Data Processing Addendum

Effective Date: June 27, 2026

1. Introduction

This Data Processing Addendum (“DPA”) supplements and forms part of the Terms of Use (the “Agreement”) between Superlab LLC dba ContentsOps (“Company,” “we,” “us”) and the business customer that uses the Service (“Subscriber,” “you”). It governs our processing of Personal Data on the Subscriber's behalf in connection with the ContentsOps platform. Capitalized terms not defined here have the meanings given in the Agreement and our Privacy Policy. In the event of a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.

2. Roles of the Parties

For Personal Data that the Subscriber and its Authorized Users enter into or generate through the Service—including End Customer data, employee and Authorized User data, time and location records, photographs, and operational data—the Subscriber is the controller (or “business” under the California Consumer Privacy Act) and the Company is the processor (or “service provider”). The Company processes such Personal Data only on the Subscriber's documented instructions, including as set out in the Agreement, this DPA, and the Subscriber's configuration of the Service, except where otherwise required by applicable law (in which case we will inform the Subscriber unless legally prohibited).

The Company does not “sell” or “share” Personal Data (as those terms are defined under applicable U.S. state privacy laws) and does not retain, use, or disclose Personal Data for any purpose other than performing the Service or as otherwise permitted by applicable law.

3. Scope and Purpose of Processing

  • Subject matter: provision of the ContentsOps field-operations platform.
  • Duration: the term of the Agreement, plus the limited periods described in Section 8 for return and deletion.
  • Nature and purpose: hosting, storage, transmission, scheduling, time and location tracking, document and photo management, notifications, and related operational processing performed to deliver the Service.
  • Categories of data subjects: the Subscriber's employees, contractors, and field personnel (Authorized Users); and the Subscriber's End Customers, including homeowners, property managers, insurance adjusters, and other contacts.
  • Categories of Personal Data: identifiers (name, email, phone); professional/employment data; precise geolocation collected during active work sessions; time and attendance records; property addresses and details; photographs and documents (which may include device metadata); and technical/usage data, as further described in our Privacy Policy.
  • Sensitive data: precise geolocation, which is treated as sensitive personal information under certain U.S. state laws and is processed solely to provide the timekeeping, dispatch, and navigation features the Subscriber enables.

4. Confidentiality and Security

The Company restricts access to Personal Data to personnel who need it to provide the Service and who are bound by confidentiality obligations. The Company maintains technical and organizational security measures consistent with those described in Section 6 of our Privacy Policy, including encryption in transit and at rest, organization-level data isolation, role-based access controls, multi-factor authentication for administrative access, and audit logging.

5. Sub-Processors

The Subscriber provides general authorization for the Company to engage the sub-processors listed at contentsops.com/subprocessors to process Personal Data in connection with the Service. The Company remains responsible for its sub-processors' performance of their obligations and imposes data protection terms on them that are consistent with this DPA.

The Company will provide notice of any new sub-processor (for example, by updating the sub-processor page and, where the Subscriber subscribes to notifications, by email) before that sub-processor begins processing Personal Data, giving the Subscriber a reasonable opportunity to object on reasonable data-protection grounds. If the Subscriber reasonably objects and the parties cannot resolve the objection, the Subscriber's remedy is to terminate the affected portion of the Service.

6. Assistance with Data Subject and Compliance Requests

Taking into account the nature of the processing, the Company will provide reasonable assistance to enable the Subscriber to respond to requests from individuals exercising their rights under applicable privacy laws (such as access, correction, deletion, and limiting the use of sensitive personal information), and to meet the Subscriber's own obligations for data protection assessments and consultations, in each case insofar as the Subscriber cannot reasonably fulfill the request through the self-service functionality of the Service. If the Company receives such a request directly from a data subject, it will, where permitted, direct the individual to the relevant Subscriber.

7. Security Incident Notification

The Company will notify the affected Subscriber without undue delay after becoming aware of a confirmed security incident that compromises the security, confidentiality, or integrity of the Subscriber's Personal Data, and will provide information reasonably available to the Company to assist the Subscriber in meeting its own breach notification obligations. The Company's notification is not an acknowledgment of fault or liability.

8. Return and Deletion of Personal Data

Following expiration or termination of the Agreement, the Company will make Subscriber Data available for export for the period stated in the Agreement (currently 30 days), after which the Company will delete or anonymize Personal Data within the period stated in the Agreement (currently within 90 days), except where retention is required by applicable law or is part of routine backup cycles that are subsequently overwritten.

9. Audits

Upon reasonable prior written request, and no more than once per twelve-month period (unless required by a supervisory authority or following a security incident), the Company will make available information reasonably necessary to demonstrate compliance with this DPA, which may take the form of third-party reports, certifications, or written responses to a reasonable security questionnaire. Any on-site audit is subject to reasonable scheduling, scope, confidentiality, and cost-allocation terms agreed by the parties and must not disrupt the Company's operations or compromise the security of other customers' data.

10. International and Cross-Border Processing

The Service is operated for businesses located in the United States and Canada, and Personal Data is primarily stored and processed in the United States. The Subscriber is responsible for ensuring that its transfer of Personal Data to the Company is lawful under the laws applicable to the Subscriber, including any Canadian provincial requirements regarding cross-border processing.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

12. Contact

Questions about this DPA, or requests for a countersigned copy, may be directed to:

Superlab LLC dba ContentsOps
Attn: Privacy Inquiries
Email: privacy@contentsops.com
Website: https://contentsops.com