Data Processing Agreement - Canada
This Data Processing Agreement (Canada) (“DPA”) is entered into as of the Effective Date, and is by and between Euna Solutions Inc., a British Columbia corporation with headquarters in Ontario (“Service Provider”), and the customer identified in the signature block below (“Customer”) (each a “Party,” collectively the “Parties”).
This DPA may be executed: (a) as an addendum, exhibit, or schedule to a master services agreement, subscription agreement, order form, or other agreement between the Parties governing Customer’s use of the Platform Services (the “Related Agreement”), in which case it supplements and forms part of the Related Agreement and prevails over it with respect to the subject matter hereof; or (b) as a standalone agreement, in which case it governs Service Provider’s Processing of Customer Personal Data and shall be read together with the applicable order form or statement of work identifying the Platform Services. In either case, references herein to the “Related Agreement” mean whichever instrument applies.
NOW, THEREFORE, in consideration of the mutual promises and covenants contained herein and other good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, the Parties hereby agree as follows:
1. DEFINITIONS
As used in this DPA:
“Applicable Canadian Privacy Law” means any federal or provincial privacy, data protection, or data security law or regulation of Canada applicable to Service Provider’s Processing of Customer Personal Data under this DPA, which may include, without limitation, the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 (“PIPEDA”); the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, as amended by An Act to modernize legislative provisions as regards the protection of personal information (collectively, the “Quebec Privacy Act” or “Quebec Law 25”); the Personal Information Protection Act (Alberta), S.A. 2003, c. P-6.5 (“PIPA Alberta”); and the Personal Information Protection Act (British Columbia), S.B.C. 2003, c. 63; in each case as enacted and effective from time to time and including any regulations promulgated thereunder.
“Business Purpose” means the specific operational purposes for which Customer engages Service Provider to Process Customer Personal Data, as further described in Schedule A.
“Confidentiality Incident” has the meaning given to that term in the Quebec Privacy Act and means unauthorized access to, use of, or communication of, Personal Information, as well as loss of Personal Information or any other breach in the protection of such information.
“Customer Personal Data” means Personal Information that is submitted, uploaded, or otherwise made available to Service Provider by Customer or its End Users through the Platform Services, and that is in the possession or control of Service Provider or any Sub-processor under this DPA. Customer Personal Data does not include: (a) Personal Information that is or becomes publicly available within the meaning of Applicable Canadian Privacy Law through no act or omission of Service Provider; (b) Personal Information that Service Provider independently collects or generates outside the Platform Services without reference to Customer Personal Data; (c) Personal Information that has been de-identified, anonymized, or aggregated in accordance with the requirements of Applicable Canadian Privacy Law; or (d) Personal Information that Service Provider is required to disclose by applicable law, regulation, or legal process.
“Data Breach” means a confirmed security incident in which Customer Personal Data in the possession or control of Service Provider is accessed, acquired, used, or disclosed by an unauthorized person or in an unauthorized manner, or lost. A Data Breach does not include access to or acquisition of Customer Personal Data that is secured by encryption or other comparable technology, provided that the encryption key or comparable security mechanism was not also acquired in the same incident. To the extent Customers are subject to the Quebec Privacy Act, “Data Breach” includes any Confidentiality Incident.
“End Users” means Customer’s employees and contractors authorized by Customer to access and use the Platform Services on Customer’s behalf.
“Personal Information” has the meaning given to it under Applicable Canadian Privacy Law and, for purposes of this DPA, means any information about an identifiable individual. Personal Information does not include business contact information where the collection, use, or disclosure of such information is solely for the purpose of communicating or facilitating communication with the individual in relation to their employment, business, or profession, to the extent excluded from the scope of Applicable Canadian Privacy Law. Personal Information does not include information that is anonymous, de-identified, or aggregated in accordance with the requirements of Applicable Canadian Privacy Law such that it cannot reasonably be used to identify a particular individual.
“Platform Services” means the software-as-a-service platform and related products and services provided by Service Provider to Customer pursuant to the Related Agreement.
“Privacy Officer” means the individual designated by Service Provider, and (where applicable) the individual designated by Customer, responsible for compliance with Applicable Canadian Privacy Law as further described in Section 2.3.
“Processing” or “Process” means any operation performed on Customer Personal Data, including collection, use, communication, storage, access, retention, transfer, deletion, or destruction.
“Sensitive Personal Information” means Personal Information that is of a sensitive nature due to its intimate character or the context of its collection, use, or communication, including, without limitation, health information, financial information, biometric data, and government-issued identification numbers (including Social Insurance Numbers), as such term (or any analogous term) is defined or treated under Applicable Canadian Privacy Law. Service Provider does not collect Sensitive Personal Information except as may be inputted into the Platform Services by the Customer.
“Sub-processor” means any third party engaged by Service Provider to Process Customer Personal Data on Service Provider’s behalf in connection with the Platform Services.
2. ROLES, ACCOUNTABILITY, AND CUSTOMER REPRESENTATIONS
2.1 Roles. As between the Parties, Customer is the organization that determines the purposes for which and the means by which Customer Personal Data is Processed, and Service Provider Processes Customer Personal Data on Customer’s behalf and for Customer’s benefit in connection with the Platform Services. Service Provider Processes Customer Personal Data solely on behalf of and as directed by Customer, for the Business Purposes described in Schedule A, and for the other purposes described in this DPA. Customer remains accountable for Customer Personal Data in accordance with the accountability principle under Applicable Canadian Privacy Law, including Principle 4.1 of Schedule 1 to PIPEDA and section 3.1 of the Quebec Privacy Act.
2.2 Customer Representations and Warranties. Customer represents, warrants, and covenants on a continuing basis that:
(a) Customer has the full legal right, power, and authority to submit Customer Personal Data to Service Provider for Processing under this DPA and for the Business Purposes described herein;
(b) Prior to submitting Customer Personal Data to Service Provider, Customer has provided all notices and obtained all consents, authorizations, or other approvals required under Applicable Canadian Privacy Law and any other applicable law for Service Provider to Process Customer Personal Data as contemplated by this DPA, including any consents required for the collection, use, and disclosure of Sensitive Personal Information and any consents required in connection with the cross-border transfer and Processing of Customer Personal Data contemplated by Section 10;
(c) Customer has informed the individuals to whom Customer Personal Data relates, in accordance with the openness and transparency requirements of Applicable Canadian Privacy Law (including section 8 of the Quebec Privacy Act and section 13.1 of PIPA Alberta, where applicable), of: (i) the purposes for which and the means by which their Personal Information is being collected; (ii) the categories of third parties (including Service Provider and its Sub-processors) to whom their Personal Information may be disclosed; and (iii) the fact that their Personal Information may be transferred to, stored in, and Processed in the United States and other jurisdictions outside of Canada;
(d) The submission, transfer, and other Processing of Customer Personal Data under this DPA does not and will not violate any applicable law, regulation, court order, or the privacy rights of any individual;
(e) Customer’s instructions to Service Provider comply, and will at all times comply, with Applicable Canadian Privacy Law;
(f) Customer has conducted any privacy impact assessment, factors analysis, or similar assessment required of Customer under Applicable Canadian Privacy Law in respect of the Processing contemplated by this DPA, including any assessment required under sections 3.3 and 17 of the Quebec Privacy Act in connection with the communication of Personal Information outside Quebec; and
(g) Customer is solely responsible for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired it.
2.3 Privacy Officer. Service Provider has designated a Privacy Officer responsible for Service Provider’s compliance with PIPEDA and other Applicable Canadian Privacy Law. Service Provider’s Privacy Officer may be contacted at [email protected]. Customer shall, where required by Applicable Canadian Privacy Law, designate its own person in charge of the protection of Personal Information (including for purposes of section 3.1 of the Quebec Privacy Act) and shall provide Service Provider with such contact information upon request.
3. SERVICE PROVIDER PROCESSING OBLIGATIONS
3.1 Instructions. Service Provider will Process Customer Personal Data only: (a) as necessary to provide the Platform Services in accordance with the Related Agreement and this DPA; (b) as documented in written instructions from Customer; (c) as required by applicable law, including Applicable Canadian Privacy Law; or (d) as reasonably necessary to detect, prevent, or address fraud, security incidents, technical issues, or illegal activity, or to enforce Service Provider’s rights or agreements with End Users or Customer.
3.2 Security. Service Provider will implement reasonable security measures designed to protect Customer Personal Data against unauthorized access, use, communication, alteration, loss, or destruction, having regard to the sensitivity of the Personal Information, as required by Principle 4.7 of Schedule 1 to PIPEDA and section 10 of the Quebec Privacy Act. Customer has reviewed Service Provider’s security measures and has determined that they are adequate and appropriate for the risk to Customer Personal Data and the Platform Services.
3.3 Compliance with Law; Restrictions on Use and Disclosure. Service Provider will comply with the obligations applicable to it under Applicable Canadian Privacy Law in its capacity as a service provider Processing Customer Personal Data on Customer’s behalf. Further, Service Provider will not: (a) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose specified in Schedule A or as otherwise permitted by this DPA; (b) sell Customer Personal Data; or (c) combine Customer Personal Data received from Customer with Personal Information received from or collected from other sources, except as permitted under Applicable Canadian Privacy Law or elsewhere in this DPA. In the event that any amendment to, or change in, Applicable Canadian Privacy Law imposes obligations on Service Provider that are materially beyond those required as of the Effective Date of this DPA, or that would require Service Provider to incur material additional costs to comply, Service Provider shall have no obligation to comply with such additional obligations until the Parties have conferred in good faith regarding the impact of such change; and if the Parties are unable to agree on an allocation of such additional costs or obligations within thirty (30) days of Service Provider’s written notice to Customer of the change, Service Provider may, at its election: (a) pass through to Customer any reasonable additional costs required to achieve compliance, which Customer shall pay within thirty (30) days of invoice; or (b) terminate the affected portion of the Platform Services upon sixty (60) days’ written notice to Customer without liability to Customer for such termination.
3.4 De-identified and Anonymized Data. To the extent Service Provider creates de-identified or anonymized information derived from Customer Personal Data in accordance with the requirements of Applicable Canadian Privacy Law (including section 23 of the Quebec Privacy Act), Service Provider will: (a) implement reasonable technical and organizational measures designed to prevent re-identification; (b) not attempt to re-identify such information; and (c) require any recipient to comply with equivalent restrictions.
3.5 Compliance Continuation. Service Provider will notify Customer in writing if it determines or reasonably suspects its inability to materially comply with its obligations set forth in this DPA.
3.6 Confidentiality. Service Provider will impose on its employees and contractors with access to Customer Personal Data an obligation to maintain the confidentiality of such Customer Personal Data.
3.7 Artificial Intelligence and Automated Processing. To the extent Customer’s subscription under the Related Agreement includes AI Features, as defined in Schedule C, the additional terms set forth in Schedule C shall apply and are incorporated into this DPA by reference. In the event of a conflict between Schedule C and the DPA body with respect to the Processing of Customer Personal Data through AI Features, Schedule C shall prevail.
4. SUB-PROCESSORS
4.1 General Authorization. Customer hereby provides written authorization for Service Provider to engage Sub-processors to assist in providing the Platform Services and Process Customer Personal Data, subject to the requirements of this Section 4. Service Provider’s current Sub-processors are listed in Schedule B. Processing of Customer Personal Data by Sub-processors located outside of Canada is subject to Section 10.
4.2 Changes. Service Provider will provide Customer with reasonable prior written notice (which may be by email or by updating Schedule B on Service Provider’s website) before adding or replacing any Sub-processor that will Process Customer Personal Data. If Customer reasonably objects to a proposed Sub-processor on data protection grounds, Customer shall notify Service Provider in writing within ten (10) business days of receiving notice. The Parties shall work in good faith to resolve the objection. If unresolved within thirty (30) days, Customer’s sole and exclusive remedy is to terminate the affected portion of the Platform Services upon written notice.
4.3 Sub-processor Obligations. Service Provider will impose relevant data protection obligations on each Sub-processor that are materially consistent with those in this DPA with respect to Customer Personal Data. Service Provider remains responsible to Customer for its Sub-processors’ performance, subject to the liability limitations in Section 11 and the Related Agreement.
5. INDIVIDUAL RIGHTS REQUESTS
5.1 Customer Responsibility. Customer is solely responsible for receiving, validating, and responding to requests from individuals exercising their rights under Applicable Canadian Privacy Law in respect of Customer Personal Data (“Rights Requests”), including rights of access, correction (rectification), withdrawal of consent, de-indexing or cessation of dissemination, data portability, and, where applicable, rights relating to automated decision-making.
5.2 Service Provider Assistance. Service Provider will provide reasonable technical assistance to Customer to fulfill Rights Requests, to the extent technically feasible given the nature of the Processing and the information available to Service Provider. Where Platform Services self-service tools are available, Customer shall use such tools in the first instance.
5.3 Direct Requests. If Service Provider receives a Rights Request directly from an individual relating to Customer Personal Data, Service Provider will notify Customer and will not respond to the individual directly, except to acknowledge receipt, to direct the individual to Customer, or as otherwise required by Applicable Canadian Privacy Law.
6. DATA BREACH NOTIFICATION
6.1 Notification to Customer. Upon becoming aware of a Data Breach, Service Provider will notify Customer without undue delay. Such notification will be provided to the contact designated in Schedule A.
6.2 Content. Service Provider’s notification will include, to the extent then known: (a) the nature of the Data Breach and the categories and approximate number of individuals and records affected; (b) measures taken or proposed to be taken to address the Data Breach and to mitigate its adverse effects; and (c) Service Provider’s designated privacy contact. Service Provider may provide information in phases as additional information becomes available.
6.3 Customer’s Notification Responsibility. Customer is solely responsible for all notifications to affected individuals, to the Office of the Privacy Commissioner of Canada, to the Commission d’accès à l’information du Québec, to the Office of the Information and Privacy Commissioner of Alberta, to the Office of the Information and Privacy Commissioner for British Columbia, to any other applicable regulatory authorities, and to any other required third parties under Applicable Canadian Privacy Law, including any determination of whether a Data Breach creates a “real risk of significant harm” for purposes of PIPEDA or PIPA Alberta or “a risk of serious injury” for purposes of the Quebec Privacy Act. Customer is solely responsible for maintaining any register of Confidentiality Incidents or breach records required of Customer under Applicable Canadian Privacy Law. Service Provider will have no obligation to notify any individual, regulator, or other third party directly. Service Provider will provide reasonable assistance to Customer in preparing required notifications upon Customer’s written request, at Customer’s expense.
6.4 No Admission. Service Provider’s notification of a Data Breach shall not be construed as an admission of fault, liability, or responsibility.
7. RETENTION AND DELETION
7.1 Retention. Service Provider will retain Customer Personal Data only for as long as necessary to provide the Platform Services, as required by Applicable Canadian Privacy Law or the Related Agreement, or as otherwise necessary under this DPA.
7.2 Return or Deletion. Upon termination or expiration of the Related Agreement, or upon Customer’s written request, Service Provider will, at Customer’s election and expense: (a) return Customer Personal Data to Customer in a commonly used machine-readable format; or (b) securely delete or destroy Customer Personal Data; in each case within sixty (60) days of Service Provider’s receipt of Customer’s written request. Where required by Applicable Canadian Privacy Law (including section 23 of the Quebec Privacy Act), Service Provider will destroy Customer Personal Data or anonymize it in accordance with generally accepted best practices when the purposes for which it was collected or used have been achieved, subject to the exceptions set forth in Section 7.3.
7.3 Backups and Archives. Notwithstanding the foregoing, Service Provider shall not be required to delete Customer Personal Data to the extent that retention is: (a) necessary to comply with applicable law, regulation, legal process, or governmental request, including applicable data retention mandates; (b) necessary to establish, exercise, or defend legal rights or claims arising out of or related to this DPA or the Related Agreement, including for purposes of litigation, dispute resolution, or regulatory investigation; (c) necessary to detect, prevent, or investigate fraud, security incidents, or other illegal or unauthorized activity involving the Platform Services; (d) necessary for audit, compliance, or financial record-keeping purposes in accordance with Service Provider’s reasonable internal policies and applicable law; (e) contained in backup, archival, or disaster recovery storage systems prior to the scheduled purge or rotation of such systems in the ordinary course of Service Provider’s data management practices, provided that Service Provider will not actively restore, access, or use such data for any purpose other than recovery operations; or (f) otherwise required or permitted by Applicable Canadian Privacy Law. In each case, Customer Personal Data retained pursuant to this Section will remain subject to the confidentiality and security obligations of this DPA, except as the preceding exceptions require, and will be deleted or anonymized as soon as all applicable exceptions no longer apply.
8. AUDIT AND COMPLIANCE
8.1 Compliance Documentation. No more than once per calendar year, unless required by Applicable Canadian Privacy Law, Service Provider will make available to Customer, upon written request, information reasonably necessary to demonstrate compliance with this DPA.
8.2 Third-Party Certifications. Service Provider may satisfy its obligations under Section 8.1 by providing a current third-party audit report or certification (such as SOC 2 Type II) covering the Platform Services. Customer shall treat such reports as Service Provider’s Confidential Information.
8.3 On-Site Audit. Only where required by Applicable Canadian Privacy Law and where the documentation in Section 8.2 is demonstrably insufficient, Customer may, upon no less than thirty (30) days’ prior written notice, conduct or commission a mutually agreed audit at Customer’s sole expense, during Service Provider’s normal business hours, and subject to Service Provider’s reasonable confidentiality requirements. Service Provider shall not be required to disclose information belonging to other customers or that would compromise its security posture.
9. GOVERNMENTAL CUSTOMER PROVISIONS
9.1 Applicability. This Section 9 applies where Customer is a federal, provincial, territorial, municipal, or other public sector body or government institution in Canada, including any department, agency, Crown corporation, board, commission, school board, health authority, or other instrumentality of government (“Governmental Entity”). Customer acknowledges that PIPEDA generally does not apply to Governmental Entities, and that Customer may instead be subject to one or more public sector privacy statutes, including, as applicable, the Privacy Act (Canada), R.S.C. 1985, c. P-21; the Freedom of Information and Protection of Privacy Act (Ontario), R.S.O. 1990, c. F.31; the Municipal Freedom of Information and Protection of Privacy Act (Ontario), R.S.O. 1990, c. M.56; the Act respecting Access to documents held by public bodies and the Protection of personal information (Quebec), CQLR c. A-2.1; the Freedom of Information and Protection of Privacy Act (British Columbia), R.S.B.C. 1996, c. 165; the Freedom of Information and Protection of Privacy Act (Alberta), R.S.A. 2000, c. F-25; and any analogous provincial or territorial legislation (collectively, “Public Sector Privacy Laws”). Customer is solely responsible for determining which Public Sector Privacy Laws apply to its use of the Platform Services and for complying with such laws.
9.2 Crown and Governmental Immunity. Nothing in this DPA constitutes a waiver of any Crown immunity, governmental immunity, or similar immunity to which Customer may be entitled under applicable law. Service Provider acknowledges that certain remedies that might otherwise be available under this DPA, including injunctive relief, specific performance, punitive damages, or consequential damages, may be limited or entirely unavailable against a Governmental Entity under applicable law. Any such limitations shall not affect the validity or enforceability of the remaining provisions of this DPA.
9.3 Appropriations. To the extent Customer is a Governmental Entity, Customer’s obligations under this DPA are subject to the availability of lawfully appropriated funds. Service Provider shall not be entitled to any remedy against Customer for failure to perform obligations arising solely from a lack of appropriated funds, provided that Customer promptly notifies Service Provider of such circumstance.
9.4 Access to Information and Public Records Laws. Customer acknowledges that Customer Personal Data submitted to the Platform Services may be subject to applicable access to information, freedom of information, or public records laws (“Access Laws”). Customer is solely responsible for determining whether and how Access Laws apply to Customer Personal Data, for responding to any access to information request, and for any resulting disclosure. Service Provider shall, upon written request, provide reasonable assistance in identifying Customer Personal Data relevant to an access request. Service Provider’s compliance with a disclosure directed by Customer shall not constitute a breach of this DPA.
9.5 Public Sector Contracting Requirements. Customer shall notify Service Provider in writing of any public sector contracting requirements, data residency requirements, or similar specific data protection obligations that apply to Service Provider under Public Sector Privacy Laws or Customer’s procurement policies prior to execution of this DPA. Service Provider will use commercially reasonable efforts to accommodate such requirements, provided that Service Provider shall not be required to accept obligations that materially expand its liability or obligations beyond those in this DPA. For greater certainty, unless expressly agreed in writing by Service Provider, Customer Personal Data may be Processed outside of Canada in accordance with Section 10.
9.6 No Third-Party Beneficiaries. This DPA is for the sole benefit of the Parties and their permitted successors and assigns. No government agency, constituent, End User, or other third party is a third-party beneficiary of this DPA or has any right to enforce its terms.
10. CROSS-BORDER TRANSFERS OF PERSONAL INFORMATION
10.1 Acknowledgment of Transfers. Customer acknowledges and agrees that, in connection with Service Provider’s provision of the Platform Services, Customer Personal Data will be transferred to, stored in, accessed from, and Processed in the United States, and may be transferred to, stored in, accessed from, or Processed in other jurisdictions outside of Canada by Service Provider and its Sub-processors. Customer acknowledges that Personal Information Processed in the United States and other jurisdictions outside of Canada may be subject to the laws of those jurisdictions, including laws permitting access by foreign governmental, regulatory, national security, or law enforcement authorities, and that the laws of such jurisdictions may differ from those of Canada and may provide a level of protection that is different from, or lower than, that afforded under Applicable Canadian Privacy Law.
10.2 Customer Responsibility for Transfer Assessments and Notices. Customer is solely responsible for conducting any privacy impact assessment, factors analysis, or similar assessment required of Customer under Applicable Canadian Privacy Law in respect of cross-border transfers of Customer Personal Data, including any assessment required under section 3.3 of the Quebec Privacy Act before communicating Personal Information outside Quebec. Where Customer is subject to PIPA Alberta, Customer is solely responsible for providing the notices required by section 13.1 of PIPA Alberta to individuals regarding the use of a service provider outside Canada, including the designation of a person who is able to answer the individual’s questions about the collection, use, disclosure, or storage of Personal Information by service providers outside Canada. Customer is solely responsible for providing to individuals any notices or disclosures required under Applicable Canadian Privacy Law regarding the transfer, storage, or Processing of their Personal Information outside Canada (or outside Quebec, as applicable), and for obtaining any consents required under Applicable Canadian Privacy Law for such transfers. Upon Customer’s reasonable written request, Service Provider will provide information reasonably available to Service Provider and reasonably necessary to support Customer’s assessment, such as a general description of the categories of Sub-processors, the locations of Processing, and the security measures applied to Customer Personal Data.
10.3 Contractual Safeguards. Service Provider will, through this DPA and through its contractual arrangements with Sub-processors, implement contractual measures designed to provide a comparable level of protection to Customer Personal Data when Processed outside Canada, consistent with the accountability principle under Principle 4.1 of Schedule 1 to PIPEDA, Guidelines for Processing Personal Data Across Borders issued by the Office of the Privacy Commissioner of Canada, and, where applicable, section 17 of the Quebec Privacy Act. Such measures include the confidentiality, security, use limitation, sub-processor, retention, and incident notification obligations set forth in this DPA.
10.4 Quebec-Specific Provisions. Where Customer is subject to the Quebec Privacy Act, the following additional provisions apply with respect to the communication of Customer Personal Data outside Quebec:
(a) Customer represents and warrants that, prior to communicating Customer Personal Data to Service Provider, Customer has conducted the privacy impact assessment required under section 3.3 of the Quebec Privacy Act and has determined, taking into account the sensitivity of the information, the purposes for which it is to be used, the protection measures that would apply to it (including those set forth in this DPA), and the legal framework applicable in the State in which the information would be communicated, that the Personal Information will receive adequate protection in light of generally recognized principles regarding the protection of personal information;
(b) The Parties agree that this DPA constitutes the written agreement referenced in section 17 of the Quebec Privacy Act with respect to the communication of Personal Information outside Quebec; and
(c) Customer shall document its assessment in accordance with the Quebec Privacy Act and make such documentation available to the Commission d’accès à l’information upon request.
10.5 Governmental Access. Customer acknowledges that Service Provider may be required, as a matter of applicable law, to disclose Customer Personal Data in response to valid legal process or governmental requests issued by authorities with jurisdiction over Service Provider, including in the United States. Service Provider will, to the extent legally permitted, use reasonable efforts to notify Customer of any such request prior to disclosure and to challenge overbroad or unlawful requests. Nothing in this DPA requires Service Provider to violate applicable law or to resist lawful compulsory process.
10.6 No Guarantee of Data Residency. Unless expressly agreed in a separate writing signed by an authorized representative of Service Provider, Service Provider makes no commitment regarding the residency of Customer Personal Data in Canada or in any particular jurisdiction, and reserves the right to Process Customer Personal Data in any jurisdiction in which Service Provider or its Sub-processors operate, subject to the terms of this DPA.
11. LIMITATION OF LIABILITY AND DISCLAIMERS
11.1 Incorporation of Related Agreement Limitations. The limitations on Service Provider’s liability set forth in the Related Agreement, including any aggregate caps and exclusions of consequential, indirect, incidental, special, or punitive damages, apply in full to all claims arising under or related to this DPA. Nothing in this DPA expands Service Provider’s liability beyond the limits in the Related Agreement.
11.2 Aggregate Liability Cap. Notwithstanding any other provision of this DPA or the Related Agreement, Service Provider’s total aggregate liability to Customer for all claims arising under or related to this DPA, whether in contract, tort, statute, or otherwise, shall not exceed the total fees actually paid by Customer to Service Provider under the Related Agreement in the twelve (12) months immediately preceding the event giving rise to the claim.
11.3 Exclusion of Consequential Damages. IN NO EVENT SHALL SERVICE PROVIDER BE LIABLE TO CUSTOMER OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES OF ANY KIND, INCLUDING LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF DATA, LOSS OF GOODWILL, BUSINESS INTERRUPTION, OR THE COST OF SUBSTITUTE SERVICES, ARISING OUT OF OR RELATED TO THIS DPA OR THE PROCESSING OF CUSTOMER PERSONAL DATA, EVEN IF SERVICE PROVIDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
11.4 Disclaimer of Warranties. SERVICE PROVIDER MAKES NO WARRANTY, EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, WITH RESPECT TO THE SECURITY OR PRIVACY OF CUSTOMER PERSONAL DATA BEYOND THE OBLIGATIONS EXPRESSLY SET FORTH IN THIS DPA. SERVICE PROVIDER DOES NOT WARRANT THAT ITS SECURITY MEASURES WILL PREVENT ALL DATA BREACHES OR UNAUTHORIZED ACCESS.
11.5 Customer’s Sole Responsibility for Compliance. Service Provider’s performance of its obligations under this DPA does not constitute legal advice and does not guarantee Customer’s compliance with Applicable Canadian Privacy Law or any other law. Customer is solely responsible for its own legal compliance, including obtaining all required consents, providing all required notices, conducting all required privacy impact or factors assessments, and responding to all individual rights requests. Service Provider shall have no liability for Customer’s failure to comply with Applicable Canadian Privacy Law.
12. TERM AND TERMINATION
12.1 Term. This DPA is effective as of the Effective Date and remains in force for the duration of the Related Agreement.
12.2 Termination. This DPA terminates automatically upon the earlier of the termination or expiration of the Related Agreement and may not be terminated independently.
12.3 Survival. Sections 2.2 (Customer Representations), 7 (Retention and Deletion), 9 (Governmental Customer Provisions) where applicable, 10 (Cross-Border Transfers of Personal Information), 11 (Limitation of Liability and Disclaimers), and any other provisions that by their nature should survive, shall survive termination or expiration of this DPA.
13. GENERAL PROVISIONS
13.1 Order of Precedence. In the event of a conflict between this DPA and the Related Agreement with respect to the Processing of Customer Personal Data, this DPA shall prevail.
13.2 Governing Law. This DPA shall be governed by and construed in accordance with the governing law provision of the Related Agreement. To the extent Applicable Canadian Privacy Law mandates specific terms or dispute resolution procedures, those shall apply as required by law.
13.3 Language. The Parties have expressly requested and required that this DPA and all related documents be drawn up in the English language. Les parties ont expressément exigé que la présente entente et tous les documents connexes soient rédigés en anglais. Where Customer is located in Quebec and Applicable Canadian Privacy Law or other applicable law requires that this DPA be made available in French, Service Provider will provide a French-language version upon Customer’s written request; in the event of any discrepancy between the English and French versions, the English version shall prevail to the extent permitted by applicable law.
13.4 Updates. Service Provider may update this DPA from time to time to reflect changes in Applicable Canadian Privacy Law or Service Provider’s practices. Service Provider will provide Customer with reasonable prior notice of material changes. Customer’s continued use of the Platform Services after the effective date of any update constitutes acceptance.
13.5 Entire Agreement. This DPA, together with the Related Agreement and its schedules and exhibits, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior understandings relating thereto.
13.6 Severability. If any provision of this DPA is held invalid or unenforceable, the remaining provisions continue in full force.
13.7 No Waiver. No failure to exercise, and no delay in exercising, any right or remedy under this DPA constitutes a waiver of that right or remedy.
13.8 Counterparts; Electronic Signatures. This DPA may be executed in counterparts, each of which is an original. Electronic signatures are valid and binding.
13.9 No Third-Party Beneficiaries. This DPA is for the sole benefit of the Parties. No third party, including any End User, individual, or government body, has any right to enforce this DPA.
SCHEDULE A — DETAILS OF PROCESSING
This Schedule A forms part of the DPA and describes the processing activities to be performed by Service Provider.
| | |
|---|---|
| Subject matter of Processing: | Provision of the Platform Services as described in the Related Agreement |
| Duration of Processing: | For the term of the Related Agreement and as specified in Section 7 |
| Nature and purpose of Processing (Business Purpose): | Processing necessary to deliver, maintain, support, secure, and operate the Platform Services, including account management, transaction processing, technical support, security monitoring, and as otherwise directed by Customer in writing or described in the DPA |
| Processing Instructions: | In addition to other instructions, purposes and requirements of the DPA, Service Provider will Process Customer Personal Data in accordance with the following instructions, which Customer may supplement or modify in writing from time to time: (a) Customer’s configuration of the Platform Services, including user permissions, access controls, workflow settings, data fields, and reporting parameters, constitutes Customer’s instructions to Service Provider regarding the manner in which Customer Personal Data is organized, accessed, and used within the Platform Services; (b) Customer’s submission of data through the Platform Services constitutes Customer’s instruction to Process that data in connection with the specific Platform Services module or function to which it is submitted; and (c) Customer’s written requests submitted through Service Provider’s support channels, account management processes, or other designated means constitute ad hoc instructions for Processing activities outside the scope of Customer’s standard configuration. Service Provider has no obligation to evaluate whether Customer’s instructions are appropriate for Customer’s business purposes or compliant with applicable law, and Customer is solely responsible for the instructions it provides. |
| Categories and Type of Customer Personal Data: | [To be completed — e.g., employee names and contact information, constituent data, financial transaction data, procurement data, budget and compensation data as applicable to subscribed Platform Services] |
| Type of Sensitive Personal Information (if any): | [Identify if applicable — e.g., health information, financial account credentials, Social Insurance Numbers] |
| Categories of individuals: | Customer’s employees, End Users, and other individuals whose Personal Information Customer submits to the Platform Services |
| Jurisdictions of Processing: | United States (primary); additional jurisdictions may be used by Sub-processors as listed in Schedule B. Customer Personal Data is Processed outside Canada in accordance with Section 10. |
| Customer contact for Data Breach notification: | [ ] |
| Customer person in charge of protection of Personal Information (Quebec Privacy Act, where applicable): | [ ] |
SCHEDULE B — APPROVED SUB-PROCESSORS
The following Sub-processors are approved as of the Effective Date. Changes will be notified in accordance with Section 4.2.
| Sub-processor | Location | Processing Purpose |
|---|---|---|
| Sub-processors | Please refer to the full listing on our website at https://eunasolutions.com/privacy-policy/ | |
Additionally, the current Sub-processor list is available upon request from [email protected].
SCHEDULE C — ARTIFICIAL INTELLIGENCE AND AUTOMATED PROCESSING
This Schedule C forms part of the DPA and applies only where Customer’s subscription under the Related Agreement includes AI Features as defined herein. Where Schedule C does not apply, the terms of this Schedule C create no obligations for either Party. In the event of a conflict between this Schedule C and the DPA body with respect to the Processing of Customer Personal Data through AI Features, this Schedule C shall prevail.
C.1 Definitions. As used in this Schedule C:
(a) “AI Features” means any artificial intelligence, machine learning, generative AI, automated decision-making, or similar algorithmic processing capabilities made available by Service Provider as part of the Platform Services, as identified in the applicable order form, statement of work, or product documentation.
(b) “AI Output” means any content, recommendation, prediction, decision, score, summary, or other result generated by AI Features in connection with the Processing of Customer Personal Data.
(c) “Third-Party AI Provider” means any third-party provider of AI infrastructure, foundation models, or machine learning services engaged by Service Provider in connection with the delivery of AI Features, as listed in Schedule B.
C.2 Scope of Processing Through AI Features. Service Provider will Process Customer Personal Data through AI Features only: (a) as directed by Customer through Customer’s configuration and use of the Platform Services; (b) for the Business Purpose; and (c) subject to the restrictions on use and disclosure set forth in the DPA. This Schedule C supplements but does not replace the processing obligations in the DPA body, which continue to apply to all Processing of Customer Personal Data including Processing through AI Features.
C.3 Prohibition on Training. Service Provider will not use Customer Personal Data to train, develop, fine-tune, or otherwise improve any AI or machine learning model, whether operated by Service Provider or a Third-Party AI Provider, for use beyond the specific instance of the Platform Services provided to Customer under the Related Agreement, without Customer’s prior written consent. Service Provider will impose equivalent restrictions on any Third-Party AI Provider with access to Customer Personal Data in connection with the AI Features.
C.4 Third-Party AI Providers. Customer acknowledges that certain AI Features may be powered by Third-Party AI Providers, which may be located outside of Canada. Service Provider will: (a) identify any Third-Party AI Providers with access to Customer Personal Data in Schedule B; (b) impose data protection obligations on such providers that are materially consistent with those in this DPA with respect to Customer Personal Data; and (c) require that such providers do not use Customer Personal Data to train their own models or for any purpose other than delivering the AI Features to Service Provider on Customer’s behalf. Processing by Third-Party AI Providers outside Canada is subject to Section 10.
C.5 Automated Decision-Making — Customer’s Responsibility. To the extent AI Features generate AI Outputs that Customer uses to inform or make decisions about individuals, Customer acknowledges and agrees that: (a) Customer is solely responsible for evaluating the appropriateness, accuracy, and fitness of AI Outputs before applying them to any decision affecting individuals; (b) Service Provider does not represent or warrant the accuracy, completeness, reliability, or fitness for any particular purpose of AI Outputs, and AI Outputs may contain errors, omissions, or inaccuracies inherent in AI and machine learning systems; (c) Customer shall maintain appropriate human oversight of any decision based exclusively on the automated processing of Personal Information that produces legal or similarly significant effects concerning individuals, to the extent required by Applicable Canadian Privacy Law (including section 12.1 of the Quebec Privacy Act) or any applicable AI-specific law or regulation; and (d) Customer shall not rely solely on AI Outputs as the basis for decisions that produce legal or similarly significant effects concerning individuals without human review.
C.6 Individual Rights Regarding Automated Processing. To the extent Applicable Canadian Privacy Law grants individuals rights with respect to automated decision-making, profiling, or AI-generated outputs, including the right under section 12.1 of the Quebec Privacy Act to be informed of decisions based exclusively on automated processing and to request human review of such decisions, Customer is solely responsible for receiving, evaluating, and responding to such rights requests with respect to Customer’s deployment and use of AI Features, including providing any required notices to individuals. Service Provider will provide reasonable technical assistance to Customer in fulfilling such obligations upon Customer’s written request, to the extent technically feasible given the nature of the AI Features and the information available to Service Provider.
C.7 AI-Specific Regulatory Compliance. Customer is solely responsible for determining whether its deployment and use of AI Features is subject to any AI-specific law or regulation, including, without limitation, Canada’s proposed or enacted federal AI legislation (including any successor to the Artificial Intelligence and Data Act), any Canadian provincial AI law or regulation, or any applicable international AI framework, and for fulfilling any resulting compliance obligations, including algorithmic impact assessments, disclosures to affected individuals, and any required regulatory filings or registrations. Service Provider will provide reasonable cooperation to Customer in connection with such obligations upon Customer’s written request, at Customer’s expense.
C.8 Changes in AI-Specific Law. In the event that any amendment to, or change in, any applicable AI-specific law or regulation imposes obligations on Service Provider with respect to AI Features that are materially beyond those required as of the Effective Date of this DPA, or that would require Service Provider to incur material additional costs to comply, the provisions of Section 3.3 of the DPA governing changes in law shall apply with equal force to such AI-specific legal changes.
C.9 Disclaimer Regarding AI Outputs. CUSTOMER ACKNOWLEDGES THAT AI FEATURES INVOLVE INHERENT LIMITATIONS AND RISKS, INCLUDING THE POTENTIAL FOR INACCURATE, INCOMPLETE, BIASED, OR OTHERWISE ERRONEOUS OUTPUTS. SERVICE PROVIDER MAKES NO WARRANTY, EXPRESS OR IMPLIED, REGARDING THE ACCURACY, RELIABILITY, COMPLETENESS, OR FITNESS FOR ANY PARTICULAR PURPOSE OF ANY AI OUTPUT. CUSTOMER ASSUMES ALL RISK ARISING FROM ITS RELIANCE ON OR USE OF AI OUTPUTS, AND SERVICE PROVIDER SHALL HAVE NO LIABILITY FOR ANY HARM, LOSS, OR DAMAGE ARISING FROM CUSTOMER’S USE OF, RELIANCE ON, OR DECISIONS MADE IN CONNECTION WITH AI OUTPUTS, INCLUDING WHERE SUCH HARM RESULTS FROM ERRORS, HALLUCINATIONS, BIASES, OR OTHER LIMITATIONS INHERENT IN AI SYSTEMS.
C.10 Schedule A and Schedule B. Where AI Features are included in Customer’s subscription: (a) Customer shall identify in Schedule A any categories of Customer Personal Data that will be submitted to or Processed by AI Features, and the specific Business Purpose for such Processing; and (b) Service Provider shall identify in Schedule B any Third-Party AI Providers with access to Customer Personal Data, which Customer hereby authorizes subject to the requirements of Section C.4 and Section 4 of the DPA.