Data Processing Addendum

For data your business puts into Foreman about your own customers (the “Customer Data”), you are the Controller and Foreman is the Processor. We process Customer Data only on your documented instructions — primarily, to provide the Service.

We process Customer Data for as long as you use the Service, and delete or return it on termination per the Terms. Categories of data may include contact details, call recordings, transcripts, bookings, and notes. Data subjects are your end-customers and contacts.

• Process Customer Data only on your instructions and for the Service;
• Keep Customer Data confidential and ensure staff are bound by confidentiality;
• Apply appropriate technical and organizational security measures (encryption in transit, access controls, tenant isolation, audit logging);
• Assist you, where reasonable, with data-subject requests and breach notifications; and
• Notify you without undue delay after becoming aware of a personal-data breach affecting Customer Data.

You authorize us to engage sub-processors to deliver the Service, including Stripe (payments), telephony and voice-AI providers, and cloud hosting/database providers (e.g. Supabase, Vercel). We remain responsible for their compliance and will give notice of material changes to our sub-processor list.

Authorized Foreman personnel may access Customer Data for support, security, and maintenance, subject to authentication and audit logging, as described in our Privacy Policy.

Customer Data is processed on infrastructure in the United States. Where required, the parties will rely on appropriate transfer mechanisms (e.g. Standard Contractual Clauses). This DPA is governed by the law specified in the Terms.

Data-protection questions or to request a signed copy: privacy@foremanbooks.com.