Data Processing Agreement

Information about how we process personal data as a data controller and processor.

This Data Processing Agreement (DPA) outlines how Heffl Ventures - LLC processes personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR). This document provides information about our role as a data controller and, where applicable, as a data processor.

1

Purpose and Scope

This DPA applies to all personal data processing activities conducted by Heffl Ventures - LLC in the course of providing our services. It covers:

  • Personal data collected directly from users
  • Personal data processed on behalf of our customers
  • Personal data shared with third-party service providers
  • Data transfers across borders

This agreement supplements our Privacy Policy and Terms of Service.

2

Data Controller and Processor Information

Data Controller: Heffl Ventures - LLC is the data controller for personal data collected directly from users of our website and services. As a data controller, we determine the purposes and means of processing personal data.

Data Processor: When our customers use our services to process their own data or data of their clients, we act as a data processor. In such cases, our customers are the data controllers, and we process data according to their instructions and in accordance with this DPA.

Contact Information:
Heffl Ventures - LLC
Email: [email protected]

3

Types of Data Processed

We process the following categories of personal data:

  • Identity Data: Name, email address, phone number, postal address
  • Account Data: Username, password (hashed), account preferences, subscription information
  • Business Data: Company name, business information, payment details
  • Usage Data: Website usage, feature usage, interaction data
  • Technical Data: IP address, browser type, device information, cookies
  • Google Workspace Data: When authorized, data from Google Calendar, Gmail, Contacts, and Drive
  • Customer Content: Data entered by users into our platform, including client information, projects, invoices, and other business data

4

Processing Purposes

We process personal data for the following purposes:

  • Service Delivery: To provide, maintain, and improve our services
  • Account Management: To manage user accounts, subscriptions, and billing
  • Customer Support: To respond to inquiries, provide support, and resolve issues
  • Communication: To send service-related communications, updates, and notifications
  • Analytics: To analyze usage patterns and improve our services (with consent)
  • Security: To protect against fraud, abuse, and security threats
  • Legal Compliance: To comply with applicable laws and regulations
  • Business Operations: To manage our business operations and relationships

5

Security Measures

We implement comprehensive technical and organizational measures to protect personal data:

  • Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
  • Access Controls: Role-based access controls, authentication, and authorization mechanisms
  • Network Security: Firewalls, intrusion detection, and monitoring systems
  • Data Backup: Regular backups with secure storage and recovery procedures
  • Security Audits: Regular security assessments and vulnerability testing
  • Employee Training: Security awareness training and confidentiality agreements
  • Incident Response: Procedures for detecting, reporting, and responding to security incidents

For more detailed information about our security measures, please see our Privacy Policy.

6

Data Retention

We retain personal data only for as long as necessary to fulfill the purposes outlined in this DPA, unless a longer retention period is required or permitted by law. Our retention periods are based on:

  • The purpose for which the data was collected
  • Legal and regulatory requirements
  • Contractual obligations
  • Legitimate business interests

When data is no longer needed, we securely delete or anonymize it in accordance with our data retention policies. Account data is typically deleted within 30 days of account closure, unless retention is required for legal or regulatory purposes.

7

Sub-Processors

We may engage third-party service providers (sub-processors) to assist in providing our services. These sub-processors process personal data on our behalf and are contractually bound to:

  • Process data only according to our instructions
  • Implement appropriate security measures
  • Comply with applicable data protection laws
  • Not use data for their own purposes

Categories of Sub-Processors:

  • Cloud hosting and infrastructure providers
  • Payment processors
  • Analytics and monitoring services
  • Customer support tools
  • Email service providers
  • Backup and storage services

We maintain a list of our key sub-processors. For a complete and up-to-date list, please see our Subprocessors page. We will notify customers of any material changes. If you require specific information about our sub-processors, please contact us.

8

Data Transfers

Personal data may be transferred to and processed in countries outside the EU/EEA/UK. When we transfer data to countries that are not considered to have adequate data protection laws, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses approved by the European Commission
  • Binding Corporate Rules where applicable
  • Other appropriate safeguards as required by GDPR

By using our services, you consent to the transfer of your data to these countries in accordance with this DPA and our Privacy Policy.

9

Data Subject Rights

We respect and facilitate the exercise of data subject rights under applicable data protection laws, including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision-making

For detailed information about your rights and how to exercise them, please see our Data Subject Rights page.

10

Contact for DPA Requests

If you have questions about this Data Processing Agreement or need to request a formal DPA for your organization, please contact us:

For EU/UK specific inquiries, you may also contact our GDPR representatives as outlined in our Privacy Policy.

11

Updates to This Agreement

We may update this Data Processing Agreement from time to time to reflect changes in our practices, services, or legal requirements. We will notify you of any material changes by posting the updated agreement on this page and updating the "Last updated" date. Continued use of our services after such changes constitutes acceptance of the updated agreement.

Last updated: 12/3/2025