Lastday Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the agreement between the customer identified in the applicable order form or account registration ("Customer") and 1001537887 Ontario Inc. operating as Lastday ("Lastday") for use of the Lastday platform.
1. Parties and Roles
Customer is the controller of Customer Personal Data. Customer determines what signals, systems, users, and operational records are submitted to Lastday.
Lastday is the processor of Customer Personal Data. Lastday processes Customer Personal Data on Customer's instructions to provide, secure, support, and administer the Lastday service.
If Customer acts as a processor for another organization, Lastday acts as Customer's subprocessor. Customer is responsible for ensuring its own upstream agreements authorize Lastday's processing.
2. Definitions
"Customer Personal Data" means personal information contained in Customer Data that Lastday processes on behalf of Customer.
"Customer Data" means signals, issues, attachments, notes, actions, event trails, connector data, operational records, exports, and other content submitted to or generated through the Lastday service for Customer.
"Data Subject" means an identifiable individual whose personal information is included in Customer Personal Data, including drivers, employees, contractors, customers, vendors, customer contacts, and other individuals.
"Processing" means collection, use, disclosure, storage, retrieval, analysis, transmission, deletion, and any other handling of Customer Personal Data.
"Security Incident" means unauthorized access to, loss of, unauthorized disclosure of, or unauthorized use of Customer Personal Data resulting from a failure of Lastday's safeguards.
"Subprocessor" means a third party engaged by Lastday to process Customer Personal Data.
3. Scope and Purpose of Processing
Lastday processes Customer Personal Data to ingest operational signals, process signals through Octavian, classify and link operational issues, maintain issue records and event trails, generate briefs and evidence outputs, run relation detection, ghost pattern detection and embeddings, operate connectors and OAuth flows, authenticate users, maintain tenant isolation, provide support and billing, secure the platform, and respond to incidents.
Lastday does not process Customer Personal Data for model training, advertising, sale, cross-tenant benchmarking, shared embeddings, or anonymized cross-tenant analytics.
4. Categories of Data Subjects
Customer Personal Data may relate to Customer employees, drivers, dispatchers, maintenance staff, safety staff, compliance staff, finance and administrative staff, owners and executives, contractors, customer contacts, shipper contacts, vendor contacts, insurance contacts, claims contacts, government contacts, and other individuals included in operational signals.
5. Types of Personal Data
Customer Personal Data may include names, email addresses, phone numbers, role and job title, unit and route information, schedule and assignment information, HR-related information, workplace complaint information, safety incident information, injury-related information, medical certificate dates, compliance and qualification information, finance information, billing information, fraud and fuel card information, customer and vendor contact information, voice transcripts, photos, attachment content, OAuth account identifiers and tokens, event history, notes, actions, status changes, and AI outputs derived from Customer Data.
Some Customer Personal Data may be sensitive, including HR complaints, harassment allegations, injury reports, fraud investigations, disciplinary matters, financial information, and credential information.
5A. Non-Personal and Derived Data Categories
In addition to the Customer Personal Data described above, Lastday collects, generates, and stores the following non-personal and derived data categories:
- FMCSA public carrier safety data. Public government records (carrier safety records, fleet size, safety ratings, inspection history, crash data, BASIC scores) obtained from the United States Federal Motor Carrier Safety Administration. Not personal data. Collected automatically at onboarding from the Customer's company name. Stored as part of the tenant's research profile.
- Carrier maturity reports. AI-generated assessments stored per-tenant. Each report contains trust, operational health, and digital maturity scores, a narrative, and source attributions. Internal-mode reports may reference Customer Personal Data; external-mode reports (third-party carriers) use only public government data.
- Prospect research. Public carrier data stored without tenant association. Used for pre-sales carrier research. No Customer Personal Data. Founder-only access. Deleted when a tenant is created for the same carrier.
- Accessorial enrichment. Cross-reference results between email-detected accessorial events and connected QuickBooks invoices, stored within the tenant's issue records. May include Customer Personal Data present in the underlying signal and invoice.
- Outbound email event records. Delivery status, bounce, and complaint events received from the email provider. Contains recipient addresses and message identifiers.
Additional processing purpose. Lastday processes the categories above for carrier assessment and operational intelligence generation. This is an additional purpose within the Scope and Purpose of Processing described in §3 and is not a separate authorization.
6. Customer Instructions
Customer instructs Lastday to process Customer Personal Data as necessary to provide the Service, comply with the agreement, comply with law, prevent or address security incidents, and delete or return data as requested by Customer.
Customer may provide additional documented instructions. Lastday will follow reasonable instructions unless they conflict with law, the agreement, the Constitution, or the Service's technical and security boundaries.
If Lastday believes an instruction may violate applicable law or materially weaken security, Lastday will notify Customer where legally permitted.
7. Customer Responsibilities
Customer is responsible for providing required notices and obtaining required consents, ensuring it has authority to connect email, finance, telematics, SMS, and other systems, ensuring Customer Data is lawful and appropriate for processing, setting user roles and access permissions, responding to individual access requests where Customer is the primary point of contact, reviewing AI outputs before making decisions, and ensuring Lastday is not used for unlawful surveillance or regulated decision-making without human review.
8. Lastday Responsibilities
Lastday will process Customer Personal Data only for the documented purposes, maintain tenant isolation, use Supabase Canada Central as the primary customer data store, use subprocessors listed in 13_SUBPROCESSOR_LIST.md, protect OAuth tokens and secrets, apply reasonable security safeguards, restrict founder and personnel access to need-to-know purposes, assist Customer with access, correction, export, and deletion requests, notify Customer of Security Incidents, and delete Customer Data on termination as described in 16_DATA_RETENTION.md.
9. Subprocessors
Customer authorizes Lastday to use the subprocessors listed in 13_SUBPROCESSOR_LIST.md.
Current subprocessors include Anthropic, NVIDIA, OpenAI, Supabase, Vercel, Stripe, Resend, Google, and Twilio.
Lastday will provide at least 30 days' advance notice before adding a new subprocessor or making a material change to subprocessor processing, unless urgent replacement is needed for security, continuity, or legal reasons.
Customer may object in writing within 15 days of notice based on reasonable data protection concerns. If the parties cannot resolve the objection, Customer may terminate the affected Service.
10. Cross-Border Transfers
Customer operational data is stored in Supabase Canada Central.
Customer Personal Data may be transferred to or processed in the United States when Lastday uses Anthropic Claude Sonnet 4.6 (claude-sonnet-4-6), Anthropic Claude Opus 4.7 (claude-opus-4-7), NVIDIA NIM Llama 3.3 70B (meta/llama-3.3-70b-instruct), Google Vertex AI (Gemini Flash and Gemini Pro as defensive fallback for Jobs 1 and 4), Tavily (web search for Job 7 Deep Research, no customer operational data sent), OpenAI embeddings, Vercel hosting and serverless infrastructure, Stripe billing, Resend email, Google Gmail API, and Twilio communications if enabled.
Customer authorizes these cross-border transfers for the purposes described in this DPA and the Privacy Policy. Lastday will rely on provider agreements and commercial safeguards for these transfers.
11. Security Measures
Lastday's security measures include Supabase Row Level Security on tenant-scoped tables, tenant_id scoping in API routes and database queries, TLS for data in transit, encryption at rest through Supabase-managed infrastructure, Supabase Auth, password-based re-authentication to unlock sensitive content, backend-only OAuth token storage, token revocation and deletion on disconnect where supported, Vercel environment variables for secrets, logging restrictions, production guards for development endpoints, AI prompt injection controls through data delimiters, sensitivity gate controls, limited founder access, and incident response procedures.
The current internal security policy is in 14_SECURITY_POLICY.md.
12. Security Incidents and Breach Notification
Lastday will notify Customer without undue delay after confirming a Security Incident involving Customer Personal Data. Lastday targets notice within 72 hours after confirmation.
Notice will include, to the extent known, the incident description, date or approximate date, categories of Customer Personal Data affected, affected tenant or users, known or estimated number of individuals affected, containment steps taken, mitigation steps recommended for Customer or affected individuals, whether the incident appears to create a real risk of significant harm under PIPEDA, and the Lastday contact for incident follow-up.
Under PIPEDA, reportable breaches that create a real risk of significant harm must be reported to the Office of the Privacy Commissioner of Canada and affected individuals must be notified as soon as feasible. Lastday will assist Customer with these obligations.
13. Data Subject Requests
If Lastday receives a request from an individual relating to Customer Personal Data, Lastday will refer the individual to Customer where appropriate, unless legally required to respond directly.
Lastday will provide reasonable assistance to Customer to respond to access, correction, deletion, or complaint requests.
14. Audit Rights
Upon reasonable written request, Lastday will provide Customer with information reasonably necessary to demonstrate compliance with this DPA, such as security summaries, policy excerpts, subprocessor lists, incident summaries, and relevant audit evidence when available.
Audits must not compromise security, confidentiality, other customers, or production operations.
15. Return and Deletion
On termination or Customer request, Lastday will export Customer Data in a reasonable format if requested and delete Customer Data within 60 days of account termination. This aligns with 03_TRUST_AND_COMPLIANCE.md §7 and 16_DATA_RETENTION.md.
Deletion includes hard deletion from the production database and storage, revocation and deletion of OAuth tokens, and deletion requests to subprocessors where applicable and supported by the provider.
Backups age out under the retention window described in 16_DATA_RETENTION.md.
Lastday does not retain cross-tenant aggregates, anonymized derivatives, shared embeddings, or model-training datasets derived from Customer Data.
16. Liability
Liability under this DPA is subject to the limitations and exclusions in the applicable customer agreement unless a separate signed agreement states otherwise.
17. Order of Precedence
If this DPA conflicts with the Constitution, the Constitution governs internally. If this DPA conflicts with the Terms of Service or an order form, the order of precedence should be defined in the signed customer agreement.
18. Contact
1001537887 Ontario Inc. operating as Lastday
Ontario, Canada
jordan@lastdayops.com
Change Log
Version 1.2. April 20, 2026. Jordan Layden. Governance Wave 5 reconciliation. Header pin sweep: Constitution cite bumped to v3.14, Trust & Compliance cite bumped to v2.8. Voice exemption clause added citing §25.3(a). No substantive legal language changed; DRAFT status preserved.
Version 1.3. April 24, 2026. Claude Code. Doc reconciliation Wave 3. Cross-border transfer clause updated to reflect live model versions and missing subprocessors: Claude Sonnet 4 now Sonnet 4.6 (claude-sonnet-4-6); Claude Opus 4 now Opus 4.7 (claude-opus-4-7); NIM Llama 3.1 70B now Llama 3.3 70B (meta/llama-3.3-70b-instruct) per the Wave 1 Constitution v3.15 migration; Google Vertex AI (Gemini Flash and Gemini Pro) added as the defensive fallback for Jobs 1 and 4; Tavily added as the Job 7 Deep Research web-search subprocessor (no customer operational data sent). Header pin sweep: Constitution cite bumped to v3.20, Trust & Compliance cite bumped to v2.10. No substantive legal language changed; DRAFT status preserved.