | Digital signature data | Standard |
| Financial identifiers | Card last four, brand, Stripe tokens | Standard |
| Transaction data | Booking history, amounts, deposits, refunds | Standard |
| Waiver data | Signed waiver content, signature, signing IP | Standard |
| Emergency contacts | Contact name, phone, relationship | Standard |
| Technical data | IP address, browser and device information | Standard |
Purposes: Operating the Platform, processing bookings, payment processing, waiver management, CRM, transactional communications, analytics and reporting, security, and legal compliance.
Duration: For the term of the Tenant's subscription plus retention periods in Section 9.
3. Processor Obligations
Renta processes Personal Data only on the Controller's documented instructions. For CCPA purposes, Renta is a “service provider” (§1798.140(ag)) and shall not sell, share, or use Personal Data for any purpose beyond providing the Platform service.
Renta ensures personnel are bound by confidentiality, assists with data subject access requests (DSARs) within 10 business days, and cooperates with data protection impact assessments upon request.
4. Security Measures
Renta implements the following technical and organizational measures (per GDPR Art. 32):
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest (database level via AWS/Supabase)
- AES-256-GCM field-level encryption for driver's license numbers and signature data
- Row-level security (RLS) enforcing strict tenant data isolation
- Role-based access controls (owner, manager, staff) with differentiated permissions
- Masked display of sensitive data with unmasking restricted to owner/manager roles
- Audit logging of all access to sensitive data
- Multi-factor authentication support
- Regular security assessments
5. Sub-processors
| Sub-processor | Purpose | Data Location |
|---|---|---|
| Supabase (AWS) | Database, auth, file storage | United States |
| Stripe | Payment processing, identity verification | US / Global |
| Resend | Transactional email delivery | United States |
| Vercel | Application hosting | US / Global |
The Controller may object to new sub-processors within 15 days of notice. If unresolved within 30 days, either party may terminate the affected services without penalty.
6. International Data Transfers
All Personal Data is stored in the United States. For EU/EEA/UK Controllers, transfers rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (EU Commission Decision 2021/914). For Australian Controllers, this DPA constitutes the contractual arrangement required by APP 8. For Mexican Controllers, this DPA satisfies LFPDPPP Art. 36.
7. Personal Data Breach Notification
Renta will notify the Controller of any Personal Data Breach within 72 hours (per GDPR Art. 33), including: the nature and scope of the breach, affected data categories, likely consequences, and remediation measures.
The Controller is responsible for notifying their own customers and supervisory authorities as required by applicable law.
8. Audit Rights
The Controller may audit Renta's compliance up to once per 12 months with 30 days' notice. Renta may provide a SOC 2 report or security assessment in lieu of on-site audit.
9. Data Retention and Deletion
- 30-day data export window after termination
- Deletion within 90 days after export window
- Payment/tax records: 7 years (26 U.S.C. §6501)
- Waiver/signature records: 7 years
- Driver's license numbers: automatically purged 90 days post-booking
- Anonymized data: may be retained indefinitely
10. Liability
Each party is liable for damages caused by its own breach. Liability caps from the Terms of Service apply. Where GDPR applies, liability follows Art. 82.
11. General Provisions
Governed by the law specified in the Terms of Service. Renta may update this DPA with 30 days' notice. Sections 3 (CCPA), 4 (Security), 7 (Breach), 9 (Retention), and 10 (Liability) survive termination.
12. Contact
Renta Labs LLC
1752 W Plains Dr
Apple Valley, UT 84737
Email: privacy@getrenta.io
Platform: getrenta.io
Renta Labs (company): rentalabs.io