Legal

Data Processing Agreement

Last Updated: February 25, 2026

This Data Processing Agreement (“DPA”) forms part of the service agreement between the client organization (“Controller”) and Candar (“Processor”) for the provision of parking citation analytics services. This DPA sets forth the terms under which Candar processes data on behalf of the Controller.

1. Definitions

“Data Controller” (or “Controller”) means the client organization that determines the purposes and means of processing parking citation data through the Candar platform.

“Data Processor” (or “Processor”) means Candar, which processes data on behalf of the Controller in accordance with the Controller's instructions and this DPA.

“Personal Data” means any information relating to an identified or identifiable natural person. Note: Candar's standard processing involves data from which personal identifiers have been removed (see Section 2).

“Processing” means any operation performed on data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

“Sub-Processor” means any third party engaged by Candar to process data on behalf of the Controller.

2. Data Categories

Candar explicitly does NOT store personally identifiable information (PII). All PII is stripped at the point of data ingestion before entering Candar's systems.

Data We Process

  • Citation numbers and status
  • Location data (street address, GPS coordinates)
  • Date and time of citation issuance
  • Violation type and code
  • Fine amount and payment status
  • Vehicle color and state of registration
  • Enforcement officer or device identifier

Data We Strip at Ingestion

  • License plate numbers
  • Vehicle owner names
  • Driver's license numbers
  • Home or mailing addresses of individuals
  • Any other personally identifiable information

Client Account Data

For authorized users of the platform, we process: name, email address, job title, organization name, and authentication credentials (hashed). This data is used solely for account management and service delivery.

3. Processing Purpose

Candar processes data solely for the following purposes, as described in the service agreement:

  • Providing parking citation analytics, dashboards, and visualization tools
  • Generating reports, including scheduled email digests and threshold-based alerts
  • Powering AI-assisted analytics features using aggregated, non-PII data
  • Creating anonymized benchmarks for cross-client comparisons (with consent)
  • Maintaining and improving the Service, including performance monitoring and bug resolution

Candar shall not process data for any purpose beyond what is specified in this DPA and the service agreement without prior written authorization from the Controller.

4. Sub-Processors

The Controller authorizes Candar to engage the following sub-processors. All sub-processors are based in the United States.

Sub-ProcessorPurposeLocation
SupabasePostgreSQL database hosting, authentication, row-level securityUnited States
VercelApplication hosting, edge network, web analyticsUnited States
AnthropicAI-powered analytics engine (Claude)United States
ResendTransactional and scheduled email deliveryUnited States

Candar will notify the Controller at least 30 days before engaging any new sub-processor. The Controller may object to a new sub-processor in writing within 14 days of notification. If a reasonable objection cannot be resolved, the Controller may terminate the affected services without penalty.

5. Security Measures

Candar implements the following technical and organizational security measures to protect data:

Encryption

  • AES-256 encryption for all data at rest
  • TLS 1.3 encryption for all data in transit
  • Encrypted database backups

Access Control

  • Row-Level Security (RLS) policies ensuring strict data isolation between organizations
  • Role-based access control for administrative functions
  • API rate limiting to prevent abuse and brute-force attacks
  • Audit logging of all administrative and data access events

Infrastructure

  • Hosted on SOC 2 Type II compliant infrastructure (Supabase, Vercel)
  • Automated security patching and dependency updates
  • Content Security Policy (CSP) headers to prevent XSS and injection attacks
  • HTTP Strict Transport Security (HSTS) enforcement

SOC 2 Readiness

Candar is actively pursuing SOC 2 Type II certification. Current security controls are designed to meet SOC 2 Trust Services Criteria for security, availability, and confidentiality.

6. Breach Notification

In the event of a data breach affecting data processed on behalf of the Controller, Candar commits to the following:

  • 48-Hour Notification: Candar will notify the Controller within 48 hours of becoming aware of a confirmed data breach.
  • Notification Contents: The notification will include: the nature and scope of the breach, the categories and approximate number of data records affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.
  • Ongoing Communication: Candar will provide regular updates as the investigation progresses and will coordinate with the Controller's incident response procedures.
  • Documentation: Candar will maintain records of all data breaches, including the facts surrounding the breach, its effects, and the remedial actions taken.
  • Regulatory Assistance: Candar will assist the Controller in meeting its breach notification obligations under applicable laws.

7. Data Subject Rights

Candar will assist the Controller in responding to data subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.

  • Candar will promptly notify the Controller if it receives a data subject request directly, unless prohibited by law from doing so
  • Candar will provide reasonable technical and organizational assistance to fulfill data subject requests
  • Response timelines will comply with applicable data protection regulations (typically 30 days)

Note: Because Candar strips PII at ingestion, the citation data stored in our systems generally cannot be linked to individual data subjects. Data subject requests will primarily pertain to client account data.

8. Data Return & Deletion

Upon termination of the service agreement, Candar will handle the Controller's data as follows:

  • Data Export (30 Days): The Controller may request a full export of their data in standard machine-readable formats (CSV, JSON) within 30 days of termination. Candar will make commercially reasonable efforts to fulfill export requests promptly.
  • Data Deletion (60 Days): All Controller data, including backups, will be permanently deleted from Candar's systems within 60 days of termination.
  • Certification of Deletion: Upon request, Candar will provide a written certification confirming that all Controller data has been permanently deleted from all systems, including backups and disaster recovery environments.
  • Exceptions: Data may be retained beyond the 60-day period only where required by applicable law or regulation. In such cases, Candar will inform the Controller of the legal basis and expected retention period.

9. Audit Rights

The Controller has the right to verify Candar's compliance with this DPA through the following mechanisms:

  • Annual Audit Right: The Controller may conduct or commission an independent audit of Candar's data processing activities once per calendar year, with 30 days' prior written notice.
  • SOC 2 Type II Report: Candar will provide its SOC 2 Type II audit report (when available) to the Controller upon request. Provision of a current SOC 2 Type II report satisfies the annual audit requirement unless the Controller has specific concerns that cannot be addressed by the report.
  • Questionnaires: Candar will respond to reasonable written security questionnaires from the Controller within 15 business days.
  • Costs: Each party bears its own costs associated with audits, unless an audit reveals a material breach of this DPA, in which case Candar shall bear the reasonable costs of the audit.

10. Cross-Border Transfers

All data processed by Candar is stored and processed exclusively within the United States. Candar does not transfer data to servers or facilities outside the United States.

  • All sub-processors (Supabase, Vercel, Anthropic, Resend) are US-based and process data within the United States
  • No data replication or backup facilities are located outside the United States
  • If international data transfer becomes necessary in the future, Candar will notify the Controller and obtain prior written authorization before proceeding

11. FERPA Position

For university clients, Candar provides the following position regarding the Family Educational Rights and Privacy Act (FERPA):

  • Parking citations are not “education records” as defined under FERPA (20 U.S.C. § 1232g). Parking citations are law enforcement records maintained by campus parking departments for enforcement purposes.
  • Candar does not store student names, student identification numbers, academic records, enrollment information, or any other data element that would constitute an education record.
  • All personally identifiable information, including any information that could link a citation to a specific student, is stripped at the point of ingestion.
  • The data processed and stored by Candar is limited to citation metadata (location, time, violation type, fine amount, vehicle descriptors) and is suitable for public records requests.

12. Term

This DPA is effective as of the date the Controller signs the associated service agreement and shall remain in effect for the duration of the service agreement (“co-terminous”).

Upon termination or expiration of the service agreement, the provisions of this DPA relating to data return and deletion (Section 8), confidentiality, and liability shall survive for the period necessary to fulfill those obligations.

For questions about this Data Processing Agreement, please contact:

Email: ivan@candar.city

Candar

Gilroy, CA