Data Processing Agreement
Effective Date: February 1, 2026
Last Updated: February 1, 2026
Company: Otesse LLC
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Otesse LLC ("Processor," "we," "us," or "our") and the entity or individual agreeing to these terms ("Controller," "you," or "your"). This DPA sets out the terms and conditions under which Otesse processes personal data on behalf of the Controller in connection with the provision of our field service management platform and related services (the "Services").
This DPA applies where Otesse processes personal data on your behalf as a data processor, for example when you are a business customer using the platform to manage your own customer relationships, bookings, and service operations.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws.
- "Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, combination, restriction, erasure, or destruction.
- "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
- "Sub-processor" means any third party engaged by Otesse to process Personal Data on behalf of the Controller.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.
- "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including but not limited to the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Oregon Consumer Privacy Act (OCPA), and the General Data Protection Regulation (GDPR) where applicable.
2. Scope and Purpose of Processing
2.1 Subject Matter
Otesse processes Personal Data as necessary to provide the Services described in the Terms of Service, including but not limited to:
- Managing user accounts and authentication
- Processing and fulfilling service bookings
- Facilitating communication between customers and service providers
- Processing payments through Stripe
- Generating invoices and financial records
- Providing customer support
- Sending transactional notifications (booking confirmations, reminders, invoices)
2.2 Categories of Data Subjects
- Customers (end users who book services)
- Service providers and field workers
- Administrative users of the platform
2.3 Types of Personal Data Processed
- Contact information (name, email, phone number)
- Account credentials (email, hashed password)
- Address information (service addresses, billing addresses)
- Payment information (processed by Stripe; Otesse stores only last 4 digits and card brand)
- Booking and service history
- Communication records (messages, support tickets, reviews)
- Technical data (IP addresses, device identifiers, usage logs)
2.4 Duration of Processing
Processing will continue for the duration of the service agreement between the parties, plus any retention periods required by applicable law or as described in our Privacy Policy.
3. Controller Obligations
The Controller shall:
- Ensure that it has a lawful basis for processing Personal Data and for instructing Otesse to process Personal Data on its behalf.
- Provide clear and complete instructions to Otesse regarding the processing of Personal Data.
- Ensure that Data Subjects have been informed about the processing of their Personal Data, including the involvement of Otesse as a processor.
- Comply with all applicable data protection laws regarding its own processing activities.
- Promptly notify Otesse of any Data Subject requests that require Otesse's assistance.
4. Processor Obligations
Otesse shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law to do otherwise. In such case, Otesse will inform the Controller of that legal requirement before processing, unless prohibited by law.
- Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures as described in Section 6.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, as described in Section 5.
- Assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws.
- Assist the Controller in ensuring compliance with data breach notification obligations, data protection impact assessments, and prior consultation with supervisory authorities, where applicable.
- At the Controller's choice, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires storage of the Personal Data.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
5. Sub-processors
5.1 Current Sub-processors
The Controller hereby grants general authorization for Otesse to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Convex, Inc. | Database and backend services | United States |
| Vercel, Inc. | Website hosting and delivery | United States |
| Postmark (ActiveCampaign) | Transactional email delivery | United States |
| Google LLC | Address verification and geocoding | United States |
| Mapbox, Inc. | Mapping and location services | United States |
| Geoapify GmbH | Geographic data services | Germany |
5.2 Changes to Sub-processors
Otesse will notify the Controller of any intended changes to the list of sub-processors by updating this DPA and providing notice through the Services or via email at least 14 days before the new sub-processor begins processing Personal Data. The Controller may object to the new sub-processor within 14 days of receiving notice. If the Controller objects and Otesse cannot reasonably accommodate the objection, either party may terminate the affected Services.
5.3 Sub-processor Obligations
Otesse shall impose data protection obligations on each sub-processor that are no less protective than those set out in this DPA. Otesse remains fully liable to the Controller for the performance of each sub-processor's obligations.
6. Security Measures
Otesse implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, or disclosure. These measures include but are not limited to:
- Encryption — All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 or equivalent.
- Access Controls — Role-based access controls, multi-factor authentication for administrative access, and least-privilege principles.
- Network Security — Firewalls, intrusion detection systems, and regular vulnerability scanning.
- Password Security — User passwords are hashed using bcrypt with appropriate cost factors. Otesse never stores plaintext passwords.
- Monitoring — Continuous monitoring of systems for security events and anomalies.
- Incident Response — Documented incident response procedures with defined roles and escalation paths.
- Employee Training — Regular security awareness training for all employees with access to Personal Data.
- Physical Security — Cloud infrastructure providers (Convex, Vercel) maintain SOC 2 Type II certified data centers with physical access controls.
7. Data Breach Notification
In the event of a Data Breach, Otesse shall:
- Notify the Controller without undue delay and in any event within 72 hours of becoming aware of the Data Breach.
- Provide the Controller with sufficient information to enable the Controller to meet any obligations to report the breach to supervisory authorities or Data Subjects under applicable data protection laws.
- Include in the notification, to the extent known: (a) the nature of the Data Breach, including categories and approximate number of Data Subjects and records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its effects; and (d) the name and contact details of Otesse's point of contact for further information.
- Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
8. Audit Rights
Upon reasonable notice (at least 30 days) and no more than once per year, the Controller may audit Otesse's compliance with this DPA. Audits shall be conducted during normal business hours and shall not unreasonably interfere with Otesse's operations. The Controller shall bear the costs of any audit. Otesse may satisfy audit requests by providing relevant third-party audit reports or certifications (e.g., SOC 2 reports from infrastructure providers).
9. Data Deletion and Return
Upon termination of the Services or upon the Controller's written request:
- Otesse will, at the Controller's election, delete or return all Personal Data processed on behalf of the Controller within 30 days.
- Otesse will provide written confirmation of deletion upon request.
- Otesse may retain Personal Data to the extent required by applicable law, and such retained data will continue to be protected in accordance with this DPA.
10. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits or excludes either party's liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; or (c) any liability that cannot be limited or excluded by applicable law.
11. Contact
For questions about this Data Processing Agreement, please contact:
Otesse LLC
Email: hello@otesse.com
Website: otesse.com
Location: Oregon, USA