Data Processing Agreement

Last Updated: February 17, 2026

1. Scope & Purpose

This Data Processing Agreement ("DPA") forms part of the agreement between Hydrovac Hotline ("we," "us," or "Processor") and the user ("you" or "Data Controller") who uses our platform and services. This DPA applies to all processing of personal data by Hydrovac Hotline on behalf of users of the platform.

The purpose of this DPA is to ensure that Hydrovac Hotline processes personal data in compliance with applicable data protection laws, including but not limited to:

  • The General Data Protection Regulation (GDPR) (EU) 2016/679
  • The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Other applicable state, federal, and international data protection laws

This DPA should be read in conjunction with our Privacy Policy and Terms of Service.


2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Data Controller" means the entity that determines the purposes and means of the processing of Personal Data. In the context of our platform, hydrovac providers who submit their business and customer data are Data Controllers.
  • "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller. Hydrovac Hotline acts as a Data Processor when handling data submitted by providers and customers.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and deletion.
  • "Sub-Processor" means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
  • "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

3. Types of Personal Data Processed

We process the following categories of personal data in connection with our platform services:

Provider Information

  • Contact person names and titles
  • Business email addresses
  • Business phone numbers
  • Company names and business addresses
  • Service area information
  • Payment and billing information (processed via Stripe)
  • Company logos and photos
  • Account credentials (passwordless authentication tokens)

Customer Quote Request Information

  • Full name
  • Email address
  • Phone number
  • Project location and details
  • Timeline and project requirements

Communication Data

  • Chat conversation transcripts
  • Phone call recordings and transcripts
  • SMS message content
  • Email correspondence

Technical Data

  • IP addresses
  • Browser type and version
  • Device information
  • Session identifiers
  • Pages visited and usage patterns

4. Data Processor Obligations

As a Data Processor, Hydrovac Hotline agrees to the following obligations:

  • Lawful processing: Process Personal Data only on documented instructions from the Data Controller and in accordance with applicable data protection laws.
  • Purpose limitation: Process Personal Data only for the specific purposes described in this DPA and our Privacy Policy, including facilitating connections between customers and hydrovac providers, managing provider accounts, and processing payments.
  • Confidentiality: Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 6.
  • Sub-processor management: Not engage another processor without prior general or specific written authorization of the Data Controller, as described in Section 7.
  • Assistance: Assist the Data Controller in ensuring compliance with obligations related to data subject rights, security of processing, breach notification, and data protection impact assessments.
  • Data return and deletion: At the choice of the Data Controller, delete or return all Personal Data after the end of the provision of services and delete existing copies unless applicable law requires storage.
  • Audit support: Make available to the Data Controller all information necessary to demonstrate compliance with data processing obligations and allow for audits.

5. Data Subject Rights

We will assist Data Controllers in fulfilling data subject requests. Data subjects have the following rights, which we support:

  • Right of access: Data subjects may request a copy of their Personal Data that we process.
  • Right to rectification: Data subjects may request correction of inaccurate or incomplete Personal Data.
  • Right to erasure: Data subjects may request deletion of their Personal Data, subject to legal retention requirements.
  • Right to restrict processing: Data subjects may request that we restrict the processing of their Personal Data in certain circumstances.
  • Right to data portability: Data subjects may request their Personal Data in a structured, commonly used, and machine-readable format.
  • Right to object: Data subjects may object to the processing of their Personal Data in certain circumstances.

To exercise any of these rights, data subjects or Data Controllers may contact us at support@hydrovachotline.org. We will respond to all requests within 30 days.


6. Data Security Measures

We implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

Technical Measures

  • Encryption in transit: All data transmitted between users and our servers is encrypted using HTTPS/TLS
  • Secure authentication: Passwordless authentication via email magic links, with session tokens stored in HttpOnly, Secure cookies
  • PCI-DSS compliance: Payment data is processed by Stripe (PCI-DSS Level 1 certified) and never stored on our servers
  • Access controls: Role-based access controls limit data access to authorized personnel only
  • Secure infrastructure: Application hosted on secure cloud infrastructure with regular security updates

Organizational Measures

  • Confidentiality agreements with all personnel who access Personal Data
  • Regular review of data access permissions
  • Data minimization practices ensuring we only collect and retain data necessary for our services
  • Incident response procedures for handling potential data breaches

7. Sub-Processors

We use the following sub-processors to deliver our services. Each sub-processor is bound by contractual obligations to protect Personal Data:

| Sub-Processor | Purpose | Location |
|---------------|---------|----------|
| Stripe | Payment processing | United States |
| Resend | Email delivery | United States |
| Twilio | SMS messaging | United States |
| Vapi | Voice AI and phone call handling | United States |
| Anthropic | AI-powered chat assistance | United States |
| Mapbox | Map and location services | United States |
| InstantDB | Database services | United States |

We will notify Data Controllers of any intended changes concerning the addition or replacement of sub-processors, giving them the opportunity to object to such changes. If we add new sub-processors, we will update this list and note the change on our website.

All sub-processors are required to enter into data processing agreements with us that provide at least the same level of protection as this DPA.


8. Data Breach Notification

In the event of a Data Breach involving Personal Data, we will:

  • Notify promptly: Notify the affected Data Controller(s) without undue delay, and no later than 72 hours after becoming aware of the breach, where feasible.
  • Provide details: Include in the notification the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach.
  • Cooperate: Cooperate with the Data Controller in investigating the breach and fulfilling any legal notification obligations.
  • Document: Document all Data Breaches, including the facts surrounding the breach, its effects, and remedial action taken.
  • Mitigate: Take immediate steps to contain the breach and minimize any potential harm to data subjects.

Reporting a Suspected Breach

If you suspect a data breach involving your information or your customers' information, please contact us immediately at support@hydrovachotline.org with the subject line "Data Breach Report."


9. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. Our standard retention periods are:

  • Quote requests: 2 years after the request is fulfilled or expires
  • Provider accounts: Duration of the account plus 3 years after account closure
  • Call recordings and transcripts: 1 year
  • Chat conversations: 1 year
  • SMS conversations: 1 year
  • Session data: 30 days
  • Payment records: As required by tax and financial regulations (typically 7 years)

Upon expiration of the retention period, Personal Data will be securely deleted or anonymized. Data Controllers may request earlier deletion by contacting us at support@hydrovachotline.org.


10. International Data Transfers

Hydrovac Hotline is based in the United States, and our primary data processing occurs within the United States. If you are accessing our platform from outside the United States, please be aware that your Personal Data will be transferred to and processed in the United States.

Where required by applicable law, we will ensure appropriate safeguards are in place for international data transfers, such as Standard Contractual Clauses (SCCs) or other legally recognized transfer mechanisms.


11. Termination & Data Return

Upon termination of the services or at the Data Controller's request:

  • We will return or delete all Personal Data processed on behalf of the Data Controller, at their choice, within 30 days
  • We will provide the Data Controller with a copy of their data in a commonly used, machine-readable format upon request
  • We will delete all existing copies of the data unless applicable law requires continued storage
  • We will provide written confirmation of data deletion upon request

12. Contact Information

For questions about this Data Processing Agreement or our data processing practices, please contact us:

Hydrovac Hotline

Email: support@hydrovachotline.org

Phone: 1-833-EASY-DIG (1-833-327-9344)

Mailing Address: Hydrovac Hotline, PO Box 7422, Midland, TX 79708

Website: hydrovachotline.org

We will respond to all data processing inquiries within 30 days.