Data Processing Addendum

Effective: 2026-04-30 · Last reviewed: 2026-04-30 · Version: 1.0

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Revis-1 LLC (“HOA Rocket”) and the Subscriber. It describes how HOA Rocket processes data on the Subscriber’s behalf in providing the Service.

This is a US-domestic DPA. HOA Rocket serves Florida community associations and the CAMs who serve them. We do not currently process data of EU or UK data subjects in any volume; if that changes, we will publish an EU-specific addendum.

1. Roles

1.1 The Subscriber is the controller of the data processed in its Account. The Subscriber decides what data is uploaded, who has access, and how the data is used.

1.2 HOA Rocket is the processor. We process data only on the Subscriber’s documented instructions, which for normal operation are the configurations and uses of the Service the Subscriber’s Authorized Users perform.

2. Categories of data and data subjects

Categories of data processed:

  • Authentication credentials of Authorized Users.
  • Documents and records uploaded to the Account: meeting minutes, notices, financial reports, vendor contracts, reserve studies, milestone-inspection reports, records-request submissions and responses.
  • Contact information for board members, officers, the CAM, and unit owners listed in association records.
  • Audit-log entries: who acted, when, on what.

Categories of data subjects:

  • Board members and officers of the Subscriber association.
  • The Subscriber’s contracted CAM and the CAM’s firm staff.
  • Unit owners whose contact information appears in association records.
  • Vendors and counsel whose information appears in association documents.

3. Sub-processors

The current sub-processor list is published at /legal/privacy (section 4) and is incorporated by reference.

We notify Subscribers at least 30 days in advance of adding a sub-processor or materially changing what an existing sub-processor handles. Notice goes to the billing contact email and appears as a notice in the product. The Subscriber may object to a new sub-processor by terminating the subscription with prorated refund of any prepaid, unused fees.

4. Security measures

We maintain the following technical and organizational measures:

  • Encryption in transit. TLS 1.2 or higher for all client-server communication.
  • Encryption at rest. AES-256 for application database and document storage.
  • Access controls. Role-based access within the Service for Authorized Users. Internal HOA Rocket staff access is least-privileged, requires multi-factor authentication, and is logged.
  • Audit logging. All meaningful actions on Subscriber data are logged with user, timestamp, and action. Logs are exportable to the Subscriber.
  • Vendor security review. Sub-processors are reviewed against their published security documentation before onboarding and on material change.
  • Backups. Encrypted, US-region, 35-day rolling.
  • Network segregation. Production environment is isolated from non-production environments.

Detailed measures are documented at /features/security.

5. Data subject rights

5.1 If we receive a request from an individual data subject (a board member, owner, or other person) seeking access, correction, or deletion of personal data we hold on the Subscriber’s behalf, we will not respond directly. Within 5 business days of receipt, we will forward the request to the Subscriber’s designated contact.

5.2 The Subscriber is the responding party. We will reasonably assist the Subscriber in fulfilling the request, including by providing exports or executing deletions on the Subscriber’s instruction.

6. Incident notification

6.1 We notify the Subscriber’s billing contact within 72 hours of confirming a security incident affecting the Subscriber’s data.

6.2 The notification includes, to the extent then known: the nature of the incident, the categories and approximate volume of data affected, the likely consequences, the measures taken or proposed, and a contact point for further information.

6.3 We update the notification as the investigation progresses. We do not delay notification to the Subscriber to coordinate with our own counsel beyond what is reasonable to confirm the facts.

7. Deletion and return on termination

7.1 On termination of the subscription, Subscriber data is retained for 90 days to allow export, then deleted from production systems. Backup copies cycle out within 35 days of production deletion.

7.2 The Subscriber may request a certificate of deletion. We provide it within 30 days of completion.

8. Audit

8.1 The Subscriber may request, no more than once per year, a copy of our then-current security documentation, including descriptions of controls, sub-processor list, and any third-party assessments we have performed. Reasonable confidentiality obligations apply.

8.2 On-site audits are not standard for our scale of customer; we will discuss them in good faith on request from a Subscriber whose contract value or risk profile reasonably warrants one.

9. Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA controls with respect to data processing.