Legal

Data Processing Agreement

Cairn Pet Health LLC — Version 1.0

1. Parties

This Data Processing Agreement ("DPA") forms part of the agreement between:

Controller

The subscribing veterinary clinic ("Clinic")

Processor

Cairn Pet Health LLC ("Cairn")

regarding the processing of Personal Data through the Cairn platform.

2. Purpose

Cairn provides software that enables veterinary clinics to monitor longitudinal owner-reported information regarding companion animals between appointments.

Cairn processes Personal Data solely for the purpose of providing the Services described in the Terms of Service.

3. Roles

For owner personal information:

For account information belonging directly to Cairn customers (billing, support communications, etc.), Cairn may act as an independent Controller where applicable.

4. Categories of Personal Data

Depending on how the Service is used, Cairn may process:

Owner Information

Clinic Information

Technical Information

Pet Information

Pet information itself is generally not personal data, but becomes associated with identifiable owners through the platform.

5. Processing Activities

Cairn processes Personal Data only to:

Cairn does not sell Personal Data.

Cairn does not use Personal Data for advertising.

6. Instructions

Cairn processes Personal Data only according to:

unless otherwise required by applicable law.

7. Confidentiality

Cairn ensures that personnel with access to Personal Data are subject to appropriate confidentiality obligations.

8. Security Measures

Cairn maintains administrative, technical, and organizational safeguards appropriate to the nature of the Services, including:

9. Subprocessors

The Clinic authorizes Cairn to use trusted subprocessors required to operate the Service.

Current subprocessors include:

ProviderPurpose
SupabaseDatabase, authentication, storage
StripePayment processing
PostHogProduct analytics
SentryError monitoring
CloudflareWebsite hosting and CDN
ExpoPush notification infrastructure
Google Cloud / Apple Push Services (as applicable)Notification delivery
OpenAIAI-assisted support-ticket classification and response drafting
PostmarkTransactional and support email delivery

Cairn may add or replace subprocessors as reasonably necessary. An up-to-date list will be maintained on the Cairn website.

10. International Transfers

Personal Data may be processed in the United States or other jurisdictions where Cairn or its subprocessors operate. Where legally required, Cairn will implement appropriate safeguards for international transfers.

11. Data Subject Requests

Where Cairn receives a request relating to Personal Data that is controlled by a Clinic, Cairn will notify the Clinic unless legally prohibited. The Clinic remains responsible for responding to applicable privacy requests.

12. Security Incidents

Cairn will notify affected Clinics without undue delay after becoming aware of a confirmed security incident affecting Personal Data processed on behalf of the Clinic. Notifications will include available information reasonably necessary for the Clinic to understand the nature and scope of the incident.

13. Data Retention

Cairn retains Personal Data for as long as an owner's account remains active.

Upon account deletion:

Where an owner has provided consent for research use, de-identified pet health information may be retained under a permanent research identifier that does not include the owner's name, email address, or the pet's name.

A Clinic's cancellation of its subscription does not itself trigger deletion or anonymization of Clinic or owner data; data remains accessible consistent with the Clinic's and owners' account status.

Clinics may request export of their data for as long as it remains identifiable.

14. Assistance

Upon reasonable request, Cairn will provide information necessary for Clinics to demonstrate compliance with applicable privacy laws relating to Cairn's processing activities.

15. Liability

Liability under this Agreement is governed by the Terms of Service.

16. Governing Law

This Agreement is governed by the same governing law specified in the Cairn Terms of Service.

Appendix A — Technical and Organizational Measures

Cairn maintains safeguards including:

  • Role-based access control
  • Authentication through Supabase
  • TLS encryption in transit
  • Encryption at rest
  • Row-Level Security (RLS)
  • Audit logging
  • Routine backups
  • Infrastructure monitoring
  • Crash reporting through Sentry
  • Product analytics through PostHog
  • Least-privilege access principles
  • Periodic dependency updates
  • Secure development practices