Data Processing Agreement (DPA) — Template
Version: 2.0 · Last updated: 2026-05-07
DRAFT — needs lawyer review before use with real customers.
This template is the starting point for the DPA between Constelação Singela Unipessoal, Lda (legal entity operating the Pierre platform; "Processor") and tenant clinics/customers ("Controller") using the Pierre platform. Replace all <<placeholders>> with the per-tenant values and have a Portuguese data-protection lawyer review the final text before signing.
Parties
Processor (Subcontratante):
Constelação Singela Unipessoal, Lda (operator of the Pierre platform)
NIF: 516 868 160
Registered office (Sede): Avenida da Liberdade 180A, 1.º Tivoli Fórum, 1250-146 Lisboa, Portugal
DPO email: dpo@usepierre.com
Controller (Responsável pelo tratamento):
<<NOME LEGAL DO TENANT>>
NIF: <<NIF TENANT>>
Registered office (Sede): <<MORADA TENANT>>
Contact email: <<EMAIL CONTACTO>>
1. Object and scope
This DPA governs the processing of personal data carried out by the Processor
on behalf of the Controller in the context of the Pierre platform, a
multi-tenant supplier ordering, RFQ, invoice management and consignment SaaS,
operated at https://usepierre.com.
The Processor processes the following categories of personal data on behalf of the Controller:
- Identification of Controller's staff: first name, last name, email, role (WORKER/SUPERVISOR/ADMIN), per-module permissions (UserModule), hashed authentication credentials, last sign-in timestamp
- Operational metadata of orders / quotes / invoices / consignment lots / surgical quotes: who created them, when, with which suppliers, free-text notes
- Browser / IP context for security and audit (logged on each authenticated request, retained 90 days)
- Voluntary feedback submitted via the in-app "Sugestão" widget
- Conversations with the AI Agent (Pierre β): prompts, responses, tool calls, credit consumption, stored in AgentSession
- Surgical quotes (when the Surgical Quotes add-on is active): anonymised patient reference (the Controller is responsible for using a non-PII reference such as a clinic-internal hash; the platform does not validate this), selected lens, surgeon, payer entity, procedure type
- Consignment lots (when the Consignment Management add-on is active): product name, reference, serial number, lot, expiry date, used-on date, used-on patient reference (same caveat)
The Processor does not process special-category data (Art. 9 GDPR) on behalf of the Controller; if the Controller submits such data into free-text fields or into the AI Agent, it does so at its own risk and outside the agreed scope. The Controller is reminded in the Pierre Acceptable Use Policy not to upload patient PHI into the platform.
2. Duration
This DPA enters into force on <<DATA INÍCIO>> and remains valid for as long
as the Controller has an active subscription to the Pierre platform.
3. Processing instructions
The Processor processes personal data only on documented instructions from the Controller, including:
a) Operating the platform and providing the contracted features (including
the activated add-ons: Consignment Management, Surgical Quotes, AI Agent)
b) Performing security monitoring and intrusion detection
c) Providing technical support when the Controller submits feedback or opens
   a support ticket; for this purpose the Processor's MASTER-role staff may
   impersonate the Controller's tenant via the audited cookie-based mechanism
   (an ImpersonationLog entry plus a permanent red banner for the duration of
   the impersonation)
d) Aggregated, anonymised analytics for product improvement (no
tenant-identifying data leaves the system)
e) Processing AI Agent conversations through Anthropic PBC (sub-processor)
for inference, with zero data retention configured at the Anthropic
account level
f) Where required by Portuguese or EU law, in which case the Processor will
inform the Controller of such requirement before processing, unless
prohibited by law
Any processing outside this list requires written authorisation from the Controller.
4. Confidentiality and personnel
The Processor ensures that all personnel authorised to process personal data:
- Are bound by confidentiality obligations (contractual or statutory)
- Receive appropriate data-protection training
- Have access only to the data strictly necessary for their role
The Processor maintains a list of authorised personnel and updates it within 7 days of any change.
5. Technical and organisational measures (Art. 32 GDPR)
Encryption
- TLS 1.3 in transit on every external connection
- AES-256 at rest (Supabase Postgres + Supabase Storage)
- Magic-link tokens hashed (HMAC-SHA256) before storage; raw tokens never persisted
- Cegid OAuth tokens encrypted with AES-256-GCM (dedicated key)
Access control
- Role-based access (WORKER, SUPERVISOR, ADMIN, MASTER) with tenant isolation enforced by the withTenant() Prisma middleware
- Module-level access control (UserModule enum + UserModulePermission) on top of the role: ADMIN can grant/revoke access to ORDERS, RFQ, CONSIGNMENT, ANALYTICS, etc. on a per-user basis; the requireModule() server-side gate enforces it at every page entry
- Multi-tenant data is never exposed across tenants except via the explicit anonymised benchmark surface (see §10) and the supplier-side consignment view (suppliers see their own lots distributed across tenants, covered by their own commercial relationship; see §11)
- Cross-pollution guard: an email cannot exist in both the User (tenant) and SupplierUser (supplier) tables
- MFA for ADMIN and MASTER roles (planned; not yet available)
- Service-role keys rotated on personnel changes; runbook at docs/runbooks/database-credential-rotation.md
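The first three access-control measures, shown together as an added TypeScript example: a tenant-scoping wrapper in the spirit of withTenant(), a requireModule() gate, and an audited impersonation step for a MASTER session. The same gate is what §12 relies on when AI Agent tool calls run with the user's own permissions. This is illustrative code written for this page, not the Pierre implementation: the in-memory `orders` array stands in for the database and Prisma, the rows and identifiers are constructed, and the assumption that ADMIN (and an impersonating MASTER) hold every module while other roles need an explicit grant is the example's, not the page's.

```typescript
type Role = "WORKER" | "SUPERVISOR" | "ADMIN" | "MASTER";
type Module = "ORDERS" | "RFQ" | "CONSIGNMENT" | "ANALYTICS";

interface Session {
  userId: string;
  tenantId: string;             // "" for a MASTER session that is not impersonating
  role: Role;
  modules: ReadonlySet<Module>; // per-user grants (UserModulePermission in the page's terms)
  impersonating: boolean;
}

// Stand-in for ImpersonationLog: every impersonation leaves a row.
interface ImpersonationEntry { masterId: string; tenantId: string; at: number }
const impersonationLog: ImpersonationEntry[] = [];

interface Order { id: string; tenantId: string; supplier: string }

// Constructed sample rows spanning two tenants.
const orders: Order[] = [
  { id: "o1", tenantId: "clinicA", supplier: "sup1" },
  { id: "o2", tenantId: "clinicA", supplier: "sup2" },
  { id: "o3", tenantId: "clinicB", supplier: "sup1" },
];

type Where = Partial<Order>;

class TenantScopeError extends Error {
  constructor(msg: string) { super(msg); this.name = "TenantScopeError"; Object.setPrototypeOf(this, TenantScopeError.prototype); }
}
class ModuleDeniedError extends Error {
  constructor(msg: string) { super(msg); this.name = "ModuleDeniedError"; Object.setPrototypeOf(this, ModuleDeniedError.prototype); }
}

// Tenant scoping: every query is rewritten to the session's tenant. A caller
// that names a different tenant is rejected rather than silently corrected,
// because that is a bug or an attack, not a benign omission.
function withTenant(session: Session, where: Where): Where {
  if (session.tenantId === "") throw new TenantScopeError("no tenant bound to session");
  if (where.tenantId !== undefined && where.tenantId !== session.tenantId) {
    throw new TenantScopeError(`cross-tenant query for ${where.tenantId} from ${session.tenantId}`);
  }
  return { ...where, tenantId: session.tenantId };
}

// Module gate, run at page entry before any query. Assumption: ADMIN and an
// impersonating MASTER hold every module; everyone else needs an explicit grant.
function requireModule(session: Session, mod: Module): void {
  const adminLike = session.role === "ADMIN" || (session.role === "MASTER" && session.impersonating);
  if (!adminLike && !session.modules.has(mod)) {
    throw new ModuleDeniedError(`${session.userId} lacks module ${mod}`);
  }
}

// Binds a MASTER session to a tenant and records it; the returned session is
// what the tenant-scoped code paths see while the red banner is shown.
function impersonate(master: Session, tenantId: string, now: number): Session {
  if (master.role !== "MASTER") throw new ModuleDeniedError("only MASTER may impersonate");
  impersonationLog.push({ masterId: master.userId, tenantId, at: now });
  return { ...master, tenantId, impersonating: true };
}

// Minimal stand-in for prisma.order.findMany({ where }).
function findMany(where: Where): Order[] {
  return orders.filter((o) => (Object.keys(where) as (keyof Order)[]).every((k) => o[k] === where[k]));
}

// A page/API handler: gate first, then a query that can only ever see one tenant.
function listOrders(session: Session, where: Where = {}): Order[] {
  requireModule(session, "ORDERS");
  return findMany(withTenant(session, where));
}
```

Because withTenant() injects the tenant after the caller's filter, forgetting to filter by tenant in a handler cannot leak rows; and because it throws on a mismatch instead of overwriting, a handler that is fed a foreign tenant id fails loudly and leaves a trace in error monitoring.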
Backup and recovery
- Daily automated backups with 30-day retention (Supabase managed)
- Point-in-Time Recovery enabled (5-minute granularity over the last 7 days)
- Documented restore runbooks (docs/runbooks/restore-database.md, docs/runbooks/database-backups.md)
- Quarterly restore drills
Security monitoring
- Per-tenant rate limits on email sending (per-kind buckets) and on supplier-token endpoints; visible to Master at /admin/ops/emails
- Audit log for every administrative action (user creation, role change, module permission change, broadcast, impersonation, legal re-acceptance)
- Cron-based retention enforcement (/api/cron/data-retention, daily at 03:00 UTC) for magic links, agent sessions, orphan drafts and billing events
- Anomaly alerts (Sentry, opt-in via env var; per-tenant email-volume anomalies via /admin/ops/emails)
- Cloudflare Turnstile anti-bot challenge on supplier sign-up at /s/sign-up
Incident response
- The Processor will notify the Controller without undue delay (and in any case within 48 hours) of becoming aware of a personal data breach affecting Controller's data
- The notification will include: nature of the breach, categories and approximate number of data subjects affected, likely consequences, measures taken or proposed
- The Processor maintains a security incident register and will support the Controller's own notification to the CNPD under Art. 33 GDPR (due within 72 hours of the Controller becoming aware of the breach)
6. Sub-processors
The Processor uses the following sub-processors as of <<DATA INÍCIO>>:
| Sub-processor | Purpose | Location | Lawful basis for transfer |
|---|---|---|---|
| Supabase Inc. | Postgres database + auth + Storage | EU (Stockholm) | Within EEA |
| Vercel Inc. | Compute + edge (Functions in arn1/Stockholm) | EU compute pinned + control plane in US | DPF (EU-US) + SCCs |
| Resend (Resend.com) | Transactional email delivery | EU + US | SCCs + EU-US DPF |
| Stripe Payments Europe Ltd | Subscription billing + SEPA Direct Debit | Ireland | Within EEA |
| Cloudware, S.A. (Cegid) | AT-certified electronic invoicing (cert. n.º 2397/AT) | Portugal | Within EEA |
| Anthropic PBC | AI inference for Pierre β | US | DPF + SCCs + zero data retention configured |
| Cloudflare, Inc. | Turnstile anti-bot challenge on supplier sign-up | US | DPF + SCCs; processes only the challenge/session signal, not user content |
| Sentry (Functional Software, Inc.) | Optional: error observability (opt-in via env var) | EU / US | DPF + SCCs |
The Processor will give the Controller 30 days' written notice before adding, removing, or replacing any sub-processor. The Controller may object on reasonable grounds (privacy, security); if the parties cannot resolve the objection, the Controller may terminate the contract for cause.
7. International transfers
Where personal data is transferred outside the EEA, the Processor uses Standard Contractual Clauses (SCCs) as adopted by the European Commission, together with supplementary measures (encryption in transit and at rest, no plaintext logging of email bodies, and zero data retention configured for AI inference as described in §6 and §12).
All listed US sub-processors are also certified under the EU-US Data Privacy Framework (DPF).
8. Data-subject rights
The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures in fulfilling Controller's obligations under Articles 15-22 GDPR (right of access, rectification, erasure, restriction, portability, objection, automated decision-making).
Concretely, the Processor commits to:
- Responding to data-subject access / portability requests within 7 working days of the Controller's forwarded request
- Providing data exports in machine-readable JSON, CSV, and Excel (.xlsx) formats
- Implementing erasure requests by removing the data subject from the Controller's tenant (soft-delete + 90-day hard-delete cycle), retaining only what is required for legal obligations
9. Audit
The Controller may request, with 30 days written notice and not more than once per calendar year, an audit of the Processor's compliance with this DPA. The audit may take the form of a questionnaire-based review, documentation review, or on-site visit (at Controller's expense).
The Processor may substitute an external audit certificate (e.g., ISO 27001, SOC 2 Type II) for direct on-site audits when available.
10. Cross-tenant aggregated benchmarks
Pierre computes aggregated, anonymised price benchmarks across tenants
for canonical products that are explicitly linked to a MasterProduct entry.
The benchmark NEVER exposes any other tenant's name, identifier, supplier,
or specific transaction. Aggregations are gated on a minimum of 3 distinct
cross-tenant transactions and 2 distinct tenants. The Controller may opt out
by emailing dpo@usepierre.com.
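The §10 gate (at least 3 cross-tenant transactions and 2 distinct tenants, opted-out tenants excluded, no tenant identifiers in the output), shown as an added TypeScript example with constructed data; it is not the Pierre benchmark code and the field and function names are assumptions. The example also goes one step beyond the clause: an optional viewer-aware check that counts distinct tenants other than the tenant the benchmark is shown to, because a tenant that contributed to an aggregate can subtract its own rows from it.

```typescript
// Constructed price observations: one row per tenant purchase of a product
// linked to a MasterProduct entry. Field names are assumptions.
interface PriceObservation {
  tenantId: string;
  masterProductId: string;
  unitPrice: number; // EUR, excl. VAT
}

const observations: PriceObservation[] = [
  { tenantId: "clinicA", masterProductId: "MP-1", unitPrice: 10 },
  { tenantId: "clinicA", masterProductId: "MP-1", unitPrice: 12 },
  { tenantId: "clinicB", masterProductId: "MP-1", unitPrice: 11 },
  { tenantId: "clinicC", masterProductId: "MP-1", unitPrice: 14 },
  { tenantId: "clinicA", masterProductId: "MP-2", unitPrice: 5 },  // one tenant only
  { tenantId: "clinicA", masterProductId: "MP-2", unitPrice: 6 },
  { tenantId: "clinicA", masterProductId: "MP-2", unitPrice: 7 },
  { tenantId: "clinicA", masterProductId: "MP-3", unitPrice: 20 }, // too few transactions
  { tenantId: "clinicB", masterProductId: "MP-3", unitPrice: 22 },
  { tenantId: "clinicA", masterProductId: "MP-4", unitPrice: 8 },
  { tenantId: "clinicB", masterProductId: "MP-4", unitPrice: 9 },
  { tenantId: "clinicC", masterProductId: "MP-4", unitPrice: 10 },
  { tenantId: "clinicA", masterProductId: "MP-5", unitPrice: 30 }, // two tenants, A holds 2 of 3 rows
  { tenantId: "clinicA", masterProductId: "MP-5", unitPrice: 31 },
  { tenantId: "clinicB", masterProductId: "MP-5", unitPrice: 33 },
];

// The published shape carries no tenant, supplier or transaction identifiers.
interface Benchmark { masterProductId: string; sampleSize: number; median: number; min: number; max: number }

const MIN_TRANSACTIONS = 3; // §10 thresholds
const MIN_TENANTS = 2;

interface BenchmarkOptions {
  optedOut?: ReadonlySet<string>; // tenants that opted out via the DPO
  viewerTenantId?: string;        // tenant the benchmark is rendered for
  minOtherTenants?: number;       // addition beyond §10: distinct tenants other than the viewer
}

function median(xs: number[]): number {
  const s = xs.slice().sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 === 1 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// One entry per product: a Benchmark, or null when the gate suppresses it.
function computeBenchmarks(rows: PriceObservation[], opts: BenchmarkOptions = {}): Map<string, Benchmark | null> {
  const optedOut = opts.optedOut ?? new Set<string>();
  const groups = new Map<string, PriceObservation[]>();
  for (const r of rows) {
    if (optedOut.has(r.tenantId)) continue; // opted-out rows never enter any aggregate
    const g = groups.get(r.masterProductId) ?? [];
    g.push(r);
    groups.set(r.masterProductId, g);
  }
  const out = new Map<string, Benchmark | null>();
  for (const [productId, g] of Array.from(groups.entries())) {
    const tenants = new Set(g.map((r) => r.tenantId));
    const others = new Set(g.filter((r) => r.tenantId !== opts.viewerTenantId).map((r) => r.tenantId));
    const suppressed =
      g.length < MIN_TRANSACTIONS ||
      tenants.size < MIN_TENANTS ||
      others.size < (opts.minOtherTenants ?? 0);
    if (suppressed) { out.set(productId, null); continue; }
    const prices = g.map((r) => r.unitPrice);
    out.set(productId, {
      masterProductId: productId,
      sampleSize: prices.length,
      median: median(prices),
      min: Math.min(...prices),
      max: Math.max(...prices),
    });
  }
  return out;
}
```

With the §10 thresholds alone, MP-5 is published: 3 transactions, 2 tenants. Its median (31) is, however, one of clinicA's own prices, and clinicB, holding the only other row, can read it off directly. Requiring two tenants other than the viewer (minOtherTenants: 2) suppresses MP-5 for both contributors while leaving MP-1 and MP-4, which have three contributing tenants, unchanged.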
11. Cross-tenant supplier consignment view
When the Controller has the Consignment Management add-on active, suppliers can view, at /s/consignment, the consignment lots they have distributed across all Pierre tenants. The legal basis is the performance of the commercial relationship between the Controller and the supplier (Art. 6(1)(b) GDPR).
12. AI Agent (Pierre β) processing
User prompts are sent to Anthropic PBC (sub-processor, US, with DPF + SCCs + zero data retention). Tool calls execute inside the Pierre platform with the same RBAC + module permissions as the user — no privilege escalation. Conversations are stored in AgentSession for 90 days then deleted by the data-retention cron.
The Controller is reminded that prompts containing patient PHI are outside the agreed scope (Art. 9 GDPR special-category data).
13. Return and deletion of data
On termination, the Controller may export all personal data within 180 days. After the grace period, the Processor will delete all personal data held on the Controller's behalf, confirm deletion in writing within 14 days, and retain only what is required for legal compliance.
14. Liability and indemnity
The parties' liability under this DPA is governed by the underlying service agreement. Each party indemnifies the other for damages arising from its breach of this DPA or of GDPR / Portuguese data-protection law.
15. Governing law and jurisdiction
This DPA is governed by Portuguese law and any dispute arising from it falls under the exclusive jurisdiction of the Lisbon courts, without prejudice to the data subject's right to lodge a complaint with the CNPD.
16. Signatures
For the Processor:
<<NOME>>, <<CARGO>>
Date: <<DATA>>
Signature: ________________

For the Controller:
<<NOME>>, <<CARGO>>
Date: <<DATA>>
Signature: ________________