Data Processing Addendum
Temporary Assistance Guru, Inc. ("TempGuru" / Service Provider) and [Agency Legal Name] ("Agency" / Business)
DPA Effective Date: [Date the Agency executes this DPA] Version: 1.7 Last Modified: 2026-05-21
1. Background
1.1 TempGuru provides a software platform (the "Platform") and an AI-assisted SMS-based assistant service (the "TempGuru SMS Agent" or the "Agent") to staffing agencies and their authorized client and worker users, as further described in the End-User License Agreement available at https://tempguru.co/temp-guru-eula (the "EULA") and the Privacy Policy available at https://tempguru.co/privacy-policy (the "Privacy Policy").
1.2 In providing the Services to the Agency, TempGuru processes Personal Information (as defined below) on the Agency's behalf and at the Agency's direction. The Agency acts as a "Business" or "Controller" with respect to such Personal Information; TempGuru acts as a "Service Provider" or "Processor."
1.3 The parties enter into this Data Processing Addendum (this "DPA") to satisfy each party's obligations under Applicable Privacy Laws and to document the parties' respective roles and responsibilities for the Processing of Personal Information.
1.4 This DPA forms part of, and is incorporated by reference into, the Customer Agreement and the EULA between the parties. In the event of a conflict between this DPA and any other agreement between the parties regarding the Processing of Personal Information, this DPA controls.
2. Definitions
The following capitalized terms have the meanings given below. Other capitalized terms have the meanings given in the EULA, the Privacy Policy, or Applicable Privacy Laws.
2.1 "Applicable Privacy Laws" means all U.S. federal and state laws, regulations, and regulatory guidance applicable to the Processing of Personal Information under this DPA, including without limitation: the California Consumer Privacy Act and California Privacy Rights Act (Cal. Civ. Code § 1798.100 et seq.) ("CCPA/CPRA"); the Virginia Consumer Data Protection Act ("VCDPA"); the Colorado Privacy Act ("CPA"); the Connecticut Data Privacy Act ("CTDPA"); the Utah Consumer Privacy Act ("UCPA"); the Texas Data Privacy and Security Act ("TDPSA"); the Oregon Consumer Privacy Act ("OCPA"); the Maryland Online Data Privacy Act ("MODPA"); other comparable U.S. state consumer privacy laws in force during the term of this DPA; the Telephone Consumer Protection Act ("TCPA") and applicable state mini-TCPA laws; the Children's Online Privacy Protection Act ("COPPA"); and applicable state breach-notification, data-security, and employment-privacy statutes.
2.2 "Business," "Controller," "Service Provider," "Processor," "Sub-Processor," "Sale," "Sharing," "Process / Processing," and "Sensitive Personal Information" have the meanings given to those terms (or their functional equivalents) under Applicable Privacy Laws.
2.3 "Personal Information" means any information that is processed by TempGuru on behalf of the Agency under this DPA and that constitutes "personal information," "personal data," or any equivalent term under any Applicable Privacy Law.
2.4 "Agency Data" means all Personal Information that the Agency or its authorized users (including Workers, Hiring Companies, and Hiring Company contacts) provides to TempGuru, or that TempGuru collects on the Agency's behalf, in connection with the Services. Agency Data includes the contents of SMS messages received by the Agent and conversational logs created by the Agent.
2.5 "Permitted Purposes" means the purposes for which TempGuru is authorized to Process Agency Data, as described in Schedule 1.
2.6 "Security Incident" means any breach of TempGuru's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Agency Data Processed by TempGuru.
2.7 "Sub-Processor" means any third party engaged by TempGuru to Process Agency Data on TempGuru's behalf. Sub-Processors as of the DPA Effective Date are listed in Schedule 2.
2.8 "Data Subject Request" means a request from an individual (a "Consumer," "Worker," or other data subject under Applicable Privacy Laws) to exercise any right under Applicable Privacy Laws with respect to that individual's Personal Information, including rights of access, deletion, correction, portability, opt-out of Sale or Sharing, opt-out of profiling or automated decision-making, and limitation of use of Sensitive Personal Information.
3. Roles of the Parties
3.1 The Agency is the Business / Controller. With respect to Worker employment data, Hiring Company contact data, and operational records relating to staffing assignments, the Agency is the "Business," "Controller," or equivalent role under each Applicable Privacy Law. The Agency is responsible for: (a) determining the purposes and means of Processing; (b) providing all required notices to data subjects (including, for Workers, an employee Notice at Collection compliant with CCPA/CPRA Section 1798.100(b)); (c) obtaining all consents required by Applicable Privacy Laws; (d) responding to Data Subject Requests as the entity of record; and (e) ensuring its own compliance with Applicable Privacy Laws.
3.2 TempGuru is the Service Provider / Processor. TempGuru Processes Agency Data only on the Agency's documented instructions, only for the Permitted Purposes, and only as further described in this DPA, the EULA, and the Privacy Policy.
3.3 No Sale or Sharing. TempGuru does not Sell or Share Agency Data, will not retain, use, or disclose Agency Data for any purpose other than the Permitted Purposes, and certifies that it understands and will comply with the restrictions in this Section 3.3 and Section 4 below.
3.4 AI processing of Agent messages. TempGuru engages Anthropic, PBC ("Anthropic") as a Sub-Processor to Process the contents of inbound SMS messages received via the Agent. Anthropic Processes such contents only to generate operational replies and only under TempGuru's Zero Data Retention addendum with Anthropic, which prohibits retention of message contents beyond the API call necessary to generate a response and prohibits use of message contents to train Anthropic's AI models. The Agency acknowledges and approves the engagement of Anthropic on these terms.
4. TempGuru's Obligations
TempGuru shall:
4.1 Process on Documented Instructions. Process Agency Data only on the Agency's documented instructions, including as documented in the EULA, the Privacy Policy, this DPA (including Schedule 1), and the Agency's reasonable additional written instructions consistent with this DPA. TempGuru will notify the Agency if, in TempGuru's opinion, an instruction violates Applicable Privacy Laws.
4.2 Permitted Purposes Only. Not Process Agency Data for any purpose other than the Permitted Purposes, except where required by law (in which case TempGuru will, where permitted, notify the Agency before Processing).
4.3 No Sale, No Sharing, No Combining. Not Sell or Share Agency Data; not combine Agency Data with personal information collected from any other source (including from other Agencies) except where necessary to provide the Services or as expressly permitted by this DPA; and not retain, use, or disclose Agency Data outside the direct business relationship with the Agency.
4.4 AI Training and Service Improvement. TempGuru may use Agency Data to train, fine-tune, evaluate, and improve TempGuru's own AI models, prompts, routing logic, classification systems, and related operational systems (collectively, "TempGuru Models"), subject to all of the following limits:
(a) Per-Agency Learning Loop. TempGuru may use a given Agency's data to train, fine-tune, and personalize TempGuru Models for behaviors and outputs that are scoped to that Agency's account only. Account-scoped learning may include the Agency's customer ordering patterns, vertical defaults, recurring-order cadences, contact preferences, intake flow defaults, and similar operational facts derived from the Agency's use of the Services. Account-scoped learning is retrieved or applied only when serving that Agency and is not shared with, combined with, exposed to, or used to train models serving any other Agency.
(b) Cross-Agency Generalized Patterns. TempGuru may also use generalized, de-identified patterns observed across multiple Agencies — for example, vertical-level reorder cadences, intake-flow defaults, or AI agent failure modes — to train TempGuru Models and improve the Services for all Agencies. Such patterns must not include, alone or in reasonable combination with other data: (i) any Agency's name; (ii) any named Hiring Company, named Hiring Company contact, or named Worker; (iii) any Agency's pricing, margins, rate cards, or other competitively sensitive commercial terms; (iv) any Sensitive Personal Information; or (v) any data that could reasonably be used to re-identify a specific Agency, Hiring Company, Worker, shift, or transaction.
(c) No Third-Party Model Training on Agency Data. TempGuru will not authorize any Sub-Processor or other third party to train, fine-tune, or develop any AI model on Agency Data. Anthropic's processing of TempGuru SMS Agent message content remains governed by the Zero Data Retention addendum referenced in Sections 3.4 and 7.5, which prohibits Anthropic's retention of message contents and use of message contents to train Anthropic's models.
(d) No Sale, No Sharing. Use of Agency Data under this Section 4.4 does not constitute a Sale or Sharing of Personal Information under any Applicable Privacy Law, is not undertaken for cross-context behavioral advertising, and does not require an opt-out under Applicable Privacy Laws.
(e) Worker Data Exclusion from Training. TempGuru does not use Worker Personal Information to train, fine-tune, or evaluate any AI model — whether the per-Agency Learning Loop under (a), the cross-Agency generalized pattern learning under (b), or any other TempGuru-operated model. Worker data flows to Anthropic only as needed for AI inference at the moment of message generation. The only Worker-related fields that may appear in the inference payload are the Worker's first name plus last initial, role, and shift detail (consistent with Schedule 3 of this DPA and the data-minimization controls described therein). Anthropic does not retain or train on that data per the Zero Data Retention addendum referenced in Sections 3.4 and 7.5.
(f) Hiring-Company Contact Opt-Out. A Hiring-Company contact who declines or withdraws consent to receive TempGuru SMS Agent messages (e.g., by replying STOP, never affirmatively consenting under the disclosure flow in the EULA, or submitting an opt-out request through Privacy Policy Section 15) will not have any conversation content collected after the opt-out. TempGuru will exclude an opted-out contact's prior conversation content from cross-Agency generalized pattern learning under (b) as of the date of the opt-out request.
(g) Technical and Procedural Controls. TempGuru maintains technical and procedural controls reasonably designed to enforce the limits in subsections (a) through (f), including controls intended to prevent (i) Worker Personal Information from entering any model training dataset, (ii) named-entity, pricing, and rate-card data from entering cross-Agency model training datasets, and (iii) data subject to a Hiring-Company contact opt-out from being included in future cross-Agency learning. TempGuru does not currently maintain a specific named-standard de-identification methodology; the parties acknowledge that the de-identification approach is a moving practice and that the Section 4.4(b) carve-outs (named entities, pricing, margins, Sensitive PI, re-identifying combinations) are the operative standard.
4.5 Operational Telemetry. Separately from Section 4.4, TempGuru may collect and use aggregate, de-identified operational telemetry — volume, latency, error rates, capacity-planning data, and similar non-content operational metrics — to operate and improve the Services. Operational telemetry: (a) contains no message content, no Worker personally identifiable information, and no Hiring Company order content; (b) is not capable of being re-identified to the Agency, any Worker, or any Hiring Company; and (c) is not Sold or Shared.
4.6 Confidentiality. Ensure that any TempGuru personnel authorized to Process Agency Data are subject to obligations of confidentiality and have received appropriate training on Applicable Privacy Laws and TempGuru's privacy and security practices.
4.7 Security Measures. Implement and maintain appropriate technical and organizational measures to protect Agency Data, as described in Schedule 3. TempGuru will not materially decrease the overall security of the Services during the term of this DPA.
4.8 Sub-Processors. Engage Sub-Processors only in accordance with Section 7.
4.9 Assistance with Data Subject Requests. Assist the Agency in responding to Data Subject Requests as set out in Section 8.
4.10 Notification of Requests. Notify the Agency of any Data Subject Request, regulatory inquiry, subpoena, or other legal process received directly by TempGuru with respect to Agency Data, except where prohibited by law, and not respond to such requests on the Agency's behalf without the Agency's instruction except as required by law.
4.11 Security Incident Notification. Notify the Agency without undue delay (and in no event later than the maximum period required by the strictest Applicable Privacy Law) after becoming aware of a Security Incident affecting Agency Data, as set out in Section 9.
4.12 Audit and Compliance. Make available to the Agency, upon reasonable written request, the information necessary to demonstrate compliance with this DPA, as set out in Section 10.
4.13 Return or Deletion. Return or delete Agency Data on termination as set out in Section 11.
4.14 Compliance Certification. Certify, by entering into this DPA, that TempGuru understands and will comply with the restrictions of CCPA/CPRA Section 1798.140(ag) and the equivalent service-provider/processor obligations of each other Applicable Privacy Law.
5. The Agency's Obligations
The Agency shall:
5.1 Lawful Processing. Have all necessary rights, consents, and lawful bases to provide Agency Data to TempGuru and to authorize TempGuru's Processing of Agency Data for the Permitted Purposes.
5.2 Notices. Provide all notices to data subjects required by Applicable Privacy Laws, including (a) for Worker data, an employee Notice at Collection compliant with CCPA/CPRA Section 1798.100(b) where any Worker is a California resident, and (b) for Hiring Company contacts, any consumer privacy notices required in the Agency's jurisdiction.
5.3 Consents. Obtain and maintain all required consents from data subjects, including any consents required for SMS messaging, automated decision-making, profiling, or processing of Sensitive Personal Information.
5.4 Worker Disclosures. Inform Workers in their employment paperwork (or equivalent) that operational data — including the Worker's first name and last initial, role, and shift assignment — may be transmitted to Hiring Companies via SMS through the Agent to coordinate dispatch.
5.5 Agency Instructions. Issue all instructions to TempGuru in writing and through the Agency's authorized administrative users in the Platform.
5.6 Cooperation. Cooperate with TempGuru in good faith to enable TempGuru to comply with this DPA, including in responding to Data Subject Requests under Section 8 and in handling Security Incidents under Section 9.
6. Categories of Personal Information and Permitted Purposes
The categories of Personal Information Processed under this DPA, the categories of data subjects, and the Permitted Purposes are set out in Schedule 1.
7. Sub-Processors
7.1 Authorization. The Agency authorizes TempGuru to engage the Sub-Processors listed in Schedule 2 as of the DPA Effective Date. The Agency further authorizes TempGuru to engage additional or replacement Sub-Processors in accordance with this Section 7.
7.2 Notice of New Sub-Processors. TempGuru will provide the Agency with at least thirty (30) days' written notice (which may be by email or other written communication) before engaging any new Sub-Processor that will Process Agency Data, except for routine engagements of professional advisors (legal counsel, auditors, accountants) under standard confidentiality obligations.
7.3 Right to Object. The Agency may object to TempGuru's engagement of a new Sub-Processor on reasonable grounds related to data protection within fifteen (15) days of receiving notice. The parties will discuss in good faith. If the parties cannot resolve the objection within thirty (30) days, the Agency may terminate the affected portion of the Services on written notice to TempGuru, with a pro-rata refund of any prepaid, unused fees attributable to the terminated portion.
7.4 Sub-Processor Obligations. TempGuru will impose on each Sub-Processor data protection obligations no less protective than those in this DPA. TempGuru remains liable to the Agency for the acts and omissions of its Sub-Processors with respect to Agency Data.
7.5 Special Sub-Processor — Anthropic (AI). As a condition of using the Agent, TempGuru maintains a Zero Data Retention addendum with Anthropic that prohibits retention of message contents beyond the API call necessary to generate a response and prohibits use of message contents to train Anthropic's AI models. TempGuru will not change this arrangement or substitute a different AI Sub-Processor without providing the Agency with notice and an opportunity to object as set out in this Section 7.
8. Data Subject Requests
8.1 Routing to the Agency. Where TempGuru receives a Data Subject Request directly from a data subject regarding Agency Data, TempGuru will promptly route the request to the Agency for response and will not respond on the Agency's behalf except as required by law.
8.2 TempGuru Assistance. TempGuru will provide reasonable assistance to enable the Agency to respond to Data Subject Requests within the time limits required by Applicable Privacy Laws (typically 45 days under CCPA/CPRA, with possible 45-day extension), including by making available to the Agency the means to access, delete, correct, or export Agency Data through the Platform, or by performing those operations on the Agency's documented instruction where Platform tools are insufficient.
8.3 Worker Requests. For Data Subject Requests from Workers regarding employment data, the Agency is the entity of record and is responsible for verification, response, and any required appeal procedure. TempGuru will support the Agency's response.
8.4 Verification. The Agency is responsible for verifying the identity of the data subject before TempGuru takes action on any Data Subject Request.
8.5 Fees. TempGuru will not charge the Agency for routine assistance with Data Subject Requests. Where the volume of requests is materially disproportionate to the size of the Agency's user base, the parties will discuss in good faith reasonable cost-recovery arrangements.
9. Security Incident Notification
9.1 Notice. TempGuru will notify the Agency of any Security Incident affecting Agency Data without undue delay after becoming aware of the Security Incident, and in no event later than the maximum period required by the strictest Applicable Privacy Law (which can be as short as 30 days from discovery in some U.S. states).
9.2 Contents of Notice. Notice will include, to the extent then known: (a) the nature of the Security Incident, including the categories and approximate number of data subjects and records affected; (b) the likely consequences; (c) the measures TempGuru has taken or proposes to take to address the Security Incident, including measures to mitigate adverse effects; and (d) a contact point for further information.
9.3 Cooperation. TempGuru will cooperate with the Agency, in good faith and at TempGuru's cost (subject to Section 12), to enable the Agency to satisfy its own breach-notification obligations to data subjects and regulators under Applicable Privacy Laws.
9.4 No Admission of Liability. TempGuru's notification of, or response to, a Security Incident does not constitute an acknowledgment by TempGuru of any fault or liability with respect to the Security Incident.
9.5 Coordination of Public Statements. Where commercially feasible and not prohibited by law, the parties will coordinate any public statements regarding a Security Incident affecting both parties' data.
10. Audit and Compliance
10.1 Information Rights. Upon the Agency's reasonable written request (no more than once in any twelve-month period, except where required by Applicable Privacy Laws or in connection with a Security Incident), TempGuru will make available to the Agency the information necessary to demonstrate compliance with this DPA, including: (a) summary descriptions of TempGuru's technical and organizational measures; (b) copies of relevant third-party security assessments, certifications, or audit reports (such as SOC 2 reports), if any; and (c) responses to a reasonable security questionnaire from the Agency.
10.2 On-Site Audits. TempGuru is not required to permit on-site audits as a default. Where Applicable Privacy Laws or regulators require an on-site audit, the parties will discuss in good faith, and the Agency will: (a) provide reasonable advance notice; (b) conduct the audit during normal business hours and in a manner that does not unreasonably disrupt TempGuru's operations; (c) bear the costs of the audit; and (d) ensure that any auditor is bound by confidentiality obligations no less protective than this DPA.
10.3 Confidentiality of Audit Results. All information obtained in connection with this Section 10 is the Confidential Information of TempGuru and may be used solely for the purpose of verifying compliance with this DPA.
11. Return or Deletion of Agency Data
11.1 At Termination. Upon termination of the Customer Agreement or expiration of this DPA, TempGuru will, at the Agency's election: (a) return Agency Data to the Agency in a commercially reasonable format; or (b) delete Agency Data from TempGuru's primary systems within thirty (30) days of termination and from backups within the next backup rotation cycle (typically thirty (30) additional days), except as set out in Section 11.2.
11.2 Retention Exceptions. TempGuru may retain Agency Data after termination only where, and only for as long as: (a) required by Applicable Privacy Laws (including tax, wage-and-hour, or other record-keeping requirements); (b) necessary for the establishment, exercise, or defense of legal claims; or (c) the Agency expressly directs TempGuru in writing to retain it. Retained Agency Data remains subject to the security obligations of this DPA.
11.3 Certification. Upon the Agency's reasonable written request, TempGuru will certify in writing that it has complied with this Section 11.
12. Liability
12.1 Liability Cap. Each party's liability under this DPA is subject to the limitation of liability set out in the EULA (Section 19), without modification.
12.2 Indemnification. The indemnification obligations in the Customer Agreement and the EULA apply to claims arising out of breach of this DPA. Nothing in this DPA expands those obligations.
12.3 Carve-Outs. Notwithstanding Section 12.1, the limitation of liability does not apply to: (a) a party's gross negligence or willful misconduct; (b) a party's indemnification obligations to the extent expressly stated in the Customer Agreement; or (c) liability that cannot be limited under Applicable Privacy Laws.
13. Term and Termination
13.1 Term. This DPA takes effect on the DPA Effective Date and continues until the later of: (a) termination of the Customer Agreement and the EULA between the parties; or (b) the date TempGuru ceases to Process Agency Data.
13.2 Survival. Sections 4.4 (No Training), 4.6 (Confidentiality), 9 (Security Incident Notification), 11 (Return or Deletion), 12 (Liability), 13 (Term and Termination), and 14 (General) survive termination of this DPA.
14. General
14.1 Order of Precedence. In the event of conflict regarding the Processing of Personal Information, the order of precedence is: (a) this DPA; (b) the Privacy Policy; (c) the EULA; (d) the Customer Agreement.
14.2 Amendment. TempGuru may update this DPA from time to time to reflect changes in Applicable Privacy Laws, addition of new Sub-Processors, or other operational requirements, by posting an updated version at https://tempguru.co/dpa and providing notice to the Agency. Material changes that materially diminish the protections afforded to data subjects under this DPA will not take effect with respect to the Agency without the Agency's consent.
14.3 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force and effect.
14.4 Governing Law. This DPA is governed by the laws of the State of Florida and the federal laws of the United States. Where Applicable Privacy Laws confer rights or impose obligations on data subjects, those rights and obligations are not limited by this Section 14.4.
14.5 Counterparts; Electronic Signatures. This DPA may be executed in counterparts, including by electronic signature.
14.6 Notices. Notices under this DPA shall be sent to:
- To TempGuru: legal@tempguru.co; with mail copy to: Temporary Assistance Guru, Inc., Attn: Legal, 333 1st St N, Jacksonville Beach, FL 32250.
- To the Agency: [Agency notice address — to be filled in upon execution].
Signatures
Temporary Assistance Guru, Inc.
By: _____ Name: Megan Hayward Title: Founder and CEO Date: _______
[Agency Legal Name]
By: _____ Name: ___ Title: ___ Date: _______
Schedule 1 — Description of Processing
Subject Matter of Processing: Provision by TempGuru to the Agency of (a) the staffing platform Services (the "Platform") and (b) the AI-assisted SMS-based assistant service (the "TempGuru SMS Agent" or "Agent"), as described in the EULA and the Privacy Policy.
Duration of Processing: From the DPA Effective Date until termination of the Customer Agreement or this DPA, plus retention periods set out in Section 11 and the Privacy Policy.
Nature of Processing: Hosting, storing, transmitting, displaying, routing, and analyzing Agency Data; processing inbound SMS messages through the AI Sub-Processor (Anthropic) under a Zero Data Retention addendum to generate operational replies; executing operational tools at the request of authorized users (including order placement and modification, roster lookup, invoice lookup, no-show recording, and do-not-return recording); and providing reporting and audit logs.
Permitted Purposes: 1. Delivering the Platform and the TempGuru SMS Agent to the Agency and its authorized users. 2. Authentication, security, fraud prevention, and audit logging. 3. Communicating with users about their accounts and transactions, including via SMS where consented. 4. Compliance with the Agency's documented instructions and Applicable Privacy Laws. 5. Processing payments and generating invoices through the payment processor and accounting Sub-Processors. 6. Aggregate, de-identified service-improvement metrics consistent with Section 4.5 of this DPA. 7. AI training and service improvement consistent with Section 4.4 of this DPA, including (a) per-Agency Learning Loop personalization scoped to the Agency's account and (b) de-identified, generalized cross-Agency pattern learning subject to the carve-outs in Section 4.4(b).
Categories of Data Subjects: - The Agency's employees and other personnel ("Workers"). - The Agency's Hiring Company clients and their authorized contacts ("Hiring Companies" / "Clients"). - The Agency's own administrative users.
Categories of Personal Information Processed (consistent with CCPA Section 1798.140 categories):
| CCPA Category | Examples |
|---|---|
| A. Identifiers | Name, email, phone number, account login, IP address |
| B. Customer records | Billing name, billing address, tokenized payment instrument |
| D. Commercial information | Orders, invoices, transaction history |
| F. Internet/network activity | Platform usage logs, timestamps |
| G. Geolocation | Approximate (city/region) only; precise geolocation is not collected through the TempGuru SMS Agent (geo-fence clock-in is a separate feature governed by Schedule C of the MSA) |
| H. Sensory information | SMS message content (text), MMS attachments where received |
| I. Professional/employment | For Workers: name, role, certifications, shift assignments, hours, performance feedback. For users: title, role, employer |
| K. Inferences | Operational signals (e.g., predicted no-show risk, recurring-order propensity) used solely for the Permitted Purposes |
Categories that are not processed under this DPA: protected classifications (Category C), biometric information (Category E), education information (Category J), and Sensitive Personal Information beyond account credentials and (where granted) precise geolocation. TempGuru will not knowingly process Sensitive Personal Information for any purpose other than as strictly necessary to provide the Services.
Special data flows (TempGuru SMS Agent): - The contents of inbound SMS messages are transmitted to Anthropic for AI processing under the Zero Data Retention addendum. - Worker employment data appears in operational SMS replies to Hiring Company contacts in limited form (first name + last initial, role, shift detail). Worker contact information, full name, wage rate, full address, and background-check data are not transmitted via SMS.
Schedule 2 — Approved Sub-Processors
As of the DPA Effective Date, TempGuru engages the following Sub-Processors. New or replacement Sub-Processors are governed by Section 7.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI processing of TempGuru SMS Agent message content under Zero Data Retention addendum; not used for AI training | United States |
| Twilio Inc. | SMS transport (carrier and gateway) | United States |
| Stripe, Inc. | TempGuru subscription billing under the Pro-tier MSA (Agency-to-TempGuru only; under the MSA Stripe does not process Client-to-Agency staffing payments). Tokenized; PCI DSS compliant. | United States |
| Intuit, Inc. (QuickBooks) | Accounting, invoicing, and tax record-keeping; access limited to billing/financial records | United States |
| Replit, Inc. | Application hosting and database hosting | United States |
| Squarespace, Inc. | Marketing website hosting (no Worker or Hiring Company data) | United States |
| Google LLC | Google Workspace (email and internal documents); Google Analytics (GA4) on the marketing website | United States |
| LinkedIn Corporation | LinkedIn Insight Tag (advertising / remarketing) on the marketing website only | United States |
Additional Sub-Processors may be engaged for limited, non-routine purposes (e.g., outside legal counsel, accountants, auditors) subject to standard professional confidentiality obligations.
Schedule 3 — Technical and Organizational Measures
TempGuru implements and maintains the following technical and organizational measures (collectively, the "Security Measures") to protect Agency Data. The Security Measures may evolve over time; TempGuru will not materially decrease the overall security of the Services during the term of this DPA.
Encryption. - Encryption in transit using TLS 1.2 or higher for all communications between users, the Platform, and Sub-Processors. - Encryption at rest for all stored Personal Information, including SMS conversation logs and database backups.
Access Controls. - Role-based access control. Personnel access to production systems and Agency Data is limited to those with a documented business need. - Multi-factor authentication required for all personnel with access to production systems. - Access logs maintained for security review and audit.
Authentication and Account Security. - Strong password requirements for user accounts. - Session timeouts and lockout policies for repeated failed authentication. - Tokenization of payment instruments (no card numbers stored by TempGuru directly).
Secure Development. - Secure software development lifecycle, including code review, dependency monitoring, and vulnerability scanning. - Separation of production, staging, and development environments.
Network and Infrastructure Security. - Hosting on cloud infrastructure with industry-standard physical and network security. - Firewalling and network segmentation between application tiers. - Regular patching of operating systems and dependencies.
Data Minimization and Segregation. - Multi-tenant data isolation: each Agency's substantive data is logically separated from other Agencies'. - The TempGuru SMS service does not transmit Worker contact information, full name, wage rate, full address, or background-check data; only first name + last initial, role, and shift details. - The TempGuru SMS service drops obvious direct identifiers (such as Social Security numbers and full credit card numbers) from inbound message content where detected.
Sub-Processor Oversight. - Sub-Processors are engaged under written data processing agreements consistent with Section 7 of the DPA. - The Anthropic Zero Data Retention addendum is in effect for all TempGuru SMS Agent message processing.
Incident Response. - Documented incident response plan covering detection, triage, notification, and remediation. - Post-incident review and corrective action.
Personnel. - Personnel are subject to confidentiality obligations and receive privacy and security training appropriate to their role.
Business Continuity and Backups. - Regular automated backups with a 30-day rolling retention window. - Documented restoration procedures.
Audit and Monitoring. - Application and access logs maintained for security review. - Annual review of the Security Measures and update as appropriate.
End of Data Processing Addendum v1.7.
