Data Processing Addendum
Effective July 2, 2026
This Data Processing Addendum (DPA) forms part of the agreement between Climb Analytics, LLC and a customer for use of the Service. It describes how we process Customer Data on your behalf, the strict standard we apply before any data derived from Customer Data is used outside your organization, the subprocessors we rely on, and the rights and obligations of each party. Capitalized terms not defined here have the meaning given in the Terms of Service.
This DPA is a template for review. It must be reviewed and executed by counsel and the contracting parties before it is relied upon. The De-Identification & Aggregation Standard’s numeric thresholds are set here as defaults and are subject to confirmation.
1. Roles of the parties
For Customer Data that we ingest and process to provide the Service, the customer is the controller / business and Climb Analytics is the processor / service provider, acting only on the customer’s documented instructions (which include the Terms and this DPA). Where the customer is itself a processor for another controller, Climb acts as a sub-processor. For Aggregated Insights created under Section 5, Climb acts as an independent controller / business for its own account, because that information no longer identifies any person or operator.
2. Scope and subject matter
- Subject matter: provision of the Climb Analytics analytics Service.
- Duration: the term of the customer’s subscription plus the wind-down in Section 8.
- Nature and purpose: ingesting, storing, organizing, analyzing, and displaying Customer Data to produce analytics for the customer.
- Types of data: business records from connected sources — for example customers, appointments, payments, subscriptions, invoices, routes, employees/technicians, notes, communications, and reviews — which may include personal information of the customer’s own customers and staff.
- Data subjects: the customer’s customers, employees, technicians, and contacts.
3. Our obligations as processor
- process Customer Data only on the customer’s documented instructions, including for transfers, unless required by law (in which case we notify you where permitted);
- ensure personnel authorized to process Customer Data are bound by confidentiality;
- implement and maintain the security measures in Section 6;
- not sell Customer Data, and not use it for our own purposes except to create Aggregated Insights under Section 5 and to secure, support, and improve the Service;
- assist the customer, taking into account the nature of processing, with data-subject requests and with the customer’s own security, breach-notification, and impact-assessment obligations;
- make available information reasonably necessary to demonstrate compliance with this DPA.
4. Customer obligations
The customer is responsible for the accuracy and legality of Customer Data, for having the rights and any notices/consents needed to connect its sources and provide the data to us, and for issuing instructions that comply with law.
5. De-Identification & Aggregation Standard
Before any data derived from Customer Data is used in a benchmark, market product, the verified marketplace, or any output visible outside the contributing customer’s organization, Climb applies all of the following. This Standard is the operational commitment behind the “we do not expose your identity or raw numbers” promise in the Terms and Privacy Policy.
- Minimum cohort size (k-anonymity). No benchmark, statistic, or comparative output is generated or displayed unless it reflects a cohort of at least five (5) contributing operators for operator-facing benchmarking, and at least ten (10) contributing operators for any output made available to a broker, buyer, or other external third party. Any figure that would reflect fewer than the applicable minimum is suppressed or rolled up to a broader cohort (region, size band, or national) until the threshold is met.
- Small-cell suppression. Individual cells, segments, or slices that fall below the minimum cohort size are suppressed rather than shown.
- No single-operator outputs. No output may reveal, or reasonably allow the inference of, the data or identity of any single operator — including in thin or concentrated local markets, where cohorts are broadened or outputs withheld accordingly.
- No individual personal information. Aggregated Insights never include the personal information of any individual (a customer, employee, or technician).
- No re-identification. Climb applies reasonable technical and organizational measures against re-identification, maintains business processes prohibiting re-identification and inadvertent release, and does not attempt to re-identify de-identified data.
- Recipient obligations. Any recipient of Aggregated Insights (including brokers and buyers) is contractually prohibited from attempting to re-identify the data or to link it to any operator or individual.
- Ongoing review. De-identification is not treated as one-time; residual re-identification risk is reassessed periodically and thresholds are raised if a market’s structure warrants it.
Nothing that identifies a specific operator is disclosed to any broker, buyer, or other operator except with that operator’s separate, affirmative, and revocable opt-in to the verified marketplace, and then only to the extent the operator chooses.
6. Security measures
Climb maintains a security program that includes, at a minimum:
- encryption of Customer Data in transit and at rest;
- logical isolation of each customer organization’s data from every other’s;
- role-based access controls and single sign-on; least-privilege administrative access;
- read-only connections to source systems (Climb does not write back to your systems);
- hosting on Microsoft Azure with its infrastructure security controls;
- monitoring, logging, and vulnerability management; and
- personnel confidentiality obligations and security awareness practices.
7. Subprocessors
The customer authorizes Climb to engage subprocessors to provide the Service, each bound by data-protection terms no less protective than this DPA. Current subprocessors:
- Microsoft Azure — cloud hosting, storage, and database (United States).
- Vercel — hosting and delivery of the marketing website.
- Clerk — authentication and identity management.
- Sentry — application error monitoring.
We will maintain this list and provide a mechanism to receive notice of new subprocessors before they begin processing Customer Data, giving the customer a reasonable opportunity to object on reasonable data-protection grounds. Climb remains responsible for its subprocessors’ performance.
8. Return and deletion
On termination or expiry, and on the customer’s request, Climb will delete or return Customer Data and delete existing copies within a commercially reasonable wind-down period, except where retention is required by law. Aggregated Insights that no longer identify any operator or individual are not Customer Data and may be retained.
9. Data-subject requests, breaches, and assistance
Climb will, taking into account the nature of the processing, provide reasonable assistance so the customer can respond to data-subject requests and meet its security and breach-notification obligations. Climb will notify the customer without undue delay after becoming aware of a personal-data breach affecting Customer Data and will provide information reasonably available to help the customer meet its obligations.
10. International transfers
Climb processes Customer Data in the United States. Where data-protection law requires a transfer mechanism for personal data originating outside the United States, the parties will put an appropriate mechanism (such as Standard Contractual Clauses) in place.
11. Audits
Climb will make available information reasonably necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by the customer or its mandated auditor, subject to reasonable confidentiality, scheduling, and security conditions.
12. Order of precedence
This DPA supplements the Terms of Service. In the event of a conflict regarding the processing of Customer Data, this DPA controls. All other terms of the agreement remain in effect.
To request an executed copy of this DPA for your organization, contact hello@climb-analytics.com.
Questions about these terms? Contact us at hello@climb-analytics.com.