Data Processing Agreement

This Data Processing Agreement ("DPA") describes how TradeRig processes personal data on behalf of organizations ("Controllers") using the TradeRig platform. This DPA is incorporated by reference into the TradeRig Terms of Service and supplements the Privacy Policy.

For the purposes of this DPA, TradeRig acts as a "Processor" with respect to personal data submitted to the platform by organization administrators and members. The organization acts as the "Controller" of that data.

As a Processor, TradeRig processes the following categories of personal data on behalf of your organization:

• Member names, email addresses, and assigned roles within your workspace.
• Safety check submissions, site startup records, and daily readiness data.
• Incident reports, corrective action records, and associated metadata.
• Training records, simulation results, and certification status.
• Audit log entries recording member actions within the workspace.
• Emergency alert records and notification logs.

We process this data solely to provide the TradeRig platform to your organization and as otherwise directed by you.

TradeRig processes personal data only in accordance with your documented instructions as expressed through your use of the platform and your configuration of roles, permissions, and settings. We will not process personal data for any other purpose without your instruction, except as required by applicable law.

If we receive a legal requirement to process data contrary to your instructions, we will notify you before complying unless prohibited by law.

TradeRig implements and maintains appropriate technical and organizational measures to protect personal data, including:

• Encryption of all data in transit using TLS 1.2 or higher.
• Encryption of data at rest.
• Row-level security and role-based access controls enforced at the database level.
• Authentication controls including hashed password storage and session management.
• Access logging and audit trail maintenance.
• Regular security reviews and vulnerability assessments.

TradeRig uses the following categories of sub-processors to provide the platform:

• Infrastructure and database: Supabase, Inc. (data storage, authentication, real-time services)
• Payment processing: Third-party payment processors operating under their own PCI DSS compliance programs
• Email delivery: Transactional email providers for account notifications and verification
• Hosting and CDN: Infrastructure providers for platform delivery

All sub-processors are subject to data processing agreements that restrict their use of your data to the provision of services to TradeRig. We will notify you of any changes to our sub-processor list with reasonable advance notice.

Personal data may be processed in Canada or the United States, depending on the infrastructure used. Where data is transferred outside Canada, we ensure appropriate safeguards are in place, including contractual protections with our sub-processors consistent with PIPEDA requirements.

As the Controller, your organization is responsible for responding to requests from individuals exercising their rights under applicable privacy law. TradeRig will assist you in fulfilling these obligations by providing appropriate platform tools (such as member management and data export) and, where platform tools are insufficient, by providing reasonable assistance upon request.

Contact support@traderig.app to request assistance with data subject requests.

In the event of a security incident involving personal data processed on your behalf, TradeRig will notify you without undue delay after becoming aware of the incident. Notification will include the nature of the incident, the categories and approximate volume of records affected, the likely consequences, and the measures we are taking to address it.

You may request information demonstrating our compliance with this DPA by contacting support@traderig.app. TradeRig will respond to reasonable requests within 30 days.

Upon termination of your subscription, TradeRig will retain your organization's data for 90 days during which you may request a data export. After that period, personal data will be permanently deleted from our systems, except as required by applicable law or as described in our Privacy Policy.

For DPA-related inquiries, contact support@traderig.app.