Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service between ClimatePro ("Processor") and the customer identified in the applicable order, subscription, or account registration ("Controller").
1. Purpose
This DPA applies where ClimatePro processes Personal Data on behalf of the Controller in connection with the provision of the Service.
2. Definitions
"Personal Data", "Controller", "Processor", "Data Subject", "Processing", and related terms shall have the meanings given in applicable data protection laws, including the UK GDPR and EU GDPR where applicable.
3. Subject matter and duration
ClimatePro will process Personal Data solely for the purpose of providing, maintaining, securing, and supporting the Service.
Processing will continue for the duration of the customer's use of the Service and for any retention period reasonably necessary for security, legal compliance, backup, or dispute resolution purposes.
4. Nature and purpose of processing
Processing activities may include:
- Storage of customer account information
- User authentication
- Hosting and database services
- Customer support
- Email delivery
- Subscription and billing administration
- Security monitoring and fraud prevention
- Generation of reports and platform outputs
5. Categories of data subjects
Data Subjects may include:
- Customer employees
- Customer contractors
- Customer representatives
- Authorized users of the Service
- Individuals whose personal information is included within customer-provided content
6. Categories of personal data
Personal Data may include:
- Names
- Email addresses
- User account identifiers
- Authentication information
- Business contact details
- IP addresses
- Device and browser information
- Customer-submitted content containing personal data
- Billing and subscription metadata
ClimatePro does not intentionally require special category data, and customers should avoid uploading special category data unless necessary and lawful.
7. Processor obligations
ClimatePro shall:
- Process Personal Data only on documented instructions from the Controller;
- Ensure persons authorized to process Personal Data are subject to confidentiality obligations;
- Implement appropriate technical and organizational security measures;
- Notify the Controller without undue delay upon becoming aware of a Personal Data Breach affecting Controller Personal Data;
- Assist the Controller in responding to Data Subject requests where reasonably possible;
- Assist the Controller with compliance obligations under applicable data protection laws where reasonably required.
8. Security measures
ClimatePro maintains reasonable technical and organizational measures designed to protect Personal Data, including as appropriate:
- Access controls and authentication mechanisms
- Encryption in transit using TLS
- Hosted infrastructure provided by reputable cloud providers
- Logical segregation of customer data
- Monitoring and logging of platform activity
- Secure software development and deployment practices
No security measure can guarantee absolute protection against all threats.
9. Subprocessors
The Controller authorizes ClimatePro to engage the following subprocessors:
| Subprocessor | Purpose |
|---|---|
| Stripe | Subscription billing and payment processing |
| Vercel | Application hosting and infrastructure |
| Neon | Managed PostgreSQL database hosting |
| Resend | Transactional email delivery |
| Sender | Marketing and customer communications |
| Google Identity Services | User authentication and login |
| Microsoft Identity Platform | User authentication and login |
ClimatePro may add or replace subprocessors from time to time. An updated subprocessor list will be maintained on request or through ClimatePro documentation. ClimatePro will impose appropriate data protection obligations on subprocessors where required by law.
10. International transfers
Where Personal Data is transferred outside the United Kingdom or European Economic Area, ClimatePro will implement appropriate safeguards as required by applicable law, including reliance on adequacy regulations, standard contractual clauses, international data transfer agreements, or equivalent mechanisms.
11. Data subject requests
If ClimatePro receives a request from a Data Subject relating to Personal Data processed on behalf of the Controller, ClimatePro will, where legally permitted, direct the Data Subject to the Controller or notify the Controller of the request.
12. Personal data breaches
ClimatePro shall notify the Controller without undue delay after becoming aware of a confirmed Personal Data Breach affecting Controller Personal Data and shall provide information reasonably available to assist the Controller in meeting its legal obligations.
13. Deletion and return of data
Upon termination of the Service and upon written request, ClimatePro will delete or return Personal Data, unless retention is required by applicable law or reasonably necessary for security, backup, fraud prevention, or dispute resolution purposes.
14. Audit rights
No on-site audits shall be required unless mandated by applicable law. Upon reasonable written request, ClimatePro may provide information reasonably necessary to demonstrate compliance with this DPA.
15. Limitation of liability
The liability limitations set forth in the Terms of Service apply to this DPA and form an integral part of it.
16. Governing law
This DPA shall be governed by the laws of England and Wales.