Data Processing Agreement

1. Definitions

• "Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given in the GDPR.
• "Customer Data" means Personal Data that the Controller submits to or through the Service.
• "Sub-processor" means any third party engaged by the Processor to process Customer Data on behalf of the Controller.
• "Service" means the Stelid field service management platform and associated APIs.

2. Scope & Roles

The Controller determines the purposes and means of processing Customer Data. The Processor processes Customer Data solely on documented instructions from the Controller and for the purpose of providing the Service.

Categories of Data Subjects: the Controller's employees, field workers, customers, and end-users. Types of Personal Data: names, email addresses, phone numbers, physical addresses, GPS location data, photographs, job notes, and payment references. Nature of Processing: storage, retrieval, organisation, transmission, and deletion in connection with the features of the Service.

3. Processor Obligations

• Process Customer Data only on documented instructions from the Controller, including with respect to transfers outside the EEA/UK.
• Ensure that persons authorised to process Customer Data are bound by confidentiality obligations.
• Implement appropriate technical and organisational security measures (see Section 6).
• Engage Sub-processors only with prior notice and subject to equivalent contractual obligations (see Section 5).
• Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
• Assist the Controller with data protection impact assessments and prior consultation with Supervisory Authorities where required.
• Delete or return all Customer Data upon termination, unless retention is required by applicable law.
• Make available to the Controller all information necessary to demonstrate compliance and allow for audits.

4. Controller Obligations

• Ensure a lawful basis for processing Personal Data through the Service.
• Provide all required notices and obtain any necessary consents from Data Subjects.
• Ensure that instructions to the Processor comply with applicable data protection law.
• Promptly notify the Processor of any Data Subject requests that the Processor must assist with.

5. Sub-processors

The Processor uses the following Sub-processors. The Controller consents to the use of these Sub-processors at the time of entering into this DPA. The Processor will provide at least 30 days' prior notice before engaging new Sub-processors. The Controller may object within that period; if no reasonable resolution is reached, the Controller may terminate the Service.

6. Security Measures

The Processor implements and maintains the following technical and organisational measures:

• Encryption in transit: TLS 1.2+ on all connections.
• Encryption at rest: AES-256 on database storage (via Supabase/AWS).
• Access control: Row-Level Security (RLS) policies on all database tables; role-based access control.
• Authentication: Secure session tokens, email verification, optional MFA.
• Rate limiting: Applied to all API endpoints to prevent abuse.
• Data minimisation: AI features send only necessary context; no raw PII sent to AI providers.
• Audit logging: All AI operations logged with model, provider, and timestamps (3-year retention).
• Automated purge: GDPR data purge cron — anonymised profiles hard-deleted after 30 days, GPS data purged after 90 days.
• Incident response: See Section 7 for breach notification procedures.

7. Data Breach Notification

In accordance with GDPR Articles 33 and 34:

• The Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of a Personal Data breach.
• Notification shall include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate.
• The Processor shall cooperate with the Controller to enable the Controller to notify its Supervisory Authority within the 72-hour GDPR deadline (Article 33(1)).
• Where a breach is likely to result in a high risk to Data Subjects, the Processor shall assist the Controller in notifying affected individuals (Article 34).
• The Processor maintains a breach incident log and will provide access to relevant entries upon request.

8. International Transfers

Where Customer Data is transferred outside the EEA or UK, the Processor relies on one or more of the following transfer mechanisms:

• EU–US Data Privacy Framework (where the Sub-processor is certified).
• Standard Contractual Clauses (SCCs) approved by the European Commission (Module 2: Controller to Processor and Module 3: Processor to Processor as applicable).
• UK International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs for UK GDPR transfers.

The Controller may request copies of transfer mechanism documentation by contacting privacy@sitesnap.app.

9. Data Subject Rights

The Processor provides self-service tools for the Controller to fulfil Data Subject requests:

• Right of access & portability: Settings > Security > "Export Your Data" provides a complete machine-readable JSON export (Article 20).
• Right to erasure: Settings > Security > "Delete Account" anonymises all personal data immediately and hard-deletes after 30 days (Article 17).
• Right to restriction: AI processing can be disabled organisation-wide via Settings > AI Transparency (Article 18).
• Right to object: The Controller may contact the Processor to restrict specific processing activities.

The Processor will respond to Controller-relayed Data Subject requests within 30 calendar days.

10. Term & Termination

This DPA remains in effect for the duration of the Controller's use of the Service. Upon termination:

• The Controller may export all Customer Data within 30 days using the data export tool.
• After 30 days, the Processor will delete all Customer Data in accordance with its retention policies, unless retention is required by law.
• The Processor will provide written confirmation of deletion upon request.

11. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service, except that these limitations shall not apply to the extent they would be contrary to GDPR obligations. In the event of a data breach caused by the Processor's non-compliance with this DPA, the Processor shall be liable for damages directly attributable to its breach of this DPA.

12. Contact & Supervisory Authority

Processor contact for data protection matters:

Email: privacy@sitesnap.app

Lead Supervisory Authority: Data Protection Commission (DPC), Ireland — applicable where Stelid processes data under EU GDPR as a cross-border processor with an establishment in the EU.

Data Subjects in the EEA or UK may also lodge complaints with their local Supervisory Authority.