This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller" or "Customer") and Twomiah Software Ventures ("Processor"), and governs the processing of Personal Data under applicable data protection laws, including the General Data Protection Regulation (GDPR).
1. Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person
- "Processing" — any operation performed on Personal Data (collection, storage, use, transmission, deletion)
- "Controller" — the entity that determines the purposes and means of processing (you, the Customer)
- "Processor" — the entity that processes data on behalf of the Controller (Twomiah)
- "Sub-processor" — a third party engaged by the Processor to process Personal Data
2. Scope & Roles
The Controller determines the purposes of processing. The Processor processes Personal Data solely on the Controller's documented instructions and solely for the purpose of providing the Service.
The Processor shall not:
- Sell Personal Data
- Use Personal Data for purposes unrelated to providing the Service
- Process Personal Data in a manner inconsistent with the Controller's instructions
3. Nature & Purpose of Processing
Processing activities include hosting, storage, transmission, display, and support services necessary to operate the Twomiah platform. This includes:
Categories of Data
- Name, email address, phone number, business address
- Account credentials (passwords are stored only as bcrypt hashes, never in plaintext)
- Business data (contacts, jobs, quotes, invoices, schedules)
- Payment information (processed by Stripe; not stored by Twomiah)
- Usage data and device information
- Communications (email sent via SendGrid, SMS sent via Twilio)
- Uploaded files, photos, and documents
Categories of Data Subjects
- Customers (businesses using Twomiah products)
- End users (employees, clients, and contacts within customer accounts)
4. Processor Obligations
4.1 Follow Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required by applicable law.
4.2 Confidentiality
The Processor shall ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.
4.3 Security Measures
The Processor shall implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Dedicated, isolated database instances per customer
- Role-based access controls
- Password hashing (bcrypt, cost factor 12)
- Short-lived JWT authentication tokens
- Error monitoring with PII scrubbing (Sentry)
- Environment-based secret management
Full details are published at twomiah.com/security.
4.4 Data Minimization
The Processor shall only process Personal Data that is necessary for service delivery.
5. Sub-Processors
The Processor may engage Sub-processors to assist in providing the Service. The Processor shall:
- Ensure Sub-processors are bound by equivalent data protection obligations
- Remain liable for the actions of its Sub-processors
- Maintain a current list of Sub-processors at twomiah.com/sub-processors
- Provide notice of new Sub-processors where required by applicable law
6. Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests, including:
- Access requests
- Correction requests
- Deletion requests ("right to be forgotten")
- Data portability requests
- Objection to processing
The Processor will respond to assistance requests within a reasonable timeframe that allows the Controller to meet its own statutory response deadlines.
7. Data Breach Notification
The Processor shall:
- Notify the Controller without undue delay after becoming aware of a Personal Data breach
- Provide the details the Controller needs for its own notification, including the nature of the breach, the categories of data and data subjects affected, the likely consequences, and the mitigation steps taken or proposed
- Cooperate with the Controller in meeting any breach notification obligations under applicable law
8. Data Retention & Deletion
Upon termination of the Service:
- Customer data will be available for export for 30 days
- After 30 days, data will be permanently deleted
- Backups are retained on a rolling 30-day basis, so any backup copy of the data expires within 30 days of its deletion from production
- Certain data may be retained where required by law (e.g., payment records for 7 years)
9. Audits
The Processor shall:
- Provide information reasonably necessary to demonstrate compliance with this DPA
- Allow reasonable audits by the Controller or an authorized third-party auditor, subject to confidentiality obligations, reasonable notice, and security safeguards
10. International Transfers (Standard Contractual Clauses)
Where Personal Data is transferred outside the European Economic Area (EEA), the parties agree to the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows; for transfers outside the United Kingdom, those clauses apply together with the International Data Transfer Addendum issued by the UK Information Commissioner's Office:
Module 2: Controller → Processor
Data Exporter: Customer (Controller)
Data Importer: Twomiah Software Ventures (Processor)
Description of Transfer
Personal Data as described in Section 3 of this DPA is transferred on a continuous basis for the duration of the Service.
Technical & Organizational Measures
As described in Section 4.3 and at twomiah.com/security, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Isolated per-tenant databases
- Role-based access controls
- Incident response procedures
Government Access Requests
The Processor shall:
- Review the legality of any government request for access to Personal Data
- Challenge requests that are unlawful or disproportionate where reasonable
- Notify the Controller where permitted by law
Sub-Processors (Onward Transfers)
The Processor may transfer data to Sub-processors subject to equivalent safeguards and written agreements. See twomiah.com/sub-processors.
Conflict
In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
11. Liability
Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service, except where prohibited by applicable law.
12. Governing Law
This DPA is governed by the same law as the Terms of Service (State of Wisconsin, United States), except that the Standard Contractual Clauses shall be governed by the law of the EU Member State in which the Data Exporter is established.
13. Contact
For questions about this DPA or data processing practices:
Twomiah Software Ventures
Jeremiah Phillips
2607 Beverly Hills Drive
Eau Claire, WI 54701
support@twomiah.com
(715) 864-5052