Data Processing Addendum
Effective: April 26, 2026
This Data Processing Addendum ("DPA") forms part of the Hailroad Terms of Service between Customer ("Controller") and Digital Architects, operator of Hailroad ("Processor"), and applies when Customer Data includes personal data subject to GDPR, UK GDPR, CCPA, or other applicable data protection laws.
1. Roles
Customer is the data controller of personal data it inputs into Hailroad (e.g., contact names, phone numbers, addresses of homeowners or property managers). Hailroad is the data processor and processes such personal data on Customer's behalf and instructions.
2. Scope & purpose
Hailroad processes Customer's personal data only to deliver the Service: knock list management, lead pipeline, roof measurement, document generation, and account administration.
3. Sub-processors
Customer authorizes Hailroad to engage the sub-processors listed in our Privacy Policy Section 4. We will give Customer 30 days' notice before adding new sub-processors. Customer may object in writing; if we cannot accommodate the objection, Customer may terminate without penalty.
4. Security
- TLS 1.3 in transit, encryption at rest (Supabase / Vercel managed)
- Row-Level Security enforcing workspace isolation
- Service-role credentials stored in Vercel encrypted env vars only
- Daily encrypted backups, point-in-time recovery
- Access to production data restricted to authorized personnel and audit-logged
5. Data subject requests
We will assist Customer in responding to data subject requests (access, deletion, correction, portability) within 5 business days of Customer's notice, where technically feasible.
6. Breach notification
We will notify Customer without undue delay (and within 72 hours) of becoming aware of any unauthorized access, loss, or disclosure of Customer Data, including a description of the nature, scope, likely consequences, and mitigating actions taken.
7. International transfers
Customer Data is hosted in US-based data centers. For Customers transferring personal data from the EU/UK to the US, we rely on Standard Contractual Clauses (Module 2: Controller to Processor) which are incorporated by reference. A signed copy is available on request.
8. Audit
On Customer's reasonable written request (no more than once per 12 months), we will provide a summary of our security and processing practices. For Operation and Enterprise tier Customers we will support a third-party audit at Customer's expense, conducted under NDA.
9. Return / deletion
On termination, Customer may export all Customer Data within 30 days. Thereafter we delete Customer Data from production systems and from backups within 90 days, except where law requires longer retention.
10. Liability
Liability under this DPA is governed by the limitation of liability in the Terms of Service.
11. Contact
Privacy / DPA questions: hello@hailroad.com