Data Processing Agreement

Last updated: April 29, 2026

Who needs this: This Data Processing Agreement ("DPA") applies to all businesses using the Tredovo platform. It governs how Tredovo processes personal data on your behalf as part of providing the service. If you are subject to GDPR or operate in a jurisdiction with similar data protection laws, this DPA satisfies those requirements.

1. Definitions

For the purposes of this DPA:

  • "Controller" means the business or individual that determines the purposes and means of processing personal data — that is, you, the Tredovo customer.
  • "Processor" means the entity that processes personal data on behalf of the Controller — that is, Tredovo.
  • "Data Subject" means any identified or identifiable natural person whose personal data is processed — primarily your customers who contact you.
  • "Personal Data" means any information relating to an identified or identifiable natural person, including names, phone numbers, addresses, and message content.
  • "Processing" means any operation performed on personal data, including collection, storage, use, transmission, and deletion.
  • "Sub-processor" means any third party engaged by Tredovo to assist in processing personal data.
  • "Applicable Data Protection Law" means the GDPR, CCPA, and any other privacy laws applicable to the processing activities described herein.

2. Roles and Responsibilities

2.1 Controller Responsibilities

You, as the Controller, are responsible for:

  • Ensuring you have a lawful basis for collecting and processing your customers' personal data
  • Providing appropriate privacy notices to your customers
  • Ensuring your use of Tredovo complies with all applicable data protection laws in your jurisdiction
  • Responding to data subject requests from your customers
  • Ensuring your instructions to Tredovo comply with applicable law
  • Determining the purposes for which personal data is processed

2.2 Processor Responsibilities

Tredovo, as the Processor, will:

  • Process personal data only on documented instructions from you, except where required by law
  • Ensure persons authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in fulfilling your obligations to respond to data subject requests
  • Assist you with security, breach notification, impact assessments, and prior consultations
  • Delete or return personal data upon termination of the service
  • Provide you with all information necessary to demonstrate compliance with this DPA

3. Nature and Purpose of Processing

| Category | Details |
|---|---|
| Subject matter | AI-powered SMS CRM services including missed call response, lead management, and customer communication |
| Duration | For the term of the service agreement plus applicable retention periods |
| Nature | Collection, storage, use, transmission, and deletion of personal data to provide the Tredovo service |
| Purpose | Enabling businesses to respond to missed calls via SMS and manage customer leads |
| Type of data | Names, phone numbers, addresses, SMS message content, service information, timestamps |
| Data subjects | Customers and prospective customers of businesses using Tredovo |

4. Instructions for Processing

Tredovo processes personal data solely according to your documented instructions, which include:

  • Processing necessary to provide the services described in the Terms of Service
  • Processing required to comply with applicable laws
  • Processing as further specified in your account configuration and AI setup

If Tredovo believes any instruction violates applicable data protection law, Tredovo will notify you promptly. Tredovo is not required to follow instructions that would cause it to violate applicable law.

5. Security Measures

Tredovo implements and maintains the following technical and organizational security measures:

5.1 Technical Measures

  • Encryption of personal data in transit using TLS 1.2 or higher
  • Encryption of personal data at rest via AES-256 encryption through Supabase
  • Row-level security ensuring data isolation between business accounts
  • Access controls limiting access to personal data to authorized personnel only
  • Regular dependency updates and security patches
  • Secure API key management

5.2 Organizational Measures

  • Confidentiality agreements for all personnel with access to personal data
  • Access granted on a need-to-know basis only
  • Regular review of access permissions
  • Incident response procedures for data breaches

6. Sub-processors

You authorize Tredovo to engage the following sub-processors to process personal data in connection with providing the service:

| Sub-processor | Location | Processing Activity | Data Categories |
|---|---|---|---|
| Supabase Inc. | United States | Database hosting and authentication | All personal data categories |
| Twilio Inc. | United States | SMS and voice telecommunications | Phone numbers, message content |
| OpenAI LLC | United States | AI message generation | Conversation context (minimized) |
| Vercel Inc. | United States | Application hosting and CDN | Application data, logs |
| Stripe Inc. | United States | Payment processing | Billing data only |
| Resend Inc. | United States | Transactional email | Email addresses, email content |

Tredovo will notify you of any intended changes to sub-processors by updating this DPA with at least 30 days' notice. You may object to new sub-processors within 14 days of notice. If you reasonably object and Tredovo cannot accommodate your objection, you may terminate the service with a pro-rata refund.

Tredovo ensures all sub-processors are bound by data protection obligations equivalent to those in this DPA.

7. International Data Transfers

All Tredovo sub-processors are located in the United States. If you are located in the European Economic Area, United Kingdom, or Switzerland and your customers' personal data is transferred to the United States, such transfers are made pursuant to:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • The EU-U.S. Data Privacy Framework where applicable
  • Other lawful transfer mechanisms under applicable data protection law

Upon request, Tredovo will provide copies of applicable Standard Contractual Clauses.

8. Data Subject Rights

Tredovo will assist you in responding to data subject requests to the extent technically feasible. If a data subject submits a request directly to Tredovo, Tredovo will promptly notify you and direct the data subject to contact you.

To request assistance with a data subject request, email contact@tredovo.com with the subject line "Data Subject Request Assistance."

9. Data Breach Notification

Tredovo will notify you without undue delay, and in any event within 72 hours, of becoming aware of a personal data breach affecting personal data processed on your behalf. The notification will include:

  • Nature of the breach, including categories and approximate number of data subjects affected
  • Contact information for the Tredovo data protection contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

You are responsible for determining whether you must notify data subjects or regulatory authorities in your jurisdiction.

10. Data Retention and Deletion

Upon termination of the service for any reason, Tredovo will:

  • Provide you with an export of your data in a standard format within 30 days upon request
  • Delete your personal data within 90 days of account termination
  • Retain opt-out records indefinitely as required for TCPA compliance
  • Retain billing records for 7 years as required by applicable tax law
  • Certify deletion in writing upon request

11. Audit Rights

You have the right to conduct audits to verify Tredovo's compliance with this DPA, subject to reasonable notice (at least 30 days), confidentiality obligations, and agreement not to disrupt Tredovo's operations. Tredovo may satisfy audit requests by providing relevant third-party audit reports (SOC 2, ISO 27001, or equivalent) where available.

12. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. Tredovo is liable to you only for direct damages caused by Tredovo's failure to comply with its obligations as a Processor under this DPA.

13. Order of Precedence

In the event of conflict between this DPA and the Terms of Service, this DPA governs with respect to data protection obligations. In all other respects, the Terms of Service govern.

14. Contact

For data protection inquiries, to exercise rights under this DPA, or for breach notifications:

  • Email: contact@tredovo.com
  • Subject line: "Data Protection" or "DPA Inquiry"

© 2026 Tredovo. All rights reserved.
