Data Processing Agreement
Last updated: February 20, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between FixReminder ("Processor") and the customer ("Controller") and governs the processing of personal data in connection with the FixReminder service.
1. Definitions
- Controller: The customer who determines the purposes and means of processing personal data (you, the FixReminder account holder).
- Processor: FixReminder, which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
- Processing: Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or erasure.
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope and Purpose
This DPA applies to all personal data processed by FixReminder in the course of providing the property maintenance scheduling and landlord CRM service. The categories of data processed include:
- Account data (email, password hash, phone number)
- Property and unit information
- Tenant contact information and lease details
- Maintenance task records and completion history
- Communication logs (email, SMS)
- Payment information (processed by Stripe)
3. Processor Obligations
FixReminder as Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure that persons authorized to process personal data have committed to confidentiality
- Implement appropriate technical and organizational security measures
- Not engage another processor without prior written authorization from the Controller
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability)
- Delete or return all personal data upon termination of the service, at the Controller's choice
- Make available all information necessary to demonstrate compliance with GDPR obligations
4. Sub-processors
FixReminder uses the following sub-processors to provide the service. The Controller authorizes the use of these sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Hosting, CDN, and serverless compute | United States |
| Supabase Inc. | PostgreSQL database hosting | United States |
| Stripe Inc. | Payment processing and billing | United States |
| Resend Inc. | Transactional email delivery | United States |
| Twilio Inc. | SMS messaging | United States |
| Google LLC (Firebase) | Push notifications (FCM/APNs) | United States |
| Google LLC (Analytics) | Website analytics and usage reporting | United States |
FixReminder will inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.
5. Technical and Organizational Measures
FixReminder implements the following measures to protect personal data:
- Encryption in transit: All data is transmitted via TLS 1.2 or higher
- Encryption at rest: Database encryption (AES-256) provided by Supabase
- Password hashing: bcrypt with cost factor 12
- Access control: Role-based access, organization-scoped data isolation
- Input validation: Zod schema validation on all API inputs
- SQL injection prevention: Prisma ORM with parameterized queries
- CSRF protection: Token-based CSRF protection via NextAuth
- Audit logging: Administrative actions logged with timestamps and change details
6. Data Breach Notification
In the event of a personal data breach, FixReminder will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include:
- The nature of the breach, including categories and approximate number of data subjects affected
- The name and contact details of the data protection point of contact
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
7. International Data Transfers
Personal data is processed in the United States. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, FixReminder relies on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Sub-processor-specific transfer mechanisms (e.g., Stripe's and Google's SCCs)
8. Audit Rights
The Controller has the right to audit FixReminder's compliance with this DPA. Audit requests should be submitted in writing with reasonable notice. FixReminder will provide reasonable cooperation and access to relevant documentation.
9. Data Deletion on Termination
Upon termination of the service or at the Controller's request, FixReminder will:
- Provide the Controller with the ability to export their data (available in Settings)
- Delete all personal data within 30 days of account deletion, except where retention is required by law
- Cascade-delete all associated records (properties, tasks, tenants, leases, messages, etc.)
- Confirm deletion in writing upon request
10. Contact
For questions about this DPA or to exercise your rights, contact us at: customerservice@fixreminder.com