OH Consultant

Data Processing Agreement

Last updated: 16 March 2026

This Data Processing Agreement ("DPA") forms part of the service agreement between your organisation ("Customer", "Controller") and HIRA-4D ("Processor") for the processing of personal information through the HIRA-4D platform.

1. Definitions

  • Customer Data — All data uploaded, entered, or generated by the Customer or its authorised users within the HIRA-4D platform.
  • Controller — The Customer organisation that determines the purposes and means of processing personal information.
  • Processor — HIRA-4D, which processes personal information on behalf of the Controller.
  • Personal Information (PI) — Any information relating to an identified or identifiable natural person, as defined under the Swiss Federal Act on Data Protection (FADP) and the Australian Privacy Act 1988.
  • Subprocessor — A third-party service provider engaged by the Processor to assist in processing Customer Data.

2. Scope and Roles

The Customer acts as the Controller for all worker records, health surveillance data, incident reports, and other EHS information entered into the platform. HIRA-4D acts as the Processor, processing this data solely on the Customer's documented instructions to provide platform services.

HIRA-4D acts as an independent Controller for account management data (user names, email addresses, authentication records) and aggregated, anonymised usage analytics.

3. Customer Data Categories

The following categories of personal information may be processed:

  • Identity data: Employee names, job titles, department assignments, employee IDs
  • Employment data: Roles, responsibilities, work locations, shift patterns
  • Health and safety data: Training records, competency assessments, health surveillance results, fitness-for-duty status
  • Incident data: Injury reports, near-miss records, investigation findings, corrective actions
  • Risk assessment data: Hazard exposures, risk ratings, control measures assigned to individuals or teams

4. Processing Location

All Customer Data is stored and processed in Zurich, Switzerland (Supabase eu-central-2 region). This includes primary databases, file attachments, encrypted backups, and audit logs.

Authentication data is processed by Clerk (USA) and payment data by Stripe (USA). Neither subprocessor stores Customer EHS data. Application hosting via Vercel uses global edge nodes for delivery but does not persist personal information.

5. Security Measures

The Processor implements the following technical and organisational measures:

  • Encryption: AES-256 encryption at rest for all database records and backups. TLS 1.3 encryption for all data in transit.
  • Access Control: Role-based access control (RBAC) with 9 defined roles. Row-level security (RLS) enforced at the database layer. Multi-factor authentication (MFA) available for all accounts.
  • Audit Logging: Immutable, hash-chained audit logs recording all data access and modification events. Retained for 7 years.
  • Infrastructure Security: Managed hosting with SOC 2 Type II certified providers. Automated vulnerability scanning and patching.
  • Personnel Security: Background checks for all personnel with access to production systems. Confidentiality agreements and regular security awareness training.

6. Subprocessors

A current list of subprocessors is maintained at /subprocessors. The Customer will be notified at least 30 days before any new subprocessor is engaged. The Customer may object to a new subprocessor within 14 days of notification.

7. Data Subject Rights

The Processor will assist the Controller in responding to data subject requests for access, correction, deletion, or portability. Requests received directly by the Processor will be forwarded to the Controller within 48 hours without independent action.

The platform provides self-service data export tools (CSV, PDF, JSON) to facilitate the Controller's obligations under applicable privacy legislation.

8. Data Breach Notification

In the event of a personal data breach, the Processor will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. Notification will include:

  • Nature of the breach and categories of data affected
  • Approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact details for the Processor's incident response team

9. Data Return and Deletion

Upon termination of the service agreement, the Customer may export all Customer Data within 90 days using the platform's built-in export tools or by requesting a full data extract in JSON format.

After the 90-day export window, Customer Data will be deleted from production systems. Encrypted backups containing Customer Data will be purged within 180 days of termination, following the backup rotation schedule.

Data subject to statutory retention requirements (e.g., audit logs, health surveillance records) will be retained for the legally mandated period and then securely destroyed.

10. Cross-Border Transfer Mechanism

Customer EHS data remains in Switzerland. Where subprocessors operate outside Switzerland (Clerk and Stripe in the USA), the data shared with those subprocessors is limited to authentication tokens and payment tokens respectively — no Customer EHS records are transferred.

For Australian customers, this DPA addresses the requirements of Australian Privacy Principle 8 (APP 8) regarding cross-border disclosure. Switzerland is recognised by the European Commission as providing an adequate level of data protection, and its standards meet or exceed those required under APP 8.

11. Governing Law

This DPA is governed by Swiss law. Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the courts of Basel, Switzerland.

Where the Customer is subject to Australian law, nothing in this DPA limits the Customer's rights under the Privacy Act 1988 (Cth) or the Australian Privacy Principles.
