Data Processing Agreement
For a PDF version of this agreement, please click here.
Version 1.1
Last updated: June 23, 2025
This Data Processing Agreement (“DPA”) is an agreement between the entity set forth in the applicable Master Services Agreement (“Customer”) and Fixify, Inc. (“Company”). This DPA is subject to the Master Services Agreement between Customer and Company (the “Agreement”) and all capitalized terms not otherwise defined in this DPA will have the meaning set forth in the Agreement. This DPA is effective as of the date of Customer’s first use of the Services (the “DPA Effective Date”). Customer and Company are separately referred to as a “Party” and jointly as the “Parties.”
Pursuant to the Agreement, Company provides the Services to Customer and such Services involve Company handling Customer Data, which may include Personal Information. This DPA reflects the Parties’ agreement with respect to the processing of Personal Information in accordance with the requirements of this DPA and Data Protection Laws.
1. Definitions
“Applicable Law” means all laws, rules, and regulations, as amended, that are applicable to the Agreement and/or any of the Parties.
“Customer Data” means any information provided to Company for Processing under the Agreement.
“Data Controller” means the Party who determines the purpose and means of the Processing of Personal Information.
“Data Processor” means the Party who Processes Personal Information on behalf of the Data Controller.
“Data Protection Laws” means all data protection and privacy laws and regulations applicable to the respective party in its role in the Processing of Personal Information under the Agreement.
“Data Residency Laws” means the Applicable Law of a country, territory, province, or jurisdiction that requires Personal Information to be Processed or stored within such country, territory, province, or jurisdiction.
“Data Subject” means the identified or identifiable natural person to whom Personal Information relates.
“Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
“Process” or “Processing” means any operation or set of operations that are performed on Customer Data or on sets of Customer Data, whether or not by automated means. This term includes “Process,” “Processes,” and “Processed.”
“Security Incident” means the unauthorized access or disclosure, destruction, loss, or alteration to Customer Data.
“Sub-processor” means any other processors engaged by Company to Process Customer Data.
2. Details of the Processing.
a. The details of data Processing (such as subject matter, nature and purpose of the Processing, categories of Personal Information and Data Subjects) are described in the Agreement and in Exhibit A. Company acknowledges and agrees that it may receive, collect, and Process Customer Data that may include Personal Information. Personal
b. The Agreement and this DPA shall generally constitute Customer’s instructions for the processing of Customer Personal Information. Customer may issue additional instructions as needed. Company will inform Customer, without undue delay if, in Company’s reasonable opinion, an instruction infringes Applicable Law; provided, however, that Company is not responsible for performing legal research and/or for providing legal advice to Customer. The Parties shall in good faith seek to resolve the infringing instruction.
c. The Company will not retain, use, or disclose any Personal information provide by or collected on behalf of Customer except as necessary for the purpose of performing Company’s obligations under the Agreement, as permitted by the Agreement, or as permitted under Applicable Law.
3. Role of the Parties
This Parties acknowledge that Customer is the Data Controller and Company is the Data Processor with regard to the Services. For the purposes of United States Data Protection Laws, Company will act as a “service provider” or “processor” in its performance of its obligations pursuant to the Agreement.
4. Sale or Sharing of Data
Company acknowledges and agrees that it shall not make any re-disclosure of Customer Data other than as permitted by this DPA or the Agreement. Company shall not “sell” or “share” Customer Data as defined in the Data Protection Laws. Company may provide data to its Sub-processors in order to provide the Services, and with third-parties if legally required.
5. Data Residency Requirements
Data Controller shall advise Company of any relevant Data Residency Laws.
6. Customer Data Disposition
Upon written request from Customer, Company shall return and/or dispose of all Customer Data, with the exception of any Customer Data that has been licensed to Company for improvement and development of its Services. The format for returning Customer Data will be as mutually agreed to by the Parties.
7. Sub-processing.
a. Sub-processors. By entering into this DPA, Customer provides general authorization for Company to engage Sub-processors to Process Customer Data. Company must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Data to the standard required by Data Protection Laws and to the same standard provided by this DPA; and (ii) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Agreement.
b. Notice of New Sub-processors. Company maintains an up-to-date list of its Sub-processors at https://compliance.fixify.com/, which contains a mechanism for Customer to subscribe to notifications of new Sub-processors. Company will provide such notice, to those emails subscribed, at least ten (10) days before allowing any new Sub-processor to Process Customer Data (the “Sub-processor Notice Period”).
c. Objection to New Sub-processors. Customer may object to Company’s appointment of a new Sub-processor during the Sub-processor Notice Period, provided such objection is based on documented evidence that establishes the Sub-processor does not or cannot comply with this DPA or Data Protection Laws and identifies the reasonable data protection basis for the objection (“Objection”). In the event of an Objection, the parties will work together in good faith to find a mutually acceptable resolution to address such Objection, including but not limited to reviewing additional documentation supporting the Sub-processor’s compliance with the DPA and/or Data Protection Laws. To the extent the parties do not reach a mutually agreeable resolution in a reasonable time period, not to exceed 30 days, Customer may, without penalty or liability, in its sole discretion, terminate the Services with 30 days’ written notice and Company shall provide a pro-rata refund of any sums paid in advance for Services not provided by Company.
8. Data Security
Company shall implement and maintain industry-standard administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of Customer Data. Company shall adhere to the data security requirements of applicable Data Protection Laws. Company acknowledges and agrees to have an industry standard written incident response plan. Upon request, Company agrees to provide Customer with a summary of Company’s written incident response plan.
9. Security Incident
Company agrees to adhere to applicable Data Protection Laws with respect to a Security Incident including, the required responsibilities and procedures for notification, mitigation, and recovery of any such incident. If Company becomes aware of a Security Incident, Company shall notify Customer of the Security Incident without undue delay, and no later than seventy-two (72) hours after becoming aware, unless notification would disrupt investigation of the Security Incident by law enforcement. In such event, notification shall be made within a reasonable time after the incident. The initial Security Incident notification and follow up communications shall provide, as it becomes available, the following information:
a. a list of the types of Customer Data that were or are reasonably believed to have been the subject of the Security Incident;
b. if the information is possible to determine at the time of the notice, the (1) date and time of the Security Incident, (2) the estimated data and time of the Security Incident, or (3) the date and time range of the Security Incident;
c. whether the notification was delayed due to a law enforcement investigation; d. a description of the Security Incident; and
e. when available, the root cause analysis of the Security Incident and the planned remediation and recovery steps.
10. Audits
Company’s security compliance is assessed by independent third-party auditors. Upon Customer’s request and subject to the confidentiality obligations set forth in the Agreement and, in Company’s sole discretion, an additional confidentiality agreement in a form provided by Company, Company shall provide access to information regarding Company’s SOC 2 Type 2 Report. Customer may only use such information to confirm Company’s compliance with this DPA and to assist Customer with complying with its obligations under Data Protection Laws. Company’s SOC 2 Type 2 Report is Company Confidential Information.
11. Data Subject Requests
As between the Parties, Customer shall have sole discretion and responsibility in responding to the rights asserted by any Data Subject in relation to Customer Data (“Data Subject Request”). Company shall promptly notify Customer if Company receives a Data Subject Request that pertains to Customer Data or otherwise identifies Customer. Company shall reasonably cooperate with Customer in the response to the Data Subject Request if the requested Customer Data is not accessible by Customer.
12. Data Protection Impact Assessments
Company shall reasonably cooperate with Customer if Customer is required to create a Data Protection Impact Assessment as required by Data Protection Laws.
13. Use of Artificial Intelligence
Company uses Fixify AI in its Services as described in the Agreement.
14. Third-Party Inquiries
If law enforcement or other government authorities request disclosure of Customer Data from Company, Company shall promptly notify Customer prior to a compelled disclosure, unless lawfully prohibited. Company shall reasonably cooperate with Customer in addressing the request.
15. No Third-Party Rights
In no event shall this DPA benefit or create any right or cause of action on behalf of a third party, but without prejudice to the rights or remedies available to Data Subjects under Data Protection Laws.
16. Termination
In the event that either party seeks to terminate this DPA, they may do so by mutual written consent if the Agreement has been terminated or is terminated in conjunction with this DPA.
17. General Compliance
Each Party remains exclusively liable for its own compliance with Data Protection Laws. Customer warrants that it has provided all required notices and obtained all permissions or, if applicable and sufficient under applicable Data Protection Laws, another valid legal basis as required under applicable Data Protection Laws to provide Company with any Personal Information.
18. Precedence
This DPA will prevail over the Agreement in relation to the processing of Customer Personal Information to the extent any conflict or inconsistency exists between the DPA and the Agreement.
19. Special or Sensitive Data
Unless set forth in a statement of work, order, or other document, Customer Data may not include any sensitive or special data that imposes specific data security or data protection obligations on Company in addition to or different from those specified in any documentation or which are not provided as part of the Services. Company does not require and does not request any sensitive or special data to provide the Services. Customer understands and agrees that Company does not differentiate between different types of data sensitivity when Processing Customer Data or treat certain types of Customer Personal Information differently from other types and applies the same security measures to all Customer Data.
20. Entire Agreement
This DPA and the Agreement constitute the entire agreement of the Parties relating to the subject matter hereof and supersedes all prior communications, representations, or agreements, oral or written, by the Parties relating hereto. This DPA may be amended only with the signed written consent of both Parties. Neither failure nor delay on the part of any Party in exercising any right, power, or privilege hereunder shall operate as a waiver of such right, nor shall any single or partial exercise of any such right, power, or privilege preclude any exercise thereof or the exercise of any other right, power, or privilege.
21. Severability and Waiver
If any provision of this DPA is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this DPA will otherwise remain in full force and effect and enforceable. Any waiver or failure to enforce any provision of this DPA on one occasion will not be deemed a waiver of any other provision or of such provision on any other occasion.
22. Governing Law
This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement.
LIST OF PARTIES
Data exporter:
Name: The Customer who has purchased Services from data importer
Address: as set forth in the Agreement or as set forth in data exporter’s account for the Services
Contact person: as set forth in the Agreement or as set forth in data exporter’s account for the Services
Activities relevant to the data transferred under the DPA: as set forth in the Agreement
Signature and date: refer to Agreement
Role: controller
Data importer:
Name: Fixify, Inc.
Address: as set forth in the Agreement
Contact person: as set forth in the Notices provision in the Agreement
Activities relevant to the data transferred under these Clauses: as set forth in the Agreement
Signature and date: refer to Agreement
Role: processor
DESCRIPTION OF PROCESSING
1. Categories of Data Subjects subjects whose Personal Information is Processed: Customer and its End Users
2. Categories of Personal Information Processed: Data exporter may submit Customer Personal Information to the Services, the extent of which is determined and controlled by the data exporter and it End Users in their sole discretion, and which may include the following:
a. Employee identifiable data
b. Diagnostic data (data collected during working a ticket, including but not limited to screenshots during conversation, logs of application usage, messages)
c. Enterprise data (e.g., IP addresses, server names)
d. IT support data (e.g., tickets, ticket ID, attachments relating to the issue)
3. Sensitive data transferred: None, as set forth in Section 19 of the DPA
4. The frequency of the transfer: Continuous, as set forth in the Agreement
5. Nature of the Processing: Company will Process Personal Information to provide the Services in accordance with the Agreement
6. Purpose(s) of the Processing: The purpose of the Processing is provision of the Services 7. Duration of Processing: As set forth in the Agreement
8. Transfers to Sub-processors: Company will transfer Customer Personal Information to Sub-processors as permitted in Section 7 (Sub-processing).