This Data Processing Addendum ("DPA") is incorporated into and forms part of the TowSpark Terms of Service ("Agreement") between Leadbridge Solutions, LLC d/b/a TowSpark ("we," "us," "our," or "TowSpark") and the entity agreeing to the Agreement ("Customer," "you," or "your").
This DPA applies to our Processing of Personal Data on your behalf as part of the Service.
Terms not defined here have the meaning given in the Agreement or as defined by Applicable Data Protection Law.
"Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data, including but not limited to the GDPR and the CCPA.
"CCPA" means the California Consumer Privacy Act, as amended.
"Controller" means the entity that determines the purposes and means of Processing Personal Data. For the purpose of this DPA, Customer is the Controller.
"Data Subject" means the individual to whom Personal Data relates.
"GDPR" means the EU General Data Protection Regulation 2016/679.
"Personal Data" means any information Processed by us on your behalf pursuant to the Agreement that relates to an identified or identifiable Data Subject.
"Processing" (and "Process") means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
"Processor" means the entity that Processes Personal Data on behalf of the Controller. For the purpose of this DPA, TowSpark is the Processor.
"Standard Contractual Clauses" (or "SCCs") means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.
"Sub-processor" means any third party engaged by TowSpark to Process Personal Data.
(a) Roles of the Parties. The parties acknowledge and agree that for the Processing of Personal Data, Customer is the Controller and TowSpark is the Processor.
(b) Customer's Obligations. Customer represents and warrants that it has a lawful basis for the Processing of all Personal Data and has provided all necessary notices and obtained all necessary consents from Data Subjects.
(c) TowSpark's Obligations. We will Process Personal Data only on behalf of Customer and in accordance with Customer's documented lawful instructions. The parties agree that this DPA and the Agreement (including Customer's use and configuration of the Service) constitute Customer's complete and final instructions to TowSpark for the Processing of Personal Data.
(d) California Consumer Privacy Act (CCPA) Certification. To the extent the CCPA applies, TowSpark acts as a "Service Provider." We certify that we understand the restrictions of the CCPA and will not: (i) "sell" or "share" Personal Data (as defined by CCPA); (ii) retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Service; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between TowSpark and Customer.
We will implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures will ensure a level of security appropriate to the risk of Processing.
We will ensure that our personnel who are authorized to Process Personal Data are subject to binding obligations of confidentiality.
(a) General Authorization. Customer grants TowSpark general written authorization to engage Sub-processors to Process Personal Data, provided that TowSpark enters into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this DPA.
(b) Sub-processor List and Objections. We will maintain a list of our current Sub-processors as set forth in Annex II (or at a designated URL). We will provide Customer with at least ten (10) days' prior written notice of any new Sub-processor. Customer may object to a new Sub-processor on reasonable, data-protection-related grounds by notifying us in writing within ten (10) days of our notice. If Customer objects, the parties will work in good faith to resolve the objection.
We will, to the extent legally permitted, provide reasonable assistance to Customer to help Customer respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law (e.g., access, correction, deletion). Customer is responsible for handling all such requests directly.
We will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer's Personal Data. We will provide Customer with sufficient information (to the extent known to us) to allow Customer to meet its breach notification obligations under Applicable Data Protection Law.
(a) Processing Location. Customer acknowledges that TowSpark may transfer and Process Personal Data in the United States and other locations where we or our Sub-processors maintain operations.
(b) Transfer Mechanism. To the extent that the Processing of Personal Data involves a transfer from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country not recognized as providing an adequate level of data protection, the parties agree that such transfers are subject to the Standard Contractual Clauses (SCCs), which are incorporated by reference.
For such transfers, Module Two (Controller to Processor) of the SCCs will apply.
The parties agree that for the purposes of the SCCs, Customer is the "data exporter" and TowSpark is the "data importer."
Annex I and II of this DPA will serve as Annex I and II of the SCCs, respectively.
Upon Customer's written request (no more than once annually), we will provide Customer with confidential responses to a reasonable security questionnaire or a security self-assessment to demonstrate our compliance with this DPA. If we undergo independent third-party audits in the future (e.g., SOC 2), we may provide those reports in satisfaction of this requirement.
Upon termination of the Agreement, we will delete or return all Personal Data to Customer, at Customer's choice, in accordance with the data deletion and export procedures set forth in the Agreement.
(a) Conflict. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall govern with respect to the subject matter of data Processing.
(b) Governing Law. This DPA and any disputes arising from it shall be governed by the "Governing Law & Dispute Resolution" section of the Agreement.
If you have any questions or concerns about this Policy or our data practices, please contact us at:
Leadbridge Solutions, LLC (TowSpark)
8605 Santa Monica Blvd PMB 522267
West Hollywood, California 90069-4109
Email: [email protected]
Data Exporter / Controller: Customer.
Data Importer / Processor: TowSpark.
Nature and Purpose of Processing:
Duration of Processing:
For the duration of the Subscription Term as specified in the Agreement, and until the data is returned or deleted in accordance with the Agreement.
Authorized User Data: Name, email address, phone number, account credentials.
Customer's Customer Data: Name, phone number, pickup and drop-off location data, vehicle information, and any other data Customer chooses to input into the Service.
Employee/Driver Data: Name, phone number, dispatch assignments, and web-based real-time location data.
Special Categories of Data (if any): None anticipated or intentionally collected. Customer agrees not to upload any special categories of data not required for the ordinary use of the Service.
TowSpark uses the following Sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | Cloud Hosting & Infrastructure | United States |
| Google LLC | Analytics & Email Delivery | United States |
| Stripe, Inc. | Payment Processing | United States |
| Resend | United States |