This Data Processing Addendum (the “DPA”) forms part of the Terms of Service or other written agreement (the “Agreement”) between Precision Touring, LLC (“Precision”) and the business customer that has accepted the Agreement (“Customer”). It governs Precision’s processing of Personal Information on Customer’s behalf in connection with the Services.
This DPA applies automatically to every Customer that uses the Services. Customers that require a signed copy on company letterhead may request one from legal@getprecision.co.
1. Definitions
- “Personal Information” means information that identifies or is reasonably capable of being associated with an identified or identifiable individual that Customer or its authorized users submit to the Services.
- “Customer Personal Information” means Personal Information that Precision processes on Customer’s behalf under the Agreement.
- “Privacy Laws” means all U.S. federal and state privacy laws applicable to Precision’s processing of Customer Personal Information, including the California Consumer Privacy Act as amended (the “CCPA”) and other state comprehensive privacy laws to the extent applicable.
- “Sub-processor” means a third party engaged by Precision to process Customer Personal Information on Precision’s behalf.
- Terms such as “Business,” “Service Provider,” “Sell,” “Share,” “Sensitive Personal Information,” and “Process” have the meanings given by the CCPA when used in CCPA-related provisions.
2. Roles of the Parties
For Customer Personal Information, Customer is the “Business” (or, where applicable, controller) and Precision is the “Service Provider” (or, where applicable, processor). Precision will process Customer Personal Information only on Customer’s documented instructions and only for the “Business Purposes” described in Section 3.
3. Subject Matter, Duration, Nature, Purpose, Categories
Subject matter and duration: Precision processes Customer Personal Information for the duration of the Agreement and for the period necessary to provide the Services described in the Agreement.
Nature and purpose: hosting and storing Customer’s tour-management and carrier-portal data; rendering the Services to Customer’s authorized users; generating documents and AI-assisted outputs Customer requests; sending transactional emails Customer triggers; integrating with services Customer authorizes (for example, QuickBooks Online); maintaining security, fraud-prevention, and audit logs; and otherwise providing the Services described in the Agreement (the “Business Purposes”).
Categories of data subjects: Customer’s personnel, contractors, and authorized users; crew members, vendors, venue staff, guests, and other third parties whose information Customer enters into the Services.
Categories of Personal Information: identifiers (name, email, phone); professional and employment information; approximate location; business contact information; tour, vehicle, and operational data; financial records (settlements, expenses, per-diem distributions); uploaded documents that may contain Sensitive Personal Information (for example, passport and visa details, work permits, tax forms, insurance information, dietary restrictions, and allergies); and authentication and usage information.
4. Precision’s Obligations as a Service Provider
Precision will:
- process Customer Personal Information only for the Business Purposes and only as permitted by the Agreement, this DPA, or Customer’s documented written instructions;
- not Sell or Share Customer Personal Information (as those terms are defined under the CCPA);
- not retain, use, or disclose Customer Personal Information for any purpose other than the Business Purposes, including not for any “commercial purpose” other than performing the Services;
- not combine Customer Personal Information with personal information received from or on behalf of any other person or collected from Precision’s own interactions with the data subject, except as permitted under 11 CCR § 7050(b);
- not retain, use, or disclose Customer Personal Information outside of the direct business relationship with Customer;
- notify Customer if Precision determines that it can no longer meet its obligations under Privacy Laws;
- permit Customer to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Information by Precision; and
- ensure that personnel authorized to process Customer Personal Information are bound by appropriate confidentiality obligations.
Precision certifies that it understands and will comply with the restrictions in this Section as required by California Civil Code § 1798.140(ag)(1)(A)-(D) and analogous provisions of other Privacy Laws.
5. Security
Precision will implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Personal Information against unauthorized access, disclosure, alteration, or destruction. These include, at minimum:
- encryption of Customer Personal Information in transit over public networks (TLS);
- encryption at rest at the database layer through our hosting provider;
- row-level security on tenant-scoped data;
- short-lived signed URLs for downloads of uploaded documents;
- scoped credentials and service-role isolation, with access on a need-to-know basis;
- access and change logging on financial-data tables;
- secrets management through environment-isolated configuration;
- routine patching of dependencies and infrastructure provided by sub-processors.
Precision will review its safeguards periodically and update them as appropriate to address changes in risk.
6. Personal Information Breach
Precision will notify Customer without undue delay, and in any event no later than 72 hours, after Precision confirms a Personal Information Breach affecting Customer Personal Information. “Personal Information Breach” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Information.
The notification will include, to the extent known:
- the nature of the breach, including categories and approximate number of records and data subjects affected;
- the likely consequences;
- the measures Precision has taken or proposes to take to address the breach and mitigate possible adverse effects; and
- a contact point for further information.
Precision will cooperate with Customer in good faith to investigate and respond to the breach and to support Customer’s notice obligations to its end users and regulators. Precision will not directly notify Customer’s data subjects or regulators about a breach affecting Customer Personal Information without Customer’s prior written consent, except where required by law.
7. Sub-processors
Customer authorizes Precision to engage the sub-processors listed at /sub-processors. Precision will:
- impose contractual data-protection obligations on each Sub-processor that are no less protective than those in this DPA;
- remain responsible for each Sub-processor’s performance under this DPA;
- maintain and update the list of Sub-processors at the URL above; and
- where Customer subscribes to email notifications of changes, provide notice of the addition or replacement of a Sub-processor at least 10 days before that Sub-processor begins processing Customer Personal Information, giving Customer the right to object on reasonable grounds. If Customer objects in writing within that period, the parties will work in good faith to resolve the objection; if not resolved, Customer may terminate the affected portion of the Services on written notice and receive a pro-rated refund of pre-paid fees for the terminated portion.
8. Assistance with Data-Subject Requests
Precision will, taking into account the nature of the processing, assist Customer through appropriate technical and organizational measures to respond to verifiable requests from data subjects to exercise their rights under Privacy Laws (including access, deletion, correction, portability, opt-out of sale or sharing, and limitation of use of sensitive personal information).
If Precision receives a data-subject request that relates to Customer Personal Information, Precision will forward it to Customer without undue delay and will not respond to the data subject except to acknowledge receipt and confirm that the request will be handled by Customer.
9. Audit and Demonstration of Compliance
Precision will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Customer may submit reasonable written audit requests to security@getprecision.co no more than once per twelve-month period, subject to (a) reasonable confidentiality protections, (b) at least 30 days’ advance notice, (c) Customer bearing its own costs and reimbursing Precision’s reasonable costs, and (d) the audit being conducted in a manner that does not unreasonably interfere with Precision’s operations. In response to such a request, Precision may, at its option, provide existing third-party reports or written attestations that adequately address the topics of the request.
10. Deletion and Return of Customer Personal Information
Within 30 days of expiration or termination of the Agreement (or earlier, on Customer’s written request), Precision will return or, at Customer’s election, delete all Customer Personal Information, except to the extent retention is required by law or for legitimate audit and security purposes, in which case Precision will isolate and protect the retained information from any further processing. Customer Personal Information stored in backup systems may persist for up to 30 additional days, after which it is overwritten in the ordinary course.
11. International Processing
Precision processes Customer Personal Information in the United States. The Services are not currently offered to data subjects in the European Economic Area, the United Kingdom, Switzerland, or other jurisdictions that require specific cross-border transfer mechanisms.
12. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA controls with respect to Precision’s processing of Customer Personal Information.
13. Contact
For all DPA matters, contact security@getprecision.co.