Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the Contractor (“you”) and Toverra Ltd (“Toverra”) and governs our processing of personal information on your behalf.
1. Roles
- For Homeowner data ingested from your Jobber account and used for extraction and scoring, you are the controller / business and Toverra is the processor / service provider, processing only on your documented instructions.
- Carve-out for outreach email: when the Service sends email, Toverra acts as the sender of record under CAN-SPAM and, for that limited purpose, as a controller — but acts only on your documented instruction, using recipients and content you select or approve. You remain responsible for the lawful basis to contact each recipient.
2. Scope of processing
- Subject matter: provision of the Toverra Service.
- Categories of data subject: your customers (homeowners) and your personnel.
- Categories of personal data: identifiers and contact details (name, address, email, phone), service/equipment history and notes, and data we derive (estimated age, scores, suppression status, email events).
- Purpose: equipment-age estimation, replacement scoring, and sending outreach email on your instruction.
3. Our obligations as processor / service provider
- process personal information only on your documented instructions and for the purposes of providing the Service;
- not retain, use, or disclose personal information for any purpose other than performing the Service, and not for our own commercial benefit;
- not sell or share personal information, and not pool or combine it with data from any other source or customer except as permitted by applicable law to provide the Service;
- impose confidentiality obligations on personnel with access;
- implement the security measures in Section 6.
4. CCPA / CPRA service-provider terms
The parties acknowledge that you disclose personal information to Toverra only for the limited and specified business purpose of providing the Service. Toverra is a service provider and shall not: (a) sell or share the personal information; (b) retain, use, or disclose it for any purpose other than the business purposes specified, including outside the direct business relationship; or (c) combine it with personal information from other sources except as permitted for a service provider. Toverra certifies that it understands and will comply with these restrictions.
5. Sub-processors
You authorise Toverra to engage the sub-processors listed on our sub-processor page, each bound by terms no less protective than this DPA. We will give notice of new sub-processors with a reasonable opportunity to object; if you reasonably object on data-protection grounds, you may terminate the affected Service.
6. Security
- encryption of sensitive data (including access tokens) at rest and TLS in transit;
- strict per-tenant isolation enforced at the database level;
- access controls and least-privilege;
- exclusion of customer personal information from error-reporting tooling.
7. Personal-data breach
We will notify you without undue delay after becoming aware of a personal-data breach affecting your data, with information reasonably available to help you meet your own notification obligations. As controller, you are responsible for notifying affected individuals and regulators where required.
8. Assistance and data-subject requests
We will provide reasonable assistance to help you respond to data-subject requests (access, correction, deletion, portability, opt-out) and to meet your security, breach-notification, and impact-assessment obligations. If we receive a request directly from a Homeowner, we will action it and/or refer it to you as controller.
9. CAN-SPAM and outreach warranties
For any outreach you instruct us to send, you warrant that:
- you have a lawful basis and the right to send marketing email to each recipient, and do not use purchased, rented, or scraped lists;
- recipients are in the United States; you will not target Canadian recipients unless you have CASL-compliant express consent;
- you maintain an accurate physical postal address and reply-to that are included in every message.
Toverra will, as sender of record, include accurate header information, your physical postal address, and a working one-click and visible unsubscribe link in every message, and will honour opt-outs promptly.
10. Deletion and return
On disconnection or termination, we will delete your Customer Data and the data we derived from it, and revoke stored access tokens. We can certify deletion on request, subject to any minimal records we must retain to comply with law or to ensure opted-out recipients are not contacted again.
11. International transfers
We process data in the United Kingdom and via US-based sub-processors. Where personal data subject to UK or EU data-protection law is involved, the parties will put in place an appropriate transfer mechanism (for example the UK IDTA or EU Standard Contractual Clauses).
12. General
This DPA is governed by the same law as the Terms. In the event of a conflict between this DPA and the Terms regarding processing of personal information, this DPA controls. Contact: privacy@toverra.com.