Data Processing Agreement
This Data Processing Agreement ("DPA") governs how Pillar processes personal data on behalf of its customers.
Last updated: February 2026
1. Introduction
This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service ("Agreement") between Pillar ("Processor", "we", "us") and the customer entity agreeing to these terms ("Controller", "you", "your").
This DPA applies to the extent that Pillar processes Personal Data on your behalf in the course of providing the Pillar field service management platform ("Services"). It reflects the parties' commitment to comply with applicable data protection laws.
2. Definitions
- Controller means the customer entity that determines the purposes and means of processing Personal Data through the Services.
- Processor means Pillar, which processes Personal Data on behalf of the Controller in connection with providing the Services.
- Personal Data means any information relating to an identified or identifiable natural person that is processed by Pillar in the course of providing the Services. This includes, but is not limited to, customer names, email addresses, phone numbers, physical addresses, and service records.
- Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, combination, erasure, or destruction.
- Sub-processor means a third-party service provider engaged by Pillar to assist in processing Personal Data on behalf of the Controller.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Data Processing
Pillar processes Personal Data only in accordance with your documented instructions and solely for the purpose of delivering the Services. We do not sell Personal Data or use it for purposes unrelated to providing the Services.
Processing activities include:
- Storing and managing customer records, job data, and scheduling information
- Processing invoices, estimates, and payment transactions
- Sending communications (email, SMS) on your behalf to your customers
- Geocoding addresses for routing and dispatch functionality
- Generating reports and analytics from your operational data
- Maintaining audit logs for security and compliance purposes
Pillar personnel authorized to process Personal Data are bound by confidentiality obligations.
4. Sub-processors
Pillar engages the following sub-processors to assist in delivering the Services. Each sub-processor is contractually bound to data protection obligations consistent with this DPA.
| Sub-processor | Purpose |
|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, database hosting, and file storage (S3) |
| Stripe | Payment processing, subscription billing, and saved payment methods |
| Twilio | SMS messaging, voice calls, and communication logging |
| SendGrid | Transactional email delivery and white-label domain authentication |
| | Maps, geocoding, route planning, and distance calculations |
| Redis Cloud | Session caching, rate limiting, and ephemeral data storage |
We will notify you before adding or replacing sub-processors that process Personal Data. You may object to a new sub-processor by contacting us within 30 days of notification. If we cannot reasonably accommodate your objection, you may terminate the affected Services.
5. Security Measures
Pillar implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Multi-tenant data isolation — Every database table includes a company identifier for complete data isolation between tenants. Unique constraints prevent cross-tenant data access.
- Encryption in transit — All data transmitted between clients and servers is encrypted using TLS.
- Encryption at rest — Data stored in databases and object storage is encrypted at rest using industry-standard encryption provided by our infrastructure providers.
- Role-based access control (RBAC) — Access to data is restricted based on user roles (Owner, Dispatcher, Technician, Customer), with permissions enforced on every API endpoint.
- Audit logging — Security-relevant events are logged with actor identification, IP address, timestamp, and action details for accountability and incident investigation.
- Rate limiting — API endpoints are protected by rate limiting to prevent abuse, with stricter limits on authentication and sensitive operations.
- Input validation — All inputs are validated and sanitized to prevent injection attacks and data corruption.
- Authentication security — Passwords are hashed using bcrypt. Authentication tokens are stored in HttpOnly cookies and have short expiration windows with automatic refresh mechanisms.
6. Data Subject Rights
Pillar will assist you in fulfilling your obligations to respond to data subject requests, including requests for access, rectification, erasure, data portability, and restriction of processing.
If Pillar receives a request directly from a data subject regarding Personal Data processed on your behalf, we will promptly redirect the data subject to you and notify you of the request, unless legally prohibited from doing so.
The platform provides data export capabilities and administrative tools that allow you to access, correct, and delete customer records to support your compliance with data subject requests.
7. Data Breach Notification
In the event of a confirmed Data Breach affecting Personal Data processed on your behalf, Pillar will notify you without undue delay and in any case within 72 hours of becoming aware of the breach.
The notification will include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of the point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its effects
Pillar will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
8. Data Retention and Deletion
Personal Data is retained for the duration of your active account and service agreement with Pillar.
Upon termination of the Agreement, Pillar will, at your election, delete or return all Personal Data within 30 days of receiving a written request. This includes data stored in primary databases, file storage, and backups, subject to any legal retention obligations.
Certain data may be retained beyond this period where required by applicable law (for example, financial transaction records or audit logs required for regulatory compliance). In such cases, the retained data will continue to be protected in accordance with this DPA.
9. International Data Transfers
If Personal Data is transferred to a jurisdiction outside of the country where it was collected, Pillar will ensure that appropriate safeguards are in place in accordance with applicable data protection laws.
Where required, transfers will be governed by standard contractual clauses or other approved transfer mechanisms to ensure an adequate level of data protection.
10. Audit Rights
You have the right to verify Pillar's compliance with this DPA. Pillar will make available to you, upon reasonable request, the information necessary to demonstrate compliance with the obligations set forth in this agreement.
Audit requests should be submitted in writing with reasonable advance notice. Pillar may satisfy audit requests by providing relevant compliance documentation, certifications, or third-party audit reports. On-site audits may be conducted where documentation alone is insufficient, subject to reasonable scope, timing, and confidentiality requirements.
11. Term
This DPA is effective for the duration of your service agreement with Pillar. It will automatically terminate upon the expiration or termination of the Agreement, subject to Section 8 (Data Retention and Deletion) which will survive termination.
Pillar reserves the right to update this DPA to reflect changes in applicable law, sub-processors, or security practices. Material changes will be communicated to you in advance.
12. Contact
For questions about this Data Processing Agreement or to exercise any rights described herein, contact us at: