Data Processing Addendum
Last updated: 2026-04-29
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer,” acting as data controller) and Fieldsmith (“Fieldsmith,” acting as data processor) when Fieldsmith processes personal data on your behalf. It applies to the extent required by the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), or equivalent data-protection laws.
1. Roles and subject matter
For personal data about your end-customers, jobs, crew, invoices, and similar records that you enter into the Fieldsmith service (“Customer Personal Data”), Customer is the controller and Fieldsmith is the processor. Fieldsmith processes Customer Personal Data only to provide the service and only on documented instructions from Customer, including the instructions embedded in Customer's use of the service.
The subject matter of processing is the provision of field-service management software. Processing lasts for the duration of the Customer's subscription plus any applicable retention period described in our Privacy Policy.
2. Categories of data and data subjects
- Data subjects: Customer's end-customers, crew members, employees, contractors, and other individuals whose personal data Customer chooses to process in Fieldsmith.
- Categories of personal data: identifiers (name, email, phone, address), job and service history, payment metadata (via Stripe), communication records, and — where Customer enables the feature — crew location data during active jobs.
- Special category data: Customer agrees not to upload special categories of personal data (health data, biometric data, government IDs, etc.) into Fieldsmith without our prior written agreement.
3. Fieldsmith's obligations
- Process Customer Personal Data only on Customer's documented instructions, unless required to do otherwise by applicable law (and, in that case, notify Customer unless the law prohibits notice).
- Ensure personnel with access are bound by confidentiality.
- Implement appropriate technical and organizational measures to secure Customer Personal Data (see section 7).
- Assist Customer in responding to data-subject requests and in meeting Customer's obligations under Articles 32 to 36 of GDPR (security, breach notification, DPIAs).
- Delete or return Customer Personal Data at the end of the service, as described in section 8.
- Make available all information necessary to demonstrate compliance with this DPA, and cooperate with audits as described in section 9.
4. Sub-processors
Customer gives Fieldsmith general authorization to engage sub-processors across the categories below to operate the service. Each sub-processor is bound by a written agreement containing data-protection obligations equivalent to those in this DPA.
- Database and application hosting (U.S.).
- Web hosting and content delivery (U.S.).
- Payment processing (U.S.).
- Transactional email delivery (U.S.).
- AI model processing (U.S.).
- Mapping and routing (U.S.).
- Error monitoring and analytics (U.S.).
The current named list of sub-processors is available on request to privacy@fieldsmith.work. Fieldsmith will give Customer at least 30 days' notice of any new or replacement sub-processor in a category by email or in-product notice. Customer may object in writing on reasonable data-protection grounds within that period; if Fieldsmith can't reasonably accommodate the objection, Customer may terminate the affected service for the remainder of the current term on a pro-rata refund basis.
5. International data transfers
Fieldsmith's infrastructure is primarily located in the United States. Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (module two, controller-to-processor) and, where applicable, the UK International Data Transfer Addendum. The SCCs are incorporated into this DPA by reference; the relevant annexes (parties, description of processing, security measures, sub-processor list) are populated by this DPA and the Privacy Policy.
6. Data-subject requests
Fieldsmith will promptly notify Customer of any request received directly from a data subject relating to Customer Personal Data and, taking into account the nature of processing, will provide reasonable assistance so that Customer can respond within legal timelines. Customer is responsible for responding to end-user requests, including as an “authorized agent” under CCPA/CPRA where applicable.
7. Security measures
Fieldsmith implements at minimum the following safeguards:
- Encryption — TLS 1.2+ in transit; AES-256 encryption at rest via the database provider.
- Access control — least-privilege access, role-based authorization, audit logging, and SSO/MFA for privileged accounts.
- Secure development — dependency scanning, code review, separated staging and production environments, least-exposure secret management.
- Monitoring — centralized error and access logging, alerting on suspicious activity, quarterly review of access lists.
- Business continuity — daily database backups, periodic restore tests.
- Personnel — confidentiality obligations for all staff with access; security and privacy training.
Fieldsmith may update these measures from time to time, provided the updates don't materially reduce the overall level of security.
8. Deletion and return of data
On Customer's termination of the service, Fieldsmith retains Customer Personal Data for 30 days so Customer can export it, then deletes or anonymizes Customer Personal Data from live systems within 90 days. Backups are purged on the next scheduled rotation, not to exceed 12 months. Fieldsmith may retain limited data where required by law (e.g., billing records for tax) and, in that case, keeps it secured and doesn't further process it.
9. Audits
Fieldsmith will make available, on reasonable written request and no more than once per 12 months (or more frequently if required by a supervisory authority or after a security incident), information necessary to demonstrate compliance with this DPA. Audits are conducted during normal business hours with at least 30 days' notice, do not disrupt Fieldsmith's operations or other customers' confidentiality, and are at Customer's cost unless they reveal material non-compliance.
10. Data-breach notification
Fieldsmith will notify Customer without undue delay (and, where feasible, within 72 hours) after becoming aware of a personal-data breach affecting Customer Personal Data. The notice will include the information required by Article 33(3) GDPR to the extent known, and Fieldsmith will provide further information as it becomes available.
11. General
If there's a conflict between this DPA and the Terms of Service, this DPA governs for data-protection matters. Each party's liability under this DPA is subject to the limitations in the Terms. This DPA takes effect when Customer accepts the Terms of Service, with no separate signature required.
12. Contact
For DPA questions, contact privacy@fieldsmith.work.