This Data Processing Agreement (“DPA”) supplements the Terms of Service and governs our processing of Customer Data on behalf of the pool service companies that use DeweyIQ (“Controllers”).
Parties
Processor: Coastal Bay Digital LLC (d/b/a DeweyIQ).
Controller: The organization that signs up for DeweyIQ.
Processing details
- Subject matter: Provision of pool service management software.
- Duration:For the term of the Controller's subscription, plus a reasonable export window.
- Categories of data subjects:Controller's end customers, staff, and leads.
- Types of data: Contact info, service history, chemistry, photos, payment metadata (card numbers never touched — see Stripe DPA).
Subprocessors
- Supabase — authentication, database, and storage.
- Stripe — payments and subscription billing.
- Twilio — SMS delivery.
- Resend — transactional email.
- Vercel — hosting and edge network.
- Anthropic — AI-powered features (photo diagnosis, smart reports).
- Mapbox / OpenRouteService — routing and map services.
Security measures
We maintain commercially reasonable technical and organizational measures including encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, audit logging of administrative activity, and regular dependency and vulnerability review. Access to production systems is limited to authorized personnel and requires multi-factor authentication.
Breach notification
We will notify Controllers without undue delay (and within 72 hours when applicable) of any confirmed breach affecting Customer Data.
International transfer
Customer Data is processed in the United States. DeweyIQ currently serves U.S.-based customers only; if that changes, this DPA will be updated with the appropriate cross-border transfer mechanisms (Standard Contractual Clauses, UK IDTA, or the EU-U.S. Data Privacy Framework, as applicable).
Term & termination
This DPA terminates with the Controller's subscription. On termination we will delete or return Customer Data in accordance with the Terms.