Data Processing Addendum

This Data Processing Addendum ("DPA") supplements our Terms of Service and Privacy Policy for customers who process personal data subject to applicable data protection laws.

1. Definitions

"Controller" means you, the customer, who determines the purposes and means of processing personal data.

"Processor" means Toolfy, who processes personal data on behalf of the Controller.

"Personal Data" has the meaning given in applicable data protection laws.

2. Nature and Purpose of Processing

2.1 Subject Matter

Provision of field service management software and related services.

2.2 Duration

Processing continues for the duration of your subscription and applicable retention periods.

2.3 Purpose of Processing

• Providing field service management software (customer records, job scheduling, invoicing, quotes)
• Customer support and service improvement
• Billing and account management
• Communications (email, SMS) as instructed by Controller
• Team management for businesses with multiple users

2.4 Categories of Personal Data

• Customer contact information (names, addresses, phone numbers)
• Job and service details
• Communication records
• Payment and billing information
• Usage and technical data

2.5 Categories of Data Subjects

• Your customers and prospects
• Your employees and contractors
• Contact persons at customer locations

3. Controller Obligations

You warrant that:

• You have lawful basis for processing personal data
• You have obtained necessary consents from data subjects
• You comply with applicable data protection laws
• Processing instructions are lawful

4. Processor Obligations

We commit to:

• Process personal data only on your documented instructions
• Ensure personnel are bound by confidentiality
• Implement appropriate technical and organizational measures
• Assist with data subject rights requests
• Notify you of personal data breaches without undue delay
• Delete or return personal data at end of services (unless required by law)

5. Sub-processors

We may engage sub-processors to assist in providing services. Current sub-processors include:

• Stripe Inc. - Payment processing
• Twilio Inc. - SMS communications
• Postmark (Wildbit, LLC) - Email delivery
• Supabase Inc. - Database services
• Vercel Inc. - Application hosting

We will provide 30 days' notice of new sub-processors. You may object to new sub-processors on reasonable data protection grounds.

6. International Transfers

Personal data may be transferred internationally. We ensure appropriate safeguards:

6.1 UK/EU Transfers

• Standard Contractual Clauses approved by authorities
• UK International Data Transfer Agreement (IDTA)
• Adequacy decisions where available

6.2 Cross-Border Transfers (US/CA/AU)

• US-Canada: Adequate level of protection under applicable frameworks
• US-Australia: Reasonable steps under Australian Privacy Principles
• All jurisdictions: Contractual protections with sub-processors

7. Security Measures

We implement technical and organizational measures including:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security assessments
• Incident response procedures
• Staff security training

8. Data Subject Rights

We will assist you in responding to data subject requests within 30 days, including:

• Access to personal data
• Rectification of inaccurate data
• Erasure of personal data
• Data portability
• Restriction of processing

9. Data Protection Impact Assessments

We will assist with Data Protection Impact Assessments when legally required, providing relevant information about our processing activities.

10. Personal Data Breaches

We will notify you without undue delay (and within 72 hours where feasible) of any personal data breach, providing:

• Description of the breach
• Categories and approximate numbers affected
• Likely consequences
• Measures taken or proposed

11. Audit Rights

Upon reasonable notice, you may audit our compliance with this DPA. We may charge reasonable fees for extensive audits. We will provide relevant certifications and audit reports as available.

12. Liability and Indemnification

Each party shall be liable for damages caused by its breach of applicable data protection laws. We will indemnify you against claims arising from our non-compliance with this DPA, subject to the limitations in our Terms of Service.

13. Term and Termination

This DPA remains in effect while we process personal data on your behalf. Upon termination, we will delete or return personal data as instructed, unless legally required to retain it.

14. Contact Information

For DPA-related matters, contact:

• Email: dpo@toolfy.io
• Address: Toolfy Ltd, London, UK