Data Processing Addendum

Effective January 1, 2026

This page is maintained by the operator of ShiftPost. It is a template and not legal advice. Have qualified counsel in your jurisdiction review and adapt it before relying on it in production.

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the employer/organization ("Customer", the data controller) and CA AND MO GROUP LLC ("ShiftPost", the data processor) and governs processing of personal data on behalf of the Customer in connection with the ShiftPost service (the "Service"). It is designed to comply with the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, Quebec Law 25, and comparable frameworks.

1. Subject matter and duration

ShiftPost processes personal data of the Customer's workers, managers, and administrators as necessary to provide the Service. Processing lasts for the duration of the Customer's subscription and any applicable retention period.

2. Nature and purpose of processing

Recording and verifying workforce attendance using GPS geofencing, selfie capture, QR verification, and device binding; managing schedules, worksites, breaks, adjustments, and audit logs; delivering in-app notifications and messaging.

3. Categories of data subjects and personal data

  • Data subjects: Customer's employees, contractors, applicants, and admins.
  • Data: name, email, role, workspace, language, location coordinates and accuracy, selfie images, device fingerprints, attendance records, adjustments, in-app messages, and audit logs.

4. Controller and processor obligations

  • The Customer determines purposes and means of processing and is responsible for the lawful basis, for informing workers, and for obtaining any required consent (including for selfie images where local law treats them as sensitive).
  • ShiftPost processes personal data only on the Customer's documented instructions, including transfers, unless required by applicable law.
  • ShiftPost ensures personnel authorized to process personal data are bound by confidentiality.
  • ShiftPost implements appropriate technical and organizational measures (see Section 8).

5. Sub-processors

The Customer authorizes ShiftPost to engage the sub-processors listed below to deliver the Service. We will give prior notice of new or replacement sub-processors and give the Customer an opportunity to object on reasonable data protection grounds.

Sub-processorPurposeRegion
SupabaseManaged Postgres database, authentication, private object storageEU / US (per project)
CloudflareEdge hosting, DDoS protection, CDNGlobal
Lovable AI GatewayOptional AI-assisted features (when enabled by Customer)US / EU
Lovable transactional email (built-in)Transactional and authentication emailsUS / EU

6. International transfers

The Service is operated from the United States and personal data may be processed in the United States and other countries where our sub-processors operate. Customers based in Gabon and other Central African jurisdictions acknowledge that cross-border transfer is inherent to the Service. Where local law (for example the Gabonese personal data protection law No. 001/2011 and the CNPDCP) requires prior formalities for outbound transfers, the Customer is responsible for completing them and for providing notice to data subjects.

7. Data subject requests and assistance

ShiftPost will, taking into account the nature of processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise data subject rights, and to meet the Customer's obligations under Articles 32–36 GDPR (security, breach notification, DPIAs, and prior consultation). Data subjects should contact their employer first.

8. Security measures

  • TLS 1.2+ in transit; AES-256 encryption at rest for database and object storage.
  • Row-Level Security policies scoping data to the correct workspace and role.
  • Hashed passwords (bcrypt) and optional leaked-password check against the HIBP database.
  • Selfie bucket is private; signed URLs only, no public listing.
  • Audit logging of administrative actions and attendance adjustments.
  • Principle of least privilege for internal access; access reviews on personnel changes.
  • Automated backups and point-in-time recovery on the managed database.

9. Personal data breach

ShiftPost will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and provide information reasonably necessary for the Customer to meet its own notification obligations under GDPR Art. 33–34 or comparable law.

10. Audits

ShiftPost will make available to the Customer information necessary to demonstrate compliance with this DPA, including responses to reasonable security questionnaires and, where required, summaries of independent audit reports.

11. Return or deletion

On termination of the Service, ShiftPost will, at the Customer's choice, delete or return all Customer Data within 30 days, unless retention is required by applicable law. Backups are purged on their normal rotation cycle (up to 30 days).

12. Retention defaults

  • Selfies: default 90 days from capture, configurable by the Customer's admin.
  • Attendance records & audit logs: for the life of the workspace plus applicable legal retention.
  • Account data: 30 days after workspace deletion, subject to legal holds.

13. Contact

Data protection contact: moisebibalou@camogroupllc.com.