Data Processing Agreement
Effective Date: April 14, 2026
Last Updated: January 10, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between FieldMCP LLC ("Processor," "we," "us," or "our") and the entity agreeing to these terms ("Controller," "you," or "your") and governs the processing of personal data in connection with the FieldMCP platform and related services (the "Service").
1. Definitions
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including the California Consumer Privacy Act (CCPA) and other US state privacy laws.
"Personal Data" means any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller in connection with the Service.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates, including Farmers whose agricultural data is accessed through the Service.
"Farmer" means an individual or entity whose agricultural data account is connected to the Service through OAuth authorization.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Service Provider" has the meaning given in California Civil Code § 1798.140(ag).
2. Scope and Roles
2.1 Roles of the Parties
-
Controller: You determine the purposes and means of processing Farmer Personal Data. You are responsible for obtaining Farmer consent and ensuring lawful basis for processing.
-
Processor: We process Personal Data solely on your behalf and according to your documented instructions as set forth in this DPA and the Service functionality.
-
Data Subjects: Farmers whose agricultural data is accessed through connections you establish.
2.2 Subject Matter of Processing
The Processor processes Personal Data to provide the Service, which includes:
- Storing and managing OAuth tokens for Farmer connections
- Routing API requests to agricultural data providers
- Refreshing OAuth tokens automatically before expiration
- Logging usage data for billing and analytics
- Caching authentication and rate limit data
2.3 Duration of Processing
Processing begins when you create a Farmer connection and continues until:
- You delete the Farmer connection, or
- Your account is terminated, or
- You instruct us to delete the data
Post-termination, data is retained according to Section 4.8 of this DPA.
2.4 Nature and Purpose of Processing
| Processing Activity | Purpose |
|---|---|
| Token storage | Enable API authentication with providers |
| Token encryption | Protect credentials at rest |
| Token refresh | Maintain continuous access |
| Request routing | Direct API calls to appropriate providers |
| Usage logging | Billing, analytics, debugging |
| Caching | Performance optimization, rate limiting |
2.5 Types of Personal Data
| Data Category | Examples |
|---|---|
| OAuth credentials | Access tokens, refresh tokens |
| Account identifiers | Provider user IDs, organization IDs |
| Agricultural data (in transit) | Field names, equipment info, yield data |
| Usage metadata | Timestamps, tool names, response times |
2.6 Categories of Data Subjects
- Farmers who authorize OAuth connections
- Farm employees with provider account access
- Agricultural business operators
3. Controller Obligations
3.1 Lawful Basis
You represent and warrant that:
- You have a lawful basis for processing Farmer Personal Data
- You have obtained all necessary consents from Farmers before connecting their accounts
- You have provided Farmers with adequate privacy notices describing your use of their data
- Your use of the Service complies with all applicable Data Protection Laws
3.2 Instructions
Your instructions for processing are set forth in:
- This DPA
- The Terms of Service
- The Service documentation
- API requests you submit through the Service
You may provide additional written instructions, provided they are consistent with the Service functionality.
3.3 Farmer Communications
You are solely responsible for:
- Communicating with Farmers about data access and use
- Responding to Farmer inquiries about their data
- Notifying Farmers when connections require re-authentication
- Handling Farmer complaints or concerns
4. Processor Obligations
4.1 Processing Limitations
We will:
- Process Personal Data only on your documented instructions
- Not process Personal Data for our own purposes beyond providing the Service
- Not sell Personal Data to third parties
- Not share Personal Data for cross-context behavioral advertising
To the extent the California Consumer Privacy Act (CCPA) applies, we are a Service Provider. We certify that we understand and will comply with the restrictions in CCPA § 1798.100(d). We will not retain, use, or disclose Personal Data for any purpose other than performing the Service, and will not combine Personal Data with data from other sources except as permitted by the CCPA.
4.2 Confidentiality
We ensure that personnel authorized to process Personal Data:
- Are subject to confidentiality obligations
- Process Personal Data only as necessary to provide the Service
- Receive appropriate training on data protection
4.3 Security Measures
We implement and maintain appropriate technical and organizational measures to protect Personal Data, including:
Encryption:
- OAuth tokens encrypted at rest using ChaCha20-Poly1305 authenticated encryption
- Encryption keys stored in Supabase Vault (isolated from database)
- Automated quarterly key rotation with natural token migration
- All data transmitted over HTTPS/TLS 1.2+
Access Controls:
- Row-level security (RLS) ensuring tenant isolation
- OAuth 2.1 authentication with ES256 JWT signing
- Rate limiting on authentication endpoints
- Automatic lockout after repeated authentication failures
Infrastructure:
- Managed infrastructure with SOC 2 Type II certified providers
- Database backups with point-in-time recovery
- Automatic cache expiration and cleanup
Monitoring:
- Error logging and alerting
- Authentication failure tracking
- Usage monitoring for anomaly detection
4.4 Sub-processors
4.4.1 Authorized Sub-processors
You authorize the use of the following Sub-processors:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, edge functions | United States | All Personal Data |
| John Deere & Company | Agricultural data API provider | United States | OAuth tokens, API requests |
| Stripe, Inc. | Payment processing | United States | Controller email, billing data |
| Vercel, Inc. | Dashboard hosting | United States | Session data, cookies |
4.4.2 Sub-processor Changes
We will:
- Notify you at least 30 days before adding or replacing Sub-processors
- Provide you an opportunity to object to new Sub-processors
- If you object, we will make reasonable efforts to provide an alternative arrangement that avoids the objected-to Sub-processor. If no alternative is commercially feasible within 30 days, you may terminate the affected Service with a pro-rata refund for any prepaid, unused fees
4.4.3 Sub-processor Obligations
We ensure that Sub-processors:
- Are bound by data protection obligations no less protective than this DPA
- Implement appropriate security measures
- Process Personal Data only as necessary to provide their services
4.5 Data Subject Rights
We will assist you in responding to Data Subject requests to exercise their rights under applicable Data Protection Laws, including requests to:
- Access their Personal Data
- Correct inaccurate Personal Data
- Delete their Personal Data
- Restrict processing
- Data portability
Response Process:
- If we receive a request directly from a Data Subject, we will promptly notify you
- We will provide reasonable assistance to help you respond within required timeframes
- Standard assistance (included at no charge) covers: data export via the Service dashboard, deletion of Farmer connections and associated tokens, and written confirmation of deletion. Assistance requiring custom engineering work (e.g., manual database queries, bespoke reports) may be subject to additional fees at our then-current professional services rates, quoted in advance
4.6 Security Incident Response
4.6.1 Notification
If we become aware of a Security Incident affecting Personal Data, we will:
- Notify you without undue delay and in any event within 72 hours of confirming that a Security Incident has occurred. The notification timeline begins when we have sufficient information to confirm a Security Incident, not upon initial detection of a potential anomaly
- Provide notification to legal@fieldmcp.com or your designated security contact
4.6.2 Notification Content
Our notification will include, to the extent known:
- Description of the nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of our data protection contact
- Likely consequences of the Security Incident
- Measures taken or proposed to address the Security Incident
4.6.3 Cooperation
We will:
- Cooperate with your investigation of the Security Incident
- Take reasonable steps to mitigate effects and prevent recurrence
- Not notify Data Subjects directly without your prior approval, unless required by law
4.7 Audits and Assessments
4.7.1 Information Provision
Upon your reasonable request (no more than once per year), we will provide:
- Documentation of our security measures
- Summary of recent security assessments or certifications
- Answers to reasonable security questionnaires
For all customers, we will make available upon request the most recent SOC 2 Type II report from our primary infrastructure provider (currently Supabase, Inc.), along with a summary of any additional security measures we implement beyond the provider's baseline.
4.7.2 On-Site Audits
For Enterprise customers with appropriate contractual arrangements:
- We will allow audits by you or your designated third-party auditor
- Audits require 30 days' advance notice
- Audits must be conducted during normal business hours
- Audit scope is limited to processing activities covered by this DPA
- You bear the costs of audits you initiate
4.8 Data Deletion and Return
Upon termination of the Service or your written request:
Immediate Deletion:
- OAuth tokens (access and refresh)
- OAuth credentials (client IDs, encrypted tokens)
- Active cache entries
Retained for Limited Periods:
- Account profile data: 90 days
- Usage logs: 90 days (anonymized after 30 days by removing account and Farmer identifiers)
- Billing records: 3 years (legal compliance)
We will certify deletion upon your request.
5. Data Transfers
5.1 Location of Processing
Personal Data is processed in the United States. All Sub-processors process data within the United States.
5.2 Geographic Restriction
The Service is available only to Controllers established in the United States. By entering into this DPA, you represent that you are not subject to the EU General Data Protection Regulation (GDPR) or the UK Data Protection Act 2018. If your circumstances change such that GDPR or UK data protection law applies, you must notify us immediately, and we will work with you to establish appropriate transfer mechanisms or terminate the affected processing.
6. Liability
6.1 Allocation of Liability
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.
6.2 Controller Liability
You are liable for:
- Ensuring lawful basis for processing
- Obtaining necessary Farmer consents
- Accuracy of instructions provided to us
- Your applications' compliance with Data Protection Laws
6.3 Processor Liability
We are liable for:
- Processing Personal Data contrary to your documented instructions
- Failure to implement agreed security measures
- Unauthorized Sub-processor engagement
- Security Incidents caused by our negligence
7. Term and Termination
7.1 Term
This DPA is effective from the Effective Date and continues for the duration of your use of the Service.
7.2 Survival
The following obligations survive termination:
- Confidentiality (indefinitely)
- Data deletion and return (until completed)
- Liability provisions
- Any obligation that by its nature should survive
8. General Provisions
8.1 Conflicts
In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to Personal Data processing.
8.2 Amendments
We may update this DPA to reflect changes required by Data Protection Laws. For material changes not required by law, we will provide 30 days' advance notice. If you do not agree to a material change, you may terminate the Service within 30 days of notice with a pro-rata refund for any prepaid, unused fees. Continued use of the Service after the 30-day notice period constitutes acceptance of the updated DPA.
8.3 Governing Law
This DPA is governed by the laws of the State of Missouri, without regard to conflict of law principles. Any disputes arising under this DPA are subject to the dispute resolution provisions in the Terms of Service.
8.4 Assignment
Neither party may assign this DPA without the other party's prior written consent, except in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided the assignee agrees in writing to be bound by this DPA. Any purported assignment in violation of this section is void.
9. Contact Information
For questions about this DPA or to exercise rights under it:
Data Protection Contact:
FieldMCP LLC
Email: legal@fieldmcp.com
Address: 117 SOUTH LEXINGTON ST STE 100 HARRISONVILLE, MO 64701
Appendix A: Technical and Organizational Security Measures
A.1 Encryption
| Data | Method | Key Management |
|---|---|---|
| OAuth tokens at rest | ChaCha20-Poly1305 | Supabase Vault (quarterly rotation) |
| Data in transit | TLS 1.2+ | Managed certificates |
| JWT signing keys | ES256 (ECDSA P-256) | Supabase Vault |
| Passwords | bcrypt (Supabase Auth) | Per-user salt |
A.2 Access Controls
| Control | Implementation |
|---|---|
| Authentication | Email/password via Supabase Auth |
| Authorization | Row-level security policies |
| API access | OAuth 2.1 with ES256-signed JWTs |
| Rate limiting | Per-minute and monthly limits by tier |
| Brute force protection | IP-based lockout after failures |
A.3 Infrastructure Security
| Measure | Provider |
|---|---|
| Database hosting | Supabase (AWS infrastructure) |
| Edge functions | Supabase (Deno runtime) |
| Dashboard hosting | Vercel |
| DDoS protection | Cloudflare (via providers) |
| Backups | Automated daily with PITR |
A.4 Operational Security
| Practice | Description |
|---|---|
| Logging | Request logging with error tracking |
| Monitoring | Uptime and error rate monitoring |
| Incident response | Documented response procedures |
| Access reviews | Periodic review of access permissions |
By using the FieldMCP Service, you acknowledge that you have read and agree to this Data Processing Agreement.