Data Processing Addendum (Preview)

1. Roles, Subject Matter, Duration

• Roles. Customer is the data controller; PatronPath is the data processor.
• Subject matter. Processing of Personal Data as necessary to provide the Service as documented by Customer’s configurations and written instructions.
• Duration. For the term of the underlying agreement and until deletion/return of Personal Data as set out below.

2. Nature & Purpose; Types & Subjects of Data

• Nature & purpose. Access-verification workflows, diagnostics, and support communications.
• Personal Data types. Typically limited to Customer staff business contact details (name, email) and any Personal Data Customer elects to include in instructions or attachments. Patron identifiers are not required for the beta and should not be provided.
• Data subjects. Customer personnel (e.g., library staff, administrators). No end-user patrons in beta.

3. Instructions

Processor will process Personal Data only on documented instructions from Customer, including via in-product configurations, written requests, or the agreement. Processor will inform Customer if an instruction appears to violate applicable law.

4. Confidentiality & Personnel

Processor ensures personnel with access to Personal Data are bound by confidentiality obligations and receive appropriate privacy/security training.

5. Security Measures

Processor implements administrative, technical, and organizational measures described at /security, including full-disk encryption, least-privilege access, and redaction by default for screenshots. Customer is responsible for its own access controls and secure provision of test credentials.

6. Sub-processing

Customer authorizes Processor to engage sub-processors listed at /legal/subprocessors to support the Service. Processor will impose data protection obligations on sub-processors no less protective than this DPA and will notify Customer of changes per that page, allowing reasonable objections where applicable.

7. International Transfers

Processor may process Personal Data in Canada and the United States. Where required by law for transfers, the European Commission Standard Contractual Clauses (SCCs) Module 2 (Controller→Processor) and the UK IDTA/Addendum are incorporated by reference and will apply to such transfers. On request, Processor will provide executed copies and transfer impact information.

8. Assistance

Taking into account the nature of processing, Processor will assist Customer by appropriate technical and organizational measures to respond to data subject requests and to meet security, breach notification, DPIA, and consultation obligations, as reasonably necessary and proportionate to the risk and scope of processing.

9. Incident Notification

Processor will notify Customer without undue delay upon confirming a Personal Data Breach affecting Customer Personal Data, including known details and mitigation steps, and will cooperate in remediation and notifications.

10. Audits & Information

On request, Processor will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., security summaries, policy excerpts, pen-test summaries under NDA). Where further review is required, Customer may conduct audits during business hours with reasonable notice, scope, and frequency, without disrupting operations.

11. Return & Deletion

Upon termination or at Customer’s written request, Processor will delete or return Personal Data within 30–90 days, unless retention is required by law. Backup deletion will follow standard cycles.

12. Liability & Precedence

Liability under this DPA is subject to the limitations and exclusions set out in the underlying agreement. If there is a conflict between this DPA and the agreement regarding Personal Data, this DPA controls. For SCCs/UK Addendum, the governing law and forum clauses of those instruments apply as specified therein.

13. Definitions

“Personal Data,” “processing,” “controller,” and “processor” have the meanings given in applicable data protection laws (e.g., PIPA (BC)/PIPEDA, GDPR/UK GDPR, CPRA, VCDPA).