Data Processing Agreement
Last updated: March 2, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between the organization owner (“Controller”) and Person Trail, Inc. (“Processor”) for the use of the Person Trail service at persontrail.com (“Service”). This DPA governs how the Processor handles personal data on behalf of the Controller in compliance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable data protection laws.
By using Person Trail, the Controller agrees to this DPA. If you do not agree, please do not use the Service.
1. Definitions
Controller: The organization owner who determines the purposes and means of processing personal data through the Service. Each Person Trail organization account represents a separate Controller.
Processor: Person Trail, Inc., which processes personal data on behalf of the Controller to deliver the Service.
Sub-processor: A third-party service provider engaged by the Processor to assist in processing personal data. A full list of sub-processors is provided in Section 4.
Personal Data: Any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, physical addresses, and job-related data processed through the Service.
Processing: Any operation performed on personal data, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
Data Subject: An identifiable natural person whose personal data is processed through the Service, including organization owners, crew members, and any other individuals whose data is entered into Person Trail.
2. Scope of Processing
Categories of personal data processed:
- Crew Member PII: Names, email addresses, phone numbers, skill sets, availability, location, and performance ratings of crew members entered by the Controller.
- Job data: Property addresses, job descriptions, scheduling information, assignment records, status updates, and job outcome data (completion times, duration estimates vs. actuals).
- Account data: Organization owner names, email addresses, hashed passwords, company names, and Stripe customer identifiers.
- Usage data: IP addresses, browser type, device information, pages visited, features used, and actions taken within the Service.
- Communication data: Transactional email records, notification delivery logs, and assignment accept/decline responses.
- AI interaction data: Messages, prompts, and questions submitted to the AI chat assistant and content suggestion features. This data is transmitted to Groq for large language model processing and is not persisted on the Processor's servers after the session ends. Usage metrics (daily message counts) are recorded for quota enforcement.
- Calendar data: When individual users opt in to Google Calendar sync, calendar event data (event titles, times, descriptions, and locations) is read from and written to the user's Google Calendar. OAuth tokens (access and refresh) are stored encrypted (AES-256-GCM) for maintaining the connection. This integration is per-user and opt-in.
Purposes of processing:
- Service delivery: Operating the platform, authenticating users, managing organizations, and maintaining data isolation between tenants.
- Scheduling and assignment: Matching crew members to jobs based on skills, availability, workload, travel distance, priority, and (on paid plans) historical performance data.
- Notifications: Sending transactional emails for job assignments, status updates, password resets, and magic link authentication.
- Payment processing: Managing subscriptions and billing through Stripe.
- Security and compliance: Maintaining audit logs, enforcing rate limits, detecting abuse, and preventing unauthorized access.
- AI feature provision: Processing user prompts through Groq's large language model API to generate chat responses and content suggestions. Usage is tracked for tier-based quota enforcement.
Data subjects:
- Organization owners: Individuals who create and manage Person Trail accounts with the OWNER role.
- Crew Members: Individuals added to the platform by organization owners, who may access the Service through the crew portal.
3. Processor Obligations
Documented instructions: The Processor will process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization, unless required to do so by applicable law. In such a case, the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
Confidentiality: The Processor ensures that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is restricted to personnel who require it to operate, maintain, and support the Service.
Security measures: The Processor implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures are detailed in Section 6.
Sub-processor management: The Processor will not engage a new sub-processor without providing the Controller with prior notice and the opportunity to object. The Processor imposes data protection obligations on each sub-processor by way of contract, providing at least the same level of protection as set out in this DPA.
Assistance to the Controller: Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR.
Deletion or return: At the choice of the Controller, the Processor will delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the personal data. Details are provided in Section 8.
4. Sub-processors
The Processor uses the following sub-processors to deliver the Service. Each sub-processor processes only the minimum data necessary for its stated purpose:
Vercel, Inc.
Purpose: Application hosting, serverless function execution, content delivery network (CDN), and edge caching. Vercel processes request metadata (IP addresses, HTTP headers) as part of serving the application.
Location: United States
Neon, Inc.
Purpose: Managed PostgreSQL database hosting. All user, organization, contractor, job, and scheduling data is stored in Neon. Data is encrypted at rest using AES-256 and in transit using TLS.
Location: US East (AWS us-east-1)
Resend, Inc.
Purpose: Transactional email delivery. Email addresses and email content are shared with Resend to deliver notifications including job assignments, status updates, password resets, and magic link authentication emails.
Location: United States
Stripe, Inc.
Purpose: Payment processing and subscription management. Stripe processes payment card details, billing addresses, and transaction records. Person Trail does not store payment card details directly. Stripe's own Data Processing Agreement applies to data handled by Stripe.
Location: United States
Cloudflare, Inc.
Purpose: CAPTCHA verification (Turnstile) for bot protection and abuse prevention during authentication flows. Cloudflare processes request metadata (IP addresses, browser fingerprints) to distinguish legitimate users from automated traffic.
Location: Global (edge network)
Pusher, Ltd.
Purpose: Real-time WebSocket notification delivery. Pusher transmits instant status updates and notifications within the dashboard. Channel names are scoped to organization IDs. No personal data is stored by Pusher beyond the duration of active connections.
Location: United States (US East cluster)
Upstash, Inc.
Purpose: Redis-based rate limiting. Upstash processes hashed IP addresses and request counts to enforce rate limits on API endpoints and authentication flows. No personal data beyond hashed identifiers is stored, and rate limit records expire automatically.
Location: United States
Groq, Inc.
Purpose: Large language model inference for AI-powered features including the chat assistant and content suggestions. User prompts and messages are transmitted to Groq's API for processing. Groq processes prompts to generate responses. Chat sessions are not persisted on the Processor's servers after the session ends.
Location: United States
PostHog, Inc.
Purpose: Product analytics. Collects anonymized usage events (page views, feature clicks) to help improve the Service. GDPR consent gating is enforced: no data is collected until the user opts in via the cookie consent banner. No personal data profiles are built.
Location: United States
Functional Software, Inc. (Sentry)
Purpose: Error monitoring and performance tracking. Collects error reports, stack traces, and request metadata to help the Processor identify and fix software defects. PII is stripped before transmission. Error reports are tunneled through the Processor's own domain to ensure delivery.
Location: United States
Intuit Inc. (QuickBooks Online)
Purpose: Accounting data synchronization. When the Controller opts in to the QuickBooks integration (Pro plan only), client data, invoice data, and estimate data are synced to the Controller's connected QuickBooks Online account.
Location: United States
Google LLC (Google Analytics)
Purpose: Web analytics. Collects page views, traffic sources, and user journey data to help improve the website experience. GDPR consent gating is enforced: no data is collected until the user opts in via the cookie consent banner. No personal data profiles are built by Person Trail using Google Analytics data.
Location: United States (global infrastructure)
Google LLC (Google Calendar API)
Purpose: Calendar event synchronization. When individual users opt in to Google Calendar sync (available on all plans), jobs and phases are written as calendar events, and time changes made in Google Calendar can be pulled back. Per-user OAuth tokens are stored encrypted (AES-256-GCM). Google receives only event-level data (job type, property address, scheduled times).
Location: United States (global infrastructure)
DocuSign, Inc.
Purpose: E-signature processing for proposals, estimates, and change orders. Document content and recipient contact information (name, email) are transmitted to DocuSign when an e-signature request is initiated.
Location: United States
Open-Meteo (open-source)
Purpose: Weather forecast data for job site weather widgets and severe weather alerts. Only geographic coordinates (latitude, longitude) are transmitted. No personal data is sent to Open-Meteo. Open-Meteo is a free, open-source weather API that does not require authentication or store any user data.
Location: Europe (open-source, globally distributed)
The Controller will be notified of any changes to this list of sub-processors prior to the change taking effect. The Controller may object to a new sub-processor by contacting the Processor at [email protected] within 14 days of receiving notice. If the objection cannot be resolved, the Controller may terminate the Service agreement.
5. Data Subject Rights
The Processor assists the Controller in fulfilling data subject rights requests under Articles 15 through 22 of the GDPR. The following mechanisms are available:
Right of access (Article 15): Controllers can export all data associated with their organization through the data export feature in the Service dashboard. This export includes contractor records, job data, assignments, ratings, and activity logs in a machine-readable format.
Right to rectification (Article 16): Controllers can update and correct personal data directly through the Service interface. Crew members can update their own profile data through the crew portal.
Right to erasure (Article 17): Controllers can request account deletion, which triggers anonymization of all associated personal data. The Processor completes hard deletion of personal data within 30 days of the deletion request. Crew members may request deletion of their data by contacting their organization owner or by emailing the Processor directly.
Right to restriction of processing (Article 18): Controllers may request restriction of processing by contacting the Processor. The Processor will flag the relevant data and cease active processing while retaining the data as required.
Right to data portability (Article 20): Controllers can export their organization's data in JSON format through the data export API. This export is structured to allow transfer to another service provider.
Right to object (Article 21): Data subjects may object to specific processing activities by contacting the Processor at [email protected]. The Processor will evaluate each objection and respond within 30 days.
Rights related to automated decision-making (Article 22): Person Trail's scheduling algorithm generates recommendations only. No automated decision is made without human review and confirmation by the organization owner. Crew members on Starter and Pro plans can accept or decline assignments. See our Privacy Policy for full details on algorithmic features. AI chat and content suggestion features are not automated decision-making systems. They generate text suggestions only and do not determine job assignments, ratings, or any contractual outcomes.
6. Security Measures
The Processor implements the following technical and organizational measures to protect personal data in accordance with Article 32 of the GDPR:
Encryption at rest: All data stored in the Neon PostgreSQL database is encrypted at rest using AES-256 encryption. Database backups are encrypted using the same standard.
Encryption in transit: All data transmitted between the user's browser and the Service, and between the Service and its sub-processors, is encrypted using TLS 1.2 or higher. HTTPS is enforced on all endpoints with no fallback to unencrypted connections.
Password security: User passwords are hashed using bcrypt with a cost factor that meets current security best practices. Plaintext passwords are never stored or logged.
Role-based access control: The Service enforces strict role-based access control (RBAC) with distinct roles including OWNER, ADMIN, COORDINATOR, and CREW MEMBER. Each role has precisely scoped permissions. All API endpoints verify role and organization membership before processing requests.
Multi-tenant data isolation: All data is scoped by organization ID. Row-level security (RLS) policies enforce tenant isolation at the database level, preventing cross-organization data access. Every query is filtered through organization-scoped middleware.
Audit logging: The Service maintains comprehensive audit logs of all significant actions, including user authentication events, data modifications, job assignments, and administrative operations. Audit logs are designed to be PII-safe, recording action types and entity IDs without logging raw personal data.
Rate limiting: API endpoints are protected by Redis-backed rate limiting (via Upstash) to prevent brute-force attacks, credential stuffing, and abuse. Authentication endpoints have stricter rate limits.
CAPTCHA protection: Login and registration flows are protected by Cloudflare Turnstile CAPTCHA verification to prevent automated attacks.
Session security: Authentication tokens are short-lived JWTs carrying only the minimum claims required (user ID, role, organization ID, subscription status). Tokens are validated on every request.
Input validation: All user inputs are validated and sanitized at the API layer to prevent injection attacks and data corruption.
AI service data handling: Prompts submitted to AI features are transmitted to Groq over TLS-encrypted connections. The Processor does not persist chat messages or AI-generated responses after the session ends. Only usage metrics (daily message counts per user) are stored for quota enforcement.
7. Breach Notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR.
The breach notification will include:
- A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
- The name and contact details of the Processor's point of contact where more information can be obtained.
- A description of the likely consequences of the personal data breach.
- A description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where it is not possible to provide all information at the same time, the Processor will provide the information in phases without further undue delay. The Processor will document all breaches, including the facts relating to the breach, its effects, and the remedial action taken.
The Processor will cooperate with the Controller in the Controller's obligation to notify the relevant supervisory authority and, where required, the affected data subjects.
8. Data Return and Deletion
Data export on demand: The Controller may export all organization data at any time through the Service's data export feature. Exports are provided in JSON format and include all contractor records, job data, assignments, ratings, and scheduling history.
Anonymization on account deletion: When the Controller requests account deletion, the Processor immediately anonymizes all personal data associated with the organization. Anonymization replaces personal identifiers (names, emails, phone numbers, addresses) with non-reversible tokens, rendering the data no longer attributable to any identifiable person.
Hard deletion: The Processor permanently deletes all anonymized data and associated records within 30 days of the account deletion request. This includes database records, audit logs referencing the organization, and any cached data.
Automated retention: The Processor operates automated data retention processes that identify and purge expired or orphaned data on a regular schedule. Rate limiting records, session tokens, and temporary authentication data are automatically expired and removed.
Sub-processor data: Upon account deletion, the Processor takes commercially reasonable steps to ensure that sub-processors delete or anonymize the Controller's personal data in accordance with their respective data processing agreements and retention policies.
Exceptions: The Processor may retain limited data where required by applicable law, regulation, or legitimate legal obligation (e.g., financial transaction records required for tax purposes). Any such retained data will be restricted from further processing and deleted as soon as the legal obligation expires.
9. Audit Rights
The Controller has the right to verify the Processor's compliance with this DPA. To exercise this right:
Compliance documentation: The Controller may request a summary of the Processor's current security measures, sub-processor list, and data processing practices. The Processor will provide this documentation within 30 days of receiving a written request.
Audit cooperation: The Processor will cooperate with reasonable audit requests from the Controller or the Controller's appointed independent auditor. Audits will be conducted during normal business hours, with reasonable advance notice (minimum 30 days), and in a manner that does not disrupt the Processor's operations or compromise the security or privacy of other customers' data.
Scope of audits: Audits may cover the Processor's data processing activities, security measures, sub-processor management, breach response procedures, and compliance with this DPA. The Controller bears the cost of any audit it initiates, unless the audit reveals a material breach of this DPA by the Processor.
Third-party certifications: Where available, the Processor may satisfy audit requests by providing relevant third-party certifications, audit reports, or compliance attestations from its sub-processors (e.g., SOC 2 reports from Neon, Stripe, or Vercel).
All audit requests should be directed to [email protected].
10. Term and Termination
Effective date: This DPA is effective from the date the Controller begins using the Service and remains in effect for the duration of the Controller's use of Person Trail.
Survival: The Processor's obligations regarding the processing and protection of personal data survive termination of the Service agreement. Specifically, confidentiality obligations, data return and deletion obligations (Section 8), breach notification obligations (Section 7), and audit cooperation (Section 9) continue to apply until all personal data has been deleted or returned.
Post-termination processing: Upon termination, the Processor will cease all processing of the Controller's personal data except as necessary to fulfill the data return and deletion obligations described in Section 8, or as required by applicable law.
Data deletion timeline: Unless the Controller requests a data export before termination, the Processor will delete all of the Controller's personal data in accordance with Section 8 within 30 days of account closure.
Contact
For questions about this Data Processing Agreement, to report a data breach, or to exercise any rights under this DPA, contact us at:
Person Trail, Inc.
[email protected]