Data Processing Agreement

The following terms have the meanings set forth below when used in this Data Processing Agreement:

“Controller” — means the entity that determines the purposes and means of processing personal data. In most cases, this is you, the customer.

“Processor” — means CJD Technologies LLC, doing business as FSM Navigator, which processes personal data on behalf of the Controller.

“Personal Data” — means any information relating to an identified or identifiable natural person, as defined under applicable data protection law.

“Processing” — means any operation performed on personal data, including collection, storage, use, disclosure, and deletion.

“Data Subject” — means the identified or identifiable natural person to whom personal data relates.

“Subprocessor” — means a third party engaged by the Processor to process personal data on behalf of the Controller.

“Data Breach” — means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

This DPA applies to all personal data processed by FSM Navigator on behalf of the customer (“Controller”) in connection with the provision of our field service management platform (“Service”).

This DPA supplements the Terms of Service and applies to all subscription plans, including the Free, Pro, and Enterprise tiers.

FSM Navigator processes personal data solely for the purpose of providing the Service as described in the Terms of Service. We do not process personal data for any purpose beyond the delivery, maintenance, and improvement of the Service.

This DPA is effective as of the date the customer agrees to the Terms of Service, and remains in effect for the duration of the service relationship.

The customer (“you”) is the Controller with respect to personal data of your employees, technicians, and customers entered into the Service. As the Controller, you determine the purposes and means of processing such personal data.

CJD Technologies LLC, doing business as FSM Navigator is the Processor, processing personal data on the Controller’s behalf and in accordance with the Controller’s documented instructions as set forth in this DPA and the Terms of Service.

The Processor will not process personal data for any purpose other than providing the Service, unless required to do so by applicable law. In such case, the Processor will inform the Controller of that legal requirement before processing, unless prohibited by law from doing so.

Each party will comply with its respective obligations under applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant legislation.

The Processor will process personal data only on documented instructions from the Controller, unless required to do so by applicable law to which the Processor is subject.

The primary processing instructions are set forth in the Terms of Service and this DPA. Together, these documents constitute the Controller’s complete written instructions for data processing under this agreement.

If the Processor believes that an instruction from the Controller infringes applicable data protection law, the Processor will promptly notify the Controller and will not carry out the instruction until the Controller confirms or modifies it.

The Processor will not sell, share, or use personal data for its own commercial purposes outside the scope of providing the Service. Personal data processed under this DPA will never be used for advertising, profiling, or any purpose unrelated to the Service.

The following categories of personal data may be processed by FSM Navigator on behalf of the Controller in connection with the Service:

• Contact information (names, email addresses, phone numbers)
• Business addresses and service locations
• Job and work order details (descriptions, schedules, notes)
• Invoicing and payment information
• User account credentials (encrypted)
• Device information and session data
• Communication records (in-app chat messages)
• File uploads (task images, documents)
• Geolocation data (technician locations during active service)

The specific categories of data processed depend on how the Controller configures and uses the Service, including which features and subscription plan are active.

The personal data processed under this DPA relates to the following categories of data subjects:

• Company administrators and owners
• Dispatchers and office staff
• Field technicians
• End customers and their contact persons
• Customer portal users
• Invited users (pending acceptance)

The Controller is responsible for ensuring that it has a valid legal basis for providing personal data of these data subjects to the Processor.

The Controller authorizes the Processor to engage subprocessors to assist in providing the Service. The Processor remains fully liable for the acts and omissions of its subprocessors to the same extent as if the Processor were performing the services directly.

A current list of subprocessors is maintained on our Subprocessors page. This list includes the name, purpose, and location of each subprocessor.

The Processor will notify the Controller of any intended changes to subprocessors — including additions or replacements — by updating the Subprocessors page. The Controller may subscribe to notifications of such changes.

The Controller may object to a new subprocessor by contacting us in writing within thirty (30) days of notification. If the Controller raises a reasonable objection, the Processor will make commercially reasonable efforts to provide an alternative or allow the Controller to terminate the affected Service without penalty.

The Processor requires all subprocessors to enter into data processing agreements that provide at least the same level of data protection as this DPA, including obligations of confidentiality and data security.

The Processor implements appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:

• Encryption of personal data at rest and in transit using industry-standard encryption that meets or exceeds current security best practices
• Multi-factor authentication (MFA) enforcement capabilities
• Role-based access controls with the principle of least privilege
• Multi-tenant data isolation ensuring strict separation between customer accounts
• Regular security assessments and vulnerability testing
• Secure software development lifecycle practices
• Employee and contractor access restricted on a need-to-know basis, subject to the personnel access controls described in Section 8A below
• Automated malware scanning on all file uploads
• Audit logging of access to and modifications of personal data

The Processor regularly reviews and updates its security measures to ensure they remain appropriate to the risks presented by the processing. For more detail, see our Security & Trust page.

Pursuant to Article 28(3)(b) of the GDPR, the Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Confidentiality Obligations. All Processor personnel (including employees and contractors) who may access the Controller’s personal data are bound by written confidentiality agreements. These obligations survive the termination of employment or engagement.

Authorized Support Access. In the course of providing technical support, diagnosing reported issues, and maintaining the security and integrity of the Service, authorized Processor personnel may access the Controller’s personal data. Such access is subject to the following safeguards:

• Access is limited to the minimum scope and duration necessary to resolve the matter
• All access sessions are recorded in tamper-evident audit logs, including the identity of the support representative, the duration of access, and the actions performed
• Certain sensitive operations (including financial transactions, credential changes, and data deletion) are technically prohibited during support access sessions
• Account administrators of the affected Controller organization are notified when support access occurs
• Support access capabilities may be revoked at any time by the Processor’s security administration

For details on the technical controls governing support access, see our Security & Trust page.

The Processor will notify the Controller without undue delay — and no later than seventy-two (72) hours — after becoming aware of a data breach affecting the Controller’s personal data.

The notification will include, to the extent available at the time of notification:

• The nature of the data breach, including the categories and approximate number of data subjects affected
• The categories and approximate number of personal data records concerned
• The likely consequences of the data breach
• The measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects

The Processor will cooperate with the Controller in investigating and mitigating the data breach, including providing all reasonably requested information and assistance to enable the Controller to fulfill its own notification obligations under applicable data protection law.

The Processor will document all data breaches, including the facts relating to the breach, its effects, and the remedial actions taken. This documentation will be made available to the Controller upon request.

The Processor will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection law. These rights may include the right of access, rectification, erasure (“right to be forgotten”), restriction of processing, data portability, and the right to object.

If the Processor receives a request directly from a data subject regarding the Controller’s personal data, the Processor will promptly forward the request to the Controller and will not respond to the data subject directly unless instructed to do so by the Controller.

Assistance with data subject requests will be provided at no additional charge for standard requests. For requests that are manifestly unfounded, excessive, or unusually complex, the Processor may charge a reasonable fee based on the administrative costs involved.

The Service includes a self-service account deletion feature that allows individual data subjects (users) to permanently delete their own account and associated personal data immediately, without requiring a formal written request. This feature directly supports the right to erasure under applicable data protection law.

Personal data processed under this DPA is primarily stored and processed within the United States.

If personal data is transferred to a country outside the originating jurisdiction, the Processor will ensure that appropriate safeguards are in place in accordance with applicable data protection law. Such safeguards may include Standard Contractual Clauses (SCCs) approved by the European Commission, or other legally approved transfer mechanisms.

The Processor will only transfer personal data to countries that provide an adequate level of data protection as determined by the relevant supervisory authority, or where appropriate safeguards — such as binding corporate rules or contractual protections — have been established.

Upon request, the Processor will provide the Controller with information about the safeguards in place for any international data transfers.

The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection law.

The Controller may conduct or commission audits of the Processor’s data processing activities, subject to the following conditions:

• The Controller must provide at least thirty (30) days’ prior written notice
• Audits must be conducted during regular business hours
• Audits must not unreasonably disrupt the Processor’s operations
• Audits must not compromise the security or confidentiality of other customers’ data
• The auditor must agree to appropriate confidentiality obligations

The Processor will cooperate with audits and inspections conducted by supervisory authorities, and will assist the Controller in responding to any regulatory inquiries related to the processing of personal data under this DPA.

The Processor retains personal data for the duration of the service relationship, plus a retention period of three (3) years as described in our Privacy Policy. This retention period enables the Controller to maintain access to historical records for regulatory, legal, or operational purposes.

Upon termination of the service agreement, the Controller may request deletion of their personal data by contacting us in writing at the address provided in the Contact Us section below.

In addition to written requests, individual users may permanently delete their own account and personal data at any time through the self-service option in their profile settings. Company owners may delete the entire company account through the company settings. Self-service deletions are processed immediately upon confirmation.

The Processor will delete or return all personal data within ninety (90) days of receiving a written deletion request, unless retention is required by applicable law, regulation, or legal proceedings. In such cases, the Processor will inform the Controller of the legal basis for continued retention.

Encrypted backups may be retained for up to ninety (90) days after deletion for disaster recovery purposes and will then be permanently destroyed. During this period, backup data remains encrypted and is not actively processed.

Liability arising from or in connection with data processing under this DPA is governed by the Terms of Service, including the limitation of liability provisions set forth therein.

Each party is responsible for its own compliance with applicable data protection laws. The Controller is responsible for the lawfulness of the processing instructions it provides, and the Processor is responsible for processing personal data in accordance with those instructions and the terms of this DPA.

The Processor’s total aggregate liability under this DPA — whether in contract, tort, or otherwise — is subject to the limitations and exclusions set forth in the Terms of Service.

If you have any questions about this Data Processing Agreement or wish to exercise your rights, please contact us: