This DPA is incorporated into and forms part of the Gloss Terms of Service.
1. Purpose and Scope
This Data Processing Agreement ("DPA") governs the processing of personal data by Gloss Technologies, LLC ("Processor") on behalf of the Customer ("Controller") in connection with the Gloss platform. This DPA applies when the Controller uploads or inputs personal data of third parties (such as the Controller's own customers) into the Gloss platform.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Processing" means any operation performed on personal data
- "Controller" means the Gloss customer who determines the purposes and means of processing
- "Processor" means Gloss Technologies, LLC, which processes data on the Controller's behalf
- "Sub-processor" means any third party engaged by the Processor to process personal data
- "Data Subject" means the individual whose personal data is processed
3. Details of Processing
Subject matter: Operation of the Gloss detailing CRM platform
Duration: For the term of the Controller's subscription to Gloss
Nature and purpose: Storage, retrieval, and processing of customer data to provide CRM, scheduling, invoicing, SMS, and portal services
Types of personal data: Names, phone numbers, email addresses, postal addresses, vehicle information, service history, photos, payment information
Categories of data subjects: The Controller's customers and prospective customers
4. Processor Obligations
The Processor agrees to:
- Process personal data only on documented instructions from the Controller (including as set forth in the Terms of Service)
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage new sub-processors without prior general or specific authorization
- Assist the Controller in responding to data subject requests (access, correction, deletion, portability)
- Notify the Controller of any personal data breach within 72 hours of becoming aware of it
- Delete or return all personal data upon termination of the DPA, at the Controller's choice
- Make available all information necessary to demonstrate compliance with this DPA
5. Controller Obligations
The Controller agrees to:
- Have a lawful basis for processing personal data entered into Gloss
- Provide data subjects with adequate notice about how their data is processed
- Obtain all necessary consents (including SMS consent under TCPA)
- Ensure personal data entered into Gloss is accurate and up-to-date
- Only instruct the Processor to process personal data in ways that comply with applicable law
6. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database and authentication | USA / EU |
| Stripe Inc. | Payment processing | USA |
| Twilio Inc. | SMS delivery | USA |
| Resend Inc. | Transactional email | USA |
| OpenAI, LLC | AI feature processing | USA |
| Vercel Inc. | Application hosting | USA / Global |
| Inngest Inc. | Background job processing | USA |
The Processor will notify the Controller of any planned changes to sub-processors and give the Controller an opportunity to object. Notice will be provided via email or in-platform notification at least 14 days before the change takes effect.
7. International Data Transfers
Personal data may be transferred to and processed in the United States and other countries where our sub-processors operate. For transfers from the European Economic Area (EEA) or United Kingdom, we rely on:
- Standard Contractual Clauses (SCCs) with sub-processors
- Adequacy decisions where applicable
8. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security ensuring each Controller's data is isolated
- Access controls and authentication requirements
- Regular security testing and vulnerability assessments
- Incident response procedures
- Employee confidentiality agreements
9. Data Subject Rights
When a data subject exercises a right (access, deletion, portability, correction) with respect to data held by the Processor:
- The Processor will, where possible, inform the Controller and provide relevant data to assist the Controller in responding
- The Processor will not respond directly to data subjects on the Controller's behalf without the Controller's prior authorization
- The Controller remains responsible for responding to data subject requests within required timeframes
10. Data Breach Notification
In the event of a personal data breach affecting Controller data, the Processor will:
- Notify the Controller within 72 hours of becoming aware of the breach
- Provide information including the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
- Cooperate with the Controller's investigation and remediation efforts
11. Termination
This DPA terminates automatically upon termination of the Gloss Terms of Service. Upon termination:
- The Processor will retain Controller data for 30 days to allow data export
- After 30 days, all personal data will be deleted or anonymized, unless retention is required by law
- The Processor will provide written confirmation of deletion upon request
12. Contact
For data protection inquiries:
Gloss Technologies, LLC
Email: legal@gloss.app