Data Processing Agreement

The short version

  • You’re the “controller” of the personal data you put into RepairStep. We’re the “processor” — we hold and process that data on your behalf, under your instructions.
  • We don’t use your data for marketing, ads, AI training, or anything else outside running the product for you.
  • You can export or delete your data any time. When your account ends, we delete or return what’s left within 90 days.
  • We use a small set of trusted sub-processors (listed below) and we’ll tell you in advance before we add or change any of them.

1. What this agreement is

This Data Processing Agreement (“DPA”) forms part of the agreement between you (the “Customer”) and RepairStep (the “Agreement”) governing your use of the RepairStep product (the “Service”).

It sets out how RepairStep handles personal data on your behalf when you use the Service. Where this DPA conflicts with the rest of the Agreement on data protection topics, this DPA wins.

2. Roles

For personal data you put into the Service — your customers’ details, repair records, contact information, photos, notes and so on (“Customer Data”):

  • You are the data controller. You decide what data goes in, why, and what to do with it.
  • RepairStep is the data processor. We process Customer Data only to provide the Service, follow your documented instructions (which include the configuration options inside the product), and comply with the law.

For data about you directly — your account, sign-in credentials, billing, support requests — we act as a controller. That data is governed by our Privacy Policy, not this DPA.

3. Scope and purpose of processing

Subject matter: Provision of the RepairStep Service.

Duration: For as long as your account is active, plus the wind-down period in section 12.

Nature and purpose: Storing, displaying, transmitting, organising and otherwise handling Customer Data so that you can manage your repair operation through RepairStep.

Categories of personal data: Names, contact details (email, phone, address), product and repair details, photographs, communications history, payment status information, and any other personal data you choose to put into the Service.

Categories of data subjects: Your customers, your staff, your suppliers’ staff (where you record them), and any other individuals whose information you enter into the Service.

4. Your instructions

Your use of the Service is your instruction to us to process Customer Data for the purposes set out in the Agreement and this DPA. If you want us to process Customer Data differently, you can send written instructions to info@repairstep.com.

We’ll let you know if an instruction would, in our reasonable opinion, breach the law. We’ll also let you know if we’re required by law to process Customer Data in a way that goes beyond your instructions — unless that law itself prevents us from telling you.

5. Sharing with other organizations

The Service is designed to let you connect to and share Customer Data with other organizations that also use RepairStep, and to send specific Customer Data to off-platform recipients (for example, suppliers you contact via a magic link). When you do that:

  • Your decision. Forwarding a repair, connecting to a partner, or sending a magic link is your instruction to us, and we’ll give effect to it through the Service.
  • They become independent controllers. Another RepairStep organization that receives Customer Data from you holds and processes it as an independent controller for their own purposes — not as your sub-processor. They’re responsible for what they do with the data under applicable data-protection law.
  • You confirm the lawful basis. You’re responsible for having an appropriate legal basis and notice in place with the relevant data subjects to share their data with the recipient.
  • Off-platform recipients. Where you authorise a magic-link share with a recipient who isn’t a RepairStep customer, that recipient receives Customer Data outside the scope of this DPA. You choose who to send the link to and what data to share.

We provide the technical means for these sharing flows. We don’t pick the recipients or decide what data is shared.

6. Sub-processors

You authorise us to engage the third-party sub-processors below. Each is contractually bound to data-protection obligations no less protective than those in this DPA.

Sub-processor   Purpose                                       Location
-------------   -------------------------------------------   -----------
Clerk           Authentication, sign-in, session management   USA
Vercel          Application hosting, request logs             USA / EU
Neon            Database hosting (Postgres)                   USA / EU
Brevo           Transactional email delivery                  EU (France)
Stripe          Payment processing (paid plans only)          USA

We’ll give you at least 30 days’ notice (by email to your account contact, or by updating this page) before we add or replace a sub-processor. If you reasonably object on data-protection grounds, you can terminate the affected portion of the Service.

7. International transfers

Customer Data may be transferred to and processed in countries outside the country you operate from — primarily the EU and the USA — because that’s where our sub-processors run.

Where data is transferred out of the EEA or UK to a country that isn’t covered by an adequacy decision, we rely on recognised legal transfer mechanisms (typically the Standard Contractual Clauses, with the UK Addendum where applicable).

8. Security

We maintain appropriate technical and organisational measures to protect Customer Data, including:

  • Encryption in transit (TLS) for all traffic, and encryption at rest for the database and file storage.
  • Role-based access controls and the principle of least privilege internally. Production data access is limited to personnel who need it.
  • Activity logging, monitoring and regular review of access.
  • Routine backups, with backup retention scoped to support recovery without indefinite data accumulation.
  • Documented incident-response procedures.

We may update these measures over time so long as the level of protection doesn’t materially decrease.

9. Personnel

Anyone we authorise to process Customer Data is committed to confidentiality (either by contract or under a statutory obligation) and has received appropriate training on their data protection responsibilities.

10. Data subject requests

The Service includes tools that let you respond to data subject requests yourself — viewing, exporting, correcting and deleting Customer Data inside the product.

If a data subject contacts us directly with a request about their data, we’ll either redirect them to you or, where we’re permitted, pass the request on to you without delay. We’ll provide reasonable assistance to help you respond within the deadlines the law gives you.

11. Personal data breaches

If we become aware of a personal data breach affecting Customer Data, we’ll let you know without undue delay and in any event within 72 hours of becoming aware. Our notice will include, to the extent we can:

  • The nature of the breach and the data affected.
  • The likely consequences and the measures we’ve taken or plan to take to address it.
  • A contact point for more information.

We’ll cooperate with you in fulfilling your own notification obligations (to regulators and affected individuals) where the law requires them.

12. Return and deletion of Customer Data

When your account ends — whether you cancel or we terminate — you can export your Customer Data using the in-product export tools.

We’ll delete or anonymise the Customer Data we hold within 90 days after the end of your account, except where we’re required by law to keep it longer (e.g. for tax or accounting records). Backups will roll off on their own retention schedule (typically within a further 30 days).

13. Audits

On reasonable request — no more than once per year unless required by a regulator — we’ll provide you with the information you reasonably need to demonstrate our compliance with this DPA. This will normally take the form of questionnaires, security summaries, or certifications. Physical or onsite audits are by mutual agreement.

14. Term and changes

This DPA applies for as long as we process Customer Data on your behalf, and the obligations that should reasonably survive termination (security, deletion, confidentiality) will survive.

We may update this DPA from time to time. We’ll change the “Last updated” date below and, for material changes, notify account holders before they take effect.

15. Contact

For DPA-related questions or to send formal instructions, email info@repairstep.com.

Last updated: 25 May 2026