The Service Pilot

Data Processing Addendum (DPA)

Effective Date: 07/30/2025
Last Updated: 07/30/2025

This Data Processing Addendum (“DPA”) forms part of the Service Agreement or Terms of Use (“Agreement”) between The Service Pilot (“Processor,” “we,” “our”) and the customer using our Services (“Controller,” “you,” “your”) (collectively, the “Parties”).


1. Purpose and Scope

1.1 This DPA governs the processing of Personal Data by The Service Pilot on behalf of the Controller as part of the services provided under the Agreement.

1.2 The DPA ensures that Personal Data is processed in compliance with:

  • The General Data Protection Regulation (EU) 2016/679 (“GDPR”)

  • The California Consumer Privacy Act (CCPA)

  • Any other applicable global data protection and privacy laws.

1.3 This DPA applies only to the extent that Personal Data is processed by The Service Pilot on behalf of the Controller in connection with the Services.


2. Definitions

For the purposes of this DPA:

  • “Personal Data”: Any information relating to an identified or identifiable natural person processed on behalf of the Controller.

  • “Data Subject”: An individual whose Personal Data is processed.

  • “Processing/Processor”: Any operation performed on Personal Data on behalf of the Controller.

  • “Sub-Processor”: A third party engaged by The Service Pilot to process Personal Data for the purpose of delivering the Service.

  • “Controller”: The customer determining the purpose and means of processing Personal Data.


3. Roles and Responsibilities

3.1 Controller’s Responsibilities:

  • Ensure lawful collection and transfer of Personal Data to The Service Pilot.

  • Provide clear, documented instructions for processing.

  • Maintain compliance with all applicable data protection laws.

3.2 Processor’s Responsibilities:

  • Process Personal Data only in accordance with Controller’s documented instructions and the Agreement.

  • Implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, or disclosure.

  • Ensure all personnel with access to Personal Data are bound by confidentiality obligations.

  • Notify the Controller promptly of any Data Breach (as defined below).


4. Processing Details

  • Nature of Processing: Storage, organization, retrieval, transmission, and access to Personal Data to provide CRM, scheduling, and business automation services.

  • Purpose: Solely to fulfill obligations under the Agreement and provide requested services.

  • Categories of Data: Names, contact details, addresses, service details, payment information (processed by third-party providers), and other data provided by the Controller.

  • Data Subjects: Controller’s clients, leads, employees, and other authorized users.

  • Duration: Data will be retained for the term of the Agreement or as required by applicable law.


5. Sub-Processing

5.1 The Service Pilot may engage Sub-Processors to deliver functionalities including hosting, analytics, communications, and payment processing.

5.2 Sub-Processors are contractually bound to equivalent data protection obligations.

5.3 A current list of Sub-Processors can be provided upon request. The Controller has 30 days to object to a new Sub-Processor on legitimate data protection grounds.


6. International Data Transfers

Where Personal Data is transferred outside its country of origin, The Service Pilot ensures that:

  • Transfers are made under adequate safeguards, such as Standard Contractual Clauses or similar mechanisms recognized by applicable data protection laws.

  • Data subjects receive a comparable level of protection to that offered within their jurisdiction.


7. Security Measures

The Service Pilot maintains robust administrative, physical, and technical safeguards, including but not limited to:

  • Encryption of data in transit and at rest.

  • Role-based access control and authentication.

  • Firewalls and intrusion detection systems.

  • Regular vulnerability scans and security testing.

  • Secure data backup and recovery procedures.


8. Data Breach Notification

In the event of a Personal Data Breach (unauthorized access, loss, or disclosure):

  • The Service Pilot will notify the Controller without undue delay, and within 72 hours where feasible.

  • The notification will include the nature of the breach, affected data categories, potential consequences, and measures taken to mitigate the risk.

  • We will fully cooperate to fulfill any legal breach notification requirements.


9. Data Subject Rights

9.1 Upon written request from the Controller, The Service Pilot will:

  • Assist in fulfilling requests from Data Subjects regarding access, rectification, erasure, restriction, portability, or objection to processing.

  • Forward any Data Subject request directly to the Controller without responding unless instructed.


10. Audits and Compliance

10.1 Controller may request documentation demonstrating compliance with this DPA.

10.2 Controller may conduct an audit or inspection once annually with 30 days’ prior written notice, subject to confidentiality obligations.

10.3 Audits must not unreasonably disrupt Service operations.


11. Termination and Data Return

Upon termination of the Agreement or written request by the Controller:

  • The Service Pilot will return or delete all Personal Data within 60 days, unless retention is required by law.

  • Any remaining data will be securely and irreversibly deleted from active systems and backups.


12. Liability

The liability of each Party under this DPA is subject to the limitations of liability in the main Agreement. The Controller remains responsible for its own compliance obligations.


13. Governing Law

This DPA is governed by and construed in accordance with the laws of Texas, USA, unless superseded by applicable data protection regulations.


14. Conflict

In the event of conflict between this DPA and other terms of the Agreement, the provisions of this DPA shall prevail regarding the subject matter of data protection.


 

Signatures

Controller (Customer): _________________________
Name:
Title:
Date:

Processor (The Service Pilot): _________________________
Name:
Title:
Date: