Data Processing Agreement
Template version: May 2026 — send to hello@tradeloper.com for countersignature
1. Parties
Data Controller ("Customer"): The business owner who holds a Tradeloper account (identified by the email address used at signup).
Data Processor ("Tradeloper"): AdModifier LLC d/b/a Tradeloper, 30 N Gould St #40766, Sheridan, WY 82801, USA. Contact: hello@tradeloper.com.
2. Subject Matter and Duration
This DPA governs the processing of personal data by Tradeloper on behalf of the Customer in connection with the Tradeloper SaaS service (SMS review requests, AI post generation, review tracking). It is incorporated into, and subject to, the Tradeloper Terms of Service. Duration: for the term of the active subscription plus any statutory retention period.
3. Nature and Purpose of Processing
- Sending SMS review requests and follow-up messages to the Customer's end-customers via Twilio.
- Sending Day-3 email review requests to the Customer's end-customers via Resend.
- Storing customer names, phone numbers, and optional email addresses on behalf of the Controller.
- Generating AI social media post content from review data and business context via Anthropic (Claude).
- Tracking Google review counts and review snippets via SerpAPI for the Controller's dashboard.
Categories of data subjects: the Controller's own customers (end-users). Categories of personal data: name, phone number, email address, SMS consent record, review engagement events.
4. Obligations of the Processor (Tradeloper)
Tradeloper shall:
- Process personal data only on documented instructions from the Controller (the Terms of Service and this DPA constitute those instructions).
- Ensure that authorised personnel are bound by confidentiality obligations.
- Implement appropriate technical and organisational security measures (see Section 5).
- Not engage a sub-processor without prior general authorisation (the sub-processors listed in Section 6 are hereby authorised); notify the Controller of any intended changes to sub-processors.
- Assist the Controller in responding to data subject rights requests under GDPR Arts. 15-22 within 72 hours of receiving notification from the Controller.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting Controller data.
- Delete or return all personal data to the Controller upon termination of the subscription and, if deletion is chosen, certify such deletion in writing within 30 days.
- Make available all information necessary to demonstrate compliance with this DPA and contribute to audits conducted by or on behalf of the Controller (reasonable prior notice required; limited to information relevant to Tradeloper's processing activities).
5. Security Measures
Tradeloper applies the following technical and organisational measures:
- Passwords hashed with bcrypt (cost factor 12).
- Google OAuth tokens encrypted at rest with AES-256-GCM.
- Sessions protected with httpOnly + sameSite cookie flags; CSRF protection on state-mutating routes.
- All HTTP traffic served over TLS (enforced by Replit infrastructure).
- Database access restricted to application service account; no direct public access.
- Twilio webhook signatures validated on every inbound request.
- IP addresses hashed with a daily HMAC salt before storage; raw IPs are never persisted.
- Access to admin endpoints gated by a secret ADMIN_TOKEN.
6. Authorised Sub-processors
The Controller hereby provides general authorisation for the following sub-processors. Each is engaged under a written DPA or Standard Contractual Clauses covering transfers to the US:
- Twilio Inc. (San Francisco, CA, USA) — SMS delivery.
- Anthropic PBC (San Francisco, CA, USA) — AI content generation.
- Paddle.com Market Ltd. (London, United Kingdom) — payment processing and Merchant of Record.
- Resend Inc. (San Francisco, CA, USA) — transactional email.
- Replit Inc. (San Francisco, CA, USA) — cloud hosting and database.
- SerpAPI LLC (Boulder, CO, USA) — Google review count and snippet retrieval.
- Functional Software, Inc. (Sentry) (San Francisco, CA, USA) — anonymised error monitoring.
7. International Transfers
All sub-processors are based in the United States. Where personal data originates from the EEA or UK, transfers to the US are made under the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor). A copy of the applicable SCCs is available on request at hello@tradeloper.com.
8. Contact for Execution
To execute this DPA, email hello@tradeloper.com with the subject line "DPA Execution Request — [your business name]". We will return a countersigned copy within 5 business days.
AdModifier LLC d/b/a Tradeloper · 30 N Gould St #40766, Sheridan, WY 82801, USA