How we handle data on your behalf.
Last updated: May 2026 — Schedaddle LLC
This Data Processing Addendum ("DPA") forms part of the Terms of Servicebetween Schedaddle Limited Liability Company, a Texas limited liability company doing business as "Schedaddle" ("Schedaddle," "we," "us"), and the customer that uses the Service ("Customer," "you"). It governs our processing of personal data that you provide to the Service about your employees and other individuals.
Note: This DPA is provided as a standard template for transparency. For a counter-signed copy or for negotiated terms (e.g., enterprise or regulated customers), email legal@schedaddle.co. Defined terms not defined here have the meaning given in the Terms of Service or in applicable data protection law (the "GDPR," "UK GDPR," "CCPA/CPRA," and similar laws).
Roles of the Parties
For personal data about your employees and other individuals that you submit to the Service ("Customer Personal Data"), you are the controller (or business) and Schedaddle is the processor (or service provider). We process Customer Personal Data only to provide the Service and only on your documented instructions, unless required otherwise by law (in which case we will tell you, unless the law prohibits it).
As a service provider under the CCPA/CPRA, we will not sell or share Customer Personal Data, will not retain, use, or disclose it outside the direct business relationship, and will not combine it with data from other sources except as permitted by the CCPA/CPRA.
Scope & Instructions
The subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are described in the Annex below. Your use of the Service, together with these documents, constitutes your complete and documented processing instructions. If we believe an instruction violates data protection law, we will inform you.
Confidentiality
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access the data only as needed to provide the Service.
Security Measures
We maintain technical and organizational measures appropriate to the risk, including:
- Tenant isolation enforced at the database level through row-level security keyed to your store, so one customer's queries cannot return another customer's data.
- Encryption in transit (TLS 1.2+) and encryption at rest on managed infrastructure.
- Least-privilege access controls; administrative database keys held only in server-side environment variables.
- Optional TOTP-based two-factor authentication for accounts.
- Biometric identifiers are never transmitted to or stored by us — the device returns only a pass/fail result. (See the Privacy Policy.)
Sub-processors
You authorize us to engage the sub-processors listed at schedaddle.co/subprocessors to process Customer Personal Data. Each sub-processor is bound by data-protection terms no less protective than this DPA. We remain responsible for our sub-processors' performance. We will give you advance notice (via that page) before adding or replacing a sub-processor, and you may object on reasonable data-protection grounds; if we cannot accommodate your objection, you may terminate the affected Service.
Data Subject Requests
Taking into account the nature of the processing, we will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from individuals to exercise their rights (access, correction, deletion, portability, objection, and restriction). If we receive such a request directly, we will, unless legally required to act, direct the individual to you as the controller.
Breach Notification
We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your own notification obligations to regulators and individuals.
Audits
On reasonable written request, and no more than once per year (unless required by a regulator or following a breach), we will make available information necessary to demonstrate compliance with this DPA — including relevant third-party audit reports of our sub-processors where available — subject to confidentiality obligations.
International Transfers
Where we transfer Customer Personal Data subject to the GDPR or UK GDPR from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses and, for UK data, the UK International Data Transfer Addendum, which are incorporated by reference and completed using the details in the Annex.
Return & Deletion
On termination of the Service, you may export Customer Personal Data during the grace period described in the Terms of Service. After that period, we will delete Customer Personal Data, except for the limited records we are required to retain by law (described in the Privacy Policy) and de-identified data that can no longer be linked to an individual.
Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
Annex — Details of Processing
Subject matter & duration
Provision of the Schedaddle workforce-scheduling service for the duration of the Customer's subscription, plus the post-termination period described above.
Nature & purpose
Hosting, organizing, displaying, and transmitting employee scheduling and attendance data to operate the Service.
Categories of data subjects
- The Customer's employees and staff (who may include individuals under 18)
- The Customer's managers and administrators
Types of personal data
- Identifiers — name, email, role
- Scheduling data — availability, shift assignments, time-off
- Attendance data — clock-in/out timestamps and break records
- Geolocation — GPS coordinates sampled at clock-in/out (where geofencing is enabled)
- Biometric verification results — a pass/fail value only; no biometric identifier is transmitted to or stored by us
- Device data — push notification tokens, platform
Sensitive data
Precise geolocation and biometric verification results are processed only where the Customer enables those optional features and has obtained any required consent.
Contact
Schedaddle Limited Liability Company (d/b/a Schedaddle)
legal@schedaddle.co
schedaddle.co