Data Processing Agreement
Cairn Pet Health LLC — Version 1.0
1. Parties
This Data Processing Agreement ("DPA") forms part of the agreement between:
Controller
The subscribing veterinary clinic ("Clinic")
Processor
Cairn Pet Health LLC ("Cairn")
regarding the processing of Personal Data through the Cairn platform.
2. Purpose
Cairn provides software that enables veterinary clinics to monitor longitudinal owner-reported information regarding companion animals between appointments.
Cairn processes Personal Data solely for the purpose of providing the Services described in the Terms of Service.
3. Roles
For owner personal information:
- Clinic = Data Controller
- Cairn = Data Processor
For account information belonging directly to Cairn customers (billing, support communications, etc.), Cairn may act as an independent Controller where applicable.
4. Categories of Personal Data
Depending on how the Service is used, Cairn may process:
Owner Information
- Name
- Email address
- Phone number (optional)
Clinic Information
- Clinic name
- Staff names
- Staff email addresses
Technical Information
- IP address
- Device identifiers
- Push notification tokens
- Authentication identifiers
- Application usage metrics
- Crash diagnostics
Pet Information
- Name
- Species
- Breed
- Age
- Weight
- Medical conditions
- Medications
- Survey responses
- Notes
- Trend data
Pet information itself is generally not personal data, but becomes associated with identifiable owners through the platform.
5. Processing Activities
Cairn processes Personal Data only to:
- authenticate users
- store owner-entered records
- deliver scheduled surveys
- send medication reminders
- generate trend summaries
- display information to authorized veterinary staff
- provide customer support
- improve platform reliability and performance
- maintain system security
Cairn does not sell Personal Data.
Cairn does not use Personal Data for advertising.
6. Instructions
Cairn processes Personal Data only according to:
- this Agreement
- the Terms of Service
- documented instructions provided by the Clinic
unless otherwise required by applicable law.
7. Confidentiality
Cairn ensures that personnel with access to Personal Data are subject to appropriate confidentiality obligations.
8. Security Measures
Cairn maintains administrative, technical, and organizational safeguards appropriate to the nature of the Services, including:
- encrypted communications using TLS
- encryption at rest where supported
- authenticated access controls
- role-based authorization
- row-level security
- audit logging of clinical actions
- regular software updates
- monitoring of application performance and errors
9. Subprocessors
The Clinic authorizes Cairn to use trusted subprocessors required to operate the Service.
Current subprocessors include:
| Provider | Purpose |
|---|---|
| Supabase | Database, authentication, storage |
| Stripe | Payment processing |
| PostHog | Product analytics |
| Sentry | Error monitoring |
| Cloudflare | Website hosting and CDN |
| Expo | Push notification infrastructure |
| Google Cloud / Apple Push Services (as applicable) | Notification delivery |
| OpenAI | AI-assisted support-ticket classification and response drafting |
| Postmark | Transactional and support email delivery |
Cairn may add or replace subprocessors as reasonably necessary. An up-to-date list will be maintained on the Cairn website.
10. International Transfers
Personal Data may be processed in the United States or other jurisdictions where Cairn or its subprocessors operate. Where legally required, Cairn will implement appropriate safeguards for international transfers.
11. Data Subject Requests
Where Cairn receives a request relating to Personal Data that is controlled by a Clinic, Cairn will notify the Clinic unless legally prohibited. The Clinic remains responsible for responding to applicable privacy requests.
12. Security Incidents
Cairn will notify affected Clinics without undue delay after becoming aware of a confirmed security incident affecting Personal Data processed on behalf of the Clinic. Notifications will include available information reasonably necessary for the Clinic to understand the nature and scope of the incident.
13. Data Retention
Cairn retains Personal Data for as long as an owner's account remains active.
Upon account deletion:
- identifying information (name, email address, phone number, push notification tokens) is anonymized promptly upon request;
- associated pet records are deactivated and disassociated from identifying owner information;
- Personal Data may be retained briefly beyond that point solely as needed for backup, fraud prevention, and technical processing cycles, after which it is fully anonymized or deleted.
Where an owner has provided consent for research use, de-identified pet health information may be retained under a permanent research identifier that does not include the owner's name, email address, or the pet's name.
A Clinic's cancellation of its subscription does not itself trigger deletion or anonymization of Clinic or owner data; data remains accessible consistent with the Clinic's and owners' account status.
Clinics may request export of their data for as long as it remains identifiable.
14. Assistance
Upon reasonable request, Cairn will provide information necessary for Clinics to demonstrate compliance with applicable privacy laws relating to Cairn's processing activities.
15. Liability
Liability under this Agreement is governed by the Terms of Service.
16. Governing Law
This Agreement is governed by the same governing law specified in the Cairn Terms of Service.
Appendix A — Technical and Organizational Measures
Cairn maintains safeguards including:
- Role-based access control
- Authentication through Supabase
- TLS encryption in transit
- Encryption at rest
- Row-Level Security (RLS)
- Audit logging
- Routine backups
- Infrastructure monitoring
- Crash reporting through Sentry
- Product analytics through PostHog
- Least-privilege access principles
- Periodic dependency updates
- Secure development practices