Built for confidential disability-law records.

DisabilityProAI Data Processing Agreement

Last updated: 2026-05-22

1. Parties And Scope

This Data Processing Agreement ("DPA") forms part of the agreement between Canary Doctor LLC dba DisabilityProAI ("Provider") and the customer identified in the applicable order form, subscription, or terms of service ("Customer").

This DPA applies when Provider processes Customer Content on behalf of Customer through the DisabilityProAI service. If there is a conflict between this DPA and other agreement terms about processing Customer Content, this DPA controls for that subject matter unless the parties expressly agree otherwise in writing.

The service and this DPA are designed for United States customers, United States-based Authorized Users, and United States disability-law workflows only.

2. Definitions

• Authorized User means a person Customer permits to access the service.
• Customer Content means files, text, case metadata, OCR output, embeddings, prompts, reports, chat content, instructions, and other information submitted to or generated through the service for Customer.
• Personal Data means Customer Content or account/support information that identifies or can reasonably be linked to an individual.
• Sensitive Data means Personal Data that includes medical records, health information, disability records, government-benefit materials, attorney work product, financial information, or similar sensitive information.
• Security Incident means a confirmed unauthorized access to or disclosure, alteration, or destruction of Customer Content in Provider systems.
• Subprocessor means a third party engaged by Provider to process Customer Content or Personal Data to provide, secure, support, or maintain the service.

3. Roles And Instructions

Customer determines what Customer Content is submitted to the service and is responsible for having the rights, permissions, notices, and authorizations needed to use the service.

Provider will process Customer Content only to provide, secure, maintain, support, and troubleshoot the service as permitted by the agreement, Customer's product configuration, Customer's support requests, and lawful written instructions from Customer.

Provider will not train foundation models or customer-specific AI models on Customer Content.

Provider does not sell Customer Content or Personal Data. Provider does not share Customer Content for cross-context behavioral advertising, marketing, or unrelated third-party use. Disclosures to subprocessors listed in this DPA are for service delivery, security, support, billing, or legal compliance, not for sale of Customer Content.

Provider may decline or pause an instruction if Provider reasonably believes it is unlawful, technically infeasible, would compromise security, or would create material risk to the service or another customer.

4. Confidentiality

Provider will restrict personnel access to Customer Content to personnel and contractors with a business need to know. Provider personnel and contractors with access to Customer Content will be subject to confidentiality obligations.

Support access to Customer Content should be limited to the access needed to resolve a support, security, billing, or operational issue. Customer should not send PHI, medical records, or other Sensitive Data through email or support channels unless Provider has explicitly approved that channel for such data.

5. Security Measures

Provider will maintain reasonable technical and organizational safeguards designed to protect Customer Content. Current safeguards include the measures in Appendix 1. Provider may update safeguards over time, provided updates do not materially reduce the overall protection of Customer Content.

6. Subprocessors

Customer authorizes Provider to use the following subprocessors to provide, secure, support, maintain, and bill for the service:

Provider will require subprocessors to maintain confidentiality and data-protection obligations appropriate to their role.

Provider will provide notice of material subprocessor changes through a website notice, email, customer portal, or other reasonable method. Customer may object to a new subprocessor on reasonable data-protection grounds within the notice period. The parties will work in good faith to resolve the objection.

7. Deletion, Return, And Retention

Customer may delete matters through the product where available or request deletion through Provider's support channel. Provider will delete or return Customer Content according to the agreement, product functionality, and Provider's retention practices.

Unless a different written agreement applies, the current standard policy is that case content is scheduled for deletion 30 days after case creation. Operational logs, billing records, legal-acceptance records, audit records, and security records may be retained for legitimate business, legal, accounting, fraud-prevention, and security purposes. Provider may update retention periods prospectively through the Terms, Privacy Policy, or a written customer agreement.

Backups may retain deleted Customer Content until backup expiry, but backups are protected from ordinary access and are used for continuity, security, and recovery purposes.

8. Security Incident Notice

Provider will notify Customer within five business days after confirming a Security Incident affecting Customer Content, where legally or contractually required. Notice will include information reasonably available to Provider, such as affected systems, affected data categories, known impact, mitigation steps, and any recommended Customer actions.

Security Incident does not include unsuccessful attempts or activity that does not compromise Customer Content, such as blocked scans, pings, rate-limited requests, failed login attempts, or firewall events.

9. Customer Assistance

Provider will provide reasonable assistance, taking into account the nature of the service and information available to Provider, for Customer's deletion, export, security questionnaire, incident response, and regulatory obligations.

Customer remains responsible for managing Authorized Users, configuring access, reviewing generated outputs, maintaining client authorizations, applying minimum-necessary practices, and determining whether Customer's use is legally permitted.

10. Audit And Assurance

Provider may satisfy reasonable security review requests by providing security documentation, the subprocessor list in this DPA, standard questionnaire responses, and relevant vendor assurance materials where available.

Any direct audit requires reasonable written notice, confidentiality, limited scope, no disruption to the service or other customers, and no access to other customers' data. Direct audits may be reserved for enterprise customers, post-incident circumstances, or other cases Provider approves in writing.

11. United States Use Only

The service is intended only for customers and Authorized Users located in the United States and for United States disability-law workflows. Customer may not use the service for non-U.S. customers, non-U.S. Authorized Users, or processing that would require Provider to comply with non-U.S. privacy, data-protection, or international-transfer regimes unless Provider expressly agrees in writing before such use.

Customer is responsible for ensuring that Customer Content submitted to the service is appropriate for this U.S.-only service posture.

12. HIPAA And BAA Terms

This DPA does not by itself make Provider a business associate or create a BAA. If Customer's use requires business associate terms, the parties must execute a separate Business Associate Addendum or HIPAA exhibit, available on request, before Customer submits PHI in a HIPAA-regulated workflow.

Provider's service is designed to support HIPAA-conscious legal workflows when required agreements and customer-side controls are in place.

Appendix 1: Technical And Organizational Measures

Provider's current safeguards include:

• Encryption in transit for application traffic and backend service calls using HTTPS/TLS or authenticated TLS-protected service connections.
• Managed encryption at rest for primary cloud data stores and object storage.
• Supabase Auth for user authentication.
• Server-side ownership checks for case, file, chat, billing, and report access.
• Service-role credentials used only in backend/server contexts.
• Server-issued, time-bound upload and report access patterns instead of public storage locations.
• Role-based administrative controls and admin session hardening.
• hCaptcha and rate limiting on authentication-sensitive and high-cost paths.
• Click-through legal acceptance for the Terms, Privacy Policy, and DPA during onboarding or subscription checkout, with acceptance metadata retained for customer-assurance purposes where available.
• Security headers including HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
• Private source repositories, protected production branch, CodeQL, Dependabot, dependency review, secret scanning, and bundle secret scans.
• Shared redaction controls for logs and error handling to reduce exposure of tokens, private keys, signed URLs, and raw internal errors.
• Reviewed migrations and operator-controlled backup procedures before structural production database changes.
• Incident response, vulnerability intake, and customer assurance materials.

Appendix 2: Processing Details Schedule

This appendix identifies the processing covered by this DPA: what data is processed, whose data may be included, why it is processed, and how long the processing lasts. It is not a separate set of definitions; it is the operational processing schedule for this DPA.