Data Processing Addendum

Effective Date: April 1, 2026 | Last Updated: March 31, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between Silent Storm Elite Corp ("Processor," "we," "us") and the organization subscribing to the Field Service Control Tower platform ("Controller," "Customer," "you"). This DPA applies where and to the extent that we process Personal Data on your behalf in the course of providing the Service.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable Data Protection Laws.

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable privacy or data protection legislation.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

"Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.

2. Scope and Roles

2.1 The Customer is the Controller of Personal Data submitted to the Platform. Silent Storm Elite Corp is the Processor, processing Personal Data solely on the Customer's behalf and in accordance with the Customer's documented instructions.

2.2 This DPA applies to all Personal Data processed by the Processor in connection with the Service, including but not limited to: technician names, email addresses, and phone numbers; customer and end-client contact information; work order service addresses; completion report data; and any other Personal Data submitted through the Platform.

3. Processing Details

Subject Matter: Provision of the Field Service Control Tower platform
Duration: For the term of the Agreement, plus data retention period
Nature and Purpose: Processing to provide field service management, work order tracking, scheduling, dispatch, reporting, and related services
Categories of Data Subjects: Customer employees (technicians, dispatchers, managers), Customer's end-clients, vendors and subcontractors
Types of Personal Data: Names, email addresses, phone numbers, job titles, service addresses, IP addresses, device identifiers, usage data, location data (with consent)

4. Processor Obligations

The Processor shall:

4.1 Process Personal Data only on documented instructions from the Controller, unless required by applicable law. If the Processor is required by law to process Personal Data for another purpose, it will inform the Controller before processing (unless prohibited by law).

4.2 Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Implement appropriate technical and organizational security measures, including: encryption of Personal Data in transit (TLS 1.2+) and at rest; multi-tenant data isolation at the database level with row-level security; role-based access controls with principle of least privilege; bcrypt password hashing; rate limiting and brute-force protection; comprehensive audit logging; and regular security assessments.

4.4 Not engage another processor (Sub-processor) without prior specific or general written authorization of the Controller. In the case of general authorization, the Processor shall inform the Controller of any intended changes and provide the Controller an opportunity to object.

4.5 Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection) by providing appropriate technical and organizational measures.

4.6 Assist the Controller in ensuring compliance with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of processing and information available to the Processor.

4.7 At the Controller's choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.

4.8 Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

5. Sub-processors

5.1 The Controller provides general authorization for the Processor to engage Sub-processors. The current list of Sub-processors is:

Sub-processor: Cloud Infrastructure Provider; Purpose: Application hosting and database; Location: United States
Sub-processor: Stripe, Inc.; Purpose: Payment processing; Location: United States
Sub-processor: Email Service Provider; Purpose: Transactional email delivery; Location: United States
Sub-processor: Object Storage Provider; Purpose: File and document storage; Location: United States

5.2 The Processor shall notify the Controller of any intended changes to Sub-processors at least 30 days in advance. The Controller may object to a new Sub-processor within 14 days of notification. If the Controller objects and the parties cannot resolve the objection, the Controller may terminate the affected Service.

5.3 The Processor shall impose data protection obligations on each Sub-processor that are no less protective than those in this DPA.

6. Data Breach Notification

6.1 The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach.

6.2 The notification shall include: the nature of the breach, including the categories and approximate number of Data Subjects and records affected; the name and contact details of the Processor's point of contact; a description of the likely consequences; and a description of the measures taken or proposed to address the breach.

6.3 The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.

7. International Data Transfers

7.1 Personal Data may be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, the parties agree to the EU Standard Contractual Clauses (SCCs) as approved by the European Commission, which are incorporated into this DPA by reference.

7.2 The Processor shall implement appropriate supplementary measures to ensure that the level of protection of Personal Data is not undermined by the transfer.

8. Data Retention and Deletion

8.1 Upon termination of the Agreement, the Processor shall, at the Controller's election, return or delete all Personal Data within 30 days, and certify such deletion in writing.

8.2 Backup copies shall be purged within 90 days of termination.

8.3 The Processor may retain Personal Data to the extent required by applicable law, in which case it shall inform the Controller and continue to protect such data in accordance with this DPA.

9. Audits

9.1 The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

9.2 The Controller may conduct an audit (or appoint a qualified third-party auditor) no more than once per year, with at least 30 days' prior written notice, during normal business hours, and subject to reasonable confidentiality obligations.

9.3 The Processor shall cooperate with such audits and provide reasonable assistance. The Controller shall bear the costs of any audit.

10. Processor Contact Information

Legal Entity: Silent Storm Elite Corp

Address: 435 Golf Dr, Oceanside, NY 11572, United States

Tax ID (EIN): 27-4814373

Email: [email protected]

Jurisdiction: State of New York, United States

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of New York, United States, without regard to conflict of law principles, except to the extent that applicable Data Protection Laws require otherwise.

© 2026 Silent Storm Elite Corp. All rights reserved.

To execute this DPA, contact us at [email protected] with your organization name and authorized signatory details.
