Draft for counsel review — not legal advice. This Addendum describes the controller/processor terms intended to apply when Smart Buildings Inc. processes personal data on behalf of a building operator. It must be reviewed and finalized by qualified counsel before reliance.
Last updated: draft. Governing law: Ontario, Canada.
Roles
The building operator is the controller of personal data processed through ATLAS OS for its deployment. Smart Buildings Inc. is the processor, acting only on documented instructions from the controller, except where law requires otherwise.
Scope of processing
- Subject matter: operation of the ATLAS OS platform for the operator's building(s).
- Data types: operator account data; building telemetry; privacy-by-design presence data (WiFi-CSI, no cameras); and, where enabled, clinic vital-sign estimates.
- Data subjects: operators, staff, and residents of the deployed building.
Processor obligations
We will: (a) process personal data only on the controller's instructions; (b) ensure persons authorized to process are bound by confidentiality; (c) implement appropriate technical and organizational security measures; (d) assist the controller with data-subject requests and with its obligations under applicable law; and (e) delete or return personal data at the end of the engagement.
Subprocessors
The controller authorizes the use of vetted subprocessors (e.g., hosting and database providers) under written terms no less protective than this Addendum. We will maintain a current subprocessor list and give notice of intended changes.
Security
Security measures include access controls, encryption in transit, least-privilege administration, and logging. The platform's local-first design limits the personal data that must leave the building.
Personal health information
Where a deployment processes health-related signals, we apply PHIPA-aligned safeguards and process such information solely as the controller's agent, subject to resident consent obtained by the controller.
Breach notification
We will notify the controller without undue delay after becoming aware of a personal-data breach and provide information reasonably needed for the controller's own notification obligations.
International transfers
Personal data is processed in Canada by default. Any cross-border processing will be subject to safeguards consistent with PIPEDA and applicable provincial law.
Term
This Addendum applies for the duration of the processing and survives until all personal data is deleted or returned.
Contact
Data-protection questions: dpo@smartbuildings.example (placeholder — replace with the official contact before publication).