Last updated: May 7, 2026
Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements the GladiusTurf Terms of Service and Privacy Policy and applies whenever you (the “Customer”) instruct Gladius Inc. (“Gladius”) to process Personal Data on your behalf through the GladiusTurf service.
Customer is the data controller. Gladius is the data processor. Gladius will only process Personal Data per Customer’s documented instructions, the Terms, this DPA, and applicable law.
1. Scope and roles
Customer warrants that it has a lawful basis (consent, contract, or legitimate interest) to upload, transmit, or instruct Gladius to process the Personal Data of its end customers (homeowners, employees, prospects). Gladius does not independently determine the purposes of that processing.
2. Categories of data + data subjects
- End customer (homeowner) data: name, email, phone, service address, property notes, photos, scheduled jobs, invoice history, recorded messages.
- Employee / crew data: name, role, work email, phone, schedule, certifications. Not SSN or bank routing — those are not collected until a payroll integration ships.
- Prospect data: any lead or quote information uploaded or captured through GladiusTurf.
3. Sub-processors
Customer authorizes Gladius to engage the following sub-processors. Material additions or substitutions will be announced 30 days in advance via email + this page; Customer may object and (if Gladius cannot accommodate) terminate the affected service.
- Vercel Inc. — application hosting, CDN, edge middleware. United States.
- Supabase Inc. — Postgres database, authentication sub-system, file storage. United States.
- Anthropic, PBC — large language model inference for AI-assisted features (Ask Gladius, Quote Drafter). Per Anthropic’s commercial terms, prompts are not used to train their models. United States.
- Resend — transactional and marketing email delivery. United States.
- Stripe Inc. — payment processing. Card data is tokenized at the browser and never touches Gladius infrastructure. United States.
- Twilio Inc. — SMS and voice (when enabled by Customer). United States.
4. Security measures
Gladius implements technical and organizational measures appropriate to the risk of processing, including:
- Encryption in transit (TLS 1.2+) and at rest (Supabase-managed AES on Postgres + storage).
- Tenant scoping enforced at the application layer; database-level row-level security (RLS) policies are present, and migration to RLS as the primary boundary is on the active engineering roadmap.
- Authentication via signed magic-link tokens (HMAC-SHA256, 15-minute TTL). Session cookies are HttpOnly + Secure.
- Regular dependency scanning, secret rotation, and pre-deployment review.
5. Breach notification
If Gladius confirms a Personal Data breach affecting Customer’s workspace, Gladius will notify Customer without undue delay and in any case within 72 hours of confirmation. The notification will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address it.
6. Deletion and return of data
Customer may export its workspace data via the in-product export, the API, or by emailing legal@gladiusturf.com.
On termination of the underlying agreement, Gladius will delete or anonymize Customer Personal Data within 90 days, except where retention is required by law (tax, anti-fraud, dispute resolution). Backups roll off within 90 days of the deletion request.
7. International transfers
All sub-processors above operate infrastructure in the United States. If Customer or its end customers are located outside the U.S., Gladius relies on Standard Contractual Clauses (or equivalent transfer mechanisms) where required. If you are an EU/UK Customer and need a countersigned SCC addendum, request it at legal@gladiusturf.com.
8. Audit rights
Customer may request, no more than once per year, a written summary of Gladius’s security posture (controls, sub-processor register, incident log) sufficient to demonstrate compliance with this DPA. On-site audit rights are not granted; certifications and third-party reports (when available) substitute.
9. Contact
Email legal@gladiusturf.com for any DPA-related question, sub-processor objection, breach report, or counter-signature request. We respond within one business day.
This DPA is provided as a baseline. Enterprise Customers may request a counter-signed copy with bespoke terms — email legal@gladiusturf.com.