Data Processing Agreement

“Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including CCPA/CPRA (Cal. Civ. Code §1798.100 et seq.), GDPR (EU 2016/679), and any applicable US state privacy law (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, and others as enacted).

“Controller” means the entity that determines the purposes and means of the Processing of Personal Data — i.e., the business operating on the 10service.app platform. Under CCPA, the Controller is the “Business.”

“Processor” means 10service.app (operated by the platform operator), which Processes Personal Data on behalf of the Controller. Under CCPA, the Processor is the “Service Provider.”

“Personal Data” means any information relating to an identified or identifiable natural person, including name, telephone number, email address, physical address, IP address, service request details, call recordings, and payment information.

“Processing” means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

“Data Subject” means the identified or identifiable natural person to whom Personal Data relates — i.e., the end customer of the Controller's home service business.

“Sub-Processor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

“Standard Contractual Clauses” (SCCs) means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to third countries (Commission Implementing Decision (EU) 2021/914).

2.1. This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the 10service.app platform services.

2.2. In the event of any conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

2.3. The details of the Processing (nature, purpose, categories of data, categories of Data Subjects, and duration) are set forth in Annex I below.

3.1. The Controller is the data controller (or “Business” under CCPA) with respect to Personal Data. The Controller determines the purposes and means of Processing.

3.2. The Processor is the data processor (or “Service Provider” under CCPA) with respect to Personal Data. The Processor shall Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.

3.3. Each Party shall comply with its obligations under Applicable Data Protection Law with respect to its role.

4.1. The Processor shall Process Personal Data only in accordance with the Controller's documented instructions, which include: (a) Processing to provide the platform services described in the Service Agreement; (b) Processing initiated by authorized users in their use of the platform; and (c) Processing to comply with other documented, reasonable instructions provided by the Controller that are consistent with the Service Agreement.

4.2. If the Processor believes that an instruction from the Controller infringes Applicable Data Protection Law, the Processor shall promptly notify the Controller and shall be entitled to suspend the relevant Processing until the Controller modifies or confirms the instruction.

5.1. Confidentiality. The Processor shall ensure that all persons authorized to Process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.

5.2. Security. The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents, as detailed in Annex II. These measures shall include, at minimum: encryption in transit (TLS 1.2+), role-based access controls, audit logging, tenant data isolation, and regular security assessments.

5.3. Personnel. The Processor shall ensure that access to Personal Data is limited to personnel who require such access for the performance of the platform services, and that such personnel have received appropriate training on data protection obligations.

5.4. Assistance. Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to Data Subject requests and to ensure compliance with the Controller's obligations under Applicable Data Protection Law.

6.1. The Controller hereby provides general written authorization for the Processor to engage Sub-Processors listed in Annex III.

6.2. The Processor shall notify the Controller at least thirty (30) days prior to engaging any new Sub-Processor or replacing an existing Sub-Processor, providing the name, location, and purpose of the Sub-Processor.

6.3. The Controller may object to a new Sub-Processor within fifteen (15) days of receiving notification by providing written notice with reasonable grounds for objection. If the Controller objects and the Parties cannot resolve the objection within thirty (30) days, the Controller may terminate the affected portion of the Service Agreement without penalty.

6.4. The Processor shall impose on each Sub-Processor, by way of a written agreement, data protection obligations no less protective than those set forth in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-Processor's obligations.

7.1. The Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organizational measures to fulfill the Controller's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2. If the Processor receives a request directly from a Data Subject, the Processor shall promptly redirect the Data Subject to the Controller and notify the Controller, unless otherwise instructed.

7.3. The Processor shall process Data Subject requests within forty-five (45) days of receipt of instructions from the Controller.

8.1. The Processor shall notify the Controller of any confirmed Security Incident without undue delay, and in any event within forty-eight (48) hours of becoming aware of the incident.

8.2. Such notification shall include, to the extent known: (a) the nature of the Security Incident, including categories and approximate number of Data Subjects affected; (b) the likely consequences of the incident; (c) the measures taken or proposed to address the incident and mitigate its effects; and (d) the name and contact details of the Processor's point of contact.

8.3. The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Security Incident.

8.4. The Processor's notification of a Security Incident shall not be construed as an acknowledgment of fault or liability.

9.1. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

9.2. Upon reasonable written request (no more than once per twelve-month period), the Processor shall permit the Controller or a qualified third-party auditor appointed by the Controller to conduct an audit of the Processor's compliance with this DPA. The Controller shall provide at least thirty (30) days' advance notice. The Controller shall bear the costs of any such audit.

9.3. The Processor shall provide a current SOC 2 Type II report, ISO 27001 certificate, or equivalent security assessment report upon request, to the extent available. Where such reports are not yet available, the Processor shall provide reasonable responses to the Controller's security questionnaire.

10.1. Upon termination or expiration of the Service Agreement, the Processor shall, at the Controller's election, return or delete all Personal Data within thirty (30) days, unless retention is required by applicable law.

10.2. Personal Data contained in backup systems shall be deleted within sixty (60) days following the scheduled backup rotation cycle.

10.3. The following retention periods apply by law and override deletion requests: financial records (invoices, payments, commission records) — seven (7) years per IRS requirements; HVAC refrigerant service records — three (3) years per EPA regulations. Such records shall be anonymized (PII removed) rather than deleted.

10.4. Upon completion of deletion, the Processor shall provide written certification to the Controller confirming that Personal Data has been deleted or anonymized in accordance with this Section.

11.1. To the extent the Processor processes Personal Data subject to the CCPA/CPRA, the Processor is a “Service Provider” as defined in Cal. Civ. Code §1798.140(ag) and hereby certifies that it:

• Shall NOT sell Personal Data received from the Controller;
• Shall NOT share Personal Data for cross-context behavioral advertising;
• Shall NOT retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Service Agreement, including any commercial purpose other than providing the platform services;
• Shall NOT combine Personal Data received from or on behalf of the Controller with Personal Data received from or on behalf of another person or entity, or collected from the Processor's own interaction with the Data Subject, except as permitted by CCPA/CPRA;
• Shall NOT retain, use, or disclose Personal Data outside the direct business relationship between the Processor and the Controller.

11.2. The Processor shall notify the Controller if it determines that it can no longer meet its obligations under CCPA/CPRA as a Service Provider.

11.3. The Controller shall have the right, upon reasonable notice, to take reasonable and appropriate steps to ensure that the Processor uses Personal Data in a manner consistent with the Controller's obligations under CCPA/CPRA. This may include ongoing manual reviews and automated scans of the Processor's system, no more than once every twelve (12) months.

12.1. All Personal Data is primarily processed within the United States. To the extent that Processing involves the transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to the United States, such transfers shall be governed by the Standard Contractual Clauses (Module 2: Controller-to-Processor).

12.2. The Parties agree that the SCCs are hereby incorporated by reference and shall be deemed executed as of the effective date of this DPA.

13.1. Each Party's total aggregate liability under this DPA shall be subject to the limitations of liability set forth in the Service Agreement.

13.2. Nothing in this DPA shall limit either Party's liability for: (a) willful misconduct or gross negligence; (b) liability that cannot be excluded or limited under applicable law; or (c) either Party's indemnification obligations relating to third-party claims arising from a breach of this DPA.

14.1. This DPA shall remain in effect for the duration of the Service Agreement and shall automatically terminate upon termination of the Service Agreement, subject to the Processor's obligations under Section 10 (Data Retention and Deletion).

14.2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination shall remain in full force and effect.

15.1. Governing Law. This DPA shall be governed by the laws of the State of California, United States, without regard to its conflict of laws principles.

15.2. Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.3. Amendments. This DPA may be amended only by a written instrument signed by both Parties. The Processor reserves the right to update the annexes to reflect changes in Sub-Processors or security measures, with thirty (30) days' advance notice to the Controller.

15.4. Entire Agreement. This DPA, together with the Service Agreement and its annexes, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data.