Data Processing Agreement (DPA)

Last updated: June 2026 · For crew & employee personal data

This DPA supplements the Terms of Service and Privacy Policy when your organization (the Customer / data controller) uses Tower OPS to process personal data of crew members, subcontractors, and field staff (the Data Subjects).

1. Roles

• Customer is the data controller for crew/employee data entered into the Service.
• GCE Field / Tower OPS (“Processor”) processes data only on documented instructions from the Customer, to provide hosting, sync, backup, and support for the Service.

2. Categories of data processed

• Identity & contact: name, email, phone, crew assignment, role
• Employment / field ops: site assignments, check-in/out timestamps, GPS at check-in (if enabled), daily updates
• Compliance: OSHA certificates, safety photos, incident notes, construction documents linked to crews
• Technical: login logs, device/browser metadata, API audit for security

3. Purpose & instructions

Processor shall process personal data solely to: operate app.gcefield.cc, sync desktop and mobile, store documents, generate operational reports for the Customer, and provide support. Processor shall not sell personal data or use it for unrelated marketing.

4. Sub-processors

Infrastructure may include cloud hosting (e.g. VPS provider), email delivery, and optional AI document naming when the Customer enables it. Processor remains responsible for sub-processors under standard contractual terms.

5. Security measures

• HTTPS in transit; access controls and role-based permissions
• Authentication tokens; production CORS and rate limiting
• Scheduled backups of database and uploads (see Customer onboarding)
• Incident notification to Customer without undue delay after becoming aware of a breach affecting personal data

6. International transfers

Data is hosted in the region agreed at contract (default: US/EU VPS as provisioned). Customer is responsible for lawful transfer mechanisms where required (e.g. SCCs) for cross-border crew data.

7. Retention & deletion

Processor retains data for the subscription term plus a reasonable export window. Upon termination, Customer may export data; Processor deletes or returns data within 30 days unless law requires retention.

8. Data subject rights

Requests from Data Subjects (access, correction, deletion) should be directed to the Customer as controller. Processor assists the Customer in fulfilling requests where technically feasible.

9. Audits

Upon reasonable notice, Customer may request summary security information or questionnaires. On-site audits apply only for Enterprise agreements with prior written schedule.

10. Contact

DPA & privacy inquiries: support@gcefield.cc

Privacy Policy · Terms · Service overview · Support · Admin manual