PREVSIS - Data Processing Agreement

Global SaaS Platform — Occupational Safety, Health & Sustainability

Version 1.0, Effective Date: 26 Feb 2026 | Last Updated: 26 Jan 2026

IMPORTANT: This Data Processing Agreement («DPA») forms part of the agreement between Prevsis and the Customer, and governs all processing of personal data by Prevsis on behalf of the Customer in connection with the Prevsis Platform and Services. It should be read alongside the Prevsis Privacy Policy and Terms of Use.

1. Definitions

In this DPA, the following terms have the meanings set out below. Other capitalized terms not defined here have the meanings given in the Terms of Use or applicable law.

  • «Controller»: The Customer — the entity that determines the purposes and means of processing personal data.
  • «Processor»: Prevsis — processing personal data on behalf of the Controller.
  • «Sub-Processor»: Any third party engaged by Prevsis to process personal data in connection with providing the Services.
  • «Personal Data»: Any information relating to an identified or identifiable natural person, as defined under applicable data protection law.
  • «Processing»: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
  • «Anonymized Data»: Data that has been irreversibly stripped of all information capable of identifying a natural person or organization, such that re-identification is not reasonably possible.
  • «Applicable Data Protection Law»: The laws applicable to the processing of personal data under this DPA, which may include GDPR, UK GDPR, CCPA/CPRA, LGPD, PIPEDA, and other applicable national laws.
  • «Standard Contractual Clauses (SCCs)»: The clauses adopted by the European Commission for the transfer of personal data to third countries.

2. Scope and Data Processing Roles

2.1 Roles
The Customer acts as Controller with respect to personal data entered into or generated through the Prevsis Platform by or on behalf of the Customer’s organization. Prevsis acts as Processor when processing that data to provide the Services.

Where Prevsis processes personal data to improve its own AI models, develop predictive safety features, or for its own product analytics using Anonymized Data (as set out in Section 6), Prevsis may act as an independent Controller of that Anonymized Data, in accordance with its Privacy Policy.

2.2 Compliance with Instructions
Prevsis shall process personal data only on documented instructions from the Customer — as set out in this DPA, the Terms of Use, and Order Forms — unless required to do otherwise by applicable law. Prevsis shall inform the Customer if it believes an instruction infringes applicable data protection law.

3. Details of Processing

3.1 Subject Matter
Processing of personal data in connection with provision of Prevsis’s AI-powered occupational safety, health, and Sustainability platform and related services.

3.2 Duration
For the term of the subscription or commercial agreement, plus any additional retention period required by applicable law or this DPA.

3.3 Nature of Processing
Storage, retrieval, analysis, structuring, use, and transmission of personal data to provide the Services, including AI-driven risk prediction and recommendations.

3.4 Types of Personal Data

  • Professional identity data: names, job titles, employer, work contact details.
  • Platform usage and authentication data.
  • Occupational safety records: risk assessments, near-miss and incident reports, inspection findings, corrective actions, safety observations.
  • Worker data entered by Customer: names, roles, work locations, training records — as applicable.
  • Technical and log data generated by user interaction with the Platform.

3.5 Categories of Data Subjects

  • Customer’s employees, contractors, and site workers whose data is entered into the Platform.
  • Customer’s authorized platform users (administrators, safety officers, managers).
  • Any other individuals whose data the Customer inputs into the Platform.

4. Prevsis Obligations as Processor

Prevsis shall:
  • Process personal data only in accordance with the Customer’s documented instructions and this DPA.
  • Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organizational security measures described in Section 8.
  • Assist the Customer, by appropriate technical and organizational measures, in fulfilling the Customer’s obligation to respond to requests by data subjects exercising their rights under applicable law.
  • Assist the Customer in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations.
  • At the Customer’s election, delete or return all personal data to the Customer upon termination of the Services, and delete existing copies unless applicable law requires otherwise.
  • Make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA, and allow for and contribute to audits conducted by the Customer or an auditor mandated by the Customer (subject to reasonable notice, confidentiality obligations, and cost allocation).

5. Customer Obligations as Controller

The Customer represents, warrants, and undertakes that:
  • It has a valid legal basis for processing personal data under applicable law before entering that data into the Prevsis Platform.
  • It has provided all required notices to, and obtained all required consents from, data subjects whose data it enters into the Platform.
  • Its instructions to Prevsis comply with applicable data protection law.
  • It is responsible for the accuracy, quality, and legality of personal data submitted to the Platform.
  • It will not use the Platform to process special category data (e.g., health data, biometric data) beyond what is expressly permitted under applicable law and this DPA, without prior written agreement with Prevsis.

6. AI, Predictive Analytics & Use of Anonymized Data

This section is central to Prevsis’s purpose as a platform: to predict and prevent workplace accidents and protect workers. It describes how data is used to improve the AI engine that powers this mission.

6.1 Tenant-Isolated AI Processing (Always Active)

Prevsis always processes Customer Data within the Customer’s isolated tenant environment to generate safety recommendations, risk predictions, compliance insights, and other outputs for that Customer’s exclusive benefit. This processing is necessary for the performance of the Services contract and cannot be opted out of without terminating the Services.
Customer Data is never made available — in identifiable or re-identifiable form — to any other customer’s environment.

6.2 Anonymization

Prevsis operates an anonymization pipeline that strips all personally identifiable information and organizational identifiers from Customer Data before that data may be used for any purpose beyond Section 6.1. The anonymization process is designed such that re-identification is not reasonably possible.

Anonymized Data is no longer «personal data» under GDPR Article 4(1) or equivalent definitions in applicable law, and the restrictions of this DPA do not apply to Anonymized Data once it has been irreversibly anonymized.

6.3 Global Predictive Model (Opt-In)

Where the Customer has opted in (or has not exercised the Tenant-Only Mode election described in Section 6.4), Anonymized Data derived from Customer Data may be contributed to Prevsis’s global predictive safety model. This model is used to improve the accuracy of risk predictions across all platform users — ultimately improving safety outcomes for workers everywhere. Prevsis acts as independent Controller of Anonymized Data used for this purpose.

6.4 Tenant-Only Mode (Available on Request)
The Customer may elect Tenant-Only Mode at any time. Under Tenant-Only Mode:
  • No Anonymized Data derived from the Customer’s environment contributes to the global predictive model;
  • The AI engine continues to operate, and predictions are based exclusively on the Customer’s own historical data and pre-trained model weights;
  • The Customer may observe different predictive performance over time, particularly for rare event types, compared to Customers participating in the global model.

To elect Tenant-Only Mode, the Customer must submit a written request to legal@prevsis.com or through the account settings panel. The election takes effect within 10 business days of confirmed receipt. The Customer may revert to standard mode at any time.

6.5 No Sale of Data
Prevsis does not sell, rent, or otherwise commercialize Customer Data or Anonymized Data to third parties. Anonymized Data is used solely for the purpose of improving Prevsis’s own Services.

6.6 Automated Decision-Making
AI-generated outputs (risk scores, recommendations, alerts) are decision-support tools. They do not constitute fully automated decisions with legal or similarly significant effects on individual workers. Prevsis shall not use the Platform to make or enforce decisions about individual workers without human review by the Customer’s authorized personnel. Where the Customer uses the Platform in a manner that could involve automated decision-making affecting individuals, the Customer is responsible for ensuring compliance with GDPR Article 22 or equivalent provisions.

7. Sub-Processors

7.1 Authorized Sub-Processors
The Customer provides general authorization for Prevsis to engage the sub-processors listed in Prevsis’s current Sub-Processor Register, which includes:
  • Amazon Web Services, Inc. (AWS): cloud infrastructure, data storage, compute.
  • AWS Cognito: authentication and identity management.
  • CRM and customer communications (contact data).
  • Others as maintained in the live Sub-Processor Register, available at prevsis.com/legal or on request.

7.2 New Sub-Processors
Prevsis will provide at least 30 days’ notice before engaging a new sub-processor that will process Customer personal data. The Customer may object to a new sub-processor on reasonable data protection grounds within 14 days of notice. If the parties cannot resolve the objection, the Customer may terminate the relevant Services on written notice, without penalty.

7.3 Sub-Processor Obligations
Prevsis shall impose data protection obligations on sub-processors equivalent to those in this DPA, and remains liable to the Customer for the acts and omissions of its sub-processors.

8. Technical and Organizational Security Measures

Prevsis shall implement and maintain at minimum the following security measures:

8.1 Access Controls
  • Role-based access control (RBAC) with least-privilege principles.
  • Multi-factor authentication for administrative access.
  • Logical tenant isolation ensuring no cross-customer data access.

8.2 Encryption
  • Encryption of personal data in transit using TLS 1.2 or higher.
  • Encryption of personal data at rest using AES-256 or equivalent.

8.3 Availability and Resilience
  • Redundant infrastructure and backup systems.
  • Disaster recovery and business continuity procedures.
  • Target SLA and uptime commitments as set out in the Proposal or Order Form.

8.4 Monitoring and Testing
  • Continuous security monitoring and anomaly detection.
  • Regular vulnerability assessments and penetration testing.
  • Annual security audits.

9. Personal Data Breach Notification

Prevsis shall notify the Customer without undue delay — and in any event within 72 hours — upon becoming aware of a personal data breach affecting Customer Data. Such notification shall include, to the extent then known:
  • A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and records concerned.
  • The name and contact details of the data protection point of contact.
  • A description of the likely consequences of the breach.
  • A description of measures taken or proposed to address the breach.

Prevsis shall cooperate with the Customer and take reasonable steps to mitigate the effects of the breach. The Customer retains responsibility for any notifications required to supervisory authorities or data subjects under applicable law.

10. International Data Transfers

10.1 Transfer Mechanisms
Where processing of Customer personal data involves a transfer to a country outside the EEA, UK, or other jurisdiction with equivalent restrictions, Prevsis shall ensure that such transfers are conducted in accordance with applicable law, including by:
  • Relying on Standard Contractual Clauses (SCCs) — Module 2 (Controller to Processor) — where applicable.
  • Relying on adequacy decisions where available.
  • Implementing any additional supplementary measures required following a Transfer Impact Assessment.

10.2 SCCs
To the extent that Customer Data originating in the EEA or UK is transferred to Prevsis or its sub-processors in a third country, the parties agree that the applicable SCCs (as adopted by the European Commission) are incorporated into this DPA by reference and form part of the agreement between the parties. The Annexes to the SCCs shall be populated by reference to the details in Section 3 of this DPA.

11. Data Subject Rights Assistance

Upon request from the Customer, Prevsis shall provide reasonable assistance to the Customer in responding to data subject requests (access, correction, deletion, portability, objection, restriction) within the timeframes required by applicable law. Where Prevsis receives a data subject request directly relating to Customer Data, it shall promptly forward the request to the Customer and shall not respond to it directly without the Customer’s authorization, except as required by law.

12. Data Protection Impact Assessments

Prevsis shall provide reasonable cooperation and information to assist the Customer in conducting Data Protection Impact Assessments (DPIAs) or equivalent assessments where required by applicable law, including in connection with AI-powered processing activities.

13. Audit Rights

The Customer may, upon at least 30 days’ prior written notice and no more than once per calendar year (unless a security incident requires otherwise), request an audit of Prevsis’s data processing activities. Audits shall be conducted during normal business hours, at the Customer’s cost, and subject to Prevsis’s reasonable confidentiality requirements. Prevsis may satisfy audit requests by providing relevant certifications (e.g., ISO 27001, SOC 2 reports) or by facilitating an audit by a mutually agreed third-party auditor.

14. Termination and Data Deletion

Upon expiry or termination of the Services:
  • Prevsis shall, at the Customer’s election, return or delete all Customer personal data within 60 days or, where the Customer so requires, at a time agreed between the parties.
  • Prevsis may retain Anonymized Data that has already been incorporated into model training datasets, as such data cannot be linked back to the Customer.
  • Prevsis shall certify deletion upon the Customer’s written request.
  • Prevsis may retain personal data where required by applicable law, notifying the Customer of the legal basis and duration of any such retention.

15. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Use or commercial agreement between the parties, to the extent permitted by applicable law. Where both parties are liable to a data subject, they shall each be liable for the entire damage, with the right to claim back from the other party the part of compensation corresponding to their share of responsibility.

16. Governing Law

This DPA shall be governed by the law applicable to the Terms of Use or commercial agreement between the parties, except to the extent that applicable data protection law requires otherwise (for instance, GDPR provisions that mandatorily apply). For SCC purposes, the governing law and jurisdiction of the relevant EU Member State shall apply.

17. Contact & Data Protection Officer

For all queries relating to this DPA, data subject rights, or data protection compliance, please contact:
Email: legal@prevsis.com
Data Protection Officer: Nelson Valencia
Address: Prevsis SpA, Libertad 269, Viña del Mar, Chile

Annex I — Processing Details (for SCC purposes)

A. List of Parties
Data Exporter: The Customer, as identified in the Order Form or commercial agreement.

Data Importer: Prevsis

B. Description of Transfer

Categories of data subjects, types of personal data, special categories, frequency, nature, purposes, retention — as set out in Section 3 of this DPA.

C. Competent Supervisory Authority
Supervisory authority for the Customer’s EEA establishment, or the Chilean data protection authority, or other applicable body.

Annex II — Technical and Organizational Security Policy and Measures

As described in Section 8 of this DPA, and as may be updated in Prevsis’s current Security Overview document (available on request).

Annex III — Sub-Processor Register

The current list of authorized sub-processors is maintained at prevsis.com/legal/sub-processors and is updated prior to the engagement of any new sub-processor. A point-in-time copy may be requested at any time by emailing legal@prevsis.com.