Proof — Data Processing Addendum
Last Updated / Effective Date: July 11, 2026
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the Proof Terms of Service or other written or electronic agreement between Proof Incorporated ("Proof", "we", "us") and the customer that has agreed to those terms ("Customer", "you") governing the Customer's access to and use of the Proof service made available at goproof.ca (the "Agreement"). This DPA applies to the extent Proof Processes Personal Data on the Customer's behalf in connection with the Service.
The short version
(This summary is for convenience only. It does not replace, limit, or modify the numbered terms below, which control in the event of any inconsistency.)
- Who's who. For the personal information about your drivers, field workers, and shipment contacts that Proof handles on your behalf, you are the Controller (the "organization" under Canada's PIPEDA) and Proof is the Processor (your service provider). You decide the purposes; we process on your instructions.
- What we do with it. We Process this data only to run the Service for you under the Agreement — logging scans, sending transactional texts and emails, extracting an ETA, screening notes, and keeping the append-only ledger. We do not sell it and do not use it for our own advertising.
- Your job. You confirm you have a lawful basis and every consent required — especially for the SMS and email messaging Proof sends on your behalf under CASL and, where applicable, TCPA/A2P rules.
- Security. We isolate each carrier's data in the database with Row-Level Security, require multi-factor authentication for dashboard users, store passwords only as salted hashes, keep the ledger append-only, and encrypt data in transit. Our founder can access data across customers to operate the Service, and founder actions that change Customer Personal Data are recorded in an append-only audit trail, with that cross-tenant access confined to the founder behind server-side controls — see the Privacy Policy.
- Our subcontractors. We use a short list of Subprocessors (Supabase, Vercel, Resend, Twilio, Anthropic). They are named in the Subprocessor List, and you authorize them by accepting this DPA.
- Where it lives. The primary database is hosted in Canada (Supabase
ca-central-1). Some Subprocessors (messaging, hosting edge, AI) operate in the United States or globally, under contractual safeguards. - If something goes wrong. If we suffer a Personal Data Breach affecting your data, we notify you without undue delay and help you meet your own obligations.
- When it ends. On termination you can export your data; we delete or return it, subject to the append-only ledger and any legal retention.
1. Definitions
1.1. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. The following definitions apply to this DPA:
- "Applicable Data Protection Law" means all laws and regulations applicable to the Processing of Personal Data under this DPA, including, as and where applicable: (a) the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA") and any substantially similar provincial privacy legislation (such as Québec's Act respecting the protection of personal information in the private sector, Alberta's PIPA, and British Columbia's PIPA); (b) Canada's Anti-Spam Legislation ("CASL") as it applies to the sending of commercial and transactional electronic messages; (c) where a Data Subject or the Customer is established in the European Economic Area, the United Kingdom, or Switzerland, the EU General Data Protection Regulation (Regulation (EU) 2016/679) and its UK and Swiss equivalents (collectively, "GDPR"); and (d) where applicable, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA") and other U.S. state privacy laws.
- "Controller" means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA and in respect of Customer Personal Data, the Customer is the Controller (and is the "organization" having control of the personal information under PIPEDA, and the "business" under the CCPA).
- "Customer Personal Data" means Personal Data contained within Customer Data that Proof Processes on behalf of the Customer under the Agreement, as further described in Annex A (Details of Processing).
- "Customer Data" means all data, content, and information (including Personal Data) that the Customer, or a Data Subject or end user acting through the Service on the Customer's behalf, submits to, uploads to, or generates within the Service, including ledger events, scan records, GPS coordinates, photographs, and shipment and contact records.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to a Data Subject that is Processed under this DPA, and includes "personal information" as defined under PIPEDA and applicable provincial law, "personal data" as defined under the GDPR, and "personal information" as defined under the CCPA.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, Customer Personal Data Processed by Proof or a Subprocessor. It does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, and other network attacks on firewalls or networked systems.
- "Processing" (and "Process", "Processed", "Processes") means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller. For the purposes of this DPA and in respect of Customer Personal Data, Proof is the Processor (and the "service provider" under the CCPA).
- "Standard Contractual Clauses" means, as applicable, the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum issued by the UK Information Commissioner, and any successor or equivalent transfer mechanism required by Applicable Data Protection Law.
- "Subprocessor" means any third party engaged by Proof (or by a Proof affiliate) to Process Customer Personal Data in connection with the provision of the Service.
- "the Service" means the Proof drop-trailer accountability and visibility platform and all related applications, dashboards, public field surfaces, APIs, messaging, and documentation made available by Proof under the Agreement.
1.2. The terms "cross-border transfer", "supervisory authority", "sensitive personal information", and other terms used but not defined here have the meanings given under the applicable instrument of Applicable Data Protection Law.
2. Roles and Scope of Processing
2.1. Roles of the parties. As between the parties, and with respect to Customer Personal Data, the Customer is the Controller and Proof is the Processor. Each party will comply with the obligations applicable to it in its role under Applicable Data Protection Law. Where Proof determines the purposes and means of Processing certain data for its own business purposes (for example, account administration, billing, service security, product improvement in aggregate and de-identified form, and legal compliance), Proof acts as an independent Controller for that limited Processing, which is governed by the Proof Privacy Policy and not by this DPA.
2.2. Processing only on documented instructions. Proof will Process Customer Personal Data only on the Customer's documented instructions, including with regard to cross-border transfers, unless required to do otherwise by applicable law to which Proof is subject. The Agreement (including this DPA), the Customer's configuration and use of the Service through its accounts and settings, and any subsequent written instructions agreed by the parties, together constitute the Customer's complete and final documented instructions to Proof for the Processing of Customer Personal Data. Processing outside the scope of these instructions requires prior written agreement between the parties.
2.3. Instruction compliance and legal conflicts. Proof will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, provided that Proof is under no obligation to conduct a legal review of the adequacy of the Customer's instructions and gives no assurance as to their legality. If applicable law requires Proof to Process Customer Personal Data other than on the Customer's instructions, Proof will inform the Customer of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.
2.4. Details of Processing. The subject-matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are described in Annex A (Details of Processing). In summary:
- Subject-matter and nature/purpose: Processing of Customer Personal Data as necessary to provide, maintain, secure, and support the Service under the Agreement — including capturing append-only, GPS-pinned, timestamped ledger events from QR scans; storing photographs and scan metadata; sending transactional SMS and email notifications on the Customer's behalf; extracting an estimated time of arrival from Customer-provided tracking-page text and screening free-text driver notes using AI; and generating documents, tickets, and reports.
- Duration: For the term of the Agreement, plus any period required to complete deletion or return under Section 9 (Deletion and Return) and any legally required or ledger-inherent retention period.
- Types of Personal Data: names; cell phone numbers; email addresses; passwords (stored only as salted hashes) and multi-factor authentication data for dashboard users; GPS coordinates captured at scan time; photographs uploaded at scans; a device-level "badge" cookie identity; employment or functional role (driver, mechanic, dock worker, dispatcher, receiver, shipper, broker); shipment and contact records; and event/ledger records naming who did what, where, and when.
- Categories of Data Subjects: the Customer's dashboard users; the Customer's drivers and field contacts; mechanics and dock/yard workers (who are frequently not the Customer's own employees); and shipment contacts (receivers, shippers, brokers, dispatchers).
2.5. No sale; restricted purposes (CCPA and equivalents). Proof will not: (a) sell or share Customer Personal Data (as "sell" and "share" are defined under the CCPA); (b) retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Service, or as otherwise permitted by Applicable Data Protection Law; (c) retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties; or (d) combine Customer Personal Data with personal information Proof receives from other sources, except as permitted for a service provider under the CCPA. Proof certifies that it understands and will comply with these restrictions.
3. Customer Obligations
3.1. Lawful basis and consent. The Customer represents, warrants, and covenants, on an ongoing basis, that: (a) it has a valid lawful basis, and has obtained and will maintain all consents, authorizations, and notices required under Applicable Data Protection Law, for the collection, use, disclosure, and Processing of Customer Personal Data through the Service, including for Proof and its Subprocessors to Process such data as contemplated by this DPA; and (b) it has provided all privacy notices and disclosures to Data Subjects required under Applicable Data Protection Law.
3.2. Messaging consent (CASL / TCPA / A2P). Because the Service sends transactional SMS to drivers and mechanics and email to office contacts on the Customer's behalf, the Customer is solely responsible for ensuring that every recipient has provided any consent required under CASL, the Telephone Consumer Protection Act (U.S.) ("TCPA"), U.S. carrier A2P 10DLC requirements, and other applicable messaging laws, and that a functioning unsubscribe or stop mechanism is honoured. The Customer will not use the Service to send messages to any person who has withdrawn consent or opted out, and will maintain records of consent sufficient to demonstrate compliance.
3.3. Lawful instructions. The Customer's instructions to Proof (including through its configuration and use of the Service) will comply with Applicable Data Protection Law. The Customer is responsible for the accuracy, quality, and legality of Customer Personal Data and of the means by which the Customer acquired it, and for the accuracy of the contact and role information it enters (for example, associating the correct cell phone number with a driver).
3.4. Customer as sole point of contact. As between the parties, the Customer is responsible for responding to and managing its relationship with Data Subjects, and Proof is entitled to rely on the Customer as the Controller of Customer Personal Data.
4. Proof's Obligations
4.1. Processing per instructions. Proof will Process Customer Personal Data only as described in Section 2 (Roles and Scope of Processing) and the Customer's documented instructions.
4.2. Confidentiality of personnel. Proof will ensure that persons authorized to Process Customer Personal Data (including its founder, personnel, and contractors) are bound by appropriate obligations of confidentiality (whether contractual or statutory) and have committed themselves to protect the confidentiality and security of Customer Personal Data. Proof limits access to Customer Personal Data to those who need it to provide, secure, or support the Service.
4.3. Security measures. Proof will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against a Personal Data Breach, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of Processing, and the risk to Data Subjects. Those measures are described in Annex B (Technical and Organizational Measures) and in the Proof Privacy Policy. The Customer acknowledges that the security measures are subject to technical progress and development and that Proof may update or modify them from time to time, provided that such updates do not materially degrade the overall security of the Service during the term of the Agreement.
4.4. Assistance with Data Subject rights. Taking into account the nature of the Processing, Proof will provide reasonable assistance to the Customer, by appropriate technical and organizational measures and insofar as this is possible, to enable the Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, correction, deletion, portability, and withdrawal of consent), as further described in Section 6 (Data Subject Requests). Where such assistance requires effort beyond the self-service export, correction, and deletion capabilities of the Service, Proof may charge a reasonable fee.
4.5. Assistance with breach, DPIA, and consultation obligations. Taking into account the nature of Processing and the information available to Proof, Proof will provide reasonable assistance to the Customer with: (a) the Customer's obligations to notify a Personal Data Breach to a supervisory authority (including the Office of the Privacy Commissioner of Canada) and to affected Data Subjects, where applicable; (b) any data protection impact assessment ("DPIA") or privacy impact assessment the Customer is required to carry out in relation to the Service; and (c) any prior consultation with a supervisory authority arising from such an assessment.
4.6. Demonstrating compliance. Proof will make available to the Customer information reasonably necessary to demonstrate compliance with the obligations set out in this DPA, in the manner and subject to the limits described in Section 10 (Audits).
4.7. Founder access. The Customer acknowledges and agrees that a Proof founder ("super-admin") may access Customer Personal Data across customer tenants to operate, support, secure, and troubleshoot the Service. Founder actions that change Customer Personal Data (for example, suspending or reinstating a tenant, adjusting billing, or provisioning an organization) are recorded in an append-only audit trail, and this practice is disclosed in the Proof Privacy Policy. Founder viewing of Customer Personal Data for support and operations is not individually logged as a separate per-view record, but is confined to the founder behind the access controls described in Annex B (Technical and Organizational Measures). Founder access is limited to what is necessary to operate the Service and is subject to the confidentiality obligations in Section 4.2.
5. Subprocessors
5.1. General authorization. The Customer provides a general authorization for Proof to engage Subprocessors to Process Customer Personal Data in connection with the provision of the Service. The Subprocessors engaged by Proof as of the effective date of this DPA are listed in the Proof Subprocessor List (the "Subprocessor List"), which is incorporated into this DPA by reference. By accepting this DPA, the Customer authorizes the engagement of the Subprocessors identified on the Subprocessor List.
5.2. Subprocessor obligations. Where Proof engages a Subprocessor, Proof will impose on that Subprocessor, by a written contract, data protection obligations that are substantially equivalent to, and no less protective than, those set out in this DPA, to the extent applicable to the nature of the services provided by the Subprocessor. Proof remains responsible to the Customer for the performance of each Subprocessor's obligations in respect of Customer Personal Data, to the same extent Proof would be liable if performing the services of that Subprocessor directly under this DPA, subject to Section 11 (Liability and Precedence).
5.3. Notice of changes. Proof will notify the Customer of any intended addition or replacement of a Subprocessor at least fifteen (15) days before the new Subprocessor begins Processing Customer Personal Data, by updating the Subprocessor List and, where the Customer has subscribed to a notification mechanism made available by Proof, by notifying the Customer through that mechanism. The Customer is responsible for subscribing to any such mechanism to receive notice.
5.4. Right to object. The Customer may object, on reasonable data-protection grounds, to Proof's engagement of a new Subprocessor by notifying Proof in writing within fifteen (15) days after Proof's notice under Section 5.3. The parties will work together in good faith to resolve the objection. If the parties cannot reach a resolution, Proof will, at its option, either (a) not appoint the objected-to Subprocessor with respect to Customer Personal Data, or (b) permit the Customer to suspend or terminate the affected portion of the Service in accordance with the termination provisions of the Agreement, as the Customer's sole and exclusive remedy. Absent a timely objection, the Customer is deemed to have authorized the new Subprocessor.
6. Data Subject Requests
6.1. Forwarding requests. If Proof receives a request or communication from a Data Subject that relates to Customer Personal Data (including a request to exercise a right of access, correction, deletion, portability, restriction, objection, or withdrawal of consent), Proof will, to the extent legally permitted, promptly forward the request to the Customer and will not itself respond to the request other than to acknowledge receipt and to direct the Data Subject to the Customer, unless otherwise required by law or instructed by the Customer.
6.2. Assistance. Proof will provide the assistance described in Section 4.4 to enable the Customer to fulfil its obligations to respond to Data Subject requests. The Customer is responsible for determining whether and how to respond to any Data Subject request.
6.3. Ledger limitation. The Customer acknowledges that the Service maintains an append-only audit ledger in which event records cannot be edited or deleted (database UPDATE and DELETE are revoked). A Data Subject's request to erase or rectify data may therefore be satisfied by appending a correction record rather than by altering or deleting the original ledger entry, and Proof's ability to assist with erasure is subject to this design and to any overriding legal retention obligation. This limitation reflects the integrity and accountability purpose of the Service and is disclosed to the Customer so that the Customer may make appropriate disclosures to Data Subjects.
7. Personal Data Breach
7.1. Notification to the Customer. Proof will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
7.2. Contents of notification. Proof's notification will describe, to the extent then known and as it becomes available: (a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and mitigate its effects; and (d) a contact point for further information. Where it is not possible to provide all information at once, Proof may provide it in phases without further undue delay.
7.3. Cooperation. Proof will cooperate with the Customer and take such reasonable steps as are directed by the Customer to assist in the investigation, mitigation, and remediation of the Personal Data Breach.
7.4. No acknowledgment of fault. Proof's notification of, or response to, a Personal Data Breach is not, and will not be construed as, an acknowledgment by Proof of any fault or liability with respect to the breach.
7.5. Customer responsibility for regulatory and individual notice. As the Controller, the Customer is responsible for determining whether a Personal Data Breach must be reported to a supervisory authority (including under PIPEDA's breach-of-security-safeguards reporting obligations) or to affected Data Subjects, and for making any such report. Proof will provide the assistance described in Section 4.5.
8. International Transfers
8.1. Primary hosting in Canada. The primary Customer Data store (Supabase Postgres, authentication, and file storage) is hosted in Canada in the ca-central-1 region, where feasible for the Service.
8.2. Transfers by Subprocessors. Certain Subprocessors identified on the Subprocessor List (including the messaging, application-hosting/CDN, and AI providers) Process limited Customer Personal Data in the United States or in other jurisdictions on a global or edge basis. The Customer authorizes such transfers as necessary to provide the Service.
8.3. Appropriate safeguards. Where a transfer of Customer Personal Data to a jurisdiction outside the exporting jurisdiction is subject to Applicable Data Protection Law that requires additional safeguards, the parties will ensure that the transfer is subject to appropriate safeguards, which may include: (a) transfer to a jurisdiction that is the subject of an adequacy decision or finding of comparable protection; (b) the Standard Contractual Clauses; or (c) another valid transfer mechanism recognized under Applicable Data Protection Law. To the extent the Standard Contractual Clauses apply to a transfer under this DPA, they are incorporated by reference and the parties are deemed to have executed the applicable modules and clauses, with the Customer as data exporter and Proof (or the relevant Subprocessor) as data importer, and with the details in Annex A and Annex B completing the required annexes.
8.4. PIPEDA accountability. In respect of transfers of Personal Data for Processing under PIPEDA, the Customer, as the organization, remains accountable for the Personal Data, and Proof will provide a comparable level of protection to the Customer Personal Data it Processes, including through the contractual and security measures in this DPA.
9. Deletion and Return on Termination
9.1. Export before termination. During the term of the Agreement, and for a reasonable period following termination or expiry as described in the Agreement, the Customer may export Customer Data through the export and reporting features of the Service (including CSV exports and PDF documents), or may request an export in a commonly used format.
9.2. Deletion or return. Following termination or expiry of the Agreement, Proof will, at the Customer's choice and upon written request made within thirty (30) days after termination, delete or return the Customer Personal Data then in Proof's possession or control, and delete existing copies, except to the extent retention is required under Section 9.3. If the Customer does not make a timely request, Proof may delete Customer Personal Data in the ordinary course in accordance with its retention practices.
9.3. Ledger and legal retention. The Customer acknowledges that: (a) the append-only audit ledger is designed so that individual event records cannot be edited or deleted, and deletion is therefore effected at the level of the tenant data set rather than by altering individual ledger entries; and (b) Proof may retain Customer Personal Data to the extent, and for the period, required by applicable law, or as necessary to resolve disputes, enforce the Agreement, or maintain records of Processing, in which case Proof will continue to protect such data in accordance with this DPA and Process it only for the purpose and duration of the retention requirement.
9.4. Backups. Customer Personal Data residing in routine encrypted backups will be deleted in accordance with Proof's backup retention and rotation cycle.
10. Audits
10.1. Information and audit rights. Proof will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor mandated by the Customer, subject to the conditions in this Section.
10.2. Conditions. Any audit will: (a) be conducted no more than once in any twelve (12) month period, except where required by a supervisory authority or following a Personal Data Breach affecting the Customer; (b) be requested on at least thirty (30) days' prior written notice; (c) be conducted during Proof's normal business hours and in a manner that does not unreasonably disrupt Proof's operations or compromise the security or confidentiality of any other customer's data; (d) be subject to the confidentiality obligations of the Agreement, and any third-party auditor must be bound by confidentiality obligations and must not be a competitor of Proof; and (e) be at the Customer's expense, except where the audit reveals a material breach of this DPA by Proof.
10.3. Existing reports and attestations. The Customer agrees that, to the extent available, Proof may satisfy its obligations under this Section by providing existing audit reports, security questionnaires, certifications, attestations, or third-party assessments (including those of its Subprocessors), and that the Customer will accept such documentation in lieu of an on-site inspection where it reasonably addresses the subject matter of the audit.
11. Liability and Precedence
11.1. Limitation of liability. Each party's and all of its affiliates' aggregate liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to, and counts toward, the limitations and exclusions of liability set out in the Agreement (including the exclusion of indirect, consequential, special, incidental, and punitive damages and the aggregate liability cap). Any reference in the Agreement to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement and this DPA together. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law.
11.2. Precedence. This DPA forms part of, and is subject to, the Agreement. In the event of any conflict or inconsistency between this DPA and the Agreement (including the Terms of Service and Privacy Policy) with respect to the Processing of Customer Personal Data or the parties' data-protection obligations, this DPA will control to the extent of the conflict. In all other respects, the Agreement remains in full force and effect. The Standard Contractual Clauses, where they apply, prevail over this DPA to the extent of any conflict solely with respect to the transfers they govern.
11.3. No third-party beneficiaries. Except as expressly required by Applicable Data Protection Law (including any enforceable third-party rights of Data Subjects under the Standard Contractual Clauses), this DPA does not confer any rights on any third party.
12. General
12.1. Term. This DPA takes effect on the July 11, 2026 or, if later, the date the Customer accepts the Agreement, and continues until Proof ceases all Processing of Customer Personal Data under the Agreement.
12.2. Changes to this DPA. Proof may update this DPA from time to time where required to reflect changes in Applicable Data Protection Law, Subprocessors, or the Service, provided that no such change will materially diminish the protections for Customer Personal Data during the term of the Agreement. Material changes will be notified in accordance with the Agreement.
12.3. Governing law and jurisdiction. This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, and the parties submit to the courts of the Province of Ontario, except to the extent Applicable Data Protection Law or the Standard Contractual Clauses require otherwise for a particular transfer.
12.4. Contact. Questions or notices concerning this DPA or Proof's Processing of Customer Personal Data may be directed to Proof's privacy contact at support@goproof.ca, or by mail to Proof Incorporated, Ontario, Canada (mailing address on request via support@goproof.ca). Legal notices under the Agreement may be sent to support@goproof.ca. Service and support questions may be directed to support@goproof.ca.
Annex A — Details of Processing
A.1. Parties.
- Controller / data exporter: the Customer (the trucking carrier that has accepted the Agreement), being the "organization" under PIPEDA and the "business" under the CCPA.
- Processor / data importer: Proof Incorporated, operating the Proof service at goproof.ca, being the "service provider" under the CCPA.
A.2. Subject-matter of the Processing. Provision of the Proof drop-trailer accountability and physical-visibility platform, comprising a public no-login field surface (QR-scan event logging, live trailer pages, action links) and an authenticated carrier dashboard, together with transactional messaging, AI-assisted ETA extraction and note screening, document and ticket generation, and reporting.
A.3. Duration of the Processing. For the term of the Agreement, plus any period required for deletion or return under Section 9 and any legally required or ledger-inherent retention.
A.4. Nature and purpose of the Processing. To provide, operate, maintain, secure, support, and improve the Service for the Customer, including: recording append-only, GPS-pinned, timestamped ledger events; storing scan photographs in a private storage bucket accessed via time-limited signed URLs; authenticating dashboard users; sending transactional SMS (via Twilio) to drivers and mechanics and transactional email (via Resend) to office contacts on the Customer's behalf (arriving-soon alerts, hold/release wait-loop messages, badge and handoff links, work orders, day tickets, and update documents with PDF attachments); using AI (Anthropic Claude Haiku) to extract an ETA from Customer-pasted tracking-page text and to screen free-text driver notes for Customer-blocked content, where the AI reads and deterministic code decides and writes; generating letterhead documents, day-work tickets, work orders, and reports; and enforcing tenant isolation, access control, and audit logging.
A.5. Types of Personal Data.
- Dashboard users: name, email address, salted password hash (via Supabase Auth / GoTrue), TOTP multi-factor authentication data, session and sign-in metadata (including IP address and rough location, device, and timestamps), and role.
- Drivers and field contacts: name, cell phone number, functional role, a long-lived device "badge" cookie identity, and message consent/subscription status.
- Mechanics and dock/yard workers: name, cell phone and/or email, company, and role.
- Shipment contacts: names, email addresses, and phone numbers of receivers, shippers, brokers, and dispatchers.
- Event and content data: GPS coordinates captured at scan time; photographs uploaded at scans; free-text notes; PINs and high-entropy tokens associated with field links; and event/ledger records naming who did what, where, and when.
A.6. Categories of Data Subjects.
- The Customer's dashboard users (owners, dispatchers, viewers);
- The Customer's drivers and field contacts;
- Mechanics and dock/yard workers (frequently not the Customer's own employees);
- Shipment contacts (receivers, shippers, brokers, dispatchers).
A.7. Special categories / sensitive data. The Service is not intended to Process special categories of Personal Data or sensitive personal information. The Customer must not submit such data through the Service except location and photographic data inherent to the Service's function. Precise geolocation captured at scan time may constitute sensitive personal information under some laws; it is Processed solely to provide the Service's accountability function.
A.8. Frequency of Processing. Continuous, for the duration of the Agreement.
Annex B — Technical and Organizational Measures
Proof implements and maintains the following technical and organizational measures, which may be updated as described in Section 4.3 provided that they do not materially degrade overall security during the term of the Agreement:
B.1. Tenant isolation and access control.
- Row-Level Security ("RLS") keyed by
org_idon tenant tables, enforcing carrier isolation in the database itself, so that a defect in application code cannot expose one carrier's data to another. - Role-based access control for dashboard users (owner / dispatcher / viewer).
- Cross-tenant founder ("super-admin") access reachable only behind a founder authorization gate (layout, per-loader, and per-action checks) with an elevated authentication assurance re-check; billing and internal columns are revoked from tenant read access. State-changing founder actions (such as suspension, billing changes, and organization provisioning) are recorded in an append-only audit trail; founder reads for support and operations are not individually logged but are confined to the founder behind this gate.
B.2. Authentication and credential protection.
- Passwords stored only as salted hashes via Supabase Auth / GoTrue; plaintext passwords are never stored and cannot be read back by anyone, including Proof.
- Mandatory TOTP multi-factor authentication for all dashboard users, enforced server-side (including an enrollment wall for accounts that set a password but skip MFA).
- Leaked-password screening against known breach datasets; throttling and lockout on repeated failed sign-ins, with owner notification.
- Session expiry and refresh-token rotation.
B.3. Public field-surface controls.
- High-entropy, unguessable tokens for permanent trailer links and single-purpose action links; action links are single-use and time-limited.
- Per-shipment PINs for locked field surfaces, with attempts counted atomically in the database, rate limiting (lockout after repeated failures), owner/dispatch alerting, and every failed attempt written as a GPS-pinned ledger event.
- Public pages disclose only what a bystander physically at the trailer could already observe.
B.4. Integrity and auditability.
- Append-only audit ledger with database UPDATE and DELETE revoked on the events table; corrections are recorded as new append-only rows rather than edits or deletions.
- Comprehensive event logging of field actions, sign-ins, founder actions, and messaging.
B.5. Data protection in transit and at rest.
- HTTPS/TLS in transit, with HSTS; security headers including Content-Security-Policy.
- Encryption at rest for the managed database, storage, and backups as provided by the hosting Subprocessor.
- Scan photographs stored in a private storage bucket, accessible only via short-lived signed URLs.
B.6. Secret management.
- Service keys and third-party credentials (Supabase service role, Twilio, Resend, Anthropic) are held server-side only and are never exposed to the client or committed to source control.
B.7. Messaging safeguards.
- Transactional messages are held during a short undo window so that a mistaken field action sends nothing; a claim-before-send mechanism prevents duplicate sends; free-text that rides SMS is screened by AI for Customer-blocked content before it is sent.
B.8. Resilience and recovery.
- Point-in-time recovery and routine encrypted backups provided by the database Subprocessor.
- Redundant, minute-level scheduled jobs (database
pg_cronplus a platform cron) for time-critical messaging and watcher functions.
B.9. Subprocessor governance.
- Engagement of Subprocessors under written contracts imposing substantially equivalent data-protection obligations, as described in Section 5 and the Subprocessor List.
B.10. Organizational measures.
- Confidentiality obligations binding personnel and contractors; least-privilege access to Customer Personal Data; and a documented approach to Personal Data Breach handling consistent with Section 7.
Annex C — Subprocessor List
The Subprocessors engaged by Proof to Process Customer Personal Data are set out in the Proof Subprocessor List, which is incorporated into this DPA by reference and maintained as a separate document. The Subprocessor List identifies each Subprocessor, its purpose, the categories of data it Processes, and its primary Processing location, and is updated in accordance with Section 5 (Subprocessors).
This Data Processing Addendum is provided by Proof Incorporated in respect of the Proof service at goproof.ca. It should be reviewed by qualified legal counsel before use and completed by replacing each bracketed placeholder token.