Mascot
Get Started
DPA — Gasher

Data Processing Addendum (DPA)

Effective: August 21, 2025 • Last updated: August 21, 2025

This Data Processing Addendum (“DPA”) forms part of the Agreement between Gasher Solutions LLC (the “Processor”) and the Customer (the “Controller”). Capitalized terms not defined here have the meaning in the Agreement.

A1. Purpose & subject matter

Processor will process Personal Data solely to provide, secure, and improve the Services; to provide support; and to comply with law and Controller’s documented instructions.

A2. Roles & categories

  • Controller: Customer (determines purposes/means of processing)
  • Processor: Gasher Solutions LLC
  • Data subjects: Controller’s customers, leads, employees, and other end-users
  • Data types: Contact identifiers, communications content/metadata, booking details, and technical logs; no special categories intentionally collected

A3. Processor obligations

  • Process only on Controller’s documented instructions.
  • Ensure staff confidentiality and appropriate training.
  • Maintain technical and organizational security measures (see Annex 1).
  • Assist Controller with data subject requests and DPIAs (where applicable).
  • Breach notice: Notify Controller without undue delay and within 72 hours of confirmation of a Personal Data Breach, and provide relevant information as it becomes available.
  • Sub-processors: May engage vetted providers (telephony/SMS, email, hosting, analytics, AI, payments). Processor will impose written, data-protection terms at least as protective as this DPA and remains liable for sub-processor acts.

A4. International transfers

If, in the future, EU/UK Personal Data is processed, the parties incorporate the EU Standard Contractual Clauses (SCCs) Module 2 and, for UK transfers, the UK Addendum, with Controller as data exporter and Processor as data importer. Conflicts are resolved per A8 below.

A5. Return or deletion

At termination, Processor will delete or return Personal Data at Controller’s choice, subject to legal retention obligations. Routine backups age out per retention schedules.

A6. Audits

Upon reasonable notice, Processor will make available relevant audit reports or summaries (e.g., third-party assessments) and respond to reasonable questionnaires. On-site audits are permitted where required by law and limited to scope, timing, and confidentiality constraints.

A7. Liability

Each party’s aggregate liability under this DPA is subject to, and forms part of, the liability cap in the Agreement.

A8. Precedence

If there is a conflict between this DPA and the Agreement, this DPA controls to the extent of the conflict regarding data protection.

Annex 1 — Summary of Security Measures

  • Access controls: MFA where available; role-based access; least-privilege.
  • Encryption: Data in transit via TLS; encryption at rest where supported by infrastructure providers.
  • Network & app security: Firewalls, patching, vulnerability management, and separation of environments.
  • Monitoring & logging: Centralized logging and alerting for unusual activity.
  • Backups & continuity: Regular backups and disaster-recovery procedures.
  • Vendor management: Sub-processor due diligence and contractual safeguards.
  • Employee practices: Security awareness training and confidentiality agreements.

Annex 2 — Authorized Sub-processors

  • HighLevel / LeadConnector — application platform, CRM, websites/funnels, automations, LeadConnector Email (native email), LC Phone (telephony/SMS).
  • Stripe — payments processing and billing.

We may update the above list from time to time. We will provide reasonable prior notice for material changes and offer an opportunity to object where required by law.