Legal

Data Processing Addendum

For customer organizations subscribing to Hot Sauce CRM as a processor of personal data.

Starter template — under legal review. This document covers the structural requirements of GDPR Article 28 and CCPA equivalents but has not yet been reviewed by privacy counsel. Email howee@simplifychem.com to request the signed, executable copy with your business name inserted as Controller.

1. Scope and parties

This Data Processing Addendum ("DPA") governs the processing of Personal Data by Hot Sauce CRM ("Processor") on behalf of the customer organization that has subscribed to the Hot Sauce CRM service ("Controller"). It is incorporated by reference into the subscription agreement between the Controller and the Processor.

2. Definitions

Terms used in this DPA ("Personal Data," "Data Subject," "Processing," "Controller," "Processor," "Subprocessor") have the meaning given to them by applicable data-protection law, including the EU General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA") as amended by CPRA, and analogous US state laws.

3. Subject matter, nature, and purpose

The Processor processes Personal Data solely to provide, maintain, and improve the Hot Sauce CRM service for the Controller — including lead management, communications (SMS / email / calls), appointment scheduling, sales tracking, reporting, and AI-assisted reply drafting. The Processor does not use Personal Data for any other purpose.

Duration: from the start of the subscription until 30 days after termination (the standard data-deletion window — see Section 9).

4. Categories of personal data + data subjects

Categories of Personal Data: contact details (name, phone, email), consent records, communication content (SMS / email bodies, call notes), appointment history, sale records, technical metadata captured at the time of submission (IP address, user agent, timestamp).

Categories of Data Subjects: prospects, members, and other contacts of the Controller's gym / fitness business, plus the Controller's own staff users of the Hot Sauce CRM service.

5. Processor obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (the subscription agreement, the Hot Sauce CRM admin UI, and any signed amendments are such instructions).
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures described in Section 7 to protect Personal Data.
  • Assist the Controller, taking into account the nature of processing, in responding to Data Subject Requests (see Section 8).
  • Notify the Controller of any Personal Data Breach without undue delay and within 72 hours of becoming aware (see Section 10).
  • Make available to the Controller all information necessary to demonstrate compliance and allow for audits (see Section 11).

6. Subprocessors

The Controller authorizes the Processor to engage the subprocessors listed below as of the date of this DPA. The Processor remains liable to the Controller for the acts and omissions of its subprocessors.

SubprocessorPurposeData location
Vercel Inc.Application hostingUSA
Supabase Inc.Database + auth + storageUSA (default region)
Twilio Inc.SMS delivery + inbound parsingUSA
Resend Inc.Transactional + drip email delivery + inbound parsingUSA
Anthropic PBCAI draft generation + assessment (when tenant is on Medium tier or higher)USA
Upstash Inc.Rate-limiting for public endpoints (optional)USA
GitHub Inc.Scheduled cron invocation (no Personal Data passes through)USA

The Processor will give the Controller 30 days' prior written notice of any intended new or replaced subprocessor. The Controller may object within that period; if the parties cannot agree, the Controller's sole remedy is to terminate the subscription with pro-rated refund of pre-paid fees.

7. Security measures

The Processor maintains:

  • TLS 1.2+ encryption for all data in transit and AES-256 encryption at rest (via Vercel and Supabase platform defaults).
  • Role-based access controls implemented via PostgreSQL row-level security policies, per-tenant deployment isolation, and separately scoped service-role keys.
  • Audit logs of administrative actions retained per Section 9.
  • Webhook signature verification on all inbound integrations (Twilio, Resend) and a fail-closed default when secrets are not configured.
  • Content Security Policy, HSTS, and frame-ancestors hardening on all responses.

8. Data Subject Requests

Data Subjects may submit access, export, deletion, or correction requests through the public form at /dsr. The Processor will fulfill verified requests within 30 days of receipt and will notify the Controller of any requests that require Controller action.

9. Retention and deletion

Default retention periods:

  • Active lead / member records: retained while the customer relationship is active.
  • Archived leads: 7 years from archive date.
  • Communication content (SMS / email): 2 years from `occurred_at`.
  • Audit log: 7 years.
  • Consent proofs: indefinitely after revocation (regulatory defensibility).

On termination of the subscription, the Processor will return or delete all Personal Data within 30 days, except where retention is required by applicable law (e.g. consent proofs).

10. Personal data breach notification

The Processor will notify the Controller of any Personal Data Breach affecting the Controller's data without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

11. Audit rights

On reasonable prior written notice and not more than once per year (except where required by a Supervisory Authority), the Processor will provide the Controller with reasonable information to verify compliance with this DPA, including recent third-party security attestations where available. On-site audits require the parties to agree in writing on scope, timing, and confidentiality first.

12. International transfers

All subprocessors listed in Section 6 are located in the United States. The Processor will execute Standard Contractual Clauses or rely on other appropriate transfer mechanisms for Personal Data transferred from the EU/EEA, UK, or Switzerland on request from the Controller.

13. Governing law

This DPA is governed by the same law that governs the subscription agreement. Where applicable, GDPR / CCPA / state privacy law overrides any conflicting term.

14. Contact

Notices and questions about this DPA should be sent to howee@simplifychem.com.