Data Processing Addendum (Preview)

1. Roles, Subject Matter, Duration

• Roles. Customer is the data controller; PatronPath is the data processor.
• Subject matter. Processing of Personal Data as necessary to provide the Service as documented by Customer’s configurations and written instructions.
• Duration. For the term of the underlying agreement and until deletion/return of Personal Data as set out below.

2. Nature & Purpose; Types & Subjects of Data

• Nature & purpose. Access-verification workflows, diagnostics, and support communications.
• Personal Data types. Typically limited to Customer staff business contact details (name, email) and any Personal Data Customer elects to include in instructions or attachments. Dedicated non-patron test account identifiers, including barcodes where needed for troubleshooting, may appear in library-facing reports but should not be assigned to real patrons. Real patron identifiers are not required for pilots and should not be provided.
• Data subjects. Customer personnel (e.g., library staff, administrators). No real end-user patrons are expected or required for pilots.

3. Instructions

Processor will process Personal Data only on documented instructions from Customer, including via in-product configurations, written requests, or the agreement. Processor will inform Customer if an instruction appears to violate applicable law.

4. Confidentiality & Personnel

Processor ensures personnel with access to Personal Data are bound by confidentiality obligations and receive appropriate privacy/security training.

5. Security Measures

Processor implements administrative, technical, and organizational measures described at /security, including a dedicated physical server under PatronPath's direct administrative control, encrypted server storage, least-privilege access, and the report-handling and masking practices described on that page. Customer is responsible for its own access controls and secure provision, scoping, revocation, and disablement of test credentials.

6. Sub-processing

Customer authorizes Processor to engage sub-processors listed at /legal/subprocessors to support the Service. Processor will impose data protection obligations on sub-processors no less protective than this DPA and will notify Customer of changes per that page, allowing reasonable objections where applicable.

7. International Transfers

Processor may process Personal Data in Canada and the United States. Where required by law for transfers, the European Commission Standard Contractual Clauses (SCCs) Module 2 (Controller→Processor) and the UK IDTA/Addendum are incorporated by reference and will apply to such transfers. On request, Processor will provide executed copies and transfer impact information.

8. Assistance

Taking into account the nature of processing, Processor will assist Customer by appropriate technical and organizational measures to respond to data subject requests and to meet security, breach notification, DPIA, and consultation obligations, as reasonably necessary and proportionate to the risk and scope of processing.

9. Incident Notification

Processor will notify Customer without undue delay upon confirming a Personal Data Breach affecting Customer Personal Data, including known details and mitigation steps, and will cooperate in remediation and notifications. If Processor suspects credential compromise or unauthorized access affecting Customer test credentials, Processor will disable or delete the affected credential from PatronPath and notify Customer within 24 hours.

10. Audits & Information

On request, Processor will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., security summaries, policy excerpts, pen-test summaries under NDA). Where further review is required, Customer may conduct audits during business hours with reasonable notice, scope, and frequency, without disrupting operations.

11. Return & Deletion

Upon termination, pilot completion, cancellation, or Customer's written request, Processor will delete active pilot test credentials and pilot test-result data within 48 hours, unless Customer requests retention or retention is required by law. Processor does not maintain backup copies of credentials or pilot test-result data. Copies already delivered to Customer, vendors Customer shares them with, or Customer-controlled email and file systems are outside Processor's control. Other Personal Data, such as staff business contact details in ordinary communications, is handled according to PatronPath's Privacy Policy, Customer instructions, and applicable legal retention requirements.

12. Liability & Precedence

Liability under this DPA is subject to the limitations and exclusions set out in the underlying agreement. If there is a conflict between this DPA and the agreement regarding Personal Data, this DPA controls. For SCCs/UK Addendum, the governing law and forum clauses of those instruments apply as specified therein.

13. Definitions

“Personal Data,” “processing,” “controller,” and “processor” have the meanings given in applicable data protection laws (e.g., PIPA (BC)/PIPEDA, GDPR/UK GDPR, CPRA, VCDPA).