← Back to Home

Data Processing Agreement

Last updated: June 16, 2026

1. Parties

This Data Processing Agreement (“DPA”) is entered into between:

  • Data Controller (“Customer”) — The individual or organization using The Farm Vault to store and manage farm, ranch, or winery data.
  • Data Processor (“Company”) — Doc Home Improvements, LLC, operator of The Farm Vault.

This DPA supplements and is incorporated into the Terms of Service and Privacy Policy.

2. Scope of Processing

The Company processes the following categories of data on behalf of the Customer:

  • Asset Data — Descriptions, photos, makes, models, serial numbers, VINs, estimated values, and replacement costs of farm equipment, buildings, and homes.
  • Insurance Data — Policy numbers, carrier names, coverage amounts, premiums, deductibles, declaration pages, and driver information (names, license numbers, dates of birth).
  • Farm Profile Data — Farm names, addresses, acreage, operation type, and agent/carrier contact information.
  • Account Data — Name, email, phone number, and encrypted password hash.

3. Purpose of Processing

Data is processed solely for the purposes of:

  • Providing the asset management and insurance tracking service
  • AI-powered photo analysis and coverage advisory (data is processed but not retained by AI providers for training)
  • Generating renewal summaries and shareable reports
  • Email notifications related to the service
  • Billing and subscription management via Stripe

4. Security Measures

The Company implements the following technical and organizational measures to protect Customer data:

  • Encryption in transit — All data transmitted between users and the platform is encrypted using TLS 1.2+.
  • Encryption at rest — Stored files (photos, documents) are encrypted using AES-256 in cloud storage.
  • Password security — User passwords are hashed using bcrypt with salt rounds; plain-text passwords are never stored.
  • Access controls — Role-based access with farm-level data isolation. Users can only access data for farms they own or have been invited to.
  • Two-factor authentication — Optional email-based 2FA for enhanced login security.
  • Rate limiting — Login, signup, and contact endpoints are rate-limited to prevent brute-force attacks.
  • Session management — JWT-based sessions with configurable expiration.

5. Sub-Processors

The Company uses the following sub-processors:

ProviderPurposeData Processed
Amazon Web Services (AWS)Cloud storageUploaded photos and documents
StripePayment processingBilling information (no card data stored by Company)
AI Providers (Abacus.AI)Photo analysis, coverage advisorAsset photos, policy text (processed, not stored for training)

The Company will notify the Customer of any changes to sub-processors with 30 days' notice.

6. Data Retention & Deletion

  • Customer data is retained for the duration of the active account.
  • Upon account deletion, all associated data (assets, policies, photos, documents) will be permanently deleted within 30 days.
  • The Customer may export their data at any time using the built-in export feature (Excel, CSV, or PDF formats).
  • Backups are retained for up to 30 days after deletion for disaster recovery purposes, then permanently purged.

7. Data Subject Rights

The Company will assist the Customer in responding to requests from data subjects exercising their rights under applicable law, including:

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to data portability
  • Right to restrict processing

Requests should be directed to [email protected].

8. Breach Notification

In the event of a personal data breach, the Company will notify the Customer without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include:

  • The nature of the breach, including categories and approximate number of records affected
  • Contact details for the Company's data protection point of contact
  • A description of the likely consequences
  • A description of measures taken or proposed to mitigate the breach

9. Confidentiality

The Company ensures that personnel authorized to process Customer data are bound by appropriate confidentiality obligations. Access to Customer data is limited to personnel who require it for legitimate business purposes.

10. Governing Law

This DPA is governed by the laws of the State of Oregon, consistent with the Terms of Service.

11. Contact

For questions about this DPA or to request a signed copy, contact:

Doc Home Improvements, LLC
Data Protection Contact
Email: [email protected]