Data Processing Agreement

Effective Date: June 1, 2025

Contact Email: info@prefabhouseusa.com

This Data Processing Agreement ("Agreement") complements and does not override the Heavenger Homes Terms of Use and Privacy Policy, as posted on prefabhouseusa.com, along with any other agreements governing its services. This Agreement is entered into between:

Heavenger Homes, registered in India, operating https://www.prefabhouseusa.com, acting as the Data Controller ("Controller", "we", "us", or "our"), and

You or the entity you represent ("Data Subject", "you", or "your").

Together, we are the "Parties" and individually a "Party." Undefined terms will adopt the meanings in the Terms of Use or applicable laws. Both Parties agree to comply with applicable Data Protection Laws, including GDPR and CCPA, throughout the data processing relationship.

1. Definitions

"CCPA" – California Consumer Privacy Act of 2018.
"Controller" – You, the party that determines how and why personal data is processed.
"Data Protection Laws" – Applicable privacy laws (GDPR, CCPA, and Indian legislation, as updated).
"Data Subject" – An identified or identifiable individual whose data is processed.
"GDPR" – EU General Data Protection Regulation (Regulation 2016/679) and similar regulations in the UK and Switzerland.
"Personal Data" – Any information relating to an identified or identifiable person under applicable laws.
"Processing" – Any operation on Personal Data (collection, storage, analysis, sharing, deletion).
"Processor" – Heavenger Homes, acting to process data on your behalf.
"Sub-Processor" – Any third party engaged by the Processor to assist with processing.
"Security Incident" – Any accidental or unlawful access, destruction, alteration, or disclosure of Personal Data.

2. Governance and Controller Obligations

You are responsible for compliance with all relevant data laws, including:

Ensuring lawful, fair, and transparent Processing;
Obtaining valid consents for data collection (especially for marketing, EU/CA transfers);
Verifying accuracy and integrity of Personal Data;
Issuing lawful, documented Instructions for Processing;
Ensuring secure transfer of Data to us (e.g., through SSL, encrypted communication);
Complying with email and electronic messaging laws for communications sent through our site;
Informing us immediately if legal compliance becomes impossible in any respect.

3. Processor Obligations

3.1. Processing According to Instructions

We will only process data following your documented and lawful Instructions, the Privacy Policy, or applicable data laws.

3.2. Legal Conflicts

If any law prevents us from following your Instructions, we will promptly notify you and cease Processing until updated Instructions are received.

3.3. Security Measures

We maintain appropriate technical and organizational safeguards (e.g., encryption, regular audits, secure backups). We may update controls as needed, as long as protection is not reduced.

3.4. Confidentiality

Only authorized personnel with contractual confidentiality obligations may access Personal Data.

3.5. Processing Duration

We will process Personal Data during our engagement and until data is either returned or deleted per Sections 3.8 and 8.

3.6. Supporting Data Subject Rights

We will assist you in responding to any request from Data Subjects under GDPR/CCPA (e.g., access, rectification, deletion).

3.7. Security Incidents

We will notify you "without undue delay" upon detecting any Security Incident, and assist with mitigation, notifications, and compliance actions, including regulatory reporting.

3.8. Return or Deletion

Upon termination of our services, we will delete or return all Personal Data unless legally required to retain it. Data kept in backups will be securely isolated and deleted per policy. You may instruct us at any time to return or delete your data.

4. Sub-Processors

We may engage Sub-Processors (e.g., Google Analytics, Facebook Pixel), ensuring:

You are notified prior to new Sub-Processor engagement;
Sub-Processors are under binding agreements with equivalent data protection obligations;
We remain liable for any breach caused by Sub-Processors.

5. International Data Transfers

Data may be transferred or accessed across borders (India → EU/US or vice versa).

We ensure lawful transfers under GDPR (e.g., Standard Contractual Clauses) and comply with CCPA transfer rules.

6. Auditing

Either Party may request an audit or inspection (including by independent auditors) to confirm compliance with this DPA and applicable laws.

Cooperation and access to documentation and premises will be provided upon appropriate notice.

7. Breach Vigilance

Both Parties commit to vigilant monitoring and immediate notification if a breach of applicable data laws or security occurs.

Liability will be allocated proportionally unless one Party's actions alone caused the breach.

8. Special Rules for EU Data (GDPR)

You are confirmed as the GDPR Data Controller; we are Processor.
If we challenge the legality of your Instructions under GDPR, we will notify you immediately.
You have 30 days to object to any Sub-Processor; if unresolved, you may suspend or terminate services.
We will help secure legally permitted international transfers—e.g., using SCCs or other lawful mechanisms.

9. Additional Rules for California Data (CCPA)

For California residents, you are the "Business" and we are the "Service Provider".

We only process data for specified business purposes consistent with the CCPA.

10. General Provisions

10.1 Amendments

We may update this DPA. Continued use after updates means your acceptance.

10.2 Severability

Invalid provisions will not affect the remainder of the Agreement.

10.3 Limitation of Liability

Liability is capped in accordance with our Terms of Use, including both Parties and their affiliates.

10.4 Governing Law

The Agreement is governed by the jurisdiction clause of our Terms of Use, unless overridden by specific legal requirements in individual jurisdictions.