Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Servicebetween Morrow Systems Group LLC (“Morrow”) and the Contractor that subscribes to Trodelo (the “Service”). It governs how Morrow processes personal information on the Contractor’s behalf in providing the Service. Capitalized terms not defined here have the meaning given in the Terms of Service. If there is a conflict between this DPA and the Terms of Service regarding the processing of personal information, this DPA controls.

1. Definitions

• “Applicable Data Protection Law”means all privacy and data-protection laws applicable to a party’s processing of Personal Data under this DPA, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (the “CCPA”) and comparable U.S. state privacy laws.
• “Personal Data”means information within Customer Data that identifies or relates to an identified or identifiable individual and is processed by Morrow on the Contractor’s behalf.
• “Controller” and “Processor” (and, under the CCPA, “Business” and “Service Provider”) describe the parties’ roles: the Contractor is the Controller / Business and Morrow is the Processor / Service Provider.
• “Subprocessor” means a third party engaged by Morrow to process Personal Data in connection with the Service.
• “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data processed by Morrow.

2. Roles and scope

As between the parties, the Contractor is the Controller of Personal Data and Morrow is the Processor, processing Personal Data only to provide the Service. The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of data subjects are described in Annex A. Each party is responsible for complying with the obligations that apply to it in its role under Applicable Data Protection Law.

3. Processing instructions

Morrow will process Personal Data only on the Contractor’s documented instructions, which consist of the Terms of Service, this DPA, the Contractor’s configuration and use of the Service, and any further written instructions the Contractor gives that the parties agree to. Morrow will inform the Contractor if, in Morrow’s opinion, an instruction violates Applicable Data Protection Law, unless legally prohibited from doing so. Morrow will not process Personal Data for any purpose other than providing the Service.

4. Confidentiality

Morrow ensures that personnel authorized to process Personal Data are bound by appropriate obligations of confidentiality and process Personal Data only as necessary to provide the Service.

5. Security measures

Morrow maintains technical and organizational measures designed to protect Personal Data, as described in Annex B, taking into account the nature of the processing and the risks involved. Morrow may update these measures from time to time provided the overall level of protection is not materially reduced.

6. Security Incident notification

Morrow will notify the Contractor of a Security Incident affecting the Contractor’s Personal Data without undue delay, and in no event later than seventy-two (72) hoursafter Morrow becomes aware of it. The notice will describe, to the extent known, the nature of the incident, the data affected, and the measures Morrow has taken or proposes to take. Morrow will reasonably cooperate with the Contractor in investigating and mitigating the incident. Morrow’s notification is not an acknowledgment of fault or liability.

7. Subprocessors

The Contractor provides a general authorization for Morrow to engage Subprocessors to process Personal Data in providing the Service. Morrow imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA, and remains responsible for each Subprocessor’s performance. The categories of Subprocessors are described in Annex C; a current list of Subprocessors is available to the Contractor on request, subject to confidentiality obligations. Morrow will make available a means to be notified of new Subprocessors; if the Contractor reasonably objects to a new Subprocessor on data-protection grounds, the parties will work in good faith to resolve the objection, and if they cannot, the Contractor may terminate the affected portion of the Service.

8. Assistance to the Contractor

Taking into account the nature of the processing, Morrow will provide reasonable assistance to enable the Contractor to: (a) respond to requests from data subjects (end customers) to exercise their rights; (b) meet the Contractor’s own Security-Incident and notification obligations; and (c) conduct any data protection assessment or consultation required of the Contractor. Because the Contractor is the Controller of end-customer Personal Data, requests from end customers to access, correct, or delete their data are directed to the Contractor; Morrow will not respond to such a request directly except to route it to the Contractor or as the Contractor instructs, and the Contractor may also use the Data Deletion flow.

9. CCPA / CPRA Service-Provider terms

With respect to Personal Data Morrow processes as a Service Provider under the CCPA, Morrow:

• processes Personal Data solely to perform the Service for the Contractor under the Terms of Service, and for the business purposes described in this DPA;
• does not sell and does not sharePersonal Data (as “sell” and “share” are defined under the CCPA);
• does not retain, use, or disclose Personal Data outside the direct business relationship with the Contractor or for any purpose other than the business purposes specified, including not combining Personal Data with personal information received from, or on behalf of, anyone else except as the CCPA permits a Service Provider to do; and
• certifies that it understands and will comply with these restrictions.

Morrow will notify the Contractor if it determines it can no longer meet its obligations under the CCPA, and the Contractor may take reasonable steps to stop and remediate unauthorized use of Personal Data.

10. Where Personal Data is processed

Morrow processes Personal Data in the United States, by itself and its Subprocessors. The Service is operated from and intended for use in the United States.

11. Return and deletion

On expiration or termination of the Service, Morrow will, at the Contractor’s direction, delete or return Personal Data in accordance with the Data Deletion process and the retention provisions of the Privacy Policy, except to the extent Morrow is required by law to retain it. Temporary access links expire automatically.

12. Demonstrating compliance

Morrow will make available to the Contractor information reasonably necessary to demonstrate compliance with this DPA. Audit rights, where they apply, are satisfied by Morrow providing relevant documentation and responding to reasonable written security questionnaires no more than once per twelve (12) months, subject to confidentiality, except where Applicable Data Protection Law or a regulator requires otherwise.

13. Liability

Each party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

14. Order of precedence and term

This DPA is incorporated into and forms part of the Terms of Service. In case of conflict regarding the processing of Personal Data, this DPA prevails over the body of the Terms of Service. This DPA remains in effect for as long as Morrow processes Personal Data on the Contractor’s behalf.

Annex A — Details of processing

• Subject matter: provision of the Trodelo Service (AI receptionist, job and evidence management, customer communication, scheduling, and payments) to the Contractor.
• Duration:the term of the Contractor’s subscription, plus any period required to return or delete Personal Data.
• Nature and purpose:hosting, recording and transcription of inbound calls, sending SMS and email on the Contractor’s behalf, AI-assisted discovery/estimates/assessment, scheduling, and payment processing — in each case to provide the Service.
• Types of Personal Data:contact details (name, phone number, email, service address); call recordings and transcripts; photos and job evidence; job, estimate, and service records; and the Contractor’s own account and billing data.
• Categories of data subjects:the Contractor’s end customers (callers, leads, homeowners) and the Contractor’s own personnel and account users.

Annex B — Technical and organizational measures

• Encryption of Personal Data in transit (TLS) and encryption of sensitive credentials at rest.
• Access controls and role-based authorization; least-privilege access for personnel.
• Logical separation of each organization’s data within the multi-tenant Service.
• Logging and monitoring of access and processing activity.
• Use of reputable infrastructure and Subprocessors that maintain their own recognized security controls.
• Procedures to detect, respond to, and notify the Contractor of Security Incidents (Section 6).

Annex C — Subprocessors

Morrow engages Subprocessors in the following categories to provide the Service: payment processing (Stripe and Square); calendar integration (Google); and additional providers for telephony and SMS, AI and voice processing, cloud hosting and storage, and email delivery. Consistent with the Privacy Policy, Morrow does not publicly enumerate every Subprocessor; a current, named list is available to the Contractor on request under a confidentiality obligation.

Contact

Questions about this DPA, or a request for the Subprocessor list, may be sent to:
Morrow Systems Group LLC
[email protected]