Data Processing Agreement
Effective date: 1 January 2025
Introduction
This Data Processing Agreement ("DPA") supplements the Terms of Service between RemoteOps ("Processor") and the subscribing organisation ("Controller"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in connection with the RemoteOps platform, in accordance with Article 28 of the General Data Protection Regulation (GDPR).
Definitions
"Controller" means the organisation that determines the purposes and means of processing personal data via the RemoteOps platform. "Processor" means RemoteOps, which processes personal data on behalf of the Controller. "Data Subject" means an identified or identifiable natural person whose personal data is processed. "Personal Data" means any information relating to a Data Subject. "Processing" means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and erasure.
Scope and Purpose of Processing
The Processor processes personal data solely for the purpose of providing the RemoteOps field service management platform to the Controller. Categories of data subjects include the Controller's employees, technicians, dispatchers, and end customers. Categories of personal data include names, email addresses, phone numbers, location data (when navigation features are active), work order history, and call metadata.
Obligations of the Processor
The Processor shall: (a) process personal data only on documented instructions from the Controller; (b) ensure that persons authorised to process personal data are bound by confidentiality obligations; (c) implement appropriate technical and organisational security measures; (d) not engage another processor without prior written authorisation from the Controller; (e) assist the Controller in responding to data subject requests; (f) assist the Controller in ensuring compliance with GDPR obligations regarding security, breach notification, and impact assessments; (g) delete or return all personal data upon termination of the agreement; (h) make available all information necessary to demonstrate compliance with this DPA.
Sub-processors
The Processor maintains a list of approved sub-processors. The Controller grants general authorisation for the Processor to engage sub-processors, subject to the following conditions: (a) the Processor will notify the Controller of any intended addition or replacement of sub-processors at least 30 days in advance; (b) the Controller may object to a new sub-processor within 14 days of notification; (c) each sub-processor is bound by data protection obligations no less protective than this DPA.
Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under GDPR Articles 15-22 (access, rectification, erasure, portability, restriction, and objection). The Processor will promptly forward any data subject request received directly to the Controller.
Security Measures
The Processor implements technical and organisational measures appropriate to the risk, including: (a) encryption of personal data in transit (TLS 1.3) and at rest (AES-256); (b) multi-tenant data isolation ensuring no cross-tenant data access; (c) role-based access control with the principle of least privilege; (d) regular security assessments and vulnerability scanning; (e) employee security awareness training; (f) access logging and audit trails.
Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include: (a) a description of the nature of the breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences of the breach; (d) the measures taken or proposed to address the breach.
Data Transfers
Personal data is primarily stored and processed within the European Union. Where transfers outside the EU are necessary (e.g., for specific sub-processors), the Processor relies on Standard Contractual Clauses (SCCs) approved by the European Commission or other legally recognised transfer mechanisms under GDPR Chapter V.
Audit Rights
The Controller has the right to conduct audits or appoint an independent auditor to verify the Processor's compliance with this DPA. Audits require 30 days' advance notice and shall be conducted during business hours with minimal disruption to operations. The Processor will cooperate fully and provide access to relevant documentation, systems, and facilities.
Data Deletion and Return
Upon termination of the service agreement, the Processor shall, at the Controller's choice, delete or return all personal data within 30 days. Certifiable deletion will be completed within 90 days of termination. The Processor may retain data only where required by EU or member state law, and will inform the Controller of such requirement.
Term and Termination
This DPA takes effect when the Controller begins using the RemoteOps platform and remains in effect for as long as the Processor processes personal data on behalf of the Controller. The obligations of the Processor regarding data protection survive termination of this DPA.