Data Processing Addendum
Effective date: 2026-05-21. Last updated: 2026-05-21.
1. Parties and scope
This Data Processing Addendum ("DPA") supplements the Terms of Service between the Customer ("Controller") and Simplified Strategy Consulting, LLC, located at 2801 N Van Dyke Rd, Imlay City, MI 48444, USA ("Processor" or "SSC"). It governs the Processor's processing of personal data on behalf of the Controller in connection with the QBI Tracker service (the "Service").
2. Definitions
Capitalized terms not defined here have the meanings given in the Terms of Service. "Applicable Data Protection Law" means all laws that apply to the processing of personal data under this DPA, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act / California Privacy Rights Act ("CCPA/CPRA"), as applicable.
3. Subject matter and duration
Subject matter: the provision of the Service. Duration: for as long as the Processor processes personal data on behalf of the Controller under the Terms.
4. Nature and purpose of processing
Hosting, processing, and presenting Customer-provided sales and performance data within Controller-defined workspaces; authentication; notifications; audit logging; backup; and the security and operation of the Service.
5. Categories of data subjects and personal data
- Data subjects: Controller's employees, agents, sales representatives, contractors, and other individuals whose information is included in workspace data.
- Categories of personal data: name, work email, role within the organization, sales-performance metrics, audit/security events, and any other personal data Controller chooses to upload.
- Special categories: none expected. Controller agrees not to upload special-category data (e.g., health, biometric, religious) without a separate written agreement.
6. Processor obligations
- Process personal data only on the Controller's documented instructions, including those set out in the Terms and this DPA.
- Ensure personnel authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Annex 1).
- Assist the Controller with data-subject requests, security incident response, data protection impact assessments, and consultations with supervisory authorities, taking into account the nature of processing.
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting the Controller's data.
- At the Controller's choice, delete or return all personal data at the end of the provision of services, subject to the retention windows described in the Privacy Policy and any legal retention obligation.
7. Sub-processors
The Controller authorizes the Processor to engage the sub-processors listed in Annex 2. The Processor will give the Controller at least thirty (30) days' prior notice of any intended addition or replacement of sub-processors, during which the Controller may object on reasonable data-protection grounds. The Processor remains liable for the acts and omissions of its sub-processors to the same extent as for its own acts.
8. International transfers
The Processor and its sub-processors process personal data in the United States. Where personal data of European or UK data subjects is transferred outside the EEA or UK, the parties rely on the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor) and, where applicable, the UK International Data Transfer Addendum, each incorporated by reference and amended as necessary to reflect this DPA. Annex 3 sets out the transfer details.
9. Audits
The Processor will make available to the Controller information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. Such audits will: (a) occur no more than once per year, except where required by a supervisory authority or following a confirmed personal data breach; (b) be at the Controller's expense; (c) be conducted during business hours with reasonable prior written notice; and (d) respect the confidentiality and security of other Processor customers.
10. CCPA / CPRA terms
When the Processor acts as a "service provider" under CCPA/CPRA, the Processor will not: (a) sell or share personal information; (b) retain, use, or disclose personal information for any purpose other than the business purposes specified in the Terms and this DPA; or (c) combine personal information received from the Controller with personal information received from any other source, except as permitted by CCPA/CPRA.
11. Order of precedence
In the event of any conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls.
Annex 1 — Technical and organizational measures
- Transport encryption (TLS 1.2+) for all network connections to the Service.
- Encryption at rest on AWS-managed disks (RDS, EBS).
- Role-based access control within the Service; principle of least privilege for SSC personnel.
- Multi-tenant isolation at the application layer with tenant_id scoping on every query path.
- Audit logging of significant events for 365 days.
- Routine encrypted backups; restore tested.
- One-time-passcode authentication; provision for TOTP and SSO on Enterprise plans.
- Security incident response process with 72-hour Customer notification commitment.
Annex 2 — Authorized sub-processors
- Amazon Web Services, Inc. — hosting, managed Postgres (RDS), email (SES). Region: US-East-1.
- Stripe, Inc. — payment processing and subscription management.
Annex 3 — Transfer details
- Data exporter: the Controller.
- Data importer: Simplified Strategy Consulting, LLC, 2801 N Van Dyke Rd, Imlay City, MI 48444, USA.
- Categories of data subjects and data: as set out in Section 5.
- Frequency of transfer: continuous.
- Nature and purpose of processing: as set out in Section 4.
- Period for which personal data will be retained: as set out in the Privacy Policy § 6.
- Competent supervisory authority: as designated by the Controller's establishment under GDPR Article 56, or absent such establishment, the supervisory authority of the Member State in which the relevant data subjects are located.
Contact
DPA requests and signed counter-signatures may be sent to: privacy@simplifiedstrategyconsulting.com.