Data Processing Agreement
Effective date: April 20, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Cephus Business Consulting Inc. (“Processor,” “we”) and the Tenant (“Controller,” “you”) using the CBC SaaS platform. It describes how we process personal data on your behalf.
1. Roles & Scope
You are the Controller of personal data you and your end users submit to the Platform (“Customer Data”). We act as the Processor of that data, processing it only as described in the Terms, this DPA, and your documented instructions.
2. Categories of Data & Data Subjects
Data subjects: your end users, typically homeowners submitting a lead through your funnel, and your admin users.
Categories of personal data:
- Contact: name, email, phone
- Property address: street, city, state, ZIP
- Project metadata: selected service, options, price estimate, notes
- Appointment timing and calendar events
- Referral source and UTM parameters
- Technical data: IP address, device/browser metadata
- Admin user credentials (password hashes, session tokens)
3. Nature & Purpose of Processing
We process Customer Data to operate and maintain the Platform: storing leads, sending transactional email, booking appointments, geocoding service addresses, rendering admin dashboards, billing your subscription, and producing anonymous usage analytics. We do not sell Customer Data or use it for our own marketing.
4. Sub-Processors
You authorize us to engage the following sub-processors, each bound by data-protection terms at least as protective as this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Airtable | Primary database for tenant and lead data | United States |
| Vercel | Application hosting, edge middleware, blob storage | United States |
| Resend | Transactional email delivery | United States |
| Google (Calendar, Maps) | Appointment scheduling and address geocoding | United States |
| Stripe | Subscription billing and payment processing | United States |
| PostHog | Product analytics (aggregate, pseudonymous) | United States / EU |
| Sentry | Error monitoring | United States |
We will notify you by email (and/or in the admin dashboard) of any new sub-processor at least 30 days before that sub-processor begins processing Customer Data. You may object by terminating the Terms before the change takes effect.
5. Security Measures
- All network traffic to the Platform is encrypted in transit using TLS 1.2 or higher.
- Admin credentials are stored as bcrypt hashes. Sessions use signed cookies (NextAuth JWT).
- Secrets (API keys, OAuth tokens) are stored in the Vercel environment variable store, not in Customer Data.
- Access to production systems is limited to authorized personnel and is audited.
- Runtime errors are monitored via Sentry; no Customer Data fields are intentionally sent to Sentry.
- Rate limiting is applied to public endpoints to deter abuse.
6. Data Subject Rights
We will reasonably assist you in fulfilling data-subject requests (access, correction, deletion, portability) by providing administrative tools in the dashboard and, where the tools are insufficient, direct support on request.
7. Data Breach Notification
We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notice will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the mitigations taken or proposed.
8. International Transfers
Sub-processors may process Customer Data in the United States. Where required by law, we rely on Standard Contractual Clauses or equivalent mechanisms for cross-border transfers.
9. Retention & Return
We retain Customer Data for the duration of the subscription. On termination, Customer Data will remain available for export for 30 days, after which it may be deleted from active systems. Backups are retained for a rolling window and then overwritten on the normal backup rotation schedule.
10. Audits
On written request no more than once per year, we will provide reasonable information to demonstrate compliance with this DPA. Where a physical audit is legally required, you may audit at your own cost, subject to reasonable confidentiality and scheduling constraints.
11. Liability
Liability for claims arising from this DPA is subject to the limitations in the Terms of Service.
12. Contact
For privacy or data-protection inquiries, contact support@cbcsaas.com.