Data Processing Agreement

Effective: March 25, 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Fixty Inc. ("Fixty," "Processor," "we," or "us") and the mechanic subscribing to the Fixty platform ("Controller," "you," or "your"). It governs the processing of personal data that you entrust to Fixty through your use of the platform.

When you use Fixty to manage your customers, vehicles, jobs, quotes, invoices, and communications, you act as the data controller for the personal data of your customers. Fixty acts as the data processor, processing that data on your behalf and in accordance with your instructions as described in this DPA.

This DPA is designed to ensure compliance with applicable data protection laws, including the California Consumer Privacy Act (CCPA) and, where applicable, the General Data Protection Regulation (GDPR).

Definitions

The following terms have the meanings set out below when used in this DPA.

Controller

The natural or legal person (the mechanic) who determines the purposes and means of the processing of personal data. In the context of Fixty, the Controller is the mechanic who subscribes to the platform and enters customer data.

Processor

The natural or legal person that processes personal data on behalf of the Controller. Fixty Inc. acts as the Processor when handling customer data entered by mechanics into the platform.

Personal Data

Any information relating to an identified or identifiable natural person. In the context of Fixty, this includes customer names, phone numbers, email addresses, physical addresses, vehicle identification numbers (VINs), license plate numbers, and any other information entered into the platform that can be used to identify an individual.

Processing

Any operation or set of operations performed on personal data, whether or not by automated means. This includes collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, and destruction.

Sub-processor

A third-party service provider engaged by Fixty to assist in processing personal data on behalf of the Controller. Sub-processors are subject to contractual obligations consistent with this DPA.

Data Subject

The identified or identifiable natural person to whom personal data relates. In the context of Fixty, Data Subjects are primarily the customers of mechanics who use the platform.

Scope of Processing

Fixty processes the following categories of personal data on behalf of the Controller: customer records (names, phone numbers, email addresses, and physical addresses), vehicle data (VINs, license plate numbers, mileage, make, model, and year), job records (service descriptions, labor hours, parts used, and job status), quotes and invoices (itemized pricing, payment status, and approval records), appointment data (scheduling information and location details), and communications (SMS messages sent and received through the platform via Twilio).

This data is processed solely for the purposes of storing, organizing, and managing CRM data on behalf of the mechanic. Specific processing activities include maintaining customer and vehicle databases, generating and delivering quotes and invoices, scheduling and managing appointments, sending transactional SMS notifications, processing payment references through Stripe, and providing geocoding services through Google Maps.

Fixty does not process personal data for any purpose other than those specified by the Controller or as required by applicable law.

Obligations of the Processor

As the Processor, Fixty commits to the following obligations.

Processing on Controller Instructions

Fixty will process personal data only on documented instructions from the Controller, including with respect to transfers of personal data to a third country, unless required to do so by applicable law. If Fixty is required by law to process personal data beyond the Controller's instructions, Fixty will inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.

Confidentiality

Fixty ensures that all persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is restricted to personnel who require it to perform their duties.

Security Measures

Fixty implements and maintains appropriate technical and organizational security measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures are described in detail in the Security Measures section of this DPA.

Assistance with Data Subject Requests

Fixty will assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, to fulfill the Controller's obligation to respond to requests from Data Subjects exercising their rights under applicable data protection laws.

Breach Notification

Fixty will notify the Controller without undue delay after becoming aware of a personal data breach. The notification procedures are described in detail in the Data Breach Notification section of this DPA.

Deletion on Termination

Upon termination of the Controller's account, Fixty will delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law. The Controller may request an export of their data prior to account termination.

Security Measures

Fixty implements the following technical and organizational security measures to protect personal data processed on the platform.

Row-Level Security (RLS) is enforced at the database level through Supabase, ensuring that each mechanic can only access their own data. No mechanic can view, modify, or delete the data of another mechanic, even in the event of an application-level vulnerability.

All data is encrypted at rest using AES-256 encryption provided by Supabase's underlying infrastructure. All data transmitted between users and the platform is encrypted in transit using TLS 1.2 or higher.

Authentication is handled through JSON Web Tokens (JWT) issued by Supabase Auth. Tokens are short-lived and validated on every API request. Session management follows industry best practices for secure authentication.

Fixty conducts regular access reviews to ensure that only authorized personnel have access to production systems and personal data. Access is granted on a least-privilege basis and revoked promptly when no longer needed.

Fixty maintains incident response procedures to detect, investigate, and respond to security incidents in a timely manner. These procedures include defined roles and responsibilities, communication protocols, and post-incident review processes.

Sub-processors

The Controller authorizes Fixty to engage the following sub-processors for the processing of personal data.

Supabase Inc. (United States) provides database hosting, authentication, and real-time data services. Supabase processes and stores all personal data entered into the Fixty platform.

Stripe Inc. (United States) provides payment processing services. Stripe processes payment references, customer billing information, and subscription data.

Twilio Inc. (United States) provides SMS delivery services. Twilio processes customer phone numbers and message content for transactional notifications sent through the platform.

Google LLC (United States) provides geocoding and mapping services through the Google Maps Platform. Google processes address data to provide location-based features within the platform.

Fixty will provide the Controller with at least 30 days' advance written notice before engaging any new sub-processor. The notice will include the name of the sub-processor, the nature of the processing, and the location of processing. The Controller may object to the engagement of a new sub-processor by notifying Fixty in writing within the 30-day notice period.

Data Subject Rights

Fixty will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object to processing.

Upon receiving a Data Subject request that relates to data processed through the Fixty platform, the Controller should notify Fixty at privacy@fixty.com. Fixty will provide reasonable assistance to facilitate the Controller's response within 10 business days of receiving the request.

If Fixty receives a Data Subject request directly, Fixty will promptly redirect the request to the relevant Controller and will not respond to the Data Subject directly unless authorized by the Controller or required by law.

Data Breach Notification

In the event of a personal data breach, Fixty will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach.

The notification will include, to the extent available: a description of the nature of the breach, including the categories and approximate number of Data Subjects and personal data records concerned; the name and contact details of the point of contact at Fixty where more information can be obtained; a description of the likely consequences of the breach; and a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

Fixty will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. Fixty will document all personal data breaches, including the facts surrounding the breach, its effects, and the remedial actions taken.

Data Transfers

All personal data processed by Fixty and its sub-processors is stored and processed within the United States. Fixty does not transfer personal data outside of the United States in the ordinary course of providing the platform.

If a transfer of personal data to a country outside of the United States becomes necessary, Fixty will ensure that appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms, prior to any such transfer. Fixty will inform the Controller before making any such transfer.

Term and Termination

This DPA takes effect when the Controller creates a Fixty account and remains in effect for as long as the Controller maintains an active account on the platform.

Upon termination of the Controller's account, for any reason, Fixty will cease processing personal data on behalf of the Controller and will delete all personal data within 30 days of termination, unless retention is required by applicable law or the Controller requests a data export prior to termination.

The obligations of confidentiality, data protection, and breach notification set forth in this DPA will survive the termination of the Controller's account.

Audit Rights

The Controller may request an audit of Fixty's data processing activities and security measures to verify compliance with this DPA. Audit requests must be submitted in writing to privacy@fixty.com with at least 30 days' advance notice.

Audits may be conducted no more than once per calendar year, unless a data breach or a specific compliance concern necessitates an additional audit. Audits will be conducted during normal business hours and in a manner that minimizes disruption to Fixty's operations.

Fixty may satisfy audit requests by providing the Controller with relevant certifications, audit reports from independent third-party auditors, or other documentation that reasonably demonstrates compliance with the obligations set forth in this DPA.

Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of its obligations under applicable data protection laws to the extent such limitations are not permitted by law.

Contact

For any questions, requests, or concerns regarding this Data Processing Agreement, please contact us at privacy@fixty.com.

Questions about this document? Contact us at legal@fixty.com