1. Scope & Roles
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between RIR LLC (“Processor”) and the customer (“Controller”) and applies where RIR LLC processes Personal Data contained in Customer Data on the Controller’s behalf. Where there is a conflict on data-protection matters, this DPA controls.
2. Definitions
“Applicable Data Protection Laws” means privacy and data-protection laws applicable to the processing, which may include the GDPR, UK GDPR, and U.S. state privacy laws. “Personal Data,” “Controller,” “Processor,” “Data Subject,” and “process” have the meanings given in Applicable Data Protection Laws.
3. Processing of Personal Data
The Processor will process Personal Data only: (a) to provide the Service per the Terms; (b) in accordance with the Controller’s documented lawful instructions; and (c) as required by law (with notice where permitted). The subject matter, duration, nature, and purpose of processing, the types of Personal Data, and categories of Data Subjects are described in an annex or as configured by the Controller within the Service.
4. Processor Obligations
The Processor will:
- process Personal Data only on documented instructions;
- ensure persons authorized to process are bound by confidentiality;
- implement appropriate technical and organizational security measures (Section 7);
- assist the Controller, taking into account the nature of processing, with data-subject requests and with security, breach notification, and impact assessments;
- make available information reasonably necessary to demonstrate compliance.
5. Controller Obligations
The Controller is responsible for the accuracy and legality of Customer Data, for having a lawful basis for the processing, and for providing required notices and obtaining required consents from Data Subjects.
6. Subprocessors
The Controller authorizes the Processor to engage subprocessors to provide the Service. Current subprocessors include those listed in our Privacy Policy (for example, Stripe, Cloudflare, and our email and hosting providers). The Processor will impose data-protection obligations on subprocessors substantially similar to those in this DPA and remains responsible for their performance. We will provide notice of new subprocessors and a reasonable opportunity to object.
7. Security Measures
The Processor maintains technical and organizational measures appropriate to the risk, including: encryption of data in transit; hashed credential storage; role-based access controls; network protections; logging and audit trails; and regular review of security practices. Specific measures may be detailed in a Security Annex available on request.
8. Personal Data Breach
The Processor will notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, and will provide information reasonably available to assist the Controller in meeting its notification obligations.
9. Data Subject Requests
Taking into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights. If a request is made directly to the Processor, it will, where lawful, direct the Data Subject to the Controller.
10. International Transfers
Where processing involves transfer of Personal Data across borders, the parties will rely on a lawful transfer mechanism, such as the EU Standard Contractual Clauses and UK Addendum, which are incorporated by reference where applicable.
11. Return & Deletion
Upon termination, the Processor will, at the Controller’s choice, delete or return Customer Data, and delete existing copies except where retention is required by law. Export is available for 30 days after termination; thereafter data is deleted in the ordinary course, subject to rolling backups.
12. Audits
The Processor will make available information reasonably necessary to demonstrate compliance and allow for audits, subject to reasonable confidentiality, scope, frequency, and notice requirements as further described in this Section.
13. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.
14. Contact
Data-protection inquiries: [email protected]
RIR LLC — 1750 14th Street, Orange City, FL 32763