Data Processing Agreement
EFFECTIVE DATE: MAY 15, 2026 · LAST UPDATED: MAY 15, 2026
This Data Processing Agreement (“DPA”) supplements and forms part of the Terms of Service between Home Service Pulse, LLC (“HSP,” “Processor”) and the customer entity that has accepted the Agreement (“Customer,” “Controller,” “Tenant”). It governs HSP’s processing of Personal Data on behalf of the Customer in the course of providing the Services. In case of conflict between this DPA and the Agreement, this DPA prevails on matters of personal-data processing.
1. Definitions
Unless otherwise defined here, capitalized terms have the meanings given in the Agreement. The following terms have the meanings ascribed below:
- “Applicable Data Protection Law” means all data-protection and privacy laws applicable to the Processing of Personal Data under this DPA, including (as applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and U.S. state privacy laws including the California Consumer Privacy Act as amended by the CPRA (“CCPA”), the Virginia VCDPA, the Colorado CPA, and analogous regimes.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Sub-processor”, and “Supervisory Authority” have the meanings given in the GDPR (or analogous terms under other Applicable Data Protection Law, including “Business” and “Service Provider” under the CCPA).
- “Customer Personal Data” means Personal Data contained in the Tenant Data that HSP Processes on behalf of the Customer in connection with the Services.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Personal Data Processed by HSP or its Sub-processors.
- “Standard Contractual Clauses” or “SCCs” means the Module Two (Controller-to-Processor) Standard Contractual Clauses approved by the European Commission in Decision 2021/914 of 4 June 2021, and the UK International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK ICO.
2. Roles and Scope
2.1 Roles. With respect to Customer Personal Data, the Customer is the Controller (or Business) and HSP is the Processor (or Service Provider). Where the Customer is itself a processor acting on behalf of a third-party controller, HSP is a sub-processor; the Customer warrants that it has the authority and a lawful basis to engage HSP.
2.2 Scope. This DPA applies only to HSP’s Processing of Customer Personal Data on the Customer’s behalf in the course of providing the Services. It does not apply to Personal Data for which HSP is itself a Controller (e.g., billing contact information, User authentication data), which is governed by the Privacy Policy.
2.3 Duration. This DPA takes effect on the effective date of the Agreement and continues for as long as HSP Processes Customer Personal Data on the Customer’s behalf.
3. Processing of Customer Personal Data
3.1 Documented Instructions. HSP will Process Customer Personal Data only on the documented instructions of the Customer, including (a) as necessary to perform the Services as described in the Agreement, (b) as instructed by the Customer through the Platform configuration (for example, by enabling a CRM connector or designating report recipients), and (c) as required by applicable law (in which case HSP will notify the Customer of the legal requirement before Processing, unless the law prohibits such notice).
3.2 Lawfulness of Instructions. HSP will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. The Customer is solely responsible for the lawfulness of its instructions and the lawful basis for its Processing of Personal Data.
3.3 Subject Matter, Nature, Purpose, Duration; Categories; Data Subjects. The details of HSP’s Processing are set out in Annex A (Description of Processing).
4. Confidentiality and Personnel
4.1 Confidentiality. HSP will treat Customer Personal Data as Confidential Information of the Customer.
4.2 Authorized Personnel. HSP will ensure that personnel who Process Customer Personal Data are bound by written confidentiality obligations and have received appropriate data-protection and security training. Access is granted on a need-to-know, least-privilege basis.
5. Security
5.1 Technical and Organizational Measures. HSP will implement and maintain the technical and organizational measures set out in Annex B (Security Measures), designed to ensure a level of security appropriate to the risk to Customer Personal Data.
5.2 Updates. HSP may update Annex B from time to time provided the updates do not materially diminish the overall level of protection.
6. Sub-processors
6.1 General Authorization. The Customer authorizes HSP to engage Sub-processors to Process Customer Personal Data in connection with the Services, subject to the conditions in this Section 6.
6.2 Current Sub-processors. A current list of Sub-processors is set out in Annex C (Sub-processors).
6.3 Notice of Changes. HSP will provide the Customer with at least 30 days’ advance notice of any addition or replacement of a Sub-processor by posting the updated list at https://homeservicepulse.ai/sub-processors and, where the Customer has subscribed to a sub-processor update channel, by email. The Customer may object to a new Sub-processor on reasonable data-protection grounds within 30 days of notice. If the Customer objects and HSP cannot reasonably accommodate the objection, the Customer may terminate the Agreement by written notice within an additional 30 days. Upon such termination, HSP will refund any pre-paid fees attributable to the unused portion of the subscription term.
6.4 Flow-Down Terms. HSP will impose on each Sub-processor data-protection terms substantially equivalent to those in this DPA, and HSP remains liable to the Customer for the acts and omissions of its Sub-processors.
7. Assistance to the Customer
7.1 Data Subject Rights. Taking into account the nature of the Processing, HSP will provide reasonable assistance, by appropriate technical and organizational measures and to the extent possible, to enable the Customer to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection, withdrawal of consent, opt-out of sale or sharing, etc.) under Applicable Data Protection Law.
7.2 Direct Contact by Data Subjects. If HSP receives a request directly from a Data Subject relating to Customer Personal Data, HSP will (a) advise the Data Subject to contact the Customer, and (b) without undue delay forward the request to the Customer.
7.3 DPIA / Risk Assessment. HSP will provide reasonable assistance to the Customer with data-protection impact assessments and prior consultations with Supervisory Authorities, to the extent required and proportionate.
7.4 Audit Cooperation. HSP will provide reasonable assistance to the Customer in demonstrating compliance with this DPA. See Section 10 (Audits).
8. Security Incidents
8.1 Notification. HSP will notify the Customer of a Security Incident affecting Customer Personal Data without undue delay after becoming aware, and in any event no later than 72 hours after HSP determines, in its reasonable judgment, that the event meets the definition of a Security Incident. Notice will be sent to the security contact on file (or, in its absence, to the billing contact).
8.2 Contents. To the extent known at the time of notice, HSP will describe (a) the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected; (b) the likely consequences; (c) the measures taken or proposed to address it; and (d) an HSP contact for further information.
8.3 Cooperation. HSP will reasonably cooperate with the Customer’s investigation, remediation, and notification obligations.
8.4 No Admission. Notification under this Section 8 is not an admission of fault or liability by HSP.
9. International Transfers
9.1 Locations of Processing. HSP and its Sub-processors Process Customer Personal Data primarily in the United States.
9.2 SCCs and UK Addendum. Where Customer Personal Data of Data Subjects in the European Economic Area, the United Kingdom, or Switzerland is transferred to HSP in the United States (or to a Sub-processor in a country lacking an adequacy decision), the parties incorporate by reference the Module Two SCCs and, where applicable, the UK International Data Transfer Addendum. Module Two is selected on the basis that the Customer is the data exporter (Controller) and HSP is the data importer (Processor).
9.3 Supplementary Measures. HSP will, where required, apply supplementary technical, contractual, and organizational measures to ensure an essentially equivalent level of protection for cross-border transfers (e.g., encryption in transit and at rest, contractual restrictions on government access).
10. Audits
10.1 Reports. Upon written request and no more than once per 12-month period (except following a Security Incident), HSP will make available to the Customer: (a) HSP’s current Security Whitepaper, and (b) HSP’s responses to an industry-standard security questionnaire (such as SIG Lite or CSA CAIQ). If HSP obtains a SOC 2 Type II report or equivalent third-party security assessment in the future, HSP will make it available to the Customer on the same basis.
10.2 On-Site Audit. If the documentation in Section 10.1 is not sufficient for the Customer to verify HSP’s compliance, the Customer may conduct an audit upon at least 30 days’ written notice, no more than once per 12-month period, during HSP’s normal business hours, at the Customer’s expense, subject to reasonable confidentiality and security protections, and limited to information necessary to verify HSP’s compliance with this DPA.
11. Deletion or Return of Customer Personal Data
11.1 End of Services. Upon termination of the Services or upon the Customer’s written request, HSP will delete or, at the Customer’s election, return Customer Personal Data within 30 days, except for (a) copies retained in routine backups, which will be deleted or rendered inaccessible within an additional 90 days, and (b) copies retained as required by law, which will continue to be protected under this DPA for the remainder of the retention period.
11.2 Export. During an active subscription and within 30 days following termination, the Customer may export its data through the Platform’s export functionality.
12. Liability
The parties’ liability under this DPA is subject to the limitations and exclusions set out in the Agreement. Nothing in this DPA limits a party’s liability where such limitation is prohibited under Applicable Data Protection Law (for example, the SCCs’ liability provisions vis-à-vis Data Subjects).
13. CCPA-Specific Provisions
To the extent HSP Processes Customer Personal Data of California residents on the Customer’s behalf, HSP is a “Service Provider” under the CCPA. HSP will:
- (a) Process Customer Personal Data only for the limited and specified business purposes set out in the Agreement and this DPA;
- (b) Not “sell” or “share” (as those terms are defined under the CCPA) Customer Personal Data;
- (c) Not retain, use, or disclose Customer Personal Data outside the direct business relationship with the Customer or for any commercial purpose other than as permitted under the CCPA;
- (d) Not combine Customer Personal Data received from the Customer with personal information received from or on behalf of another person, or collected from its own interaction with the Data Subject, except as permitted under 11 C.C.R. § 7050(b);
- (e) Comply with applicable obligations under the CCPA and provide the same level of privacy protection to Customer Personal Data as required by the CCPA;
- (f) Notify the Customer if HSP determines that it can no longer meet its obligations under the CCPA;
- (g) Permit the Customer, upon reasonable notice, to take reasonable and appropriate steps to remediate unauthorized use of Customer Personal Data.
The Customer certifies that it has provided required notices to its Data Subjects and has the right to disclose Customer Personal Data to HSP for the purposes described.
14. General
14.1 Order of Precedence. In the event of conflict, the following order of precedence applies: (1) the SCCs and UK Addendum (where applicable), (2) this DPA, (3) the Agreement.
14.2 Governing Law. This DPA is governed by the law specified in the Agreement, except that the SCCs are governed by the law selected in the SCCs.
14.3 Amendments. HSP may update this DPA from time to time to reflect changes in law, Sub-processors, or technical and organizational measures, provided that the changes do not materially reduce the protections afforded to Customer Personal Data. If the Customer reasonably objects to a unilateral amendment as materially reducing the protections afforded to Customer Personal Data, the Customer may, within 30 days of notice of the amendment, terminate the Agreement and the parties will continue to operate under the prior version of this DPA until termination is effective.
14.4 Entire Agreement. This DPA, together with the Agreement, constitutes the entire agreement of the parties with respect to its subject matter.
Annex A — Description of Processing
Subject matter: Provision of business-intelligence analytics, AI-generated narrative summaries, branded email reports, dashboards, and related Services to the Customer.
Nature of Processing: Collection (via CRM API sync), storage, retrieval, organization, structuring, computation of derived metrics, generation of natural-language summaries via AI, transmission to designated recipients, and deletion.
Purpose: To provide the Services described in the Agreement.
Duration: For the term of the Agreement and as described in Section 11.
Categories of Data Subjects: (a) End customers of the Customer (contacts in the Customer’s CRM); (b) Personnel of the Customer who appear in CRM records (technicians, sales representatives); (c) Recipients of email reports designated by the Customer.
Categories of Personal Data: Names, postal addresses, phone numbers, email addresses, customer lifecycle status, appointment dates and locations, invoice and payment amounts and statuses, proposal records, technician identifiers, channel and campaign identifiers, free-form notes if present in CRM records.
Sensitive / Special Categories: None expected. The Customer must not direct HSP to Process special-category data under GDPR Article 9 or sensitive personal information under U.S. state laws without prior written agreement on additional safeguards.
Frequency of Transfer: Continuous (daily incremental sync; on-demand exports and report deliveries).
Retention: As described in Section 11 and the Privacy Policy.
Annex B — Technical and Organizational Security Measures
Access control: Firebase / Google Cloud Identity Platform authentication with required email verification; account lockout on repeated failure; per-IP rate limiting; bot attestation via Cloudflare Turnstile and Firebase App Check; role-based access (owner / manager / employee); administrative actions audited.
Tenant isolation: PostgreSQL Row-Level Security policies enforce per-Tenant isolation at the database layer for all Tenant-scoped tables; admin-level access uses a sentinel session role and is restricted to designated HSP personnel.
Encryption: TLS in transit at all public endpoints; encryption at rest for the production PostgreSQL database, object storage, and secrets (Google Cloud Secret Manager).
Network security: Cloud Run public ingress with in-application authentication; Cloudflare WAF and bot-protection in front of public endpoints; private connectivity (VPC connector) for database access.
Secrets management: Google Cloud Secret Manager with least-privilege IAM; no static service-account keys in CI/CD (Workload Identity Federation with OIDC, scoped to the main branch).
AI processing: All AI inference proxied through Cloudflare AI Gateway to Anthropic; AI Output passed through an HTML allowlist sanitizer before delivery; provider-side training on inputs disabled where supported by the Anthropic API configuration in use.
Logging and monitoring: Structured JSON logging; authentication-failure logging for forensic analysis; CI-time security scanning (dependency audit, secret scanning, container scan, infrastructure scan).
Change management: Pull-request review process; protected branches; automated tests including over 1,100 unit, integration, and security tests; Plan Validation Protocol for changes executed by automated agents; per-environment deploy gates.
Backups: Cloud SQL automated backups; encryption at rest; routine rotation.
Personnel: Confidentiality obligations; least-privilege access; security training.
Vulnerability management: Dependency scanning, container scanning, and infrastructure-configuration scanning in CI; remediation tracked in the issue tracker.
Business continuity: Cloud SQL automated daily backups; database snapshots retained per Section 11. Stated targets: RTO 24 hours (full restoration); RPO 24 hours (maximum acceptable data loss). HSP will test backup restoration at least annually. RTO/RPO targets are commitments to use commercially reasonable efforts, not absolute guarantees; actual incident recovery times will vary based on the nature of the incident.
Annex C — Sub-processors
- Google LLC (Google Cloud Platform) — Application hosting (Cloud Run), database (Cloud SQL PostgreSQL), object storage, Secret Manager, BigQuery (billing-data analytics). Location: United States.
- Google LLC (Google Cloud Identity Platform / Firebase Authentication) — Authentication of Users; App Check attestation. Location: United States.
- Stripe, Inc. — Subscription billing and payment processing. Location: United States.
- Anthropic, PBC — AI inference for narrative report generation. Location: United States.
- Cloudflare, Inc. — DNS, CDN, WAF, bot protection (Turnstile), AI Gateway proxy. Location: United States.
- Google LLC (Google Workspace / Gmail API) — Outbound delivery of report emails to designated recipients. Location: United States.
- Google LLC (Google Analytics 4) — Aggregate site-usage analytics for the HSP web application. Anticipated deployment in the near term; this Annex will be updated with the effective date when deployed. Location: United States.
- PostHog, Inc. — Product analytics, session replay, and feature-flag delivery for the HSP web application. Anticipated deployment in the near term; this Annex will be updated with the effective date when deployed. Location: United States.
- Open-Meteo (Open-Meteo GmbH) — Public weather-forecast API. No Personal Data is sent; only approximate latitude / longitude of the business location. Location: Switzerland (with public API served from a global CDN).
Annex D — Cross-Border Transfer Mechanism
Where applicable, the Module Two (Controller-to-Processor) Standard Contractual Clauses adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021 (the “SCCs”) apply with the following selections: Clause 7 (Docking Clause): included. Clause 9 (Use of Sub-processors): Option 2 — general written authorization, with 30 days’ notice. Clause 11 (Redress): independent dispute resolution body not selected. Clause 17 (Governing Law): the law of Ireland. Clause 18 (Choice of Forum and Jurisdiction): the courts of Ireland.
Where Customer Personal Data of UK Data Subjects is transferred, the UK International Data Transfer Addendum to the EU SCCs (Version B1.0, 21 March 2022) issued by the UK Information Commissioner’s Office applies. The Tables of the UK IDTA are populated as follows: Table 1 (Parties): as in the Agreement. Table 2 (Selected SCCs, Modules and Selected Clauses): Module Two with the selections above. Table 3 (Appendix Information): as set out in Annexes A, B, and C of this DPA. Table 4 (Ending the IDTA when the Approved Addendum Changes): neither party may end the IDTA when the Approved Addendum changes.
For transfers from Switzerland, the SCCs are applied with the modifications required by the Swiss Federal Data Protection and Information Commissioner.