Fourplex

Data Processing Agreement

Last updated: June 27, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between TVB Apps LLC, doing business as Fourplex ("Fourplex," "we," or "us"), and the customer organization that uses the Fourplex service ("Customer," "you"). It describes how Fourplex processes personal information on your behalf when you use Fourplex to manage your community.

If you require a countersigned copy of this DPA for your records, contact us at hello@getfourplex.com.

This document is provided for transparency. It is not legal advice. Customers with specific compliance needs should consult their own counsel.

1. Definitions

  • "Applicable Law" means the privacy and data-protection laws that apply to the processing under this DPA, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and analogous US state privacy laws such as those of Virginia, Colorado, Connecticut, and Texas.
  • "Customer Personal Data" means personal information that you or your authorized users upload to or transmit through the Service and that Fourplex processes on your behalf.
  • "Service" means the Fourplex application and related services provided under the Agreement.
  • "Subprocessor" means a third party engaged by Fourplex to process Customer Personal Data.
  • "Security Incident" means a confirmed unauthorized acquisition, access, use, disclosure, or destruction of Customer Personal Data in Fourplex's possession.
  • Terms such as "controller," "processor," "business," "service provider," "sell," "share," and "process" have the meanings given in Applicable Law.

2. Roles of the parties

As between the parties, you are the controller (or "business") of Customer Personal Data, and Fourplex is the processor (or "service provider"), processing Customer Personal Data on your behalf to provide the Service. This DPA does not create a joint-controller relationship, and Fourplex has no independent right to Customer Personal Data.

3. Scope and instructions

Fourplex will process Customer Personal Data only (a) in accordance with your documented instructions, which are set out in this DPA, the Agreement, and Annex A; (b) as necessary to provide and support the Service; and (c) as required by law. Fourplex will not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes described in Annex A, and will not combine it with personal information from other sources except as permitted by Applicable Law. If Fourplex believes an instruction violates Applicable Law, it will promptly inform you.

4. Confidentiality

Fourplex ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and limits access to those who need it to provide the Service.

5. Security

Fourplex maintains the technical and organizational security measures described in Annex B, appropriate to the risk of the processing. Fourplex may update those measures from time to time provided the overall level of protection is not materially reduced.

6. Subprocessors

You authorize Fourplex to engage the Subprocessors listed at getfourplex.com/legal/subprocessors to help provide the Service. Fourplex imposes data-protection obligations on each Subprocessor that are no less protective than this DPA and remains responsible for its Subprocessors' processing of Customer Personal Data.

Before adding or replacing a Subprocessor that processes Customer Personal Data, Fourplex will update the subprocessors page and provide at least 30 days' advance notice (by email to your account contact or through the Service). You may object on reasonable data-protection grounds within 15 days of the notice; the parties will work in good faith to resolve the objection, and if it cannot be resolved, you may terminate the affected Service and receive a refund of prepaid fees for the unused period.

7. Assistance with consumer rights requests

Taking into account the nature of the processing, Fourplex will provide reasonable assistance to help you respond to requests from individuals to exercise their rights under Applicable Law (such as access, deletion, correction, portability, and opt-out). If Fourplex receives such a request directly from an individual regarding Customer Personal Data, it will promptly forward the request to you and will not respond directly except as you direct or as required by law.

8. Security incident notification

Fourplex will notify you without undue delay, and no later than 48 hours, after becoming aware of a Security Incident affecting Customer Personal Data. The notice will describe, to the extent known, the nature of the incident, the data and individuals affected, the likely consequences, and the measures taken or proposed. Fourplex will reasonably cooperate with your efforts to notify affected individuals and regulators where required.

9. Deletion and return of data

You may export or delete Customer Personal Data through the Service at any time. Within 30 days after termination of the Agreement, Fourplex will, at your election, return or delete Customer Personal Data, except for copies retained in encrypted backups (deleted on our standard backup cycle) or as required by law. Fourplex will certify deletion on request.

10. Audit and assessments

Fourplex will make available information reasonably necessary to demonstrate compliance with this DPA, including, on request and no more than once per year (absent a confirmed Security Incident), a summary of its most recent third-party security assessment, subject to confidentiality. You may take reasonable and appropriate steps to confirm that Fourplex's use of Customer Personal Data is consistent with your obligations under Applicable Law.

11. CCPA service-provider terms

With respect to Customer Personal Data, Fourplex certifies that it understands and will comply with the following restrictions. Fourplex will not: (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in Annex A or as permitted by the CCPA; (c) retain, use, or disclose it for any commercial purpose other than providing the Service; or (d) retain, use, or disclose it outside the direct business relationship between the parties, including by combining it with personal information from other sources, except as permitted by the CCPA. Fourplex imposes these same obligations on its Subprocessors and will notify you if it determines it can no longer meet its obligations under the CCPA.

12. Other US state privacy laws

To the extent other Applicable Law designates Fourplex as a "processor" and you as a "controller," this DPA is the written contract required by such law. The nature, purpose, duration, types of data, and categories of individuals are described in Annex A. Fourplex will: maintain confidentiality; engage Subprocessors only under written contracts with equivalent obligations; assist with data-subject requests and reasonable data-protection assessments; and delete or return data as described in Section 9.

13. Liability and precedence

This DPA is incorporated into the Agreement. If there is a conflict regarding the processing of Customer Personal Data, this DPA controls. Each party's liability under this DPA is subject to the limitations of liability in the Agreement, except where Applicable Law prohibits such limitation. This DPA creates no third-party beneficiary rights.

14. International transfers

The Service is operated in the United States, and Fourplex does not transfer Customer Personal Data outside the United States. If Fourplex later processes data subject to laws requiring a cross-border transfer mechanism (such as the EU GDPR), the parties will put an appropriate mechanism in place at that time.


Annex A — Details of processing

Subject matter. Processing of Customer Personal Data in connection with providing the Fourplex HOA management service.

Nature and purpose. To (a) provide, operate, and support the Service; (b) authenticate and manage access; (c) send transactional communications on your behalf (sign-in links, dues and payment notices, meeting and reminder notices, and — where enabled — utility billing split-method change notifications); (d) process dues, fees, and payments; (e) provide optional features you enable (the Neo assistant, bank connections, utility submetering, trash split billing); (f) maintain audit logs and security monitoring; and (g) comply with legal obligations.

Categories of individuals. HOA board members and officers; homeowners and residents; administrative personnel; and vendors or contractors interacting through the Service.

Categories of personal data. Identity and contact data (name, unit, mailing address, email, phone); account and authentication data; financial data (payment-method metadata, dues and assessment history, and bank transaction information — full card and bank account numbers are held by Stripe, not Fourplex); community content (documents and extracted text, inbox email and attachments, meeting records, requests, announcements); usage and log data (including IP address); and, where enabled, water submetering readings, Neo conversation data, and — for HOAs that enable trash split billing — per-unit occupancy counts (number of residents per unit, a form of household composition information) and per-unit ownership percentages entered by the board.

Special categories. None anticipated. You agree not to upload special categories of data (such as health or biometric data) unless agreed in writing.

Duration. For the term of the Agreement and the retention periods described in the Privacy Policy.

Location. United States.

Annex B — Security measures

  • Encryption of Customer Personal Data in transit (TLS) and at rest.
  • Access controls based on least privilege and role-based permissions; multi-factor authentication for access to production systems.
  • Tenant isolation enforced at the database layer through row-level security.
  • Monitoring and logging of errors and security-relevant events, with defined alerting and response.
  • Vulnerability management, including dependency scanning in the build pipeline and timely patching of significant vulnerabilities.
  • Reliance on certified infrastructure providers (such as Supabase, Vercel, and Stripe) for physical and platform security, including those holding SOC 2 and/or PCI DSS certifications.
  • Backups with point-in-time recovery maintained by our database provider.
  • Subprocessor obligations requiring equivalent security measures.

Annex C — Approved subprocessors

The current list of approved Subprocessors is maintained at getfourplex.com/legal/subprocessors and is incorporated into this DPA by reference.

Contact

For questions about this DPA: hello@getfourplex.com