Legal · last updated 2026-05-10

Data Processing Agreement.

For B2B customers in regulated industries who need a written DPA to evidence GDPR / CCPA / state-privacy compliance. By using OutOfOfficePro under a paid subscription, this DPA is incorporated into your Terms of Service.

1. Definitions

"Customer" means the entity using OutOfOfficePro under a paid subscription. "OutOfOfficePro" or "Processor" refers to OutOfOfficePro, the SaaS service operated at outofofficepro.com. "Personal Data" has the meaning given in applicable data protection law (GDPR, CCPA, etc.). "Processing" means any operation performed on Personal Data.

2. Scope

This DPA applies to OutOfOfficePro's processing of Personal Data on behalf of Customer in the course of providing the routing service. Categories of Personal Data processed:

Customer's own contact data: name, email, business name, slug.
Customer's vendor / contact list: names, phone numbers, email addresses of third parties Customer adds for routing.
Tenant / caller data: name, phone, free-text description provided through the routing form.
Dispatch logs: timestamps, outcomes, who handled what.

3. Processor obligations

OutOfOfficePro:

Processes Personal Data only on documented instructions from Customer (use of the service constitutes such instructions).
Ensures persons authorized to process Personal Data are bound by confidentiality.
Implements appropriate technical and organizational measures (TLS, at-rest encryption via Cloudflare D1, single-use signed tokens, no password storage, magic-link-only auth, role separation between marketing-site analytics and customer dashboards).
Assists Customer in responding to data subject requests (access, deletion, portability) within reasonable timeframes.
Notifies Customer of any Personal Data breach without undue delay (within 72 hours of confirmed breach).

4. Sub-processors

Customer authorizes OutOfOfficePro to engage sub-processors. Current sub-processors:

Cloudflare — hosting, edge compute, DNS, D1 database storage. Located in US/EU.
Resend — transactional email delivery. Located in US.
Stripe — payment processing (only for paying customers). Located in US.
Google Analytics — marketing-site traffic analytics (does not process Customer's tenant/caller data).

OutOfOfficePro will notify Customer of any addition or replacement of sub-processors with at least 30 days' notice via email or dashboard banner. Customer may object within that window.

5. International transfers

Personal Data may be transferred to or stored in the United States and EU regions, depending on Cloudflare D1 region configuration. For Customers in the EU/UK, OutOfOfficePro and its sub-processors rely on Standard Contractual Clauses (SCCs) and equivalent transfer mechanisms.

6. Security measures

Technical and organizational measures include:

HTTPS / TLS for all data in transit.
At-rest encryption via Cloudflare D1.
Magic-link authentication; no passwords stored.
HMAC-signed single-use tokens for vendor actions.
Session token rotation with 30-day TTL.
Constant-time comparison for token verification.
Role separation: marketing-site analytics do not track customer dashboards.
Logs retained for 30 days maximum; not used for analytics or training.

7. Data subject requests

If a data subject (caller, tenant, vendor) contacts OutOfOfficePro directly with a request relating to data processed on Customer's behalf, OutOfOfficePro will:

Refer the data subject to Customer.
Notify Customer of the request without undue delay.
Assist Customer in responding (e.g., providing data export, executing deletion).

8. Audits

Customer may request reasonable evidence of OutOfOfficePro's compliance with this DPA, including documentation of security measures and sub-processor lists. OutOfOfficePro will respond to audit requests within 30 days. On-site audits are subject to mutual agreement and confidentiality terms.

9. Term and termination

This DPA remains in effect for the duration of Customer's paid subscription. Upon termination:

OutOfOfficePro will, at Customer's option, return or delete all Personal Data within 90 days.
OutOfOfficePro may retain logs for the duration of legal retention requirements (typically 30 days for server logs).
Sub-processors are bound by similar deletion timelines via their own data processing agreements with OutOfOfficePro.

10. Liability

The liability provisions in the Terms of Service apply to this DPA. Nothing in this DPA limits either party's statutory liability under applicable data protection law.

11. Changes

OutOfOfficePro may update this DPA. Material changes will be communicated via email or dashboard notice with at least 30 days' notice. Continued use after the notice period constitutes acceptance.

12. Contact

For DPA-related inquiries, data subject requests, or breach notifications: hi@outofofficepro.com.

Need a counter-signed copy?

For B2B customers who need a counter-signed DPA on company letterhead, email hi@outofofficepro.com with your company name and Customer signatory. We respond within 5 business days for most requests.