This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the PracticPro LLC Services Agreement (the "Services Agreement") entered into between PracticPro LLC, a California limited liability company located at 6700 Platt Avenue, West Hills, CA 91307 ("PracticPro", "we", "us", "our"), and the customer that has executed the Services Agreement (the "Customer", "you", "your") (each a "Party" and collectively the "Parties").

This DPA governs PracticPro's processing of Personal Data on behalf of the Customer in connection with the Services. In the event of any conflict between this DPA and the Services Agreement with respect to the subject matter of this DPA, this DPA controls.

1. Definitions

Capitalized terms used in this DPA but not defined here have the meanings given in the Services Agreement.

1.1 "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), (b) the GDPR as incorporated into the law of the United Kingdom ("UK GDPR"), (c) the Swiss Federal Act on Data Protection ("FADP"), (d) the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and (e) any other privacy or data protection laws applicable to a Party in its role under this DPA.

1.2 "Controller", "Processor", "Data Subject", "Personal Data", "Processing", "Personal Data Breach", and "Supervisory Authority" have the meanings given in Applicable Data Protection Law. Where the CCPA applies, "Controller" is interpreted to mean "Business" and "Processor" is interpreted to mean "Service Provider".

1.3 "Customer Personal Data" means Personal Data that PracticPro processes on behalf of the Customer in the course of providing the Services. This includes Personal Data relating to the Customer's employees, contractors, and the Customer's own end clients, leads, and contacts.

1.4 "Standard Contractual Clauses" or "SCCs" means (a) for transfers from the European Economic Area: the standard contractual clauses adopted by the European Commission in Implementing Decision (EU) 2021/914, Module Two; (b) for transfers from the United Kingdom: the International Data Transfer Addendum issued by the UK Information Commissioner; and (c) for transfers from Switzerland: the SCCs as modified by guidance issued by the Swiss Federal Data Protection and Information Commissioner.

1.5 "Sub-processor" means any third party engaged by PracticPro to Process Customer Personal Data on PracticPro's behalf in providing the Services.

2. Scope and Roles of the Parties

2.1 Roles. For the purposes of this DPA and Applicable Data Protection Law, in respect of Customer Personal Data: (a) the Customer is the Controller (or a Processor acting on behalf of its own customer); (b) PracticPro is the Processor (or, where Customer is itself a Processor, the Sub-processor); and (c) where the CCPA applies, PracticPro acts as the Customer's Service Provider with respect to Customer Personal Data.

2.2 Customer Obligations. Customer represents and warrants that (a) it has provided all notices, obtained all consents, and otherwise established a lawful basis under Applicable Data Protection Law for the Processing of Customer Personal Data through the Services, and (b) its instructions to PracticPro comply with Applicable Data Protection Law.

2.3 PracticPro Obligations. PracticPro will Process Customer Personal Data only in accordance with this DPA, the Services Agreement, and Customer's documented instructions, except where required to do otherwise by Applicable Data Protection Law.

2.4 Customer Instructions. Customer's instructions are set out in (a) the Services Agreement, (b) this DPA, and (c) any additional documented instructions Customer provides through configuration of the Services or in writing to PracticPro.

3. Description of Processing

The subject matter, nature and purpose, duration, types of Personal Data, and categories of Data Subjects involved in the Processing under this DPA are described in Annex 1.

4. Personnel and Confidentiality

PracticPro will ensure that personnel authorized to Process Customer Personal Data (a) are subject to written confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (b) receive appropriate data protection training; and (c) access Customer Personal Data only as necessary to perform their duties in support of the Services.

5. Security Measures

5.1 PracticPro will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. A summary of these measures is set out in Annex 2.

5.2 PracticPro may update or modify the measures in Annex 2 from time to time, provided that any such modifications do not materially diminish the overall level of security afforded to Customer Personal Data.

6. Sub-processors

6.1 General Authorization. Customer provides PracticPro with general authorization to engage Sub-processors to assist in the provision of the Services, subject to this Section 6.

6.2 Current Sub-processors. A current list of authorized Sub-processors is published at the URL referenced in Annex 3. Customer may subscribe at that URL to receive advance notice of changes.

6.3 Notice of New Sub-processors. PracticPro will provide Customer with at least thirty (30) days' advance notice (or such shorter period as may be reasonable in case of urgency) before authorizing any new Sub-processor.

6.4 Right to Object. If Customer has a reasonable, good-faith basis to object to a new Sub-processor on data protection grounds, Customer may notify PracticPro in writing within the notice period. The Parties will work in good faith to resolve the objection. If the Parties cannot reach resolution, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services on written notice, without penalty other than payment of fees already accrued.

6.5 Sub-processor Contracts. PracticPro will enter into a written contract with each Sub-processor that imposes data protection obligations no less protective of Customer Personal Data than those in this DPA. PracticPro remains liable for the acts and omissions of its Sub-processors with respect to Customer Personal Data to the same extent PracticPro would be liable if performing the Sub-processor's services directly under this DPA, subject to the limitations of liability set out in the Services Agreement.

6.6 Customer-Initiated Integrations. The Services include functionality that allows Customer to connect Customer's PracticPro account to third-party services of Customer's choice, including (without limitation) artificial-intelligence assistants connected via the Model Context Protocol ("MCP"), automation platforms connected via PracticPro's REST API or OAuth interface, and outbound webhooks delivered to URLs configured by Customer (each a "Customer-Initiated Integration"). Third parties engaged through Customer-Initiated Integrations are not Sub-processors of PracticPro for purposes of this DPA. Customer is responsible for (a) selecting and vetting any third party engaged through a Customer-Initiated Integration, (b) entering into appropriate data protection and other agreements directly with such third party, and (c) the third party's Processing of Customer Personal Data.

7. Data Subject Rights

7.1 Assistance to Customer. Taking into account the nature of the Processing, PracticPro will provide reasonable assistance to Customer, by appropriate technical and organizational measures, to enable Customer to respond to requests from Data Subjects exercising rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction of Processing, data portability, and objection.

7.2 Self-Service Tools. Where the Services include functionality enabling Customer to access, export, correct, or delete Customer Personal Data, Customer's use of such functionality constitutes PracticPro's assistance under Section 7.1 with respect to those rights.

7.3 Direct Requests. If PracticPro receives a request directly from a Data Subject relating to Customer Personal Data, PracticPro will, where lawful, refer the Data Subject to Customer and notify Customer of the request without undue delay.

8. Personal Data Breach

8.1 Notification. PracticPro will notify Customer without undue delay, and in any event no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data.

8.2 Content of Notice. To the extent known at the time of notification, the notice will describe (a) the nature of the Personal Data Breach including the categories and approximate number of Data Subjects and records concerned; (b) a point of contact at PracticPro; (c) the likely consequences; and (d) the measures taken or proposed to address it and mitigate its possible adverse effects.

8.3 Cooperation. PracticPro will reasonably cooperate with Customer in the investigation, mitigation, and remediation of any Personal Data Breach.

8.4 No Admission. Notification of a Personal Data Breach under this Section 8 is not an acknowledgment of fault or liability.

9. Data Protection Impact Assessments and Prior Consultation

PracticPro will provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Articles 35 and 36 of the GDPR (or equivalent provisions of Applicable Data Protection Law), in each case solely in relation to Processing of Customer Personal Data by PracticPro and taking into account the nature of the Processing and the information available to PracticPro.

10. Deletion or Return of Customer Personal Data

10.1 Customer's Election. Upon termination or expiration of the Services Agreement, PracticPro will, at Customer's election, delete or return all Customer Personal Data in PracticPro's possession or control, except to the extent retention is required by Applicable Data Protection Law.

10.2 Default. If Customer does not communicate its election within thirty (30) days after termination or expiration, PracticPro will delete all Customer Personal Data in accordance with PracticPro's standard deletion procedures.

10.3 Backups. Customer Personal Data residing in routine backups will be deleted in accordance with PracticPro's standard backup-retention schedule.

10.4 Self-Service Export. During the term of the Services Agreement and for thirty (30) days following its termination or expiration, Customer may use the Services' self-service export functionality to retrieve Customer Personal Data.

10.5 Certification. Upon Customer's reasonable written request, PracticPro will provide written confirmation that the deletion required by this Section 10 has been completed.

11. Audit Rights

11.1 Information. PracticPro will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR (or equivalent provisions of Applicable Data Protection Law).

11.2 Audits. Customer may, on reasonable written notice of not less than thirty (30) days, audit PracticPro's compliance with this DPA, subject to the following: (a) audits may be conducted no more than once per calendar year except where required by a Supervisory Authority or following a confirmed Personal Data Breach; (b) audits will be conducted during PracticPro's regular business hours; (c) Customer will bear its own costs and procure that any third-party auditor enters into a customary confidentiality agreement with PracticPro; (d) any third-party auditor must not be a competitor of PracticPro; and (e) Customer will provide PracticPro with a copy of any audit report.

11.3 Third-Party Reports. Customer agrees that, in lieu of an audit under Section 11.2, PracticPro may satisfy its obligations by providing Customer with PracticPro's then-current third-party certifications, attestations, or audit reports (for example, SOC 2 or ISO 27001 reports) once available.

12. International Data Transfers

12.1 PracticPro Processes Customer Personal Data in the United States and may engage Sub-processors located in jurisdictions outside the European Economic Area, United Kingdom, and Switzerland.

12.2 Standard Contractual Clauses. Where PracticPro Processes Personal Data subject to the GDPR, UK GDPR, or FADP that is transferred to a jurisdiction not recognized as providing an adequate level of protection, the Standard Contractual Clauses are incorporated into this DPA by reference and apply to such transfer. For the EU SCCs (Module Two, Controller to Processor): Clause 7 (Docking clause) applies; Clause 9 (Use of sub-processors) Option 2 (General written authorization) applies with the notice period set in Section 6.3; Clause 17 governing law is Ireland; Clause 18 forum is the courts of Ireland; Annex I.A: Customer is the data exporter and PracticPro is the data importer; Annex I.B: as set out in Annex 1 of this DPA; Annex I.C: as identified by Customer or the Irish Data Protection Commission by default; Annex II: as set out in Annex 2 of this DPA; Annex III: as published at the URL referenced in Annex 3.

12.3 UK Addendum. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum is incorporated by reference, completed by reference to the corresponding fields of the EU SCCs as populated in Section 12.2.

12.4 Swiss Addendum. For transfers subject to the FADP, the EU SCCs are incorporated with the modifications recommended by the Swiss Federal Data Protection and Information Commissioner.

13. Artificial Intelligence and No-Training Commitment

13.1 No Training on Customer Personal Data. PracticPro does not, and will not, use Customer Personal Data to train any artificial intelligence or machine learning model owned or developed by PracticPro for the benefit of any other customer or third party, except (a) with Customer's prior written opt-in to such use, or (b) on data that has been irreversibly de-identified.

13.2 Third-Party AI Providers. PracticPro may use third-party AI providers as Sub-processors to enable AI-powered features in the Services. PracticPro contracts with such providers under terms that prohibit the use of Customer Personal Data for training the provider's models. The current list of AI-provider Sub-processors is included in the sub-processor list referenced in Annex 3, and the full AI data handling commitments are published at practicpro.com/trust/ai.

13.3 AI Disclosure to End Users. Where the Services use AI to interact with the Customer's end clients (for example, an AI receptionist), Customer is responsible for any disclosures or consents required by Applicable Data Protection Law or applicable AI-transparency laws.

14. Liability

The Parties' aggregate liability arising out of or related to this DPA, whether in contract, tort, or any other theory of liability, is subject to the limitations and exclusions of liability set out in the Services Agreement.

15. Term, Conflict, and General

15.1 Term. This DPA is effective on the later of (a) the Effective Date of the Services Agreement, or (b) the date on which both Parties have executed this DPA. It will remain in effect for so long as PracticPro Processes Customer Personal Data on Customer's behalf.

15.2 Conflict. In the event of any conflict between this DPA and the Services Agreement with respect to the Processing of Customer Personal Data, this DPA controls. In the event of any conflict between the Standard Contractual Clauses and any other terms of this DPA, the Standard Contractual Clauses control.

15.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.

15.4 Amendments. Material amendments to this DPA require the written agreement of both Parties. PracticPro may make non-material amendments (including updates to Annex 2 and Annex 3) on notice.

15.5 Counterparts and Electronic Signature. This DPA may be executed in counterparts, including by electronic signature, each of which is deemed an original.

Annex 1 - Description of Processing

Subject Matter and Duration

The subject matter is the provision of the Services as described in the Services Agreement. Processing continues for the duration of the Services Agreement and any post-termination retention period.

Nature and Purpose

PracticPro Processes Customer Personal Data to provide the Services, which include contact and client management, job and project management, communications (calls, SMS, email) and storage of communication records, document generation and electronic signature, financial recordkeeping and invoicing, task and calendar management, AI-assisted features (where enabled), and reporting and analytics.

Types of Personal Data

Identification data, contact data, financial data, communications data (including call recordings, voicemail, SMS and email content), transactional data, and any other Personal Data Customer inputs into the Services. Customer is responsible for ensuring that the Services are not used to Process special categories of Personal Data (as defined in Article 9 of the GDPR) or Personal Data relating to criminal convictions or offences, except in compliance with Applicable Data Protection Law.

Categories of Data Subjects

Customer's employees, contractors, and personnel; Customer's end clients, prospects, leads, and contacts; representatives of Customer's vendors or business partners; and other natural persons whose Personal Data Customer inputs into the Services.

Frequency

Continuous, for the duration of the Services.

Restrictions on Children's Data

The Services are not intended for the Processing of Personal Data of children under the age of 16. Customer will not use the Services to knowingly Process Personal Data of children under that age except in compliance with Applicable Data Protection Law.

Annex 2 - Technical and Organizational Measures

PracticPro implements and maintains the following measures to protect Customer Personal Data:

Encryption

Encryption in transit using TLS 1.2 or higher; encryption at rest for production databases and file storage using industry-standard algorithms.

Access Controls

Role-based access control within the Services; authentication with optional multi-factor authentication; internal access by PracticPro personnel restricted to documented business need.

Logging and Monitoring

Logging of significant administrative actions affecting Customer Personal Data; network and application monitoring designed to detect unauthorized access attempts.

Network Security

Industry-standard perimeter controls including firewalls and HTTPS termination through Cloudflare; periodic patching of operating systems and dependencies.

Personnel

Confidentiality obligations and periodic privacy and security training for personnel with access to Customer Personal Data.

Vendor Management

Sub-processors engaged under written contracts containing data-protection obligations no less protective than this DPA.

Business Continuity and Backups

Regular automated backups of Customer Personal Data; backup encryption consistent with at-rest encryption; documented restoration procedures.

Incident Response

Documented incident-response procedures including triage, containment, notification, and post-incident review; Personal Data Breach notification to Customer within 72 hours of awareness.

Physical Security

Production infrastructure hosted with reputable cloud providers whose facilities maintain industry-standard physical security controls.

Annex 3 - Authorized Sub-processors

PracticPro maintains a current list of authorized Sub-processors at practicpro.com/trust/sub-processors. Each Sub-processor listed identifies (a) the Sub-processor's legal name, (b) the type of Processing performed, and (c) the country or region in which Processing occurs. Customer may subscribe at that URL to receive advance notice of additions or changes to the list.

Annex 4 - Standard Contractual Clauses

The Standard Contractual Clauses identified in Section 1.4 and configured in Section 12 are incorporated by reference into this DPA. The current authoritative versions are:

  • EU SCCs (2021/914), Module Two: eur-lex.europa.eu/eli/dec_impl/2021/914/oj
  • UK International Data Transfer Addendum: issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018.
  • Swiss Federal Data Protection and Information Commissioner guidance: as published by the Swiss authority from time to time.

If at any time the European Commission, the UK Information Commissioner, or the Swiss Federal Data Protection and Information Commissioner adopts revised versions of these clauses, the revised versions automatically replace the prior versions for purposes of this DPA on the date the revised versions take effect.

Signed copy on file with Customer. This published version is provided for transparency and reference. The version executed between PracticPro and Customer at account opening, signed via PracticPro's electronic-signature system, is the operative legal instrument.

For questions about this DPA, contact [email protected].

Last updated: May 21, 2026