Overview
This DPA implements the obligations of Article 28 GDPR and the equivalent provisions of the UK GDPR, the California CCPA / CPRA, and Canadian PIPEDA in a single document. It's designed to be readable and signable as-is by mid-market buyers without custom redlines.
If you're an enterprise buyer with mandatory clause language, send the redline to legal@saferinventory.com. We accept reasonable customer-paper revisions in 7 business days or sooner.
Definitions
- Customer — the legal entity that subscribes to Safer Inventory under our Terms of Service.
- Safer / we / us — Pistis Contracting Inc., 18 Strathearn Ave, Brampton, ON L6T 4L8, Canada.
- Personal Data — any information relating to an identified or identifiable natural person, processed by Safer on behalf of the Customer.
- Processing — any operation performed on Personal Data, automated or otherwise.
- Subprocessor — a third party we engage to help us process Personal Data, listed at /legal/subprocessors.
Roles + scope
For Personal Data submitted to the Service by Customer or its end users, the Customer is the Controller and Safer is the Processor.
Safer processes Personal Data only on the Customer's documented instructions. Those instructions are: (a) the Terms of Service, (b) this DPA, (c) the configurations, integrations, and admin actions performed by the Customer in the product, and (d) any further written instructions from the Customer that don't conflict with this DPA.
Processing details
For the avoidance of doubt:
| Item | Description |
|---|---|
| Subject matter | Cloud-based inventory management service. |
| Duration | For as long as the Customer maintains an active subscription, plus the deletion tail in §11. |
| Nature + purpose | Storage, retrieval, synchronisation, analysis, and presentation of inventory and order data. |
| Categories of data subjects | Customer's end-user employees and contractors with logins; Customer's customers (sales-order names + emails); Customer's vendors. |
| Categories of Personal Data | Names, business email addresses, phone numbers, billing + shipping addresses, IP addresses, audit-log activity, push-notification tokens. |
| Special categories | None. The Service is not designed to process sensitive categories under Article 9 GDPR. Customers must not upload health, biometric, or political-affiliation data. |
Subprocessors
Customer authorises Safer to engage the Subprocessors listed at /legal/subprocessors. Safer will:
- Notify Customer at least 30 days before adding a new Subprocessor with access to Personal Data, by email and an in-app banner.
- Bind every Subprocessor in writing to substantially the same data-protection obligations as those in this DPA.
- Remain liable for the acts and omissions of its Subprocessors as if they were its own.
Customer may object to a new Subprocessor on reasonable grounds related to the protection of Personal Data within the 30-day notice window. If we cannot accommodate the objection, the Customer may terminate the affected portion of the subscription with a prorated refund.
Security measures
Safer implements appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk:
- Encryption — TLS 1.3 in transit; AES-256-GCM at rest with envelope encryption (per-record DEK wrapped under a Key Encryption Key) and annual KEK rotation.
- Tenant isolation — Postgres row-level security on every tenant table, with policies tested in CI; application-layer org_id filter as a second wall.
- Access control — Role-based authorisation (owner / admin / member / viewer); Clerk-managed authentication with mandatory 2FA for owner / admin roles; hardware-key 2FA for production console access.
- Audit + monitoring — Append-only audit log of every state-changing API call; 7-year retention; Sentry error tracking with PII filters; Pino structured access logs.
- Resilience — Daily PITR backups, encrypted, restorable to any point in the last 30 days. Backup restore tested quarterly.
- Software development — Code review required on every change to main; gitleaks + pnpm audit + CodeQL extended security pack in CI; quarterly dependency review.
- Data residency — Default region Toronto, Canada (yyz). Data stays in the region the Customer selects.
Full live posture and roadmap at /security.
Incident response
If Safer becomes aware of a Personal Data Breach (as defined in Article 4(12) GDPR), Safer will:
- Notify the Customer's designated security contact within 72 hours of discovery.
- Provide the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken to mitigate.
- Cooperate in good faith with the Customer's breach-notification obligations.
- Document every breach in our internal incident registry, retained for 5 years and available to auditors.
The Customer's designated security contact is whoever they identified at signup and configured in /app/settings/security. If unset, we use the billing email.
Data subject rights
When a data subject contacts Safer directly with an access, correction, deletion, or portability request, Safer will redirect them to the Customer (the Controller) without further response, unless the Customer has authorised Safer to respond.
For requests routed through the Customer, Safer will provide reasonable assistance within 7 business days at no additional cost. The product also exposes self-service tools at /app/settings/account → “Export my data”.
International transfers
Safer is established in Canada. Where the processing of Personal Data involves a transfer to a country that has not received an adequacy decision under GDPR, the parties incorporate the European Commission's 2021 Standard Contractual Clauses (Module 2: Controller-to-Processor) into this DPA by reference. The full SCCs are available at ec.europa.eu; Annexes I, II, and III are populated by this DPA + the subprocessors page.
For UK data, the parties incorporate the UK Information Commissioner's International Data Transfer Addendum (Version B1.0).
Audit + reporting
Safer makes available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, including relevant security documentation once available. Customers may request security materials under NDA via security@saferinventory.com.
For Customers with regulatory obligations that require on-site audit, Safer will allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer at most once per 12-month period, at the Customer's reasonable expense, with at least 30 days' written notice.
Term + return / deletion
Upon termination of the underlying subscription, Safer will, at the Customer's choice:
- Return all Personal Data via the standard CSV / PDF export mechanisms, OR
- Delete all Personal Data from active systems within 30 days, and from backups within 30 additional days as backups age out of the rolling PITR window.
Audit-log entries may be retained beyond this window where Safer has a legal obligation to do so (e.g. tax records, security investigations); they remain subject to this DPA until destroyed.
Sign + counter-sign
This DPA enters into effect when (a) the Customer accepts the Terms of Service and (b) the Customer countersigns this document. To execute, email a signed PDF to legal@saferinventory.com; we'll countersign and return within 5 business days.
For Customers without procurement constraints, the click-through acceptance of the Terms of Service constitutes execution of this DPA without need for a wet-ink signature.
Conflicts: if any provision of this DPA conflicts with the Terms of Service, this DPA controls in respect of the processing of Personal Data.
Governing law: the Province of Ontario and the federal laws of Canada applicable therein, except where Customer's mandatory data-protection law requires otherwise.

