Data Processing Addendum — Template
Customer Data Processing Addendum for Pathfinder. Plain English. Negotiable. Includes a BAA addendum for HIPAA-regulated engagements.
Sidebar — negotiated redlines. Reach me at security@colbysdatamovers.com for negotiated redlines.
This is a template, not signed paper. Tailor before sending.
Data Processing Addendum
This Data Processing Addendum (this "DPA") is entered into between [Customer Name] ("Controller") and Colby's Data Movers LLC ("Processor") and forms part of the underlying agreement under which Customer obtains the Pathfinder software (the "Agreement"). Capitalised terms have the meaning given in the Agreement unless otherwise defined here.
1. Scope and roles
1.1 Processor's product is a customer-installed desktop application. Pathfinder runs entirely on customer-owned hardware. Processor does not host, mirror, or receive customer data in the ordinary course.
1.2 For the purposes of GDPR, CCPA, and analogous data-protection laws, Controller acts as data controller for all personal data Pathfinder processes; Processor acts as data processor solely for the limited operations described in §3.
2. Subject matter, duration, nature, and purpose
| Item | Description |
|---|---|
| Subject matter | Migrating Controller's records between Controller-controlled SaaS systems |
| Duration | Term of the Agreement |
| Nature | Extract, transform, conflict-detect, load; locally on Controller's hardware |
| Purpose | Replatform Controller's CRM or fundraising database |
| Categories of data | Whatever Controller chooses to migrate (typically contact, donor, gift) |
| Categories of data subjects | Controller's constituents (donors, beneficiaries, staff) |
3. Processor's processing activities
Processor's processing is limited to the executable Pathfinder provides and runs entirely on Controller's hardware. Processor has no operational access to Controller data in the ordinary course.
Processor may incidentally receive limited diagnostic data when Controller voluntarily uses the in-app "Export Support Bundle" command. Support bundles are sanitised before they leave Controller's device — they exclude credentials, raw customer records, and the contents of the macOS Keychain (see WorkspaceArchive::should_exclude).
4. Subprocessors
Processor uses the following subprocessors solely to deliver the Pathfinder executable and its updates:
| Subprocessor | Purpose |
|---|---|
| GitHub (Microsoft) | Source code hosting + release artefact distribution |
| Apple | macOS notarisation of the signed binary |
| Anthropic | LLM provider for the optional AI assistance feature; invoked only when Controller enables it and supplies its own API key |
Processor will provide at least 30 days' notice before adding or materially changing a subprocessor.
5. Security measures
Processor implements the technical and organisational measures described in Annex A (Pathfinder Compliance Crosswalk). At a glance:
- Customer data lives on Controller's hardware in a per-workspace SQLite file. Processor does not have a copy.
- Credentials are stored in the macOS Keychain. Processor does not have a copy.
- All outbound network traffic from Pathfinder is to Controller's own SaaS APIs, pinned by Pathfinder's per-connector base-URL allow-list.
- Audit trail is signed with per-workspace Ed25519 keys; tamper detection is part of the product.
6. Personal data breaches
Because Processor does not host Controller data, a "personal data breach" affecting Controller's data is typically a breach of Controller's own systems (Controller's SaaS, Controller's macOS device, Controller's network). Where Processor becomes aware of a security vulnerability in Pathfinder itself that, if exploited, could result in unauthorised access to Controller data, Processor will notify Controller without undue delay (and in any event within 72 hours of becoming aware).
7. Data subject rights
Because Pathfinder processes data on Controller's hardware, Controller controls the means for responding to data subject access, rectification, erasure, and portability requests. Processor will provide reasonable assistance via documentation and support.
8. Data deletion
When the Agreement ends, Controller deletes the Pathfinder workspace folder(s) and the corresponding Keychain entries on Controller's hardware. Processor does not retain Controller data.
9. Audit rights
On reasonable prior notice, Controller may request Processor's most recent third-party assurance artefacts (e.g. SBOM, security questionnaires) and, upon Controller's request, documentation sufficient to evidence Processor's compliance with this DPA.
10. International transfers
Pathfinder runs on Controller's hardware. International transfers, if any, arise from Controller's choice of SaaS endpoints (e.g. a Salesforce instance in the EU), not from Pathfinder itself. Standard Contractual Clauses are not required between Controller and Processor because Processor does not host or receive personal data.
11. General
11.1 In the event of any conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict for data-protection matters.
11.2 This DPA may be updated to reflect changes in applicable law on 30 days' notice.
Annex A — Security Measures Summary
See the Pathfinder Compliance Crosswalk for the live mapping onto SOC 2, HIPAA, and GDPR.
BAA Addendum — Business Associate Agreement
This BAA addendum is incorporated by reference into the DPA above when Controller is a HIPAA Covered Entity or a Business Associate engaging Processor as a subcontractor and Controller's data may include Protected Health Information (PHI).
B.1 Definitions
"Business Associate" and "Covered Entity" have the meanings given in 45 CFR §160.103. "PHI" means Protected Health Information transmitted or maintained in any form by Processor on behalf of Controller in connection with the Agreement.
B.2 Permitted uses and disclosures
Processor will use and disclose PHI only as necessary to perform the services described in the Agreement, as required by law, or as expressly authorised by Controller in writing. Pathfinder processes PHI locally on Controller's hardware; Processor does not receive PHI in the ordinary course.
B.3 Safeguards
Processor will implement administrative, physical, and technical safeguards aligned with HIPAA Security Rule §164.308–§164.312, as mapped in Annex A. Because Pathfinder is customer-installed:
- Access control (§164.312(a)(1)) is delegated to Controller's macOS user account model.
- Encryption at rest (§164.312(a)(2)(iv)) is delegated to Controller's FileVault configuration.
- Transmission security (§164.312(e)(1)) is enforced by Pathfinder's TLS 1.2+ outbound posture via
rustls. - Audit controls (§164.312(b)) are enforced by Pathfinder's Ed25519-signed Merkle audit-log chain.
B.4 Reporting of breaches
Processor will notify Controller of any Breach of Unsecured PHI of which Processor becomes aware, without unreasonable delay and in any event within 72 hours. Because Pathfinder does not host PHI, a "Breach" typically refers to a confirmed vulnerability in Pathfinder that could, if exploited, allow unauthorised access to PHI on Controller's device.
B.5 Subcontractors
Processor's subprocessors listed in §4 do not access PHI in the ordinary course of providing services to Processor. Should that ever change, Processor will obtain written assurances from each subcontractor consistent with this BAA before disclosing PHI to that subcontractor.
B.6 Access, amendment, and accounting
Processor will, on Controller's reasonable request, make PHI in Processor's possession (if any) available to Controller to satisfy Controller's obligations under 45 CFR §164.524 (access), §164.526 (amendment), and §164.528 (accounting of disclosures).
B.7 Return or destruction at termination
On termination of the Agreement, Processor will return or destroy all PHI in Processor's possession (if any) and certify destruction in writing. Because Pathfinder runs on Controller's hardware, the practical action is for Controller to delete the workspace folder and Keychain entries as described in §8.
B.8 Audit and inspection
Processor will make its books, records, and practices relating to the use and disclosure of PHI available to the Secretary of HHS as required by 45 CFR §164.504(e)(2)(ii)(I).
Signed for Controller:
Name: ______________________________
Title: _____________________________
Date: ______________________________
Signed for Processor (Colby's Data Movers LLC):
Name: Tyler Colby
Title: Principal
Date: ______________________________
Have procurement questions?
Email security@colbysdatamovers.com or book a discovery call.
Book a discovery call →