This Data Processing Addendum (DPA) supplements the agreement between Cornerstone Property Management Aspen LLC ("Controller") and any third-party service providers that process personal information on Cornerstone's behalf ("Processors"). It also describes the Controller-Processor relationship between Cornerstone and the data subjects whose information is handled in the Service.
Processing: hosting and operation of the Cornerstone property management platform. Duration: for the life of the agreement plus any retention period required by law.
Account authentication, scheduling, ticket workflow, invoicing, document storage, audit logging, security monitoring. No advertising or profiling.
Cornerstone uses the following sub-processors:
Cornerstone gives 30 days' notice before adding or changing sub-processors. Controllers may object on reasonable grounds.
Each sub-processor must:
Cornerstone applies, at minimum: TLS in transit; bcrypt password hashing; Fernet-encrypted field-level secrets (access codes); per-request CSP and other security headers; append-only audit logging; progressive login lockout; optional TOTP MFA enforced on privileged roles; nightly database backups with 14-day retention.
Cornerstone supports access (data export), correction, and deletion requests through self-service endpoints at /account/data-export, /account/correction-request, and /account/deletion-request. Standard turnaround: 45 days.
Where personal information is transferred outside the data subject's jurisdiction (in particular, transfers to United States providers), Cornerstone relies on Standard Contractual Clauses or other lawful transfer mechanisms.
Cornerstone will notify affected Controllers of a personal data breach without undue delay, and in any event within 72 hours of becoming aware of a breach involving personal information they control.
At termination, personal information is exported on request and deleted within 45 days, subject to legal retention requirements.