Legal
Data Processing Addendum.
Last updated: June 16, 2026
This Data Processing Addendum (“DPA”) is entered into between TradelyHQ Inc., a Delaware corporation (“TradelyHQ,” “we,” “us,” or “our”), and the customer that has agreed to our Terms of Service (the “Customer,” “you,” or “your”). It governs how we process personal data on your behalf when you use our software-as-a-service application, websites, and related services (the “Service”). TradelyHQ is a business-to-business product for U.S. commercial maintenance contractors. It is not directed to consumers or to anyone under 18, and the Service is offered only within the 50 United States.
1. Scope, parties & order of precedence
This DPA forms part of, and is incorporated into, the agreement between you and us for your use of the Service (the “Terms”). It applies whenever and to the extent that TradelyHQ processes Customer Personal Data (as defined below) on your behalf in connection with the Service.
For Customer Personal Data, you are the controller (or business), and TradelyHQ is the processor (or service provider). In the event of a conflict, this DPA controls over the rest of the Terms on matters of data protection and the processing of Customer Personal Data; the Terms otherwise control on all other matters. If any provision of this DPA conflicts with a separately negotiated written data-processing agreement signed by both parties, that signed agreement controls to the extent of the conflict.
2. Definitions
Capitalized terms not defined here have the meaning given in the Terms or in Applicable Data Protection Law.
- Applicable Data Protection Law means all data-protection and privacy laws that apply to a party’s processing of Customer Personal Data under this DPA, including, as applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act and its regulations (collectively, the “CCPA/CPRA”), and the comprehensive consumer-privacy laws of Virginia, Colorado, Connecticut, Utah, and other U.S. states, in each case as amended and together with their implementing regulations. Because the Service is U.S.-only and business-to-business, the parties do not anticipate that the EU/UK General Data Protection Regulation applies; Section 12 addresses the limited case in which a non-U.S. transfer mechanism is requested.
- Controller (or, under the CCPA/CPRA, Business) means the entity that determines the purposes and means of the processing of Personal Data. For Customer Personal Data, the Customer is the Controller / Business.
- Processor (or, under the CCPA/CPRA, Service Provider) means the entity that processes Personal Data on behalf of the Controller / Business. For Customer Personal Data, TradelyHQ is the Processor / Service Provider.
- Personal Data means any information relating to an identified or identifiable natural person, and any information that constitutes “personal information” or “personal data” under Applicable Data Protection Law.
- Customer Personal Data means the Personal Data contained within the Customer Data that you and your authorized users submit to, or that is generated within, the Service, and that TradelyHQ processes on your behalf as a Processor / Service Provider. It does not include Personal Data for which TradelyHQ acts as a Controller / Business in its own right (such as your account-administrator contact details, billing data, and the usage, log, and device data we generate to run the Service), which is governed by our Privacy Policy.
- Processing (and “process”) means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organization, storage, use, disclosure, transmission, or deletion.
- Subprocessor means a third party engaged by TradelyHQ to process Customer Personal Data on TradelyHQ’s behalf in connection with the Service.
- Data Subject (or Consumer under the CCPA/CPRA) means the identified or identifiable natural person to whom Customer Personal Data relates.
- Security Incident means a confirmed breach of TradelyHQ’s security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Customer Personal Data processed by TradelyHQ. A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as pings, port scans, denial-of-service attacks, or unsuccessful log-in attempts.
- Sell, Share, De-identified, and other capitalized terms specific to the CCPA/CPRA or another U.S. state privacy law have the meaning given to them in that law. As used here, “business purpose” means the purposes described in the Terms and this DPA for which TradelyHQ may process Customer Personal Data.
3. Roles & details of processing
The parties acknowledge that, with respect to Customer Personal Data, you act as the Controller / Business and TradelyHQ acts as the Processor / Service Provider. The following describes the processing TradelyHQ carries out on your behalf.
| Item | Details |
|---|---|
| Subject matter | Provision of the Service: a multi-tenant work-order, quote, and invoice platform for U.S. commercial maintenance contractors. |
| Duration | For the term of the Terms, plus the limited return-and-deletion period described in Section 11. |
| Nature & purpose | Hosting, storing, organizing, transmitting, and otherwise processing Customer Personal Data so that you can create and manage work orders, quotes, schedules, invoices, field documentation, and team and client records, and so that we can provide related features (such as AI writing-assist, voice-note transcription, translation, AI-assisted dispatching, scheduling, and automation and agent features, push notifications, optional QuickBooks Online sync, support, and security and reliability operations). |
| Categories of Data Subjects | Your clients (the commercial customers you serve) and their personnel; your technicians and other staff; and any other individuals whose Personal Data you or your users choose to enter into the Service. |
| Categories of Personal Data | Contact and identification details (such as names, business names, email addresses, phone numbers, and addresses); work-order, quote, and invoice content; precise geolocation and timestamps associated with field activity; work-order and job-site photos and other uploaded media; customer e-signatures and completion sign-offs; device push-notification tokens; and audit-, log-, and activity data. You decide what Customer Personal Data you upload to or generate within the Service. |
| Sensitive data | The Service is not designed or intended for sensitive categories of Personal Data, and you agree not to submit such data except where the Service is expressly built to handle it (for example, precise geolocation tied to field work). You are responsible for any sensitive data you choose to enter. |
4. Your obligations & instructions
As the Controller / Business, you are responsible for the lawfulness of the Customer Personal Data you process through the Service. In particular, you represent and warrant that:
- you have a valid legal basis, and have provided all required notices and obtained all required consents and authorizations, for the collection and processing of Customer Personal Data, including for technician location and GPS tracking, photography of premises and job sites, and the capture of customer e-signatures and completion sign-offs;
- your use of the Service, and any configuration, integration, or instruction you give through it, constitutes your documented instructions to TradelyHQ for the processing of Customer Personal Data, and any additional instruction must be agreed in writing;
- your instructions, and the processing you direct, comply with Applicable Data Protection Law and do not require TradelyHQ to act in violation of it; and
- you are responsible for the accuracy, quality, and legality of Customer Personal Data and for the means by which you acquired it.
TradelyHQ may suspend, refuse, or seek to clarify any instruction that, in its reasonable judgment, conflicts with Applicable Data Protection Law or this DPA, and it will inform you if it does so. Nothing in this DPA obligates TradelyHQ to process Customer Personal Data in a manner that would violate the law.
5. Our obligations as Processor
TradelyHQ will:
- process Customer Personal Data only on your documented instructions (including as set out in this DPA and the Terms), and only to provide and support the Service, except where Applicable Data Protection Law requires otherwise, in which case TradelyHQ will inform you of that requirement unless the law prohibits it;
- notify you if, in its reasonable opinion, an instruction appears to infringe Applicable Data Protection Law;
- ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality;
- implement and maintain the technical and organizational measures described in Section 7; and
- provide reasonable assistance to you, taking into account the nature of the processing and the information available to TradelyHQ, in connection with your obligations regarding data-subject requests (Section 10), security (Section 7), Security Incident handling (Section 9), data-protection impact assessments, and consultations with regulators.
Assistance under this Section is best-effort and customer-directed, is generally delivered through the Service’s self-service tools and our standard documentation, and, to the extent it requires materially more than de minimis effort, may be provided at your expense on a reasonable, time-and-materials basis.
6. Service-provider certification (CCPA/CPRA & other U.S. state laws)
TradelyHQ acts as a Service Provider (and, under other U.S. state laws, as a processor or contractor) with respect to Customer Personal Data. TradelyHQ certifies that it:
- processes Customer Personal Data only to perform the Services and for the business purposes specified in the Terms and this DPA, and pursuant to your written instructions;
- does not Sell and does not Share Customer Personal Data, and receives no monetary or other valuable consideration in exchange for it;
- does not retain, use, or disclose Customer Personal Data for any purpose other than performing the Services, including not for any commercial purpose other than those business purposes, and not outside the direct business relationship between you and TradelyHQ, except as permitted by Applicable Data Protection Law;
- does not combine Customer Personal Data with Personal Data it receives from, or on behalf of, any other person, or that it collects from its own interaction with a Data Subject, except as permitted by the CCPA/CPRA (for example, to perform a business purpose); and
- will comply with the applicable obligations of the CCPA/CPRA and the other U.S. state privacy laws referenced in this DPA, and will provide the same level of privacy protection as those laws require of Service Providers.
TradelyHQ will notify you if it determines that it can no longer meet its obligations under Applicable Data Protection Law. You may, upon reasonable written notice, take reasonable and appropriate steps to stop and remediate unauthorized processing of Customer Personal Data. TradelyHQ grants you the right, on reasonable notice, to take the reasonable and appropriate steps contemplated by the CCPA/CPRA to ensure that TradelyHQ uses Customer Personal Data in a manner consistent with your obligations.
7. Security measures
TradelyHQ implements and maintains technical and organizational measures designed to protect Customer Personal Data against a Security Incident, appropriate to the nature of the data and the risks involved. These measures are summarized in the Exhibit below. They are designed to provide a level of security appropriate to the risk; no method of transmission or storage is completely secure, and TradelyHQ does not guarantee absolute security. You remain responsible for safeguarding your credentials and for configuring access, roles, and sharing within your account appropriately.
Exhibit: technical & organizational measures
Technical measures. TradelyHQ’s measures are designed to include:
- Encryption. Customer Personal Data is encrypted in transit using TLS and encrypted at rest in our primary data stores.
- Tenant isolation. Each customer’s data is logically separated from every other customer’s through row-level security and per-tenant access scoping, so that one customer’s users cannot access another customer’s data.
- Access control. Role-based access controls and least-privilege principles govern access to systems and data; administrative access is limited to personnel who need it to operate the Service. Multi-factor authentication is available to account users.
- Audit logging. Meaningful actions within the Service are recorded in audit logs designed to support investigation and accountability.
- Change and vulnerability management. Automated security checks and guardrails run against changes before they are shipped, and TradelyHQ maintains a vulnerability-management practice designed to identify and remediate issues on a risk-prioritized basis.
- Backups and resilience. Customer data is backed up on a rolling basis to support recovery, with backups cycling out of retention over time.
Organizational measures. TradelyHQ maintains internal policies and practices designed to support the security of Customer Personal Data, including confidentiality obligations for personnel, least-privilege provisioning and de-provisioning of access, a periodic review of its security posture rather than a one-time assessment at launch, and contractual data-protection commitments imposed on its Subprocessors as described in Section 8. TradelyHQ may update its security measures from time to time, provided that any update does not materially reduce the overall level of protection for Customer Personal Data during the term.
8. Subprocessors
You provide a general authorization for TradelyHQ to engage the Subprocessors listed below to process Customer Personal Data in connection with the Service. Each Subprocessor processes Customer Personal Data under the data-protection terms applicable to the service it provides, and TradelyHQ remains responsible for its use of Subprocessors in connection with the Service.
TradelyHQ will provide notice (for example, by updating this page or our Security page, or by email or in-app notice) before adding or replacing a Subprocessor that will process Customer Personal Data. You may object on reasonable, documented data-protection grounds within a reasonable window after notice. If you do, the parties will work in good faith to resolve the objection; if it cannot be resolved, your remedy is to stop using the affected feature or, where the Subprocessor is essential to the Service and no reasonable alternative exists, to terminate the affected portion of the Service as your sole remedy.
The following Subprocessors are currently engaged. This list is consistent with our Privacy Policy and Security page; we update it when a Subprocessor is added, changed, or removed.
| Subprocessor | Location | Processing activity |
|---|---|---|
| Supabase | United States | Database, authentication, file storage, and back-end functions. |
| Vercel | United States | Hosting for the website and app, plus product analytics and speed insights. |
| Stripe | United States | Subscription payment processing. We do not store full payment-card numbers. |
| Cloudflare R2 | United States | Storage for uploaded photos and media. |
| Cloudflare Turnstile | United States | Bot defense on signup. |
| Resend | United States | Transactional email delivery (invoice reminders, password resets, team invites). |
| Crisp | France (EU) | In-app support chat. Processes data only from people who start a chat. |
| Sentry | United States | Error monitoring (active only where analytics is accepted). Form values are masked. |
| Better Stack | European Union | Uptime monitoring and back-end logs (service-health signals). |
| Anthropic | United States | AI writing-assist, intake-autofill, on-demand translation, and AI-assisted dispatching, scheduling, and automation and agent features. Processes the text and the work-order, scheduling, and related details needed to perform those features. |
| OpenAI | United States | Voice-note transcription. Processes only the audio you submit for transcription. |
| Apple Push Notification service | United States | Delivery of push notifications to Apple devices. |
| Google (Firebase Cloud Messaging) | United States | Delivery of push notifications to Android devices. |
| U.S. Census Bureau Geocoder | United States | Converts site and customer addresses you enter into map coordinates, for route planning and sales-tax jurisdiction lookup. |
| OpenStreetMap Foundation / Nominatim | European Union | Fallback address-to-coordinate lookup when the Census geocoder returns no match. |
| QuickBooks Online (Intuit) | United States, optional | Used only if you connect QuickBooks to sync invoices and customers. |
9. Security incidents
TradelyHQ will notify you without undue delay after becoming aware of a confirmed Security Incident affecting Customer Personal Data. The notice will describe, to the extent then known and as information becomes available, the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address it. TradelyHQ will provide you with the information reasonably available to it to help you meet any obligation you have to notify regulators or affected individuals; the obligation to make any such notification rests with you as the Controller / Business. TradelyHQ’s notice of, or response to, a Security Incident is not an acknowledgment or admission of fault or liability.
10. Data-subject requests
Taking into account the nature of the processing, TradelyHQ will provide self-service tools within the Service, together with reasonable assistance, so that you can respond to requests from Data Subjects to exercise their rights (such as access, correction, deletion, or portability) under Applicable Data Protection Law. If TradelyHQ receives such a request directly from a Data Subject relating to Customer Personal Data, it will, where lawful, redirect the individual to you as the Controller / Business and will not respond to the substance of the request except on your instruction or as required by law.
11. Return & deletion on termination
Following expiration or termination of the Terms, and consistent with the Terms, TradelyHQ will make Customer Personal Data available for export for a period of 30 days. After that window, TradelyHQ will delete or de-identify Customer Personal Data in the ordinary course, and will make best efforts to propagate the deletion to its Subprocessors. Residual copies that remain in routine backups will cycle out of retention on TradelyHQ’s standard backup schedule. TradelyHQ may retain Customer Personal Data to the limited extent, and for the limited period, required by law or to comply with a legal hold, in which case the data remains subject to the protections of this DPA for as long as it is retained.
12. International transfers
The Service is hosted in, and intended for businesses located in, the United States, and Customer Personal Data is processed primarily in the United States. Certain Subprocessors listed in Section 8 process a limited volume of data in the European Union, the European Economic Area, or the United Kingdom, including Crisp (France), Better Stack (EU), and OpenStreetMap Foundation / Nominatim (EU). To the extent Customer Personal Data is processed by those Subprocessors in the EU/EEA/UK, the basis for that processing is each such Subprocessor’s own data-processing terms, which, where applicable, incorporate Standard Contractual Clauses or another lawful transfer mechanism. TradelyHQ relies on those Subprocessors’ terms for any cross-border processing they carry out, and will cooperate in good faith and discuss appropriate standard mechanisms on request where a further mechanism is reasonably required.
13. Audits
You may verify TradelyHQ’s compliance with this DPA through TradelyHQ’s responses to reasonable written security questionnaires and through the reports, certifications, and documentation that TradelyHQ makes available. Such verification may take place no more than once per twelve-month period, except where a regulator requires it or following a Security Incident affecting your Customer Personal Data. Any verification will be conducted on reasonable prior written notice, during business hours, subject to confidentiality obligations, at your expense, and in a manner that does not disrupt TradelyHQ’s operations. Verification does not include access to any other customer’s data, and does not include access to TradelyHQ’s systems, premises, or facilities beyond what is strictly necessary and expressly agreed in writing. The documentation and questionnaire process described in this Section is the primary and preferred means of verification, and an on-site audit will be considered only where the available documentation is demonstrably insufficient to verify compliance and a regulator requires it.
14. Liability
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or any other theory, is subject to the limitations and exclusions of liability set out in the Terms, and any reference in the Terms to the liability of a party or its affiliates means the aggregate liability of that party and its affiliates under the Terms and this DPA together. All claims under this DPA and the Terms count toward, and do not increase, that single aggregate cap.
15. Aggregated & de-identified data
TradelyHQ may create and use de-identified or aggregated data derived from the operation of the Service, consistent with the Terms and Applicable Data Protection Law. TradelyHQ will maintain and use such data only in de-identified or aggregated form, will not attempt to re-identify it, and may use it for any lawful purpose, including operating, securing, analyzing, and improving the Service and developing new features. This right survives termination of the Terms and this DPA.
16. General
Term & survival. This DPA takes effect when you accept the Terms and remains in effect for as long as TradelyHQ processes Customer Personal Data on your behalf. Provisions that by their nature should survive termination (including Sections 11, 14, 15, and this Section 16) survive.
Conflicts. As stated in Section 1, this DPA controls over the rest of the Terms on matters of data protection and the processing of Customer Personal Data; the Terms control on all other matters.
Changes. TradelyHQ may update this DPA and its list of Subprocessors from time to time. If a change is material, TradelyHQ will update the “Last updated” date above and provide reasonable notice (for example, by email or an in-app notice). Your continued use of the Service after a change takes effect means you accept the updated DPA, except where Applicable Data Protection Law requires your express agreement.
Governing law. This DPA is governed by, and construed in accordance with, the laws of the State of Delaware, consistent with the Terms, without regard to its conflict-of-laws rules.
Contact & signed copies. For questions about this DPA, or to request a counter-signed copy for your procurement records, contact us at privacy@tradelyhq.com. We will provide a signed copy on request, referencing your account and these published terms.
Last updated: June 16, 2026