Data Processing Addendum

Last updated: [DATE]. Effective: [DATE].

Template draft — final review required. This document has been drafted to be comprehensive but has not yet been reviewed by an attorney licensed in your jurisdiction. Before going live, replace every [BRACKETED] placeholder with the corresponding real value (legal entity name, state, address, support email, governing-law venue, etc.) and have an attorney confirm it covers the laws applicable to your business and your customers' locations.

This Data Processing Addendum (the "DPA") forms part of the Terms of Service between you ("Customer", "Controller") and [LEGAL ENTITY NAME] ("MyTradeCrate", "Processor"). It applies whenever MyTradeCrate processes Personal Data on behalf of Customer and controls in case of conflict with the Terms with respect to such processing.

1. Definitions

Capitalized terms not defined here have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act as amended by the CPRA ("CCPA"). "Personal Data" means any information relating to an identified or identifiable natural person processed by MyTradeCrate on Customer's behalf in connection with the Service. "Data Subject Request" means a request from a data subject to exercise rights under Applicable Data Protection Law.

2. Roles and Scope

Customer is the Controller (or processor, where Customer acts on behalf of a further controller); MyTradeCrate is the Processor.
MyTradeCrate processes Personal Data only on Customer's documented instructions, including those given through the configuration and ordinary use of the Service.
MyTradeCrate will inform Customer if, in MyTradeCrate's opinion, an instruction infringes Applicable Data Protection Law.

3. Subject Matter, Duration, Nature, Purpose, Categories

Subject matter: processing of Personal Data necessary to provide the Service.
Duration: the term of the Subscription, plus the ninety (90) day post-termination retention window and any further period required by law.
Nature: collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, restriction, erasure, and destruction.
Purpose: to enable Customer to operate its trades business (estimates, jobs, invoicing, scheduling, communications, accounting).
Categories of data subjects: Customer's end-customers, employees, contractors, vendors, and other contacts entered into the Service by Customer or its Authorized Users.
Categories of Personal Data: contact details (name, address, phone, email), property addresses and geolocation, service histories, photographs, electronic signatures, payment metadata (no card numbers), notes, and any custom-field data Customer configures.
Special categories: Customer agrees not to use the Service to process "special categories" of Personal Data (GDPR Art. 9) or sensitive personal information (CCPA) without MyTradeCrate's prior written consent.

4. Processor Obligations

MyTradeCrate will:

process Personal Data solely on Customer's documented instructions and for the purposes set out in this DPA;
ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations;
implement and maintain the technical and organizational security measures set out in Annex II;
assist Customer in responding to Data Subject Requests and complying with its security, breach-notification, data-protection-impact-assessment, and prior-consultation obligations under Applicable Data Protection Law, taking into account the nature of processing and information available;
notify Customer without undue delay and within seventy-two (72) hours of becoming aware of a Personal Data breach affecting Personal Data, providing the information set out in Section 8;
at Customer's choice, delete or return Personal Data at the end of the Service, except where law requires longer retention;
make available all information necessary to demonstrate compliance with this DPA and contribute to audits as set out in Section 10.

5. Customer Obligations

Customer is responsible for the lawfulness of Personal Data, the validity of any consent obtained, and providing the notices required by law to its end-customers.
Customer warrants that its instructions to MyTradeCrate comply with Applicable Data Protection Law.
Customer is responsible for configuring the Service appropriately for the sensitivity of the Personal Data, including enabling two-factor authentication and using strong passwords.

6. Subprocessors

Customer provides general written authorization for MyTradeCrate to engage the subprocessors listed at /legal/subprocessors. MyTradeCrate will notify Customer of the addition or replacement of a subprocessor at least thirty (30) days before that subprocessor begins processing Personal Data, by updating the subprocessors page and sending an in-app or email notice. Customer may object on reasonable, documented data-protection grounds within fifteen (15) days. If the parties cannot agree on a resolution, Customer may terminate the affected portion of the Service for material breach.

MyTradeCrate will impose data-protection obligations on each subprocessor that are no less protective than those in this DPA, and remains fully liable to Customer for the acts and omissions of its subprocessors with respect to Personal Data.

7. International Transfers

Personal Data may be processed in the United States and other countries where MyTradeCrate and its subprocessors operate. Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country that has not been recognized as providing an adequate level of data protection:

The EU Standard Contractual Clauses (2021/914), Module 2 (Controller-to-Processor) or Module 3 (Processor-to-Processor) as applicable, are incorporated by reference, with Customer as data exporter and MyTradeCrate as data importer.
For UK transfers, the UK International Data Transfer Addendum (Version B1.0) is incorporated by reference.
For Swiss transfers, the SCCs apply with references to the GDPR interpreted as references to the FADP.
The parties will adopt supplementary measures (technical, contractual, and organizational) where required to ensure an essentially equivalent level of protection.

8. Personal Data Breach Notification

Upon becoming aware of a Personal Data breach affecting Personal Data, MyTradeCrate will notify Customer without undue delay and in any event within seventy-two (72) hours, providing, to the extent then known:

a description of the nature of the breach, including the categories and approximate number of data subjects and records affected;
the name and contact details of MyTradeCrate's contact point;
the likely consequences of the breach;
the measures taken or proposed to address the breach and to mitigate its possible adverse effects.

MyTradeCrate will cooperate with Customer's reasonable requests for further information as the investigation progresses. Notification of, or response to, a breach is not an acknowledgment of fault or liability.

9. Deletion and Return

Upon termination of the Subscription, Customer may export Personal Data via the in-app export tools during the ninety (90) day grace period. After the grace period, MyTradeCrate will delete Personal Data from production systems within thirty (30) days and from backups within an additional ninety (90) days, except where retention is required by law or for legitimate purposes such as fraud prevention, accounting, audit, or defense of legal claims.

10. Audits

Once per twelve-month period (and more often if required by a supervisory authority or following a Personal Data breach), Customer may request the most recent third-party audit reports, SOC reports, or comparable documentation we hold. If documentation alone is insufficient, the parties will agree in good faith on the scope and timing of an on-site audit, to be conducted on no less than thirty (30) days' advance written notice, during normal business hours, by personnel bound by confidentiality, and at Customer's expense. Audits must not unreasonably interfere with MyTradeCrate's operations or compromise the data of other customers.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms. Nothing in this DPA limits any party's liability under Applicable Data Protection Law to data subjects or supervisory authorities.

12. Order of Precedence

In the event of conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA controls.

Annex I — Description of Processing

See Section 3 above and the subprocessor list.

Annex II — Technical and Organizational Measures

TLS 1.2+ in transit for all client-server and server-server traffic.
AES-256 encryption at rest provided by our database vendor (Supabase).
Application-layer encryption of bring-your-own messaging keys before storage.
Row-level security policies enforced on every customer-tenanted table.
Multi-factor authentication (TOTP) available for all Account holders.
Service-role keys and other secrets stored in environment-variable secrets, never in code repositories.
Comprehensive audit logging of material data changes, retained for two (2) years.
Automated database backups (daily point-in-time recovery snapshots via Supabase) plus an encrypted weekly off-site backup to Backblaze B2 retained for twelve (12) weeks plus first-of-month indefinite retention.
Card data tokenized via Stripe (PCI-DSS Level 1); raw card numbers never enter MyTradeCrate systems.
Production access restricted to authorized personnel, requires MFA, is logged, and is reviewed periodically.
Periodic dependency and infrastructure security reviews; vulnerabilities triaged within published response targets.
Documented incident-response plan and breach-notification process.
Personnel confidentiality obligations and background checks for production-access roles.

Annex III — Approved Subprocessors

The current list of approved subprocessors is at /legal/subprocessors.

Contact

DPA inquiries and rights requests: [PRIVACY EMAIL].