Legal
Data Processing Addendum
Effective date: July 6, 2026
This Data Processing Addendum (“DPA”) forms part of the FieldOps Terms of Service between FieldOps (“Processor”) and the customer identified in the applicable account (“Customer”, “Controller”), and applies to the extent FieldOps processes personal data on Customer’s behalf in providing the Service. It is automatically accepted by using the Service; no signature is required.
1. Definitions
“Personal Data”, “processing”, “controller”, “processor”, and “data subject” have the meanings given in applicable data protection law, including the EU/UK GDPR and the California Consumer Privacy Act as amended (“CCPA”). “Customer Personal Data” means Personal Data that Customer submits to the Service — typically data about Customer’s own clients and team members.
2. Scope and roles
- Customer is the controller of Customer Personal Data; FieldOps is the processor (or, under CCPA, a “service provider”).
- FieldOps processes Customer Personal Data only on Customer’s documented instructions — namely, to provide, secure, and support the Service as configured by Customer — unless required otherwise by law (in which case FieldOps will inform Customer unless legally prohibited).
- FieldOps does not sell Customer Personal Data, does not share it for cross-context behavioral advertising, and does not use it to train AI models.
3. Details of processing
- Subject matter & duration: providing the Service for the term of the account plus the wind-down period in the Terms.
- Nature & purpose: hosting, storage, transmission, display, and backup of data needed for field service management (jobs, scheduling, quoting, invoicing, payments, messaging).
- Categories of data subjects: Customer’s clients and prospects, Customer’s employees and contractors.
- Categories of data: names, contact details, service addresses, job and billing history, payment records (card data is handled by Stripe, not stored by FieldOps), photos, and message contents. Customer should not submit special categories of data (e.g., health data) to the Service.
4. Confidentiality and personnel
FieldOps ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations and access data only as needed to operate and support the Service.
5. Security
FieldOps implements appropriate technical and organizational measures, including: encryption in transit (TLS) and at rest via its hosting providers; per-organization database isolation enforced with row-level security; role-based access controls within each workspace; signed, expiring URLs for stored files; webhook signature verification for payment events; and audit logging of sensitive actions.
6. Subprocessors
Customer generally authorizes the subprocessors listed in the Privacy Policy (currently Supabase, Vercel, Stripe, Resend, Twilio, and Cloudflare). FieldOps will update that list before adding a new subprocessor; if Customer reasonably objects on data-protection grounds and no resolution is found, Customer may terminate the affected service and receive a pro-rata refund of prepaid fees. FieldOps remains responsible for its subprocessors’ performance.
7. Data subject requests
Taking into account the nature of the processing, FieldOps will assist Customer with reasonable measures to respond to data subject requests (access, correction, deletion, export). Most such requests can be fulfilled directly by Customer using in-app editing, deletion, and CSV export. If a data subject contacts FieldOps directly, FieldOps will refer the request to Customer.
8. Personal data breach
FieldOps will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required for Customer to meet its own notification obligations.
9. Assistance
FieldOps will provide reasonable assistance with Customer’s data protection impact assessments and consultations with supervisory authorities, to the extent required by law and relating to the Service.
10. International transfers
Customer Personal Data is processed primarily in the United States. Where the GDPR or UK GDPR applies to a transfer, the parties incorporate the European Commission’s Standard Contractual Clauses (Module 2: controller-to-processor), and the UK Addendum where applicable, with Customer as data exporter and FieldOps as data importer; the details in Section 3 populate the annexes.
11. Deletion and return
Upon termination of the Service, FieldOps will, at Customer’s choice, enable export of Customer Personal Data during the wind-down period described in the Terms and thereafter delete it, unless retention is required by law.
12. Audits
FieldOps will make available information reasonably necessary to demonstrate compliance with this DPA (including summaries of its providers’ security certifications, e.g., SOC 2 reports of Supabase, Vercel, and Stripe). Audits beyond that require reasonable notice, no more than once per year, at Customer’s expense, and must not compromise other customers’ data.
13. Liability and order of precedence
The limitations of liability in the Terms of Service apply to this DPA. If this DPA conflicts with the Terms, this DPA controls for data protection matters.
14. Contact
Data protection questions: runfieldops@gmail.com.