Data Processing Agreement

Effective April 26, 2026

This Data Processing Agreement ("DPA") supplements the PointOps Terms of Service. It describes how PointOps processes personal data on behalf of customers and applies whenever Customer Data includes personal data subject to data protection laws (GDPR, UK GDPR, CCPA, etc.).

1. Definitions

Capitalized terms used here have the meaning given in the applicable law (e.g. GDPR Article 4). In short:

• Controller — the customer (the franchise or business that decides why and how personal data is used).
• Processor — PointOps, processing personal data on the controller's instructions.
• Sub-processor — a third party engaged by PointOps to process personal data on its behalf.
• Personal Data — information relating to an identified or identifiable individual within Customer Data.

2. Roles

For Personal Data within Customer Data, the customer is the Controller and PointOps is the Processor. PointOps will process Personal Data only on documented instructions from the customer, which include the customer's use of features and configuration within the service.

3. Subject matter, duration, nature, and purpose

• Subject matter: Provision of the PointOps service.
• Duration: While the customer's account is active, plus the retention periods in our Privacy Policy.
• Nature: Storage, querying, display, AI-assisted analysis, and reporting on data the customer connects (Mindbody, Shopify) or uploads.
• Purpose: Operating an analytics + operations dashboard for the customer's business.

4. Categories of data subjects and personal data

• Data subjects: the customer's clients, the customer's employees and contractors, and the customer's authorized PointOps users.
• Personal data: name, email, phone, postal address, appointment history, purchase history, membership status, internal notes, employment dates, schedule. PointOps does not require or intentionally process special-category data (health, religion, etc.) but customer free-text notes may incidentally contain it — the customer is responsible for managing that risk.

5. Security measures

PointOps implements appropriate technical and organizational measures including:

• Encryption in transit (TLS 1.2+) and at rest (provider-managed AES-256).
• Role-based access control inside the application; row-level security in the database.
• Production access limited to PointOps personnel with a need-to-know; access logged.
• Authentication via Supabase Auth (passwords hashed with bcrypt).
• Per-tenant data isolation enforced at the org level; multi-tenant isolation tests in the codebase.
• API keys to third-party services stored encrypted at rest.
• Append-only audit log for sensitive mutations.
• Daily encrypted backups of the production database.

6. Sub-processors

The customer authorizes PointOps to engage the sub-processors listed below. PointOps remains responsible for sub-processor performance.

• Supabase (Wilmington, USA) — Postgres database, authentication, file storage. Privacy
• Vercel (San Francisco, USA) — application hosting + edge functions. Privacy
• Anthropic (San Francisco, USA) — Claude API for AI features. Prompts and outputs are not retained for model training under their commercial terms. Privacy
• Mindbody (San Luis Obispo, USA) — source-of-record for appointments, sales, and clients we sync on the customer's behalf. Privacy
• Shopify (Ottawa, Canada) — only when the customer connects a Shopify store for inventory sync. Privacy
• Stripe (San Francisco, USA) — subscription billing, when applicable. Stripe acts as an independent controller for payment data per its terms. Privacy

We will notify customers of any new sub-processor at least 30 days before granting them access to Personal Data. Customers may terminate the service if they object to the change.

7. International data transfers

Personal Data is stored and processed in the United States. Where applicable, transfers from the EEA, UK, or Switzerland rely on Standard Contractual Clauses incorporated by reference.

8. Confidentiality

Personnel authorized to access Personal Data are bound by confidentiality obligations.

9. Personal data breach notification

PointOps will notify the customer without undue delay, and no later than 72 hours after becoming aware, of any confirmed Personal Data breach affecting the customer's data. The notice will describe the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed.

10. Assistance with data subject rights

We will provide reasonable assistance to the customer in responding to data subject requests (access, correction, deletion, portability, restriction, objection). Self-service export and deletion endpoints are on the roadmap; until then, requests are handled by emailing hello@pointops.io.

11. Return or deletion of personal data

On termination, PointOps will delete the customer's Personal Data from production within 90 days, unless the customer has already exported a copy or asked us to retain it for a defined period. Backups expire on a 30-day rolling cycle.

12. Audit rights

On reasonable written request (no more than once per 12 months), PointOps will provide the customer with documentation demonstrating compliance with this DPA — including security certifications, third-party audit reports (when available), and responses to a security questionnaire. On-site audits require prior written agreement on scope, timing, and a confidentiality agreement.

13. Liability

Each party's liability under this DPA is governed by the limitation-of-liability clause in the Terms of Service.

14. Order of precedence

If there is a conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA controls.

15. Contact

Privacy and DPA questions: hello@pointops.io.