Version 1.0
Last Updated: August 11, 2025

Data Processing Agreement

Enterprise-Grade Data Protection Addendum

Important Notice

This Data Processing Agreement ("DPA") is supplemental to the TeamFloe Terms of Service and applies when Customer processes personal data through the Service.

For Enterprise customers requiring a signed DPA, please contact legal@teamfloe.com with your specific requirements.

1. Definitions

For purposes of this DPA:

  • "Controller" means the entity that determines the purposes and means of processing Personal Data
  • "Processor" means the entity that processes Personal Data on behalf of the Controller
  • "Data Subject" means the individual to whom Personal Data relates
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" means any operation performed on Personal Data
  • "Sub-processor" means any third party engaged by Processor to process Personal Data
  • "Data Protection Laws" means all applicable privacy and data protection laws including PIPEDA, GDPR, and CCPA
  • "Security Incident" means unauthorized access to or disclosure of Personal Data

2. Scope and Roles

2.1 Scope of Processing

This DPA applies to the processing of Personal Data by TeamFloe (Processor) on behalf of Customer (Controller) in connection with the Service.

2.2 Roles and Responsibilities

  • Customer acts as the Controller of Personal Data
  • TeamFloe acts as the Processor of Personal Data
  • TeamFloe processes Personal Data only on documented instructions from Customer

2.3 Customer Instructions

Customer instructs TeamFloe to process Personal Data: (a) to provide the Service; (b) as documented in the Terms of Service; (c) as required by applicable law; and (d) as otherwise agreed in writing.

3. Details of Processing

3.1 Subject Matter and Duration

  • Subject Matter: Engineering analytics and DORA metrics platform
  • Duration: Term of the Agreement plus retention period
  • Nature: SaaS platform for software development analytics
  • Purpose: Provide engineering metrics and AI-powered insights

3.2 Categories of Data Subjects

  • Customer's employees and contractors
  • Software developers and engineers
  • GitHub contributors
  • Customer's authorized users

3.3 Types of Personal Data

  • Names and email addresses
  • GitHub usernames and profiles
  • Code contribution metadata
  • Pull request and review data
  • Team membership information
  • Usage and activity data

3.4 Special Categories

TeamFloe does not intentionally process special categories of Personal Data (sensitive data such as health, biometric, or financial information).

4. Processor Obligations

TeamFloe shall:

  • Process Personal Data only on documented instructions from Customer
  • Ensure persons processing Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist Customer in responding to Data Subject requests
  • Assist Customer with security, breach notification, and impact assessments
  • Delete or return Personal Data upon termination
  • Make available information necessary to demonstrate compliance
  • Notify Customer if instructions infringe Data Protection Laws

5. Technical and Organizational Measures

5.1 Security Measures

TeamFloe implements and maintains the following security measures:

Technical Measures

  • Encryption at rest and in transit
  • Access controls and authentication
  • Network security and firewalls
  • Regular security updates
  • Vulnerability scanning
  • Intrusion detection

Organizational Measures

  • Security training for personnel
  • Access on need-to-know basis
  • Confidentiality agreements
  • Incident response procedures
  • Regular security reviews
  • Vendor management

5.2 Security Updates

TeamFloe may update security measures provided the updates do not materially decrease the overall security of the Service.

6. Sub-processors

6.1 Authorized Sub-processors

Customer authorizes TeamFloe to engage the following sub-processors:

Sub-processor         Purpose               Location
Amazon Web Services   Cloud Infrastructure  United States/Canada
Vercel                Application Hosting   United States
Stripe                Payment Processing    United States
SendGrid              Email Services        United States
Google Cloud          AI Services           United States

6.2 New Sub-processors

TeamFloe will notify Customer of new sub-processors 30 days in advance. Customer may object to new sub-processors on reasonable grounds within 14 days of notification.

6.3 Sub-processor Requirements

TeamFloe ensures sub-processors are bound by data protection obligations materially similar to this DPA and remains liable for sub-processor compliance.

7. Data Subject Rights

7.1 Assistance with Rights

TeamFloe shall assist Customer in fulfilling obligations to respond to Data Subject requests for:

  • Access to Personal Data
  • Rectification of Personal Data
  • Erasure of Personal Data
  • Data portability
  • Restriction of processing
  • Objection to processing

7.2 Response Procedure

If TeamFloe receives a Data Subject request, it will promptly notify Customer and will not respond directly except as instructed by Customer or required by law.

8. Security Incident Management

8.1 Notification

TeamFloe will notify Customer without undue delay (within 72 hours) after becoming aware of a Security Incident affecting Customer's Personal Data.

8.2 Information Provided

Notification will include:

  • Description of the Security Incident
  • Categories and approximate number of affected Data Subjects
  • Categories and approximate number of affected Personal Data records
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the incident
  • Contact point for more information

8.3 Cooperation

TeamFloe will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of Security Incidents.

9. International Data Transfers

9.1 Transfer Mechanisms

For transfers of Personal Data outside of Canada or the EEA, TeamFloe relies on:

  • Adequacy decisions where available
  • Standard Contractual Clauses (SCCs) where required
  • Other appropriate safeguards under Data Protection Laws

9.2 Standard Contractual Clauses

For EU data transfers, the EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated by reference and available upon request.

10. Audits and Compliance

10.1 Right to Audit

TeamFloe will make available to Customer information necessary to demonstrate compliance with this DPA and allow for audits, subject to:

  • Reasonable advance notice (minimum 30 days)
  • During regular business hours
  • No more than once per year unless required by law
  • Execution of confidentiality agreement
  • Customer bearing audit costs

10.2 Certifications

TeamFloe may provide certifications, attestations, or third-party audit reports to satisfy audit requirements where appropriate.

11. Data Return and Deletion

11.1 Upon Termination

Upon termination of the Agreement, TeamFloe will, at Customer's choice:

  • Return all Personal Data to Customer in a standard format
  • Delete all Personal Data and provide certification of deletion
  • Combination of return and deletion as specified

11.2 Retention Period

Personal Data will be available for export for 60 days after termination. After this period, all Personal Data will be permanently deleted.

11.3 Exceptions

TeamFloe may retain Personal Data to the extent required by applicable law, provided it ensures continued protection and limits processing to legal requirements.

12. Liability and Indemnification

12.1 Liability Cap

Each party's liability under this DPA is subject to the limitations in the Terms of Service, except as required by Data Protection Laws.

12.2 Indemnification

Each party will defend and indemnify the other against claims brought by Data Subjects or regulatory authorities arising from that party's breach of this DPA.

13. Term and Termination

This DPA is effective upon execution and continues for the duration of the Agreement. Termination of the Agreement automatically terminates this DPA.

Obligations regarding confidentiality, data deletion, and any provisions that by their nature should survive, will survive termination.

14. Governing Law and Jurisdiction

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, without regard to conflict of law principles.

Any disputes arising under this DPA will be resolved according to the dispute resolution provisions in the Terms of Service.

15. Order of Precedence

In case of conflict between this DPA and the Terms of Service regarding data protection matters, this DPA will prevail. For all other matters, the Terms of Service will prevail.

16. Contact Information

For DPA-related inquiries:

TeamFloe

Privacy Officer

Email: privacy@teamfloe.com

Legal: legal@teamfloe.com

Execution

By accepting the Terms of Service, Customer agrees to this DPA. No separate signature is required unless specifically requested for Enterprise agreements.

For Enterprise customers requiring a countersigned DPA, please contact legal@teamfloe.com with your requirements.