Data Processing Addendum (DPA) — TEMPLATE

⚠️ Starting template, not legal advice. Have counsel review before offering
it to customers. A DPA is the contract that lets business customers (controllers)
use you (processor) in compliance with privacy law (GDPR/UK GDPR/CCPA).

This DPA forms part of the Agreement between [LEGAL ENTITY NAME] ("Processor") and the Customer ("Controller").

1. Roles

For Customer Data, Customer is the Controller (or processor for its own clients) and we are the Processor. We process Customer Data only on Customer's documented instructions (the Agreement, the Service's features, and lawful requests).

2. Scope & purpose

and messaging records to operate the Service.

service history, invoices/payments metadata. No special-category data is required.

  • Subject matter: providing the [PRODUCT] field-service platform.
  • Duration: the term of the Agreement.
  • Nature/purpose: storing and processing customer, job, inspection, invoice,
  • Data subjects: Customer's staff and Customer's own end customers.
  • Data categories: names, business/contact details, addresses, phone numbers,

3. Our obligations

breach.

except as legally required to retain.

  • Process only on instructions; tell Customer if an instruction appears unlawful.
  • Ensure personnel are bound by confidentiality.
  • Implement appropriate technical & organizational security measures (Annex B).
  • Assist Customer with data-subject requests, DPIAs, and breach obligations.
  • Notify Customer without undue delay after becoming aware of a personal-data
  • Delete or return Customer Data on termination (export window per the Agreement),

4. Sub-processors

Customer authorizes the sub-processors in Annex A. We impose data-protection terms on them no less protective than this DPA and remain responsible for their performance. We will give notice of new sub-processors and a chance to object.

5. International transfers

Where data is transferred across borders, we rely on an appropriate transfer mechanism (e.g., Standard Contractual Clauses), incorporated by reference.

6. Audits

We will make available information necessary to demonstrate compliance and allow reasonable audits, subject to confidentiality and notice.

7. Liability

Liability under this DPA is subject to the limitations in the Agreement.


Annex A — Sub-processors (EXAMPLE — confirm your actual stack)

| Sub-processor | Purpose | Location | |---|---|---| | Supabase | Database, auth, file storage | [REGION] | | Stripe | Subscription billing | US/global | | Twilio | SMS delivery | US/global | | [Hosting, e.g. Vercel] | Application hosting | [REGION] | | [Error monitoring, e.g. Sentry] | Diagnostics | [REGION] |

Annex B — Security measures (summary)

Encryption in transit (TLS); tenant data isolation (per-org scoping + row-level security); least-privilege database roles; access control + audit logging; secrets stored outside source control; regular backups; signed webhook verification. [Expand to match your actual controls.]