Between Odin Technology Group LLC (operating as Doorstep) and Contractor · Version 1.0 · Effective upon click-through acceptance
| Document | Doorstep Contractor Data Processing Agreement (DPA) |
| Version | 1.0 |
| Effective | Upon Contractor acceptance at signup (click-through) |
| Law | State of Florida, United States |
| Processor | Odin Technology Group LLC (operating as Doorstep) |
| Address | 359 Zancara Street, St. Augustine, FL 32092 |
| Contact | privacy@heydoorstep.com |
This Data Processing Agreement (“DPA”) is entered into between Odin Technology Group LLC, a Florida limited liability company operating the Doorstep platform (“Doorstep,” “Processor,” “we,” or “us”), and the contractor business or individual (“Contractor” or “Controller”) that has accepted Doorstep's Terms of Service. This DPA is incorporated into and forms part of those Terms of Service.
Acceptance is completed by clicking “I Agree” during the contractor signup flow, or by otherwise accessing or using the Services after this DPA is made available. No physical signature is required. The Contractor's continued use of the Services constitutes ongoing acceptance.
This DPA governs Doorstep's processing of Personal Data on behalf of the Contractor. Where this DPA conflicts with the Terms of Service on a matter of Personal Data processing, this DPA controls. In all other respects, the Terms of Service control. The Terms of Service incorporate this DPA by reference.
Controller: The Contractor — the entity that determines the purposes and means of processing Personal Data of its customers.
Processor: Odin Technology Group LLC, operating as Doorstep — processes Personal Data solely on behalf of and under the instructions of the Controller as set out in this DPA.
Personal Data: Name, email address, phone number, physical address, service history, invoice and payment records, portal messages, and SMS consent records relating to identified or identifiable individuals who are customers of the Contractor. Does not include IP addresses, session tokens, or other technical identifiers that are not linked to an identified individual in Doorstep's systems.
Processing: Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
Data Subject: Homeowners and customers of the Contractor whose Personal Data is processed through the Doorstep platform.
Sub-processor: A third-party service provider engaged by Doorstep to process Personal Data in connection with the Services, as listed in Section 4.4.
Security Incident: A confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Personal Data.
Services: The Doorstep platform, including the contractor admin dashboard, homeowner portal, automated SMS and email communications, and associated infrastructure, as described in the Terms of Service.
Doorstep processes Personal Data solely to provide the Services to the Contractor. Processing occurs through automated platform operations — including scheduled jobs, webhook-driven workflows, and system-level automation — that collectively constitute the Contractor's standing instructions to Doorstep. These operations include:
Doorstep does not process Personal Data for its own commercial purposes, advertising, profiling, or any purpose beyond providing the Services.
| Category | Examples | Source |
|---|---|---|
| Identity | First name, last name | Contractor / Homeowner |
| Contact | Email address, mobile phone number | Contractor / Homeowner |
| Location | Service address (street, city, state, ZIP) | Contractor / Homeowner |
| Service records | Appointment history, invoices, estimates, job notes, photos | Contractor |
| Communications | Portal messages, SMS content | Homeowner / Contractor |
| Consent records | ToS acceptance timestamp, SMS opt-in/out status | Homeowner (via portal) |
Doorstep processes Personal Data only in accordance with the Contractor's instructions as set out in this DPA and the Terms of Service. The automated platform operations described in Section 2 constitute the Contractor's standing instructions. Doorstep will notify the Contractor if it believes any instruction violates applicable law, and may suspend processing of that instruction pending resolution.
Doorstep will ensure that personnel authorized to access Personal Data are subject to confidentiality obligations. Doorstep will not disclose Personal Data to any third party except as expressly authorized by this DPA or required by applicable law.
Doorstep implements and maintains reasonable technical and organizational security measures appropriate to the risk. As of the effective date, these include:
Doorstep does not warrant that its security measures will prevent all unauthorized access to Personal Data. The security measures listed above represent Doorstep's current implementation and may be updated over time.
Contractor grants Doorstep general authorization to engage the following sub-processors. Doorstep remains responsible for each sub-processor's compliance with the obligations of this DPA to the extent Doorstep controls the processing:
| Sub-processor | Role | Location |
|---|---|---|
| Supabase, Inc. | Database and authentication infrastructure | United States |
| Twilio Inc. | SMS delivery and inbound message handling | United States |
| Vercel Inc. | Application hosting and edge delivery | United States |
| Resend, Inc. | Transactional email delivery | United States |
Doorstep may update this sub-processor list by posting a revised DPA at heydoorstep.com/dpa. Material additions — meaning sub-processors that would handle materially more Personal Data than those currently listed — will be communicated to Contractors via the email address on file at least 14 days before the addition takes effect. Contractor's continued use of the Services after that date constitutes acceptance of the updated list.
GoHighLevel (GHL) is the Contractor's own independent CRM and field operations platform. Doorstep receives contact, appointment, and job data from GHL via webhook at the Contractor's direction. GHL is the Contractor's processor, not Doorstep's. GHL's handling of Personal Data is governed solely by the Contractor's separate agreement with GHL. Doorstep is not responsible for GHL's data practices.
If Doorstep receives a Data Subject request directed at the Contractor (such as a request to access or delete personal information), Doorstep will forward it to the Contractor's account email promptly. Doorstep's obligation is limited to forwarding; the Contractor is responsible for responding to Data Subjects and determining how to fulfill such requests. Upon written request submitted to privacy@heydoorstep.com, Doorstep will confirm which data fields exist for a given contact record to assist the Contractor in fulfilling its obligations.
In the event of a confirmed Security Incident affecting Personal Data processed under this DPA, Doorstep will notify the Contractor without undue delay after becoming aware of the incident. Notification will be sent to the Contractor's account email address and will include, to the extent then known: (a) the nature of the incident; (b) categories of Personal Data and approximate number of Data Subjects affected; (c) likely consequences; and (d) measures taken or proposed. Doorstep may provide initial notice before full details are confirmed and will supplement the notice as information becomes available.
Upon reasonable written request, Doorstep will provide the Contractor with information about Doorstep's security practices and data handling procedures to the extent necessary to demonstrate compliance with this DPA. Doorstep may fulfill such requests through written summaries, policy documentation, or this DPA itself. Doorstep is not obligated to provide access to its systems, source code, or internal infrastructure.
The Contractor, as data controller, represents, warrants, and agrees that:
By Contractor. Contractor will defend, indemnify, and hold harmless Doorstep and its officers, directors, employees, and agents from and against any claims, damages, penalties, fines, and costs (including reasonable attorneys' fees) arising out of or related to: (a) Contractor's breach of any obligation in this DPA; (b) Contractor's unlawful instructions to Doorstep; (c) any claim by a Data Subject arising from Contractor's own data practices or failure to provide adequate privacy notice; or (d) Contractor's violation of applicable privacy or communications law, including TCPA.
By Doorstep. Doorstep will defend, indemnify, and hold harmless Contractor from third-party claims arising solely and directly from Doorstep's material breach of its security obligations under Section 4.3, subject to the liability cap set forth in Section 9. Doorstep's indemnification obligation does not apply to claims arising from Contractor's own acts, omissions, or instructions.
Doorstep retains Personal Data for as long as the Contractor maintains an active account. Upon account termination or expiration:
All Personal Data processed under this DPA is stored and processed in the United States by Doorstep and each sub-processor listed in Section 4.4. Doorstep does not transfer Personal Data outside the United States in the course of providing the Services. Contractor acknowledges that by using the Services, Personal Data will be processed in the United States.
Each party's aggregate liability under this DPA is subject to, and shall not exceed, the limitation of liability set forth in the Doorstep Terms of Service, which caps Doorstep's total liability at the greater of (a) $100 or (b) the total fees paid by Contractor to Doorstep in the three months preceding the claim. Nothing in this DPA creates liability in excess of that cap. This DPA does not limit either party's liability for fraud, gross negligence, or willful misconduct.
This DPA is effective upon Contractor's acceptance of the Doorstep Terms of Service and remains in effect for the duration of the Contractor's use of the Services. This DPA terminates automatically upon termination of the Contractor's account. Sections 6 (Indemnification), 7 (Data Retention and Deletion), and 9 (Limitation of Liability) survive termination.
Doorstep may update this DPA from time to time. The current version will always be posted at heydoorstep.com/dpa with its version number and effective date. For material changes, Doorstep will notify Contractors via the email address on file at least 14 days before the change takes effect. Contractor's continued use of the Services after the effective date constitutes acceptance of the updated DPA. If Contractor objects to a material change, it may terminate its account before the effective date without incurring an early termination fee on account of that objection.
This DPA is governed by the laws of the State of Florida, United States, without regard to conflict of law principles, consistent with the Doorstep Terms of Service. Any dispute arising under or relating to this DPA shall be resolved in accordance with the governing law and venue provisions of the Terms of Service. Where the Terms of Service provide for arbitration, that arbitration clause applies to disputes under this DPA.
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | June 2026 | Initial version. |
This DPA is accepted electronically. By clicking “I Agree” during the Doorstep contractor signup process, or by accessing or using the Services after this DPA has been made available, the Contractor agrees to be bound by the terms of this Data Processing Agreement on behalf of itself and its authorized users. No physical signature is required or collected.
If you are accepting on behalf of a business entity, you represent that you have the authority to bind that entity to this DPA.
Odin Technology Group LLC d/b/a Doorstep · 359 Zancara Street, St. Augustine, FL 32092 · privacy@heydoorstep.com · heydoorstep.com/dpa
DPA v1.0 · June 2026 · Click-through acceptance · Governing law: Florida