Operational Data Boundary
Permitted uses, prohibited data, and contractual scope — Inventifornia is operational inventory software, not a HIPAA-covered clinical system.
Last updated: June 23, 2026
1. Purpose of the Service
Inventifornia provides operational inventory and asset tracking for organizations: supplies, equipment, PPE, grant-coded materials, consumables with lot/expiry tracking, and field deployment logistics. Typical users include county public health operations, facilities, emergency management, schools, and nonprofit programs.
The Service is not an electronic health record (EHR), case management system, patient portal, or clinical documentation tool.
2. Permitted Input Data
Customers may store Input Data that describes operational inventory only, such as:
- Item names, SKUs, barcodes, quantities, locations, and unit costs
- Equipment and supply descriptions (e.g., "N95 respirators — size medium", "Ford Transit van #4")
- Grant or funding-line codes (e.g., CDC PHEP, Title V program tags)
- Lot numbers, expiry dates, and deployment/event names (without client linkage)
- Staff user accounts (name, work email, role) for audit accountability
- Photos of inventory items or storage locations (not of individuals)
3. Prohibited Data (Customer obligation)
Customer shall not upload, enter, or process through the Service any of the following ("Prohibited Data"):
- Protected Health Information (PHI) as defined under HIPAA, including patient names, medical record numbers, diagnoses, treatment information, or any data that identifies an individual's health status
- Client, patient, or beneficiary identifiers tied to inventory checkouts (e.g., "issued to John Smith")
- Criminal justice information (CJIS) or law-enforcement-sensitive records
- Social Security numbers, driver's license numbers, or financial account numbers
- Children's personal information beyond what is required for staff user accounts (see COPPA)
- Any data class that would require Inventifornia to act as a Business Associate under HIPAA
Free-text fields (item notes, audit reasons, deployment descriptions) are not monitored for content classification. Customer is solely responsible for training staff not to enter Prohibited Data in any field.
4. No HIPAA Business Associate Agreement
Inventifornia does not offer HIPAA Business Associate Agreements (BAAs). By using the Service, Customer represents and warrants that it will not submit Prohibited Data and that its use of the Service complies with all applicable privacy and health-information laws.
If Customer requires HIPAA-covered processing, Customer must use a platform designed and contracted for that purpose — not Inventifornia.
5. Enforcement
If Inventifornia reasonably believes Customer has submitted Prohibited Data, we may:
- Notify Customer's designated administrator and require remediation within a reasonable period
- Suspend access to the affected tenant until Prohibited Data is removed or export is completed
- Terminate the account for repeated or egregious violations
Customer agrees to indemnify Inventifornia for claims arising from Customer's submission of Prohibited Data or use of the Service outside this Operational Data Boundary.
6. Incorporation into agreement
This Operational Data Boundary is incorporated into the Inventifornia Terms & Conditions and Acceptable Use Policy. Enterprise and government Customers may request execution of the Data Processing Addendum which references these prohibitions.