Data Processing Agreement

The Processor processes personal information on the Controller's behalf solely for the purpose of operating the ResponseCore service. This DPA is in effect for the duration of the Controller's subscription, and survives termination to the extent needed for export, deletion, and statutory retention obligations.

Personal information processed includes staff names, work emails, usernames, roles, authentication credentials (hashed), and audit records of inventory actions. The purpose is to provide authentication, authorisation, recordkeeping, and reporting features of the service.

No patient health information is intended to be processed. If the Controller enters such information into free-text fields contrary to the Terms of Service, the Controller remains solely responsible for that data's lawful basis.

The Processor uses the following sub-processors as of the effective date above:

• Supabase, Inc. — database, authentication, storage. Data residency: [CANADIAN OR EU REGION TO BE CONFIRMED].
• Vercel Inc. — application hosting and CDN. Data residency: [REGION TO BE CONFIRMED].
• [SMTP provider] — transactional email if used (password reset, invitations).

The Processor will give the Controller at least 30 days' written notice before adding a new sub-processor. If the Controller reasonably objects on data-protection grounds within 14 days, the parties will discuss in good faith; the Controller may terminate this DPA without penalty if no resolution is reached.

The Processor will ensure that personnel authorised to process personal information are bound by appropriate confidentiality obligations, and limit access to a need-to-know basis.

The Processor implements appropriate technical and organisational measures, including:

• TLS 1.2+ for data in transit.
• Encryption at rest on all storage layers.
• Row-level security in the database to enforce tenant isolation.
• Multi-factor authentication for administrative access to the Processor's production systems.
• Audit logs of administrative actions.
• Routine backups and tested restoration procedures.
• Vulnerability and patch management for application dependencies.

The Processor will notify the Controller without undue delay (and in any event within [72 HOURS] of becoming aware) of any personal-data breach affecting the Controller's data, providing the information reasonably available at the time and updating as more becomes known.

The Processor will assist the Controller with requests from data subjects (employees) for access, correction, deletion, or portability, by providing the technical means in the service or, where not available in the service, by responding to written requests within a reasonable time.

On reasonable written notice and no more than once per year (except in response to a security incident), the Controller may audit the Processor's compliance with this DPA, including by reviewing third-party audit reports or by interviewing relevant personnel. Costs are borne by the Controller unless the audit reveals a material breach.

If sub-processor infrastructure means data is transferred outside Canada, the Processor will rely on a recognised transfer mechanism (such as the EU Standard Contractual Clauses or an adequacy decision) and will document this on request.

On termination, the Processor will, at the Controller's choice, return the data (via the export tools in the service) and/or delete it within 90 days, except where law requires longer retention.

Liability is governed by the master service agreement between the parties. This DPA is governed by the laws of the Province of Alberta, Canada.

If there is a conflict between this DPA and any other agreement between the parties, this DPA prevails as to the processing of personal information.