Data Processing Agreement

Last updated: April 9, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (“Agreement”) between the Client (as defined in the Terms of Service) and VeriField Pro LLC (“VeriField Pro”). This DPA sets forth the parties' obligations with respect to the processing of personal data in connection with the VeriField Pro MSHA platform (“Platform”).

This DPA applies to all personal data processed by VeriField Pro on behalf of the Client through the Platform. In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.

1. Definitions

  • “Controller” means the Client (the mining company, safety consultancy, or other organization) that determines the purposes and means of processing personal data through the Platform. The Controller is the entity that subscribes to the Platform.
  • “Processor” means VeriField Pro LLC, which processes personal data on behalf of the Controller in connection with providing the Platform's services.
  • “Data Subject” means an identified or identifiable natural person whose personal data is processed through the Platform, including mine workers, safety personnel, contractors, and visitors.
  • “Personal Data” means any information relating to a Data Subject that is processed through the Platform.
  • “Processing” means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, transfer, and deletion.
  • “Sub-Processor” means a third party engaged by VeriField Pro to process personal data on behalf of the Controller.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

2. Scope and Purpose of Processing

VeriField Pro processes personal data solely for the purpose of providing the Platform's services to the Controller, as described in the Terms of Service. Processing activities include:

  • Authenticating and authorizing user access to the Platform.
  • Recording check-in and check-out events, including GPS coordinates at the time of each event.
  • Storing and managing inspection records, training documentation, incident reports, and other safety compliance records.
  • Processing and storing photos uploaded for hazard and incident documentation.
  • Generating compliance reports and analytics for the Controller.
  • Facilitating emergency management functions, including muster operations and lone worker monitoring.
  • Sending notifications, alerts, and communications on behalf of the Controller.

3. Categories of Data Processed

3.1 Categories of Data Subjects

  • Mine workers and employees of the Controller.
  • Contractors and subcontractors working at the Controller's mine sites.
  • Visitors to the Controller's mine sites.
  • Safety personnel, supervisors, and administrators employed by the Controller.

3.2 Types of Personal Data

  • Identity Data: Full name, employee ID, job title, role, employer name.
  • Contact Data: Email address, phone number.
  • Location Data: GPS coordinates captured at check-in and check-out events (not continuous tracking).
  • Employment Data: Training certifications, qualification records, competency designations, MSHA training history.
  • Safety Records: Inspection data, hazard observations, incident reports, near-miss reports, workplace examination records.
  • Media: Photos uploaded for hazard and incident documentation.
  • Technical Data: IP address, device type, browser information, access timestamps.

4. Obligations of the Processor

VeriField Pro, as the Processor, shall:

  • Process personal data only on documented instructions from the Controller, including with respect to transfers of personal data, unless required to do so by applicable law.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7.
  • Not engage another processor (Sub-Processor) without prior specific or general written authorization of the Controller, as described in Section 6.
  • Assist the Controller in fulfilling its obligations to respond to data subject requests, as described in Section 9.
  • Assist the Controller in ensuring compliance with security, breach notification, and data protection impact assessment obligations.
  • At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, as described in Section 11.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid out in this DPA, as described in Section 12.

5. Obligations of the Controller

The Controller shall:

  • Ensure that the processing of personal data through the Platform is lawful, and that all necessary notices and consents have been obtained from Data Subjects.
  • Provide clear and documented instructions to VeriField Pro regarding the processing of personal data.
  • Ensure the accuracy and completeness of personal data submitted to the Platform.
  • Comply with all applicable data protection laws in connection with its use of the Platform.
  • Manage user access permissions and promptly deactivate accounts of individuals who no longer require access.

6. Sub-Processors

The Controller hereby provides general authorization for VeriField Pro to engage Sub-Processors. VeriField Pro shall notify the Controller of any intended changes to its Sub-Processors, giving the Controller the opportunity to object to such changes within 30 days.

The following Sub-Processors are currently engaged:

| Sub-Processor | Purpose | Data Location |
| --- | --- | --- |
| Supabase, Inc. | Database hosting, authentication, file storage, and real-time functionality. Primary data store for all Platform data. | United States (AWS) |
| Vercel, Inc. | Web application hosting, edge delivery, and serverless function execution. Handles web traffic routing and content delivery. | United States (primary) |
| Resend, Inc. | Transactional email delivery. Sends account notifications, password resets, and system alerts. | United States |
| Telnyx LLC | SMS and voice communications. Sends check-in confirmations, emergency alerts, and two-factor authentication codes. | United States |

VeriField Pro ensures that each Sub-Processor is bound by data processing obligations no less protective than those set forth in this DPA. VeriField Pro remains fully liable for the performance of its Sub-Processors.

7. Security Measures

VeriField Pro implements the following technical and organizational security measures:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256).
  • Row-level security (RLS) enforcing strict tenant data isolation at the database level.
  • Multi-factor authentication for administrative accounts.
  • Role-based access control with least-privilege principles.
  • Regular security assessments, vulnerability scanning, and penetration testing.
  • Automated monitoring and alerting for security events.
  • Immutable audit logging of all data access and modifications.
  • Employee access controls with regular review and offboarding procedures.
  • Regular backups with encrypted storage in geographically separate locations.

For detailed information, see our Security Practices page.

8. Data Breach Notification

  • VeriField Pro shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach affecting the Controller's personal data.
  • The notification shall include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) contact details for further information.
  • VeriField Pro shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
  • VeriField Pro shall document all Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.

9. Data Subject Rights

VeriField Pro shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including rights of access, rectification, erasure, restriction of processing, data portability, and objection.

  • If VeriField Pro receives a request directly from a Data Subject, it shall promptly redirect the request to the Controller, unless otherwise instructed.
  • VeriField Pro shall provide the Controller with the technical capability to export, correct, or delete Data Subject data through the Platform's administrative functions.
  • In the event that a Data Subject request cannot be fulfilled through the Platform's standard functionality, VeriField Pro shall provide reasonable assistance to the Controller, which may be subject to additional fees for excessive or complex requests.
  • Deletion requests are subject to MSHA mandatory retention periods. Records that must be retained under federal regulation will not be deleted until the applicable retention period has expired.

10. Cross-Border Data Transfers

VeriField Pro processes and stores all personal data within the United States. We do not transfer personal data outside of the United States. All Sub-Processors listed in Section 6 process data within the United States.

In the event that a future Sub-Processor requires processing outside of the United States, VeriField Pro shall: (a) notify the Controller in advance; (b) ensure appropriate safeguards are in place; and (c) obtain the Controller's consent before any cross-border transfer occurs.

11. Data Return and Deletion

  • Upon termination or expiration of the Agreement, the Controller may request the return of all personal data in a standard, machine-readable format (CSV, JSON, or PDF).
  • The Controller shall have 90 days from termination to request data export. During this period, the data remains accessible through the Platform's export functionality.
  • After the 90-day export period (or upon earlier written request from the Controller), VeriField Pro shall permanently delete all personal data, including copies in backup systems, within 30 days.
  • Data that must be retained under MSHA federal recordkeeping requirements will be retained for the required period and then deleted. VeriField Pro shall inform the Controller of any such retention obligations.
  • VeriField Pro shall provide written certification of deletion upon the Controller's request.

12. Audit Rights

  • VeriField Pro shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.
  • The Controller may conduct, or appoint a qualified third-party auditor to conduct, an audit of VeriField Pro's compliance with this DPA, no more than once per calendar year, with at least 30 days' prior written notice.
  • Audits shall be conducted during normal business hours and shall not unreasonably interfere with VeriField Pro's business operations.
  • The Controller shall bear the costs of any audit, unless the audit reveals material non-compliance by VeriField Pro, in which case VeriField Pro shall bear the reasonable costs.
  • VeriField Pro may satisfy audit requirements by providing the Controller with relevant third-party audit reports (e.g., SOC 2 reports) in lieu of on-site audits, where such reports adequately address the Controller's concerns.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service. Nothing in this DPA limits or excludes either party's liability for: (a) fraud or fraudulent misrepresentation; (b) death or personal injury caused by negligence; or (c) any liability that cannot be limited or excluded by applicable law.

14. Duration and Termination

This DPA shall remain in effect for the duration of the Agreement between the Controller and VeriField Pro. Upon termination of the Agreement, VeriField Pro shall continue to process personal data only as necessary to fulfill its obligations under Sections 8 (Data Breach Notification), 11 (Data Return and Deletion), and any applicable legal retention requirements. All other processing shall cease upon termination.

15. Contact Us

For questions about this Data Processing Agreement or to submit data processing inquiries:

VeriField Pro LLC

Email: legal@verifieldpro.com

Support: support@verifieldpro.com

Website: verifieldpro.com
