Data Processing Agreement
Fix Your Cloud LLC · Last updated: May 2, 2026
1. Definitions
- "Controller" means the Customer — the organization that determines the purposes and means of processing personal data.
- "Processor" means Fix Your Cloud LLC — the entity that processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).
- "Processing" has the meaning given in GDPR Article 4(2).
- "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries (Module 2: Controller to Processor), as adopted by Commission Decision 2021/914.
- "Services" means the SpendReady Salesforce license audit services described in the Terms of Service.
2. Scope and Nature of Processing
Fix Your Cloud LLC processes personal data solely to provide the Services. The subject matter, duration, nature, purpose, type of personal data, and categories of data subjects are described in Annex I below.
Fix Your Cloud LLC processes personal data only on documented instructions from the Controller (the Terms of Service and this DPA constitute those instructions), unless required to do so by applicable law.
3. Processor Obligations
Fix Your Cloud LLC shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country.
- Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational measures as set out in Annex II.
- Respect the conditions referred to in Clause 9 (use of sub-processors) and not engage any sub-processor without prior written authorization from the Controller (general authorization is granted via the subprocessor list at getspendready.com/legal/subprocessors).
- Assist the Controller in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIAs, prior consultation).
- At the choice of the Controller, delete or return all personal data after the end of the provision of Services and delete existing copies unless required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with GDPR Article 28 obligations and allow for and contribute to audits.
4. Sub-processors
Fix Your Cloud LLC uses the sub-processors listed at getspendready.com/legal/subprocessors. The Controller grants general authorization for the use of these sub-processors, subject to the following conditions:
- Fix Your Cloud LLC will notify the Controller at least 30 days before adding or replacing any sub-processor by updating the subprocessors page and notifying active customers by email.
- The Controller may object to a new sub-processor within 14 days of notification. If no resolution is reached, the Controller may terminate the Services with a pro-rata refund.
- Fix Your Cloud LLC imposes data protection obligations on its sub-processors that are no less protective than those in this DPA.
5. Security
Fix Your Cloud LLC implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as described in Annex II. These measures include:
- Encryption of personal data in transit (TLS) and at rest (AES-256 via Supabase)
- Salesforce OAuth tokens encrypted at rest using pgsodium (libsodium) — separate from general database encryption
- Role-based access controls; production access limited to founding team members
- Error monitoring configured to scrub personal data before transmission to Sentry
- Product analytics (PostHog) configured without Salesforce org data
6. Personal Data Breach Notification
In the event of a personal data breach, Fix Your Cloud LLC shall notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Notification shall include:
- A description of the nature of the breach
- The approximate number of data subjects and records concerned
- The likely consequences of the breach
- Measures taken or proposed to address the breach
Breach notifications are sent to the email address on the account. To designate a security contact, email privacy@getspendready.com.
7. Data Subject Rights
Fix Your Cloud LLC shall, taking into account the nature of the processing, assist the Controller in responding to requests from data subjects to exercise their rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection).
To the extent the Controller cannot fulfill data subject requests directly through the SpendReady dashboard, Fix Your Cloud LLC will provide reasonable assistance upon written request to privacy@getspendready.com.
8. International Data Transfers
Fix Your Cloud LLC is based in Texas, United States. Personal data processed under this DPA is stored in the United States (Supabase us-east-1). For transfers of personal data from the European Economic Area (EEA) or United Kingdom to the United States, the parties rely on the Standard Contractual Clauses (Module 2: Controller to Processor) as the lawful transfer mechanism.
To receive a copy of the applicable SCCs or a signed DPA, please contact privacy@getspendready.com.
9. Term and Termination
This DPA remains in effect for as long as Fix Your Cloud LLC processes personal data on behalf of the Controller. Upon termination of the Services, Fix Your Cloud LLC will delete or return personal data within 30 days upon written request, and delete all remaining copies except where retention is required by applicable law.
10. Governing Law
This DPA is governed by the laws of the State of Texas. For EU/EEA data subjects, the Standard Contractual Clauses are governed by the law of the EU member state in which the Controller is established.
Annex I — Description of Processing
| Subject matter | Salesforce license utilization analysis and audit reporting |
| Duration | For the term of the Services plus up to 90 days after cancellation (data retention period) |
| Nature of processing | Collection, storage, analysis, and report generation |
| Purpose | Identifying inactive users, license waste, permission set license overallocation, and integration user security risks in the Controller's Salesforce org |
| Type of personal data | Salesforce User records (username, email, name, last login date, license type, profile); LoginHistory records; PermissionSetLicenseAssign records; AuthSession records; OAuthToken records |
| Categories of data subjects | The Controller's Salesforce users (employees, contractors, and integration accounts within the Controller's Salesforce organization) |
Annex II — Technical and Organizational Measures
- Encryption in transit: All data transmitted over TLS 1.2+
- Encryption at rest: AES-256 (Supabase managed); Salesforce OAuth tokens additionally encrypted with pgsodium (libsodium)
- Access controls: Production database access limited to founding team; role-based access enforced via Supabase Row Level Security
- Authentication: Passwordless auth via Supabase Auth (magic link); no passwords stored
- Error monitoring: Sentry configured with data scrubbing to prevent personal data inclusion in error reports
- Analytics: PostHog configured with no Salesforce org data in event properties
- Minimal data access: Salesforce OAuth limited to read-only api+refresh_token scopes; SOQL SELECT only; no access to financial, opportunity, contact, or account data
- Subprocessor contracts: All subprocessors are bound by DPAs or equivalent agreements with data protection obligations
Contact
To execute a signed DPA, request SCCs, or ask questions about data processing:
Fix Your Cloud LLC
Email: privacy@getspendready.com
Texas, United States