This Data Processing Addendum ("DPA") forms part of the Terms of Service between the employer/organization ("Customer", the data controller) and CA AND MO GROUP LLC ("ShiftPost", the data processor) and governs processing of personal data on behalf of the Customer in connection with the ShiftPost service (the "Service"). It is designed to comply with the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, Quebec Law 25, and comparable frameworks.
1. Subject matter and duration
ShiftPost processes personal data of the Customer's workers, managers, and administrators as necessary to provide the Service. Processing lasts for the duration of the Customer's subscription and any applicable retention period.
2. Nature and purpose of processing
Recording and verifying workforce attendance using GPS geofencing, selfie capture, QR verification, and device binding; managing schedules, worksites, breaks, adjustments, and audit logs; delivering in-app notifications and messaging.
3. Categories of data subjects and personal data
- Data subjects: Customer's employees, contractors, applicants, and admins.
- Data: name, email, role, workspace, language, location coordinates and accuracy, selfie images, device fingerprints, attendance records, adjustments, in-app messages, and audit logs.
4. Controller and processor obligations
- The Customer determines purposes and means of processing and is responsible for the lawful basis, for informing workers, and for obtaining any required consent (including for selfie images where local law treats them as sensitive).
- ShiftPost processes personal data only on the Customer's documented instructions, including transfers, unless required by applicable law.
- ShiftPost ensures personnel authorized to process personal data are bound by confidentiality.
- ShiftPost implements appropriate technical and organizational measures (see Section 8).
5. Sub-processors
The Customer authorizes ShiftPost to engage the sub-processors listed below to deliver the Service. We will give prior notice of new or replacement sub-processors and give the Customer an opportunity to object on reasonable data protection grounds.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Managed Postgres database, authentication, private object storage | EU / US (per project) |
| Cloudflare | Edge hosting, DDoS protection, CDN | Global |
| Lovable AI Gateway | Optional AI-assisted features (when enabled by Customer) | US / EU |
| Lovable transactional email (built-in) | Transactional and authentication emails | US / EU |
6. International transfers
The Service is operated from the United States and personal data may be processed in the United States and other countries where our sub-processors operate. Customers based in Gabon and other Central African jurisdictions acknowledge that cross-border transfer is inherent to the Service. Where local law (for example the Gabonese personal data protection law No. 001/2011 and the CNPDCP) requires prior formalities for outbound transfers, the Customer is responsible for completing them and for providing notice to data subjects.
7. Data subject requests and assistance
ShiftPost will, taking into account the nature of processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise data subject rights, and to meet the Customer's obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, and prior consultation). Data subjects should contact their employer first.
8. Security measures
- TLS 1.2+ in transit; AES-256 encryption at rest for database and object storage.
- Row-Level Security policies scoping data to the correct workspace and role.
- Hashed passwords (bcrypt) and optional leaked-password check against the HIBP database.
- Selfie bucket is private; signed URLs only, no public listing.
- Audit logging of administrative actions and attendance adjustments.
- Principle of least privilege for internal access; access reviews on personnel changes.
- Automated backups and point-in-time recovery on the managed database.
9. Personal data breach
ShiftPost will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and provide information reasonably necessary for the Customer to meet its own notification obligations under GDPR Art. 33–34 or comparable law.
10. Audits
ShiftPost will make available to the Customer information necessary to demonstrate compliance with this DPA, including responses to reasonable security questionnaires and, where required, summaries of independent audit reports.
11. Return or deletion
On termination of the Service, ShiftPost will, at the Customer's choice, delete or return all Customer Data within 30 days, unless retention is required by applicable law. Backups are purged on their normal rotation cycle (up to 30 days).
12. Retention defaults
- Selfies: default 90 days from capture, configurable by the Customer's admin.
- Attendance records & audit logs: for the life of the workspace plus applicable legal retention.
- Account data: 30 days after workspace deletion, subject to legal holds.
13. Contact
Data protection contact: moisebibalou@camogroupllc.com.