Data Processing Addendum
1. Introduction
This Data Processing Addendum ("DPA") forms part of the agreement between RegulaCore Inc. ("Processor," "we," "us") and the customer ("Controller," "you") and governs our processing of personal data on your behalf when you use the RegulaCore Inc platform (the "Service").
This DPA applies where and to the extent RegulaCore Inc processes personal data subject to the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), and other applicable data protection laws.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by RegulaCore Inc on behalf of the Controller through the Service.
- "Processing" means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means any third party engaged by RegulaCore Inc to process personal data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
3. Scope of Processing
3.1 Subject Matter
RegulaCore Inc processes personal data to provide the Service, which includes EHS management, quality management, ISO certification readiness, training management, and related compliance functions.
3.2 Categories of Data Subjects
- Customer employees and authorized users
- Employees of customer's contractors, suppliers, and business partners
- Individuals referenced in incident reports, audit findings, corrective actions, training records, and ISO compliance documents
3.3 Types of Personal Data
- Name, email address, phone number, job title, employee ID
- Health and safety incident data (may include injury details)
- Training records and certification status
- Audit findings, corrective action assignments, and compliance records
- IP addresses, browser metadata, and usage logs
3.4 Duration
Processing continues for the duration of the service agreement plus the data retention period specified in the Terms of Service.
4. Obligations of the Processor
RegulaCore Inc shall:
- Process personal data only on documented instructions from the Controller, unless required by applicable law.
- Ensure that personnel authorized to process personal data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, pseudonymization, access controls, and regular security testing.
- Assist the Controller in fulfilling its obligation to respond to data subject requests.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach.
- Delete or return all personal data upon termination of the Service, at the Controller's election, unless retention is required by applicable law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits.
5. Sub-processors
5.1 Authorization
The Controller provides general written authorization for RegulaCore Inc to engage sub-processors. RegulaCore Inc maintains a current list of sub-processors, which includes:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, edge compute, R2 storage | Global (300+ cities) |
| Stripe, Inc. | Payment processing | United States |
| PayPal Holdings, Inc. | Payment processing | United States |
| OpenAI, LLC | AI-assisted document generation (optional) | United States |
5.2 Notification
RegulaCore Inc will notify the Controller at least 30 days before engaging a new sub-processor or replacing an existing one. If the Controller objects to a new sub-processor, the parties will work in good faith to resolve the concern. If no resolution is reached, the Controller may terminate the affected portion of the Service.
5.3 Liability
RegulaCore Inc remains fully liable for the acts and omissions of its sub-processors as if they were its own.
6. International Data Transfers
Where personal data is transferred outside the European Economic Area, United Kingdom, or Switzerland, RegulaCore Inc ensures appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission (Module 2: Controller-to-Processor).
- UK International Data Transfer Addendum where applicable.
- Transfer Impact Assessments documenting the legal regime of the destination country.
7. Data Subject Rights
RegulaCore Inc will assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction, portability, and objection. RegulaCore Inc will promptly forward any data subject requests it receives directly to the Controller.
8. Security Measures
RegulaCore Inc implements and maintains the following technical and organizational measures:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- Tenant-level data isolation with zero-trust architecture
- Role-based access control (RBAC) with audit logging
- Regular penetration testing and vulnerability assessments
- Business continuity and disaster recovery procedures
- Employee security awareness training
9. Data Breach Notification
In the event of a personal data breach, RegulaCore Inc will:
- Notify the Controller without undue delay, and no later than 72 hours after becoming aware of the breach.
- Provide details including the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to mitigate the breach.
- Cooperate with the Controller and take reasonable steps to remediate the breach and prevent recurrence.
10. Audit Rights
Upon reasonable notice, the Controller (or its authorized third-party auditor, subject to confidentiality obligations) may audit RegulaCore Inc's compliance with this DPA. RegulaCore Inc will provide reasonable cooperation and access to relevant information, records, and facilities. Audits shall be conducted no more than once per year unless required by a supervisory authority or following a data breach.
11. Term and Termination
This DPA remains in effect for the duration of the service agreement. Upon termination, RegulaCore Inc will delete or return all personal data within 30 days, unless applicable law requires retention. RegulaCore Inc will certify deletion upon the Controller's request.
12. Contact
For questions about this DPA, contact:
RegulaCore Inc.
500 Navarro St, 2nd Floor, PMB 7096
San Antonio, TX 78205
United States
Email: dpa@regulacore.com