Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Inventro Terms of Service and governs the processing of personal data by Inventro on behalf of the Tenant.
1. Roles and Responsibilities
The Tenant is the Data Controller and determines the purposes and means of processing End Customer personal data. Inventro acts solely as the Data Processor and will only process personal data in accordance with the Tenant's documented instructions and the Terms of Service.
2. Processing Scope
Inventro processes personal data solely to provide the Services, including:
- Categories of data: End customer names, email addresses, phone numbers, delivery/event addresses, and booking details
- Purpose: Booking management, invoicing, customer communication, and inventory allocation
- Duration: For the term of the Tenant's active account plus the retention period described in Section 7
3. Security Measures
Inventro implements the following technical and organizational measures to protect personal data:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Hashed and salted credential storage
- Tenant-level logical data isolation
- Role-based access controls and principle of least privilege
- Audit logging of administrative actions
- Regular security reviews and patch management
4. Subprocessors
Inventro engages the following subprocessors to deliver the Services. Each subprocessor is bound by contractual obligations to process data only as instructed and to maintain appropriate security safeguards:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, object storage (S3), and email delivery (SES) | United States (us-east-1) |
Inventro will notify Tenants of any changes to subprocessors by updating this page and providing at least thirty (30) days' notice via email or in-platform notification before a new subprocessor begins processing personal data. If a Tenant objects to a new subprocessor, the Tenant may terminate the Services without penalty.
5. Breach Notification
In the event of a confirmed personal data breach, Inventro will:
- Notify the affected Tenant(s) within 72 hours of confirming the breach
- Provide a written description of the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to mitigate the breach
- Cooperate with the Tenant in investigating and remediating the breach
- Where required by PIPEDA, report the breach to the Office of the Privacy Commissioner of Canada (OPC) if there is a real risk of significant harm
6. International Transfers
Personal data may be processed in Canada and the United States through our cloud infrastructure provider (AWS us-east-1). Contractual safeguards are in place to ensure data receives a comparable level of protection.
7. Data Retention and Deletion
Upon termination of the Tenant's account:
- Tenant data (including End Customer personal data) will be available for export for thirty (30) days
- After the 30-day period, all personal data will be permanently deleted from production systems
- Backups containing personal data will be purged within ninety (90) days
- Data may be retained longer only where required by Canadian law (e.g., tax records for up to seven years)
8. Audits and Compliance
Upon reasonable request and subject to confidentiality obligations, Inventro will provide Tenants with information necessary to demonstrate compliance with this DPA. Inventro may satisfy audit requests by providing relevant certifications, security reports, or third-party audit summaries.