Data Processing Agreement

This Data Processing Agreement (“DPA”) supplements the Field Terms of Service (the “Agreement”) between Field.is LLC (“Field,” “Processor”) and the Operator who has accepted the Agreement (“Operator,” “Controller”). It governs Field's processing of Personal Data on behalf of the Operator in connection with the Operator's use of the Field platform.

1. Definitions

Personal Data — any information relating to an identified or identifiable natural person, as processed under this DPA. Includes information about the Operator's clients and end users (Operator Client Data).

Processing — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure.

Operator Client Data — Personal Data submitted to Field by the Operator about the Operator's end clients, including but not limited to email content, communication records, contact information, and AI-derived assessments.

Sub-Processor — a third party engaged by Field to process Personal Data on the Operator's behalf, as listed in Section 6.

Data Protection Laws — applicable data protection and privacy laws including, where relevant, the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and equivalent laws in other jurisdictions.

2. Roles and Scope

Field acts as Processor on the Operator's behalf. The Operator acts as Controller for Operator Client Data and is responsible for establishing the lawful basis for processing, obtaining any required consents, and responding to data-subject requests from end clients.

Field does not determine the purposes or means of processing Operator Client Data. Field processes Operator Client Data exclusively to provide the services described in the Agreement and per the Operator's instructions documented in this DPA, the Agreement, and the Field platform's standard configuration.

3. Subject Matter and Duration

Subject matter: Processing of Personal Data to provide practice-management services, including email triage, AI assessment, work tracking, billing, monitoring, and client communications.

Duration: For the term of the Agreement plus the retention periods set out in the Privacy Policy.

Nature and purpose: Storage, retrieval, structured analysis, transmission of communications, and incidental processing required to operate the Field platform.

Categories of data subjects: The Operator's end clients; the Operator's end clients' authorized contacts; and the Operator's own personnel where applicable.

Categories of Personal Data: Names, email addresses, business contact information, communications content, project notes, billing records, AI-derived assessments and classifications.

4. Operator (Controller) Obligations

The Operator represents and warrants that:

• It has the legal authority to submit Personal Data to Field and to instruct Field's processing.
• It has provided all required notices and obtained all required consents from its end clients in accordance with applicable Data Protection Laws.
• Its instructions to Field comply with Data Protection Laws.
• It is the appropriate party to respond to data-subject requests from its end clients.

5. Field (Processor) Obligations

Field will:

• Process Personal Data only on documented instructions from the Operator, including with regard to transfers of Personal Data, unless required to do so by applicable law.
• Ensure persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
• Implement the technical and organizational measures described in Section 7 to protect Personal Data.
• Engage only the Sub-Processors listed in Section 6, and notify the Operator before engaging new Sub-Processors per Section 6.
• Assist the Operator, taking into account the nature of processing and the information available to Field, in fulfilling its obligations to respond to data-subject requests under Data Protection Laws.
• Notify the Operator without undue delay after becoming aware of a Personal Data breach.
• At the Operator's choice, delete or return all Personal Data to the Operator after the end of the provision of services, subject to retention required by applicable law.
• Make available to the Operator all information necessary to demonstrate compliance with the obligations in this DPA.

6. Sub-Processors

The Operator authorizes Field to engage the following Sub-Processors to provide the platform services:

• Anthropic (USA) — AI processing. Platform-level features (site scanning, request parsing, report drafts) use Field's own Anthropic credentials. Operator-level features (email triage, inline assessment, command bar, voice intent) use the Operator's own API credentials; for those API calls the relationship is directly between the Operator and Anthropic.
• OpenAI (USA) — Speech-to-text transcription (Whisper API) for operator voice commands. Audio is transmitted to OpenAI using Field's credentials and is not retained by Field after transcription.
• Google PageSpeed Insights (USA) — Public-page performance metrics fetched during site scans. Only the scanned URL is sent; no operator or client data is transmitted.
• WPScan (USA/UK) — WordPress plugin/theme vulnerability lookups during agent polls. Only plugin/theme slugs and versions are sent; no operator or client data is transmitted.
• WordPress.org (USA) — Public advisory RSS feed read by a scheduled job. No data is sent.
• Cloudflare R2 (USA) — Object storage for the Field Agent install package distributed to operator sites. Only the package URL is fetched; no operator or client data is transmitted.
• Stripe (USA) — Payment processing and subscription billing.
• Resend (USA) — Transactional email delivery (outbound).
• ImprovMX (USA) — Inbound email forwarding for Field intake addresses (*@in.field.is). Email content reaches Field through this provider before being parsed by the intake webhook.
• Supabase (USA, US-East region) — Database hosting, authentication, and storage.
• Vercel (USA) — Application hosting and edge functions.
• Pushover (USA) — Operator push notifications.
• Harvest (USA) — Time-tracking sync, when the Operator has connected their Harvest account. Field acts as a transmitter between the Operator's Field workspace and the Operator's own Harvest account.

Field will provide at least 14 days' notice before adding or replacing a Sub-Processor. The Operator may object to a new Sub-Processor on reasonable grounds related to data protection; in that case the parties will work in good faith to resolve the objection, and absent resolution, the Operator may terminate the Agreement.

7. Security Measures

Field implements the following technical and organizational measures:

• Encryption in transit (HTTPS/TLS) for all client connections and inter-service traffic.
• Encryption at rest for the production database (managed by Supabase).
• Row-level security policies on all multi-tenant tables, with restrictive policies enforcing operator scope at the database layer.
• Authentication via Supabase Auth with magic-link, password, and TOTP MFA support.
• Scoped API key authentication for integration endpoints; integration credentials stored server-side with provider-managed encryption at rest (Supabase Postgres).
• Operator-scoped access controls; no Field personnel routinely access Operator Client Data outside of incident response, with audit logging for any such access.
• Adversarial security review of major surfaces (auth, intake, AI pipelines, outbound communications, portal RLS) prior to production deployment.
• Centralized error logging with PII redaction (email addresses masked, sensitive fields dropped, long bodies truncated).

8. International Data Transfers

Field and its Sub-Processors are located in the United States. Where applicable, Operators in the European Economic Area, the United Kingdom, or other jurisdictions with cross-border transfer restrictions rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, as supplemented by the security measures in Section 7, as the lawful basis for transfer. The SCCs (Module 2: controller-to-processor) are incorporated into this DPA by reference for Operators based in jurisdictions where they apply.

9. Data Subject Requests

End-client data-subject requests (access, correction, deletion, portability, restriction) should be directed by the data subject to the Operator. The Operator is responsible for responding within the timeframes required by applicable law. Field will assist the Operator on request via privacy@field.is — export and deletion are currently handled as manual processes; Field will acknowledge requests within 5 business days and respond substantively within 30 days.

10. Breach Notification

In the event of a Personal Data breach affecting Operator Client Data, Field will:

• Notify the affected Operators without undue delay after becoming aware of the breach, and in any event within 72 hours where required by Data Protection Laws.
• Provide details sufficient for the Operator to meet its own notification obligations, including the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed to address the breach.
• Cooperate in good faith with the Operator's response and remediation efforts.

11. Audits

Field will make available to the Operator all information reasonably necessary to demonstrate compliance with this DPA. Operators may request, no more than once per year, a written summary of Field's security practices and applicable third-party audit reports of Sub-Processors. On-site audits are not generally available for a single-operator subscription; Operators with elevated compliance needs should discuss bespoke arrangements before subscribing.

12. Return or Deletion of Personal Data

Upon termination of the Agreement, the Operator may request that Field delete or return all Personal Data. Return and deletion are currently handled as manual processes — the Operator initiates the request to privacy@field.is within 60 days of termination, and Field will execute within 30 days of receipt. The following exceptions apply:

• Billing and invoice records, retained for 7 years per tax requirements;
• Backups, which are purged on the standard backup rotation schedule.

Inbound email content and AI-generated assessments are also subject to automated 18-month redaction during the term of the Agreement, as described in the Privacy Policy.

13. Liability

The liability of each party under this DPA is subject to the limitations of liability set out in the Agreement.

14. Term and Termination

This DPA takes effect when the Operator first accepts the Agreement and continues for the term of the Agreement. Provisions that by their nature should survive termination — including confidentiality, breach notification for pre-termination breaches, and post-termination data handling — survive accordingly.

15. Governing Law and Jurisdiction

This DPA is governed by the same governing law and dispute-resolution provisions as the Agreement (Sections 12 and 13 of the Field Terms of Service).

16. Contact

For DPA-related inquiries, sub-processor notifications, or signed-copy requests:
privacy@field.is