Data Processing Agreement
Last updated: April 4, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between you (the "Controller" or "Customer") and CW Timer, LLC, operating the CW Timer service (the "Processor"), collectively referred to as the "Parties." CW Timer, LLC operates under MFLIT LLC.
This DPA applies where the Processor processes personal data on behalf of the Controller in connection with the provision of the CW Timer service, and is designed to comply with Article 28 of the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Definitions
- Controller — the MSP or organization that subscribes to CW Timer and determines the purposes and means of processing personal data.
- Processor — CW Timer, LLC, which processes personal data on behalf of the Controller to provide the CW Timer service.
- Personal Data — any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
- Sub-processor — a third party engaged by the Processor to assist in processing personal data on behalf of the Controller.
- Data Subject — the individual to whom personal data relates, such as the Controller's employees or technicians who use CW Timer.
3. Roles and Responsibilities
The Customer (MSP) acts as the Data Controller. The Customer determines which employees and technicians use CW Timer, what ConnectWise data is accessed, and how time entries are managed.
CW Timer, LLC acts as the Data Processor. We process personal data solely on behalf of and under the documented instructions of the Controller, and only to the extent necessary to provide the CW Timer service.
4. Processing Purposes and Scope
The Processor processes personal data only for the following purposes:
- Providing the CW Timer time tracking service and synchronizing data with ConnectWise Manage
- Authenticating users and managing account access
- Processing subscription payments through Stripe
- Maintaining service security and preventing abuse
- Providing customer support
Categories of personal data processed include: names, email addresses, ConnectWise member identifiers, time entry data, usage metadata, IP addresses, and optionally GPS location data.
Categories of data subjects include: the Controller's employees, contractors, and technicians who use the CW Timer service.
5. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 7
- Assist the Controller in responding to data subject requests
- Assist the Controller in ensuring compliance with data protection obligations, including breach notification, impact assessments, and prior consultation with supervisory authorities
- At the Controller's choice, delete or return all personal data upon termination of the service, unless retention is required by law
- Make available to the Controller all information necessary to demonstrate compliance with this DPA
6. Sub-processors
The Controller authorizes the Processor to engage the following sub-processors:
- Stripe — payment processing and subscription billing (San Francisco, USA)
- Vercel — application hosting and edge deployment (San Francisco, USA)
- Neon — PostgreSQL database hosting (USA)
- Anthropic — AI chat feature on the marketing website only (San Francisco, USA)
The Processor will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. If the Controller objects on reasonable grounds, the Parties will work together in good faith to find an alternative arrangement. If no resolution is reached, the Controller may terminate the affected portion of the service.
The Processor ensures that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
7. Security Measures
The Processor implements the following technical and organizational measures to protect personal data:
7.1 Encryption
- Data at rest is encrypted using AES-256-GCM
- Data in transit is encrypted using TLS 1.2 or higher
- ConnectWise API credentials receive additional application-layer encryption
7.2 Access Controls
- Role-based access controls limit data access to authorized personnel
- Administrative access requires multi-factor authentication
- Least-privilege principles are applied to all system access
7.3 Infrastructure
- Application hosted on Vercel's infrastructure with automatic scaling and isolation
- Database hosted on Neon with automated backups and point-in-time recovery
- Regular security reviews and dependency updates
8. Data Subject Rights
The Processor will assist the Controller in fulfilling data subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.
If the Processor receives a request directly from a data subject, the Processor will promptly notify the Controller and will not respond to the request without the Controller's instructions, unless required by law.
9. Data Breach Notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach, including the categories and approximate number of data subjects and records affected
- The name and contact details of the point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its effects
The Processor will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any breach.
10. Data Deletion and Return
Upon termination of the service or upon the Controller's written request, the Processor will, at the Controller's election:
- Return all personal data to the Controller in a commonly used, machine-readable format
- Delete all personal data and confirm deletion in writing
Deletion will be completed within 30 days of the request, unless retention is required by applicable law. Time entries previously synchronized to the Controller's ConnectWise Manage instance are not affected by deletion within CW Timer.
11. Audit Rights
The Processor will make available to the Controller all information necessary to demonstrate compliance with this DPA and applicable data protection laws. The Controller may conduct audits, including inspections, either directly or through an independent third-party auditor, subject to reasonable advance notice of at least 30 days.
Audits will be conducted during normal business hours and in a manner that minimizes disruption to the Processor's operations. The Controller will bear the costs of any audit unless the audit reveals material non-compliance by the Processor.
12. International Data Transfers
Personal data is processed and stored in the United States. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States, the Processor relies on appropriate transfer mechanisms, including the EU-U.S. Data Privacy Framework where applicable, and standard contractual clauses as adopted by the European Commission.
13. Term and Termination
This DPA remains in effect for the duration of the Controller's use of the CW Timer service and for as long as the Processor retains any personal data processed on behalf of the Controller. The obligations in this DPA survive termination to the extent necessary to fulfill their purpose.
14. Governing Law
This DPA is governed by the laws of the State of Texas, without regard to its conflict of law provisions, except where mandatory data protection laws (such as the GDPR) require otherwise.
15. Contact
For questions about this DPA or to exercise any rights under it, contact us:
- Email: privacy@cwtimer.com
- Contact page: cwtimer.com/contact
Effective date: April 2026