PAINTLOGIC DATA PROCESSING ADDENDUM
Version: 1.0
Effective Date: [INSERT DATE]
Last Updated: [INSERT DATE]
Plain English Summary
This addendum describes how PaintLogic processes your data as a service provider. It's designed for enterprise customers who need formal data processing agreements for compliance purposes.
1. Introduction
This Data Processing Addendum ("DPA") supplements the PaintLogic Terms of Service ("Agreement") and applies to the processing of Personal Data by PaintLogic on behalf of Customer.
This DPA is intended to help customers meet their obligations under applicable data protection laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) and, where applicable, the EU General Data Protection Regulation (GDPR).
2. Definitions
"Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, Customer is the Controller.
"Customer" means the entity that has entered into the Agreement with PaintLogic.
"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
"PaintLogic" means PaintLogic and its affiliates providing services under the Agreement.
"Personal Data" means any information relating to an identified or identifiable natural person that PaintLogic processes on Customer's behalf.
"Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, PaintLogic is the Processor.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
"Sub-processor" means a third party engaged by PaintLogic to process Personal Data on Customer's behalf.
3. Scope and Roles
3.1 Relationship
Customer is the Controller of Personal Data uploaded to PaintLogic. PaintLogic is the Processor, processing Personal Data on Customer's behalf to provide the services.
3.2 Customer's Responsibilities
Customer is responsible for:
- Ensuring a lawful basis for collecting and processing Personal Data
- Providing required notices to Data Subjects
- Obtaining necessary consents
- Responding to Data Subject requests with PaintLogic's assistance
- Complying with applicable data protection laws
3.3 PaintLogic's Responsibilities
PaintLogic will:
- Process Personal Data only on Customer's documented instructions
- Assist Customer in meeting data protection obligations
- Maintain appropriate security measures
- Notify Customer of data breaches
- Delete or return Personal Data upon termination
4. Data Processing Details
4.1 Subject Matter
Processing of Personal Data to provide PaintLogic's receipt management, project tracking, and property record services.
4.2 Duration
Processing continues for the duration of the Agreement plus any retention period required by law or requested by Customer.
4.3 Nature and Purpose
| Processing Activity | Purpose |
|---|---|
| Receipt storage | Store uploaded receipt images and extracted data |
| Project management | Organize data by project and property |
| AI processing | Extract structured data from receipts using AI |
| Report generation | Create paint schedules and analytics |
| Subcontractor management | Facilitate subcontractor job tracking |
4.4 Types of Personal Data
Customer may upload Personal Data including:
- Names (customer names, property owner names, subcontractor names)
- Contact information (addresses, phone numbers, emails)
- Property addresses
- Financial information (invoice amounts, payment data)
- Employment information (for subcontractors)
- Government IDs (contractor licenses, tax IDs)
4.5 Categories of Data Subjects
- Customer's customers (homeowners, property managers)
- Customer's subcontractors and employees
- Customer's business contacts
5. Customer Instructions
5.1 Documented Instructions
PaintLogic will process Personal Data only in accordance with:
- The Agreement and this DPA
- Customer's use of PaintLogic features (implied instructions)
- Written instructions from Customer
5.2 Additional Instructions
Customer may provide additional processing instructions in writing. If PaintLogic determines that an instruction violates applicable law, PaintLogic will promptly notify Customer.
6. Security Measures
6.1 Technical and Organizational Measures
PaintLogic implements appropriate measures including:
Technical Measures:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for sensitive data
- Access controls and authentication
- Regular security assessments
- Secure development practices
Organizational Measures:
- Employee confidentiality agreements
- Security training
- Access limited to need-to-know
- Incident response procedures
6.2 Infrastructure Security
PaintLogic stores Customer data with infrastructure providers that maintain SOC 2 Type II attestation reports (Supabase). SOC 2 is an independent auditor's report on the provider's controls rather than a certification, and PaintLogic may provide the relevant report to Customer under Section 11.3.
7. Sub-processors
7.1 Current Sub-processors
Customer authorizes PaintLogic to use the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting, authentication, file storage | United States |
| Railway | Application hosting | United States |
| Anthropic | AI processing (Claude API) | United States |
| Google/Microsoft | OAuth authentication, email integration | United States |
| USPS | Address validation | United States |
7.2 Sub-processor Agreements
PaintLogic maintains agreements with Sub-processors that impose data protection obligations substantially similar to this DPA.
7.3 Sub-processor Changes
PaintLogic will notify Customer before engaging new Sub-processors that process Personal Data. Customer may object within 30 days. If Customer objects and PaintLogic cannot accommodate the objection, Customer may terminate the affected services.
7.4 Sub-processor Liability
PaintLogic is liable for Sub-processor compliance with this DPA.
8. Data Subject Rights
8.1 Assistance
PaintLogic will assist Customer in responding to Data Subject requests, including:
- Access requests
- Correction requests
- Deletion requests
- Data portability requests
- Objection requests
8.2 Response Time
PaintLogic will respond to Customer's assistance requests within 10 business days, or sooner if required by law.
8.3 Direct Requests
If a Data Subject contacts PaintLogic directly, PaintLogic will redirect them to Customer unless legally required to respond.
9. Data Breach Notification
9.1 Notification
PaintLogic will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer's data.
9.2 Notification Contents
Notification will include, to the extent known:
- Nature of the breach
- Categories and approximate number of Data Subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
9.3 Customer Responsibility
Customer is responsible for notifying affected Data Subjects and regulators as required by applicable law.
10. Data Transfers
10.1 Location
Personal Data is processed in the United States. Customer consents to this transfer.
10.2 International Transfers
If Personal Data originates from jurisdictions with transfer restrictions (e.g., EU/EEA), Customer is responsible for ensuring appropriate transfer mechanisms are in place before uploading such data.
11. Audit Rights
11.1 Documentation
Upon request, PaintLogic will provide Customer with documentation demonstrating compliance with this DPA.
11.2 Audits
Customer may audit PaintLogic's compliance with this DPA:
- With 30 days' written notice
- During normal business hours
- At Customer's expense
- No more than once per year (unless required by a regulator)
11.3 Third-Party Audits
PaintLogic may satisfy audit requests by providing relevant third-party audit reports (e.g., SOC 2 reports).
12. Data Retention and Deletion
12.1 During Agreement
PaintLogic retains Personal Data for the duration of the Agreement, subject to Customer's deletion requests.
12.2 Upon Termination
Upon Agreement termination:
- Customer may export data within 30 days
- PaintLogic will delete Personal Data within 90 days after the export period
- Backups may retain data for up to an additional 90 days
12.3 Exceptions
PaintLogic may retain data longer if required by law, but will isolate and protect such data.
13. California-Specific Terms (CCPA/CPRA)
13.1 Service Provider Certification
For purposes of CCPA/CPRA, PaintLogic certifies that it:
- Processes Personal Information only for the business purposes specified in the Agreement
- Will not sell or share Personal Information
- Will not retain, use, or disclose Personal Information outside the direct business relationship with Customer
- Will not combine Personal Information with data from other sources except as permitted by CCPA/CPRA
13.2 Rights Requests
PaintLogic will assist Customer in responding to California consumer rights requests within the timeframes required by CCPA/CPRA.
14. Liability
14.1 Limitation
Liability under this DPA is subject to the limitation of liability in the Agreement.
14.2 Indemnification
Each party will indemnify the other for losses arising from the indemnifying party's breach of this DPA.
15. Term and Termination
15.1 Term
This DPA remains in effect for the duration of the Agreement.
15.2 Survival
Sections relating to confidentiality, data retention, and liability survive termination.
16. General
16.1 Conflicts
If this DPA conflicts with the Agreement, this DPA controls with respect to data protection matters.
16.2 Amendments
This DPA may be amended by PaintLogic with 30 days' notice. Material adverse changes require Customer consent.
16.3 Governing Law
This DPA is governed by the same law as the Agreement (Illinois).
17. Contact
Data Protection Inquiries:
privacy@paint-logic.com
Legal:
legal@paint-logic.com
Last reviewed: [DATE]
Attorney Review Status: 🟡 YELLOW — DPA should be reviewed for specific customer requirements