This Data Processing Addendum ("DPA") supplements our Terms of Service and Privacy Policy for customers who process personal data subject to applicable data protection laws.

1. Definitions

"Controller" means you, the customer, who determines the purposes and means of processing personal data.

"Processor" means Toolfy, who processes personal data on behalf of the Controller.

"Personal Data" has the meaning given in applicable data protection laws.

2. Nature and Purpose of Processing

2.1 Subject Matter

Provision of field service management software and related services.

2.2 Duration

Processing continues for the duration of your subscription and applicable retention periods.

2.3 Purpose of Processing

Providing field service management software (customer records, job scheduling, invoicing, quotes)
Customer support and service improvement
Billing and account management
Communications (email, SMS) as instructed by Controller
Team management for businesses with multiple users

2.4 Categories of Personal Data

Customer contact information (names, addresses, phone numbers)
Job and service details
Communication records
Payment and billing information
Usage and technical data

2.5 Categories of Data Subjects

Your customers and prospects
Your employees and contractors
Contact persons at customer locations

3. Controller Obligations

You warrant that:

You have lawful basis for processing personal data
You have obtained necessary consents from data subjects
You comply with applicable data protection laws
Processing instructions are lawful

4. Processor Obligations

We commit to:

Process personal data only on your documented instructions
Ensure personnel are bound by confidentiality
Implement appropriate technical and organizational measures
Assist with data subject rights requests
Notify you of personal data breaches without undue delay
Delete or return personal data at end of services (unless required by law)

5. Sub-processors

We may engage sub-processors to assist in providing services. Current sub-processors include:

Stripe Inc. - Payment processing
Twilio Inc. - SMS communications
Postmark (Wildbit, LLC) - Email delivery
Supabase Inc. - Database services
Vercel Inc. - Application hosting

We will provide 30 days' notice of new sub-processors. You may object to new sub-processors on reasonable data protection grounds.

6. International Transfers

Personal data may be transferred internationally. We ensure appropriate safeguards:

6.1 UK/EU Transfers

Standard Contractual Clauses approved by authorities
UK International Data Transfer Agreement (IDTA)
Adequacy decisions where available

6.2 Cross-Border Transfers (US/CA/AU)

US-Canada: Adequate level of protection under applicable frameworks
US-Australia: Reasonable steps under Australian Privacy Principles
All jurisdictions: Contractual protections with sub-processors

7. Security Measures

We implement technical and organizational measures including:

Encryption of data in transit and at rest
Access controls and authentication
Regular security assessments
Incident response procedures
Staff security training

8. Data Subject Rights

We will assist you in responding to data subject requests within 30 days, including:

Access to personal data
Rectification of inaccurate data
Erasure of personal data
Data portability
Restriction of processing

9. Data Protection Impact Assessments

We will assist with Data Protection Impact Assessments when legally required, providing relevant information about our processing activities.

10. Personal Data Breaches

10.1 Breach Notification Timeline

We will notify you of any personal data breach without undue delay and, where required by applicable data protection laws (including GDPR Article 33, UK Data Protection Act 2018, and similar regulations), within 72 hours of becoming aware of the breach.

If notification cannot be provided within 72 hours due to the complexity of the investigation, we will provide an initial notification within 72 hours with available information and follow up with additional details as soon as practicable.

10.2 Breach Notification Content

Our breach notification will include, to the extent known at the time:

Nature and description of the personal data breach
Categories and approximate number of data subjects affected
Categories and approximate number of personal data records affected
Name and contact details of our Data Protection Officer or point of contact
Likely consequences of the breach
Measures taken or proposed to address the breach and mitigate adverse effects
Recommended actions for you (the Controller) to take, if any

10.3 Ongoing Communication

We will cooperate with you and provide reasonable assistance in investigating the breach, notifying supervisory authorities (if required), and communicating with affected data subjects (if required). We will keep you informed of all material developments in our investigation and remediation efforts.

10.4 Your Notification Obligations

You remain responsible for determining whether the breach requires notification to supervisory authorities or data subjects under applicable laws. We will provide you with sufficient information to meet your notification obligations.

11. Audit Rights

Upon reasonable notice, you may audit our compliance with this DPA. We may charge reasonable fees for extensive audits. We will provide relevant certifications and audit reports as available.

12. Liability and Indemnification

Each party shall be liable for damages caused by its breach of applicable data protection laws. We will indemnify you against claims arising from our non-compliance with this DPA, subject to the limitations in our Terms of Service.

13. Term and Termination

This DPA remains in effect while we process personal data on your behalf. Upon termination, we will delete or return personal data as instructed, unless legally required to retain it.

14. Contact Information

For DPA-related matters, contact:

Email: dpo@toolfy.io
Address: Toolfy Ltd, London, UK

Home |Terms of Service |Privacy Policy