Legal
For customer organizations subscribing to Hot Sauce CRM as a processor of personal data.
This Data Processing Addendum ("DPA") governs the processing of Personal Data by Hot Sauce CRM ("Processor") on behalf of the customer organization that has subscribed to the Hot Sauce CRM service ("Controller"). It is incorporated by reference into the subscription agreement between the Controller and the Processor.
Terms used in this DPA ("Personal Data," "Data Subject," "Processing," "Controller," "Processor," "Subprocessor") have the meaning given to them by applicable data-protection law, including the EU General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act ("CCPA") as amended by CPRA, and analogous US state laws.
The Processor processes Personal Data solely to provide, maintain, and improve the Hot Sauce CRM service for the Controller — including lead management, communications (SMS / email / calls), appointment scheduling, sales tracking, reporting, and AI-assisted reply drafting. The Processor does not use Personal Data for any other purpose.
Duration: from the start of the subscription until 30 days after termination (the standard data-deletion window — see Section 9).
Categories of Personal Data: contact details (name, phone, email), consent records, communication content (SMS / email bodies, call notes), appointment history, sale records, technical metadata captured at the time of submission (IP address, user agent, timestamp).
Categories of Data Subjects: prospects, members, and other contacts of the Controller's gym / fitness business, plus the Controller's own staff users of the Hot Sauce CRM service.
The Processor shall:
The Controller authorizes the Processor to engage the subprocessors listed below as of the date of this DPA. The Processor remains liable to the Controller for the acts and omissions of its subprocessors.
| Subprocessor | Purpose | Data location |
|---|---|---|
| Vercel Inc. | Application hosting | USA |
| Supabase Inc. | Database + auth + storage | USA (default region) |
| Twilio Inc. | SMS delivery + inbound parsing | USA |
| Resend Inc. | Transactional + drip email delivery + inbound parsing | USA |
| Anthropic PBC | AI draft generation + assessment (when tenant is on Medium tier or higher) | USA |
| Upstash Inc. | Rate-limiting for public endpoints (optional) | USA |
| GitHub Inc. | Scheduled cron invocation (no Personal Data passes through) | USA |
The Processor will give the Controller 30 days' prior written notice of any intended new or replaced subprocessor. The Controller may object within that period; if the parties cannot agree, the Controller's sole remedy is to terminate the subscription with pro-rated refund of pre-paid fees.
The Processor maintains:
Data Subjects may submit access, export, deletion, or correction requests through the public form at /dsr. The Processor will fulfill verified requests within 30 days of receipt and will notify the Controller of any requests that require Controller action.
Default retention periods:
On termination of the subscription, the Processor will return or delete all Personal Data within 30 days, except where retention is required by applicable law (e.g. consent proofs).
The Processor will notify the Controller of any Personal Data Breach affecting the Controller's data without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.
On reasonable prior written notice and not more than once per year (except where required by a Supervisory Authority), the Processor will provide the Controller with reasonable information to verify compliance with this DPA, including recent third-party security attestations where available. On-site audits require the parties to agree in writing on scope, timing, and confidentiality first.
All subprocessors listed in Section 6 are located in the United States. The Processor will execute Standard Contractual Clauses or rely on other appropriate transfer mechanisms for Personal Data transferred from the EU/EEA, UK, or Switzerland on request from the Controller.
This DPA is governed by the same law that governs the subscription agreement. Where applicable, GDPR / CCPA / state privacy law overrides any conflicting term.
Notices and questions about this DPA should be sent to howee@simplifychem.com.