SafetySphere · Legal

Data Processing Agreement

DPA covering processing of personal information.

Effective Date: 2026-05-08

This Data Processing Agreement (the "DPA") forms part of the agreement between Stoney Technologies Ltd ("Processor" or "we") and the customer identified in the Order Form ("Controller" or "Customer") for use of the SafetySphere service (the "Service"), and is incorporated into the Terms of Service (together, the "Agreement"). It governs Processor's processing of Personal Information on Controller's behalf in connection with the Service.

In the event of a conflict between this DPA and the Terms, this DPA controls with respect to the processing of Personal Information.


1. Definitions

Capitalized terms not defined here have the meanings given in the Terms.

  • "Applicable Privacy Law" means all privacy and data protection laws applicable to the processing of Personal Information under this DPA, including PIPEDA, Alberta's PIPA, BC's PIPA, Quebec's Law 25, the CCPA/CPRA, and other US state privacy laws (collectively the "Privacy Laws").
  • "Controller", "Processor", "Personal Information", "Processing", "Data Subject", and "Personal Information Breach" have the meanings given in Applicable Privacy Law. For the avoidance of doubt, "Personal Information" includes "personal data," "personal information" as defined under CCPA/CPRA, and similar terms.
  • "Sub-processor" means any third party engaged by Processor to process Personal Information on behalf of Controller.
  • "Service Provider" has the meaning given under CCPA/CPRA. To the extent CCPA/CPRA applies, Processor acts as a Service Provider.

2. Roles and scope

2.1 Roles

With respect to Personal Information contained in Customer Data, Controller is the Controller (or "Business" under CCPA/CPRA) and Processor is the Processor (or "Service Provider"). Processor processes Personal Information only on documented instructions from Controller, including as set out in this DPA, the Terms, and the Order Form, and as needed to provide the Service.

2.2 Scope of processing

  • Subject matter: provision of the Service.
  • Duration: the Subscription Term plus any post-termination period in which Personal Information is retained for export, plus periods required by law.
  • Nature and purpose: hosting, processing, and making available Customer Data to enable Controller's H&S management activities.
  • Categories of Personal Information: as detailed in Annex A.
  • Categories of Data Subjects: as detailed in Annex A.

2.3 Permitted processing

Processor will not: (a) sell Personal Information; (b) share Personal Information for cross-context behavioural advertising; (c) retain, use, or disclose Personal Information outside the direct business relationship between the parties; or (d) combine Personal Information received from Controller with Personal Information from another source, except as permitted under Applicable Privacy Law and this DPA.

2.4 Compliance with law

Processor will comply with Applicable Privacy Law in providing the Service. If Processor cannot meet its obligations under Applicable Privacy Law, it will promptly notify Controller and cease processing or take other reasonable steps as agreed.

3. Controller obligations

Controller is responsible for: (a) the lawfulness of Personal Information collection and the existence of a legal basis for the processing; (b) providing notice to Data Subjects and obtaining consents required under Applicable Privacy Law; (c) responding to Data Subject requests (Processor will assist as set out in Section 7); and (d) ensuring its instructions to Processor comply with Applicable Privacy Law.

4. Confidentiality and access

Processor restricts access to Personal Information to personnel who need such access to provide the Service and ensures all such personnel are bound by appropriate confidentiality obligations.

5. Security

Processor implements and maintains the technical and organizational measures described in Annex B to protect Personal Information from unauthorized or unlawful processing and from accidental loss, destruction, damage, alteration, or disclosure.

6. Sub-processors

6.1 General authorization

Controller authorizes Processor to engage Sub-processors to process Personal Information, subject to this Section 6. A list of Sub-processors as of the Effective Date is set out in Annex C.

6.2 Notice and objection

Processor will give Controller prior notice (by email, in-product notice, or by updating Annex C with notification) of any new Sub-processor at least fourteen (14) days before the new Sub-processor begins processing Personal Information. Controller may object on reasonable data protection grounds within that period. If the parties cannot agree on a resolution, Controller's sole remedy is to terminate the affected Order Form for convenience and receive a pro-rata refund of pre-paid, unused Fees.

6.3 Sub-processor obligations

Processor will impose contractual obligations on Sub-processors that are no less protective than those in this DPA, and remains liable for the acts and omissions of its Sub-processors.

7. Data Subject requests

Processor will, taking into account the nature of the processing, provide reasonable assistance to Controller (through appropriate technical and organizational measures, insofar as possible) for the fulfilment of Controller's obligation to respond to Data Subject requests under Applicable Privacy Law. If a Data Subject contacts Processor directly with a request, Processor will, where reasonably possible, redirect the Data Subject to Controller and notify Controller of the request.

8. Personal Information Breach

8.1 Notification

Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any Personal Information Breach affecting Controller's Personal Information.

8.2 Information provided

The notification will, to the extent known at the time, describe: the nature of the breach; the categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed to address the breach. Processor will provide updates as more information becomes available.

8.3 Cooperation

Processor will reasonably cooperate with Controller in connection with the investigation and notification (to regulators or Data Subjects) of any Personal Information Breach, as required by Applicable Privacy Law.

9. International transfers

Processor and its Sub-processors may store and process Personal Information in Canada and the United States. The parties acknowledge that Personal Information may be subject to lawful access requests by authorities in those jurisdictions. Where required by Applicable Privacy Law, the parties will execute appropriate transfer mechanisms (such as standard contractual clauses or equivalent tools).

10. Audits and assessments

10.1 Audit rights

Processor will make available to Controller, on request and no more than once per twelve (12) month period (unless required more often by regulators), information reasonably necessary to demonstrate compliance with this DPA, including its most recent third-party audit reports (e.g., SOC 2, ISO 27001) under appropriate confidentiality.

10.2 On-site audits

On-site audits are not generally required given the nature of cloud services. If Controller requires an on-site audit due to a regulatory mandate or a documented Personal Information Breach, the parties will agree in writing on reasonable scope, timing, fees, and confidentiality before any audit takes place.

11. Privacy impact assessments

Processor will provide reasonable assistance, at Controller's reasonable cost, with privacy impact assessments and prior consultations with regulators that Controller is required to perform under Applicable Privacy Law.

12. Return or deletion of Personal Information

Upon termination or expiration of the Agreement, Processor will, within a reasonable period (and as set out in the Terms), and at Controller's option, return or delete all Personal Information processed on Controller's behalf, except to the extent retention is required by law. Encrypted backups will be deleted in the ordinary backup rotation cycle.

13. Liability

The liability of each party arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms.

14. General

14.1 Order of precedence

In the event of a conflict, the order of precedence is: (1) this DPA; (2) the Terms; (3) other policies referenced in the Terms; (4) the Order Form, except that the Order Form prevails over the DPA only where it expressly states that it amends specific provisions of the DPA.

14.2 Survival

Provisions intended to survive termination, including those concerning confidentiality, security, breach, and data return, survive termination of the Agreement.

14.3 Amendments

We may update this DPA from time to time to reflect changes in Applicable Privacy Law or our practices. Material changes will be communicated with at least thirty (30) days' notice.


Annex A — Description of processing

Subject matter and duration: Provision of the SafetySphere Service for the Subscription Term, plus periods required for data export and legal retention.

Nature and purpose: Hosting, storing, processing, displaying, transmitting, and otherwise making available Customer Data to enable Controller's workplace health and safety management activities (e.g., incident reporting, risk assessment, permits to work, audits and inspections, training records, and dashboards).

Categories of Data Subjects:

  • Authorized Users (Controller's employees, contractors, and agents who use the Service)
  • Workers (employees, contractors) named in incident reports, risk assessments, permits, audits, training records, and similar H&S records
  • Visitors, members of the public, or third parties referenced in incident reports
  • Business contacts referenced by Controller within the Service

Categories of Personal Information:

  • Identity and contact data (name, employee ID, work email, work phone, job title)
  • Employment data (department, location, role, manager)
  • H&S record data (training completion, certifications, incident involvement, injury descriptions, return-to-work status, exposures)
  • Authentication and audit log data (IP address, login times, device information, actions taken in the Service)
  • Any additional Personal Information that Controller chooses to upload

Special categories (only if uploaded by Controller): information about injuries, occupational illness, or workplace exposures may be sensitive. Controller must determine the legal basis and lawfulness of processing such data.


Annex B — Technical and organizational security measures

Processor maintains the following measures, which may be updated from time to time provided the overall level of security is not materially reduced:

Encryption

  • TLS 1.2+ for data in transit
  • AES-256 (or equivalent) encryption for data at rest

Access control

  • Role-based access control with principle of least privilege
  • Multi-factor authentication for administrative access
  • Periodic access reviews and prompt revocation upon role change or termination
  • Strong password policies and credential rotation for system accounts

Network and infrastructure

  • Hosting with reputable cloud infrastructure providers in geographically resilient regions
  • Network segmentation and firewalls
  • DDoS protection
  • Vulnerability scanning and timely patching

Application security

  • Secure software development practices, including code review and dependency scanning
  • Regular penetration testing by qualified third parties
  • Bug bounty / responsible disclosure program (where in place)

Logging and monitoring

  • Centralized logging of system and security events
  • 24/7 monitoring and alerting for security and availability events
  • Audit logs of access to Personal Information

Backup and resilience

  • Regular encrypted backups
  • Documented business continuity and disaster recovery procedures
  • Periodic restoration testing

Personnel

  • Background checks where lawful
  • Confidentiality undertakings from all personnel
  • Annual security and privacy training

Incident response

  • Documented incident response plan
  • Defined roles, communication channels, and timelines
  • Post-incident review and remediation

Subprocessor governance

  • Contractual obligations no less protective than this DPA
  • Periodic review of subprocessor security posture

Annex C — Sub-processors

A current list of material Sub-processors is maintained at https://safetysphere.io/support/subprocessors (or available on request from info@stoneytechnologies.com).

Typical categories include:

  • Cloud hosting and infrastructure (e.g., AWS, GCP, Azure — region-specific)
  • Database and storage services
  • Email delivery (transactional and notifications)
  • Customer support and ticketing
  • Error monitoring and observability
  • Analytics
  • Payment processing (limited Personal Information; primarily for billing contact)

For each Sub-processor, Processor records: name, role, location of processing, and applicable transfer mechanism (where relevant).


Version: 1.0 — 2026-05-08