← Back to NorthReeve

Data Processing Addendum

Last updated: July 15, 2026

Related: Master Services Agreement Privacy Policy Terms of Service Refund Policy

This Data Processing Addendum ("DPA") is entered into between NorthReeve Software LLC, a Massachusetts limited liability company ("NorthReeve", "we", "us", or the "Processor") and the customer identified in the Master Services Agreement (the "Customer", "you", or the "Controller"). This DPA is incorporated into and forms part of the Master Services Agreement between the parties (the "MSA"). If there is a conflict between this DPA and the MSA on the subject of data protection, this DPA controls. Capitalized terms not defined here have the meanings given in the MSA.

This DPA governs NorthReeve's processing of personal information that the Customer submits to or generates within the Glide By Blade platform (the "Platform"). NorthReeve acts only as a service provider and processor for that data; the Customer is the business and controller and determines the purposes and means of processing.

1. Definitions

"Applicable Data Protection Law" means all US federal and state privacy and data protection laws applicable to the processing of Customer Personal Data, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (the "CCPA") and its regulations, and the comprehensive privacy laws of other US states as they apply. "Customer Personal Data" means personal information within Customer Data that NorthReeve processes on the Customer's behalf under the MSA. "Personal Data", "personal information", "business", "service provider", "contractor", "third party", "sell", "share", "process", and "consumer" have the meanings given under Applicable Data Protection Law. "Sub-processor" means a third party engaged by NorthReeve to process Customer Personal Data. "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data processed by NorthReeve.

2. Roles of the parties

As between the parties, the Customer is the business and controller of Customer Personal Data, and NorthReeve is the service provider and processor. NorthReeve processes Customer Personal Data only on the Customer's documented instructions, which include the MSA, this DPA, and the Customer's configuration and use of the Platform. The Customer is responsible for the accuracy of Customer Personal Data and for having a lawful basis and any required notices or consents to collect it and to have NorthReeve process it, including any consents required for calls, text messages, and email as described in the MSA.

3. Scope, nature, and purpose of processing

The subject matter of the processing is NorthReeve's provision of the Platform. The nature and purpose of processing is to host, operate, secure, support, and provide the features of the Platform to the Customer, including scheduling and routing, the field application, invoicing and payments, telephony and messaging, email and marketing, chat, leads and CRM, lawn measurement, AI-assisted features, data migration, backups, and related functions. Processing continues for the term of the MSA and the periods described in Section 10.

Categories of data subjects

Categories of Customer Personal Data

NorthReeve does not intend for the Platform to be used to process special categories of sensitive data beyond what is described above. The Customer is responsible for not submitting data outside these categories without first agreeing appropriate terms with NorthReeve.

4. NorthReeve's processing obligations

NorthReeve will:

5. Confidentiality

NorthReeve will treat Customer Personal Data as the Customer's confidential information, will limit access to personnel who need it to provide the Platform, and will ensure those personnel are bound by appropriate confidentiality obligations and are trained on their data protection responsibilities.

6. Security measures

NorthReeve will implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data against a Security Incident, taking into account the nature of the data and the risks. These measures include, at a minimum:

The Customer is responsible for the security of its own account, including managing its users and roles, protecting its login credentials, and configuring the Platform appropriately.

7. Sub-processors

The Customer provides NorthReeve general authorization to engage Sub-processors to help provide the Platform. NorthReeve engages the following categories of Sub-processor:

CategoryFunction
Cloud hosting and infrastructureHosting of the Platform, databases, and encrypted backups
Telephony and messaging providersBusiness phone, voice, and two-way SMS and MMS features
Email delivery providerTransactional and marketing email sending
Payment processor and accounting integrationCard and ACH payment processing and QuickBooks Online sync
Maps and aerial or satellite imagery providerRouting, mapping, and lawn measurement
AI service providerAI-assisted features such as area detection, chat assistance, and smart pricing suggestions
Analytics and error monitoringPlatform reliability and performance

NorthReeve will impose data protection obligations on each Sub-processor that are substantially the same as those in this DPA, and NorthReeve remains responsible for its Sub-processors' performance. NorthReeve will maintain a current list of Sub-processors and will give the Customer at least thirty (30) days' notice before adding or replacing a Sub-processor that processes Customer Personal Data. The Customer may object on reasonable data protection grounds within that period; if the parties cannot resolve the objection, the Customer may terminate the affected part of the Platform as its exclusive remedy.

8. Assistance with data-subject requests and compliance

Taking into account the nature of the processing, NorthReeve will provide reasonable assistance to enable the Customer to respond to verifiable requests from consumers to exercise their rights under Applicable Data Protection Law, including rights to know, access, correct, delete, and obtain a portable copy, and to honor opt-out and limitation requests. Where NorthReeve receives a request directly from a consumer relating to Customer Personal Data, NorthReeve will not respond directly except to direct the consumer to the Customer, and will promptly inform the Customer. NorthReeve will also provide the Customer reasonable assistance with data protection impact or risk assessments and consultations to the extent required by Applicable Data Protection Law and relevant to the Platform.

9. Audits and verification

NorthReeve will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. No more than once per twelve (12) month period, and on reasonable prior written notice, the Customer may take reasonable and appropriate steps to verify NorthReeve's compliance, which may be satisfied by NorthReeve providing responses to a reasonable written security questionnaire and any then-current audit reports or certifications. Any on-site review must be at reasonable times, must not unreasonably disrupt NorthReeve's operations, must be subject to confidentiality obligations, and must not require NorthReeve to disclose data of other customers or information that would compromise security.

10. Return and deletion on termination

On expiration or termination of the MSA, NorthReeve will, at the Customer's choice, make Customer Personal Data available for export for the data-export window stated in the MSA, and thereafter will delete or de-identify Customer Personal Data in its production systems within a commercially reasonable period, except for copies retained in routine backups (which are deleted on the ordinary backup cycle) or as required to be retained by law. During any retention of residual copies, this DPA continues to apply.

11. Security Incident notification

NorthReeve will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Customer Personal Data. The notice will describe, to the extent known, the nature of the incident, the categories and approximate volume of data involved, the likely consequences, and the measures taken or proposed to address it. NorthReeve will take reasonable steps to mitigate and remediate the incident and will reasonably cooperate with the Customer's investigation. As the controller, the Customer is responsible for determining whether and how to notify affected individuals and authorities. NorthReeve's notice is not an acknowledgment of fault or liability.

12. Service provider certification (CCPA)

NorthReeve certifies that it understands the restrictions in Section 4 and this DPA and will comply with them. NorthReeve is a service provider that receives Customer Personal Data solely to perform the services described in the MSA. NorthReeve does not sell or share Customer Personal Data, does not retain, use, or disclose it outside the direct business relationship or for any purpose other than the business purposes specified, and does not combine it with personal information from other sources except as permitted by Applicable Data Protection Law.

13. International transfers

NorthReeve processes and stores Customer Personal Data in the United States. The Platform is intended for use by US-based businesses and their US operations. If the Customer chooses to submit personal data originating outside the United States, the Customer is responsible for ensuring it may lawfully transfer that data to the United States for processing under this DPA, and the parties will cooperate in good faith to put in place any additional transfer terms then required by law.

14. General

This DPA is governed by the same law and dispute resolution provisions as the MSA. Except as amended by this DPA, the MSA remains in full force and effect. If any provision of this DPA is held invalid, the remainder continues in effect. This DPA takes effect on the effective date of the MSA and continues for as long as NorthReeve processes Customer Personal Data.

15. Contact

Data protection questions and notices under this DPA: forms@northreeve.com or sales@northreeve.com.