
Data Processing Addendum

A baseline DPA template for OllieSafe customers subject to GDPR, UK GDPR, CCPA/CPRA, or comparable data-protection regimes. References the EU Standard Contractual Clauses Module 2 (controller-to-processor) for international transfers.

TEMPLATE — REQUIRES LEGAL REVIEW BEFORE EXECUTION.

This page publishes the OllieSafe baseline DPA scaffold so procurement and legal teams can review terms in advance of an order. The executed version is countersigned out-of-band by authorized signatories on both sides. Bracketed placeholders (e.g. [CUSTOMER LEGAL NAME]) are completed at execution. Material redlines must be agreed in writing. Contact legal@olliesafe.com to request an executable copy or submit redlines.

1. Parties and definitions

This Data Processing Addendum (this "DPA") forms part of the OllieSafe Master Subscription Agreement or equivalent agreement (the "Agreement") between OllieSafe Inc. ("OllieSafe", "Processor") and [CUSTOMER LEGAL NAME] ("Customer", "Controller") and governs the Processing of Customer Personal Data in connection with the Services.

Capitalized terms not defined here have the meanings given in the Agreement or in the EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom GDPR ("UK GDPR"), and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, together with its implementing regulations ("CCPA"), as applicable. The terms "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in GDPR Article 4; analogous CCPA terms ("Business", "Service Provider", "Consumer", "Personal Information") apply where the CCPA governs.

2. Subject matter, duration, nature, and purpose

  • Subject matter. Processing of Customer Personal Data by OllieSafe to deliver the Services under the Agreement.
  • Duration. Effective on the order start date of [ORDER EFFECTIVE DATE] and continuing for the term of the Agreement plus any post-termination data retention or return period set out in Section 12.
  • Nature. Hosting, storing, processing, transmitting, and displaying Customer Personal Data submitted to the Services; generating reports, exports, and audit artifacts; sending transactional communications.
  • Purpose. To enable Customer to operate its workplace safety, OSHA recordkeeping, incident management, training, and compliance workflows using the Services.

3. Categories of Data Subjects

  • Customer's employees, contractors, and contingent workforce.
  • Customer's safety committee members, supervisors, and administrative personnel using the Services.
  • Third parties who appear in incident records (e.g. injured workers, witnesses, healthcare providers identified in recordkeeping submissions to the extent allowed by applicable law).
  • Customer's authorized representatives who interact with OllieSafe support.

4. Categories of Personal Data

  • Identification data: name, employee identifier, work email, work phone, job title.
  • Employment data: hire date, work location/establishment, job classification, supervisor assignment.
  • Safety and incident data: incident descriptions, injury type, body part, treatment received, return-to-work status, lost-time days, related OSHA 300/300A/301 and state-equivalent recordkeeping fields.
  • Training and credentialing data: course assignments, completion timestamps, certification expirations.
  • Account and usage data: authentication identifiers, session metadata, audit-log entries (actor, timestamp, resource), in-product preferences.
  • Communications: support tickets, in-app messages, attachments uploaded by Customer users.

Special category data. Customer is responsible for ensuring that any special-category Personal Data (e.g. health information related to injuries) is submitted with a lawful basis under GDPR Article 9 and that Customer has obtained any consents or provided any notices required by applicable law. OllieSafe is not a HIPAA Business Associate; see Section 15.

5. Controller obligations

Customer represents and warrants that:

  • It has a lawful basis under GDPR Article 6 (and Article 9 where applicable) for the Processing it instructs OllieSafe to perform.
  • It has provided all required notices to and obtained all required consents from Data Subjects.
  • Its documented instructions to OllieSafe in the Agreement, this DPA, and via the Services configuration are lawful.
  • It will respond to Data Subject rights requests in the first instance and will only require OllieSafe assistance as set out in Section 9.

6. Processor obligations

OllieSafe agrees that it will:

  • Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers, except as required by applicable law (in which case OllieSafe shall inform Customer of that legal requirement before Processing unless the law prohibits notice on important grounds of public interest).
  • Ensure that persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement the technical and organizational measures set out in Section 8 to ensure a level of security appropriate to the risk.
  • Engage Sub-processors only on the terms in Section 7.
  • Assist Customer in fulfilling its obligations to respond to Data Subject rights requests as set out in Section 9.
  • Assist Customer in ensuring compliance with GDPR Articles 32 to 36 (security, breach notification, data protection impact assessment, prior consultation) taking into account the nature of Processing and the information available to OllieSafe.
  • At Customer's election on termination, return or delete Customer Personal Data as set out in Section 12.
  • Make available to Customer the information necessary to demonstrate compliance with this DPA and contribute to audits as set out in Section 11.

Where OllieSafe receives an instruction it reasonably believes infringes GDPR or applicable data-protection law, OllieSafe will inform Customer in writing.

7. Sub-processors

Customer provides a general authorization for OllieSafe to engage Sub-processors to Process Customer Personal Data in support of the Services. The current list of authorized Sub-processors is published at /legal/subprocessors.

OllieSafe will:

  • Notify Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance, providing Customer an opportunity to object on reasonable data-protection grounds.
  • Enter into a written agreement with each Sub-processor imposing data-protection obligations no less protective than those in this DPA.
  • Remain liable to Customer for the acts and omissions of its Sub-processors to the same extent OllieSafe would be liable if performing the services of each Sub-processor directly.
  • If Customer reasonably objects to a Sub-processor change on data-protection grounds and the parties cannot reach a commercially reasonable resolution within thirty (30) days, Customer may terminate the affected Services without penalty.

8. Security measures

OllieSafe implements and maintains administrative, technical, and physical safeguards designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures are summarized on the public Security page at /security and include, at minimum:

  • Encryption. AES-256 encryption at rest for persisted Customer Personal Data; TLS 1.3 for data in transit; TLS-enforced database connections with server certificate verification.
  • Access control. Role-based access tiers, multi-factor authentication via the identity provider, automated session rotation, principle-of-least-privilege for OllieSafe personnel.
  • Tenant isolation. PostgreSQL row-level security enforces tenant boundaries at the database engine layer.
  • Audit logging. Data-mutation events are recorded with actor, timestamp, and resource. Retention is configurable per Customer policy.
  • Network protection. VPC-native networking, Web Application Firewall, and managed patching on the underlying cloud platform.
  • Personnel. Background checks where permitted by law, security awareness training, signed confidentiality obligations.
  • Incident response. Documented runbooks, on-call rotation, post-incident review.

OllieSafe may update its security measures from time to time, provided that any update does not materially degrade the protection of Customer Personal Data.
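The tenant-isolation measure above names PostgreSQL row-level security as the mechanism. As an added illustration (not OllieSafe's schema or code), the following shows the shape such a control takes and the two properties a reviewer would check: the policy binds the table owner as well as application roles, and a session with no tenant set sees nothing rather than everything. Table, column, role, and setting names (incidents, tenant_id, app_rw, app.tenant_id) are assumptions for this example.

```sql
-- Added example, not OllieSafe's schema. Names below are illustrative.
CREATE TABLE incidents (
  id          bigserial PRIMARY KEY,
  tenant_id   uuid NOT NULL,
  description text NOT NULL
);

-- ENABLE turns RLS on for non-owner roles; FORCE makes it bind the owner too,
-- so a migration or maintenance role cannot silently read across tenants.
ALTER TABLE incidents ENABLE ROW LEVEL SECURITY;
ALTER TABLE incidents FORCE ROW LEVEL SECURITY;

-- The application sets app.tenant_id per transaction. current_setting(..., true)
-- returns NULL when it is unset; NULL::uuid = tenant_id is never true, so an
-- unconfigured session is denied every row instead of being granted all of them.
CREATE POLICY tenant_isolation ON incidents
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- The application must connect as a role without BYPASSRLS; superusers and
-- BYPASSRLS roles ignore policies entirely, which is the usual way this
-- control is defeated in practice.
CREATE ROLE app_rw NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON incidents TO app_rw;

-- Scope the tenant to the transaction with SET LOCAL, not to the connection,
-- so a pooled connection cannot leak one tenant's setting into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO incidents (tenant_id, description)
  VALUES ('11111111-1111-1111-1111-111111111111', 'constructed sample: slip on wet floor');
-- Writing a row for another tenant fails the WITH CHECK clause with SQLSTATE 42501:
-- INSERT INTO incidents (tenant_id, description)
--   VALUES ('22222222-2222-2222-2222-222222222222', 'x');
SELECT count(*) FROM incidents;   -- 1 when run as app_rw (or a member of it)
COMMIT;

-- Check the fail-closed property: no tenant set, no rows visible.
BEGIN;
SELECT count(*) FROM incidents;   -- 0 when run as app_rw (or a member of it)
COMMIT;
```

When reviewing a vendor's RLS claim, the questions to ask map directly onto this block: is FORCE set on every tenant-scoped table, which roles carry BYPASSRLS or superuser, and is the tenant setting established per transaction rather than per pooled connection.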

9. Data Subject rights assistance

OllieSafe provides Customer with self-service tooling in the Services to fulfill the majority of Data Subject access, rectification, erasure, restriction, portability, and objection requests under GDPR Articles 15-22 and the equivalent rights under CCPA and other applicable laws.

Where a Data Subject request requires OllieSafe assistance beyond the self-service tooling, OllieSafe will provide reasonable assistance, taking into account the nature of the Processing and the information available to OllieSafe, at no additional charge for requests that are not manifestly unfounded, excessive, or repetitive.

If OllieSafe receives a Data Subject request directly that relates to Customer Personal Data, OllieSafe will promptly forward the request to Customer and will not respond to the Data Subject directly except to acknowledge receipt and refer the Data Subject to Customer, unless legally required to do otherwise.

10. Personal Data Breach notification

OllieSafe will notify Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent then known:

  • The nature of the Personal Data Breach.
  • The categories and approximate number of Data Subjects and records concerned.
  • The likely consequences of the Personal Data Breach.
  • The measures taken or proposed to be taken to address the Personal Data Breach and mitigate its possible adverse effects.
  • A contact point at OllieSafe for further information.

OllieSafe will cooperate with Customer's reasonable investigation and supervisory-authority notification obligations arising from the Personal Data Breach.

11. Audit rights

OllieSafe will make available to Customer, on reasonable request, the following information to demonstrate compliance with this DPA:

  • The most recent third-party security attestation OllieSafe maintains (e.g. SOC 2 Type II once issued) under appropriate confidentiality terms.
  • Responses to industry-standard security questionnaires (CAIQ, SIG, VSAQ).
  • Summary documentation of OllieSafe's security program and incident response capabilities.

To the extent the foregoing does not satisfy a regulator's or auditor's documented requirements applicable to Customer, Customer or its independent third-party auditor (not a competitor of OllieSafe and bound by appropriate confidentiality obligations) may, no more than once per twelve-month period and on at least sixty (60) days' prior written notice (or immediately in case of a regulator-directed inspection), conduct an audit limited to OllieSafe's controls applicable to Customer Personal Data, during normal business hours and in a manner that does not disrupt OllieSafe's operations or other customers' data. Customer bears its own audit costs.

12. Term, return, and deletion

This DPA takes effect on the order start date and remains in force for the duration of the Agreement. On termination or expiration of the Agreement, OllieSafe will, at Customer's written election:

  • Return Customer Personal Data to Customer in a structured, commonly used, machine-readable format within thirty (30) days of the termination effective date; or
  • Delete Customer Personal Data within thirty (30) days of the termination effective date.

OllieSafe may retain Customer Personal Data to the extent and for the period required by applicable law, subject to continued confidentiality and the security measures in Section 8. Aggregated, de-identified data that no longer relates to an identified or identifiable Data Subject may be retained for legitimate business purposes.

13. International transfers

OllieSafe Processes Customer Personal Data on infrastructure located in the United States (Google Cloud Platform us-west1 region) and may transfer Customer Personal Data to Sub-processors identified at /legal/subprocessors.

Where the transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to OllieSafe requires a transfer mechanism under GDPR Chapter V, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), Module 2 (controller-to-processor), are incorporated into this DPA by reference and apply to such transfers, with the following selections:

  • Clause 7 (Docking clause): Applicable.
  • Clause 9(a) (Use of Sub-processors): Option 2 — General written authorisation, with a minimum of thirty (30) days' advance notice of intended changes as set out in Section 7 above.
  • Clause 11(a) (Redress): The optional independent dispute-resolution body language is not incorporated.
  • Clause 17 (Governing law): The law of [EU MEMBER STATE — TYPICALLY THE LAW OF THE COUNTRY OF ESTABLISHMENT OF THE DATA EXPORTER] applies.
  • Clause 18 (Choice of forum and jurisdiction): The courts of [SAME JURISDICTION AS CLAUSE 17] have jurisdiction.
  • Annex I (Description of transfer): The categories of Data Subjects and Personal Data are as set out in Sections 3 and 4 above; the subject matter, nature, and purpose are as set out in Section 2; the duration is the term of the Agreement.
  • Annex II (Technical and organizational measures): The security measures in Section 8 and the public Security page at /security.
  • Annex III (List of Sub-processors): The list published at /legal/subprocessors.

For transfers subject to the UK GDPR, the parties agree that the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (issued by the Information Commissioner's Office under section 119A of the Data Protection Act 2018) is incorporated into this DPA by reference.

For transfers subject to the Swiss Federal Act on Data Protection (FADP), references to GDPR in the EU SCCs are interpreted as references to the FADP and references to the competent supervisory authority and courts are interpreted as references to the Swiss Federal Data Protection and Information Commissioner and the courts of Switzerland respectively.

14. CCPA / CPRA specific terms

To the extent OllieSafe Processes Personal Information of Consumers in scope of CCPA on behalf of Customer, OllieSafe acts as a Service Provider and:

  • Will not Sell or Share Personal Information as those terms are defined under CCPA.
  • Will not retain, use, or disclose Personal Information for any purpose other than the business purpose specified in the Agreement or as otherwise permitted by CCPA.
  • Will not retain, use, or disclose Personal Information outside of the direct business relationship between Customer and OllieSafe.
  • Will not combine Personal Information received from Customer with Personal Information received from or on behalf of any other person or collected from OllieSafe's own interaction with the Consumer, except as permitted under CCPA Regulations § 7050(b).
  • Will assist Customer in responding to verifiable Consumer requests as required under CCPA.

15. HIPAA — not a Business Associate

OllieSafe is not a HIPAA covered entity or Business Associate and does not execute Business Associate Agreements at this time. Customers subject to HIPAA must not upload Protected Health Information (PHI) into the Services. OllieSafe's Services are not designed or marketed to Process PHI. If Customer's safety program intersects with PHI handling, contact legal@olliesafe.com to scope an appropriate path forward.

16. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement. For the avoidance of doubt, nothing in this DPA limits any liability that cannot be limited under applicable data-protection law.

17. Governing law and order of precedence

This DPA is governed by the governing law of the Agreement, except that the EU SCCs incorporated by Section 13 are governed as set out in Clause 17 of those SCCs. In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Personal Data. In the event of a conflict between this DPA and the EU SCCs, the EU SCCs prevail.

18. Contact

Data-protection inquiries, redline requests, and executable copies of this DPA: legal@olliesafe.com. Security incident notifications: security@olliesafe.com. Data Subject rights requests routed to OllieSafe: privacy@olliesafe.com.

Last updated

May 2026.
