Data Processing Addendum
Last updated: May 5, 2026
1. Scope
This Data Processing Addendum ("DPA") supplements the Sauna Scale Terms of Service between Cymba Labs LLC ("Cymba", the "Processor") and the installer or business using the Service (the "Customer", the "Controller"). It governs personal data that the Customer captures from its homeowners through the Service.
2. Roles
The Customer is the data controller for homeowner contact and qualification data captured via the intake widget or SMS. Cymba is the data processor and acts only on the Customer's documented instructions, including those expressed through the Service's configuration.
3. Subject matter and duration
Processing covers the duration of the Customer's subscription and the operations necessary to provide the Service: storing conversations, leads, and contact records; running the AI agent; generating quotes; sending transactional email and SMS; and serving the customer-facing quote view.
4. Categories of data
- Identifiers: name, email, phone, ZIP.
- Project data: project type, size, budget band, timeline, electrical and permitting notes, decision-maker context.
- Conversation transcripts and timestamps.
- Quote line items, totals, and acceptance state.
5. Data subjects
Homeowners and end customers of the Customer who initiate a conversation through the Service.
6. Subprocessors
Cymba uses the subprocessors listed at /subprocessors. Cymba will give prior notice of new subprocessors to the Customer by email. The Customer may object to a new subprocessor on reasonable grounds; if Cymba cannot accommodate the objection, the Customer may terminate the affected portion of the Service.
7. Security measures
- TLS encryption in transit for all client connections.
- Encryption at rest for the database and object storage.
- Row-level security policies that enforce per-tenant isolation.
- Production access limited to a small set of authorized personnel, audited via vendor logs.
- Application-level monitoring (Sentry) tagged with org and conversation IDs for incident response.
8. Personnel
Cymba personnel with access to personal data are bound by confidentiality obligations.
9. Breach notification
Cymba will notify the Customer without undue delay (and in any event within 72 hours) of becoming aware of a personal data breach affecting the Customer's data, including the nature of the incident, likely consequences, and the measures taken or proposed.
10. Data subject rights
Cymba will assist the Customer in responding to data subject requests (access, deletion, correction) by providing the tools and data export needed. Requests addressed directly to Cymba will be forwarded to the Customer.
11. Return or deletion at termination
On termination of the Service, Cymba will, at the Customer's choice, return or delete the Customer's personal data within 30 days, except where retention is required by law (including SMS consent and opt-out records retained for TCPA audit).
12. Contact
DPA questions: hello@cymbalabs.com.