Data Processing Addendum
Effective May 24, 2026
Overview
This Data Processing Addendum ("DPA") supplements the Terms of Service and applies when ASR Enterprises LLC ("we," "Processor") processes data on behalf of a consulting client ("you," "Controller"). This includes situations where we build, host, or manage systems that collect data from your customers, employees, or other third parties.
If there is a conflict between this DPA and the Terms of Service on matters of data handling, this DPA controls.
Definitions
- Client Data: Any data, content, or information submitted to, processed by, or accessible through systems we operate or access on your behalf.
- Personal Data: Any information relating to an identified or identifiable individual within Client Data.
- Processing: Any operation performed on Client Data, including collection, storage, retrieval, transmission, analysis, and deletion.
- Subprocessor: Any third-party service we use to process Client Data.
Roles
You are the Data Controller. You determine what data is collected, why it is collected, and how it should be handled. We are the Data Processor. We process Client Data only as necessary to provide the services you have engaged us for, and only according to your instructions.
Scope of Processing
We process Client Data only to the extent necessary to perform the consulting, technology, or operational services outlined in our engagement with you. This may include:
- Building and maintaining data collection forms, ticketing systems, or intake workflows on platforms like Airtable.
- Accessing your business platforms (CRM, email marketing, website management) to perform authorized work.
- Exporting data for analysis on encrypted local devices when required for the engagement.
- Processing voter data or audience data for political campaign targeting and advertising.
We will not process Client Data for any purpose other than providing the agreed-upon services, except where required by law.
Sensitive and Regulated Data
Some engagements involve processing regulated identifiers such as government-issued ID numbers (driver's licenses, federal tax identification numbers), financial account information, or other data classified as sensitive under applicable breach notification laws. Where Client Data includes regulated identifiers:
- Such data is stored only in encrypted systems (at rest and in transit).
- Access is restricted to the minimum personnel necessary for the specific task requiring that data.
- We do not copy regulated identifiers to local devices unless strictly required, and any local copies are deleted immediately after the task is complete.
- Breach notification obligations for regulated identifiers follow the shortest applicable statutory timeline (for South Carolina, notification to affected individuals in the most expedient time possible and without unreasonable delay per the SC Identity Theft Protection Act).
If your engagement involves data subject to industry-specific regulations (insurance data, health information, financial records subject to GLBA), please identify this during engagement setup so we can implement any additional required safeguards.
Data Security
We implement technical and organizational measures to protect Client Data, including:
- Encrypted storage (at rest and in transit) on all devices and systems that store or access Client Data.
- OAuth 2.0 for authorized connections to your platforms, with automatic token refresh and no retention of expired tokens.
- Access limited to authorized personnel within ASR Enterprises LLC who need it to perform the engagement. All personnel with access to Client Data are bound by confidentiality obligations.
- Multi-factor authentication on all accounts used to access Client Data.
- No storage of Client Data in shared cloud databases or third-party storage services outside of the platforms specified in the Subprocessors section below.
Subprocessors
We use the following third-party services that may process Client Data in the course of providing our services:
| Subprocessor | Purpose | Location |
|---|---|---|
| Airtable | Data collection forms, workflow management | USA |
| Resend | Email delivery and notifications | USA |
| OpenAI | AI processing (where applicable) | USA |
| Cloudflare | Bot protection on forms | USA |
| Vercel | Application hosting | USA |
| Zapier | Workflow automation between platforms | USA |
| Shopify | E-commerce and product catalog | USA/Canada |
| Odoo | CRM and lead management | USA |
| HubSpot | CRM and customer support | USA |
| Mailchimp | Email marketing | USA |
| Squarespace | Website hosting and forms | USA |
| Stripe | Payment processing | USA |
| Slack | Team communication | USA |
| Dropbox | File storage and sharing | USA |
| Meta (Facebook/Instagram) | Advertising and social media | USA |
| | Social media management | USA |
| Anedot | Donation and payment processing | USA |
| | Advertising, analytics, workspace tools | USA |
Not all subprocessors apply to every engagement. The specific platforms involved depend on the services we provide to you. We may also connect to industry-specific platforms (insurance CRMs, nonprofit donor systems, scheduling tools, etc.) as required by your engagement. We will notify you before adding any new subprocessor that processes your Client Data.
Data Subject Requests
If we receive a request from an individual to access, correct, or delete their personal data, and that data was collected through a system we operate on your behalf, we will promptly notify you and provide reasonable assistance in responding to the request. We will not respond directly to data subject requests without your authorization, unless required by law.
Data Retention and Deletion
Client Data is retained only as long as necessary to provide the agreed-upon services. Upon termination of the engagement:
- Data stored in systems we manage on your behalf (Airtable bases, forms, etc.) will be transferred to you or deleted within 30 days of your written request.
- Data exported to local devices for analysis will be securely deleted within 30 days of engagement termination.
- OAuth tokens and access credentials will be revoked or deleted immediately.
- Data may be retained beyond these periods only where required by law or contractual obligation.
Breach Notification
If we become aware of any unauthorized access to, disclosure of, or loss of Client Data, we will notify you within 72 hours of becoming aware of the incident. The notification will include the nature of the breach, the categories and approximate number of individuals affected, and the measures taken or proposed to address the breach. We will cooperate with you and any relevant authorities in investigating and responding to the incident.
Your Obligations
As the Data Controller, you are responsible for:
- Ensuring you have the legal basis to collect and process the data you instruct us to handle.
- Obtaining any necessary consents from individuals whose data is collected through systems we operate on your behalf.
- Providing clear instructions about how Client Data should be processed.
- Complying with applicable data protection laws, including any restrictions on the types of data that may be collected through your forms and systems.
Audit Rights
Upon reasonable written request (no more than once per year), you may ask us to confirm our compliance with this DPA. We will provide written responses to reasonable questions about our data handling practices. If a written response is insufficient to resolve a specific concern, we will cooperate with a mutually agreed-upon review process at your expense. Any audit must be scoped to the specific engagement and must not interfere with our obligations to other clients.
Engagement-Specific Terms
This DPA provides baseline data processing terms. Individual consulting engagements may include additional data handling requirements (for example, specific retention periods, additional security measures, or restrictions on data use). Where an engagement agreement includes data processing terms that exceed the requirements of this DPA, the more protective terms apply.
Contact
For questions about this addendum or to make a data-related request, contact a@alexreynolds.com.