Data Processing Addendum
Last Updated April 9, 2024
This Data Processing Addendum (“DPA”) is incorporated by reference into the Terms of Service (the “Agreement”) or any other agreement for the delivery of products or services by Unleashd Technologies Ltd. (“Unleashd”) to the Customer. This DPA is in force as of the Effective Date of the Agreement.

Any defined terms not otherwise defined herein shall have the meaning given to them in the Agreement, and all principles of interpretation shall be those set forth in the Agreement.

This DPA is supplemental to the Agreement and sets out the terms that apply when Personal Data (defined below) is Processed (defined below) by Unleashd under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with applicable laws, and with due respect for the rights and freedoms of individuals whose Personal Data is Processed.
DATA PROCESSING TERMS
In providing the Products and Services to Customer pursuant to the Agreement, Unleashd may Process Personal Data on behalf of Customer. Unleashd will comply with the provisions in this DPA with respect to its Processing of any Personal Data.

Capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.
1. DEFINITIONS
1.1
For the purposes of this DPA:
a)
"Affiliate(s)" has the same meaning ascribed to it in the Agreement and, if not defined in the Agreement, the term means any other entity that, directly or indirectly through one or more intermediaries, controls, is controlled by, or is under common control with, that Party.
b)
"Controller" means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
c)
"Customer" means the non-Unleashd party to both the Agreement and this DPA that has access to the Products and Services.
d)
"Customer Data" means any information that is held, used, or provided to Unleashd by the Customer in the course of Customer’s use of the Products and Services, including any information derived from such information.
e)
"Data Subject" means the individual to whom Personal Data relates.
f)
"Data Protection Legislation" means all applicable federal, provincial and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.
g)
"Personal Data" means any Customer Data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Document Name | Hyperlink
Data Processing Addendum | https://www.unleashd.ca/dpa
Privacy Policy | https://www.unleashd.ca/privacy
h)
"Processor" means an entity which Processes Personal Data on behalf of the Controller.
i)
"Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
j)
"Products and Services" means, without limitation, any products and services that are ordered by the Customer under an Order Form or online purchasing portal, and includes any such Products and Services as may be added by Unleashd from time to time.
k)
"Supervisory Authority" means the Office of the Privacy Commissioner in Canada, and any such equivalent organization with respect to Data Protection Legislation in other jurisdictions.
2. APPLICABILITY OF DATA PROCESSING ADDENDUM
2.1
Applicability. This DPA shall apply to all Customers to the extent Unleashd Processes Personal Data of Data Subjects on behalf of a Customer or a Customer Affiliate.
3. DETAILS OF THE PROCESSING
3.1
Types of Personal Data Processed. The categories of Personal Data are determined by the Customer in its sole discretion and may include but are not limited to: first and last name; contact information (e.g., email, phone, phys
3.2
Special Categories of Personal Data. Special categories of Personal Data are not required to be collected or processed for the provision of Products and Services. Should the Customer choose to include this type of data, it is done so at the Customer’s sole discretion and may include but is not limited to, information revealing racial/ethnic origin, political, religious or philosophical beliefs, trade union membership or health data.
3.3
Categories of Data Subjects. The categories of Data Subjects whose Personal Data may be Processed in connection with the Products and Services are determined and controlled by Customer in its sole discretion and may include but are not limited to: customers and prospects of Customer; employees or contractors of Customer's prospects and customers, and; employees and contractors of Customer.
3.4
Nature of Processing Operations. Unleashd will Process Personal Data as necessary to provide the Products and Services pursuant to the Agreement. The Processing operations performed on the Personal Data will depend on the scope of Customer's Products and Services and Customer's configuration of its Unleashd instance. Such Processing operations of Personal Data as necessary for Unleashd to provide the Products and Services may include the following: collecting, recording, organizing, storage, use, alteration, disclosure, transmission, combining, retrieval, consultation, archiving and/or destruction.
4. ROLES AND RESPONSIBILITIES
4.1
Parties' Roles. Customer, as Controller, appoints Unleashd as a Processor to process the Personal Data on Customer's behalf. In some circumstances Customer may be a Processor, in which case Customer appoints Unleashd as Customer's sub-processor, which shall not change the obligations of either Customer or Unleashd under this DPA, as Unleashd will remain a Processor with respect to the Customer in such event.
4.2
Purpose Limitation. Unleashd shall Process Personal Data for the purposes set forth in the Agreement and only in accordance with the lawful, documented instructions of Customer, except where otherwise required by applicable law. The Agreement and this DPA set out Customer's complete instructions to Unleashd in relation to the Processing of Personal Data and any Processing required outside of the scope of these instructions (inclusive of the rights and obligations set forth under the SA) will require prior written agreement of the parties.
4.3
Training. Unleashd shall ensure that its relevant employees, agents and contractors receive appropriate training regarding their responsibilities and obligations with respect to the Processing, protection and confidentiality of Personal Data.
4.4
Compliance. Unleashd, as Processor, has complied and will continue to comply with all applicable privacy and data protection laws including, but not limited to, Data Protection Legislation. Customer, as Controller, shall be responsible for ensuring that, in connection with Customer Data and the Products and Services:
a)
it has complied, and will continue to comply, with all applicable privacy and data protection laws, including Data Protection Legislation; and
b)
it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to Unleashd for Processing in accordance with the terms of the Agreement and this DPA.
5. SECURITY
5.1
Security. Unleashd shall implement appropriate technical and organizational measures taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. These measures are listed in Annex 1 to this DPA, and shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use (each a "Security Incident") and in accordance with Unleashd's security standards as set forth in the Agreement. Notwithstanding any provision to the contrary, we may modify or update the Security Measures at our discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
5.2
Confidentiality of Processing. Unleashd shall ensure that any person that it authorizes to Process the Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be subject to an adequate duty of confidentiality (whether a contractual or a statutory duty) that shall survive the termination of their employment and/or contractual relationship.
5.3
Security Incidents. Upon becoming aware of an actual security incident which may affect the Customer, Unleashd shall notify Customer without undue delay and pursuant to the terms of the Agreement and shall provide such timely information as Customer may reasonably require to enable Customer to fulfill any data breach reporting obligations under applicable Data Protection Legislation. Unleashd will take steps to immediately identify and initiate actions to remediate the cause of such security incident.
6. SUB-PROCESSING
6.1
Sub-processors. Customer agrees that Unleashd may engage Unleashd Affiliates and third party sub-processors (collectively, "Sub-processors") to Process the Personal Data on Unleashd’s behalf. The Sub-processors currently engaged by Unleashd and authorized by Customer are listed in Annex 2 to this DPA. Unleashd shall impose on such Sub-processors data protection terms that protect the Personal Data to the same standard provided for by this DPA and shall remain liable for any breach of the DPA caused by a Sub-processor. Unleashd will publish, on its website, any changes of sub-processors from time to time.
7. COOPERATION
7.1
Data Subjects' Rights. Unleashd shall provide commercially reasonable assistance, including by appropriate technical and organizational measures as reasonably practicable, to enable Customer to respond to any inquiry, communication or request from a Data Subject seeking to exercise his or her rights under applicable Data Protection Legislation, including rights of access, correction, restriction, objection, erasure or data portability, as applicable. In the event such inquiry, communication or request is made directly to Unleashd, Unleashd shall promptly inform Customer by providing the full details of the request. For the avoidance of doubt, Customer is responsible for responding to Data Subject requests for access, correction, restriction, objection, erasure or data portability involving that Data Subject's Personal Data.
7.2
Supervisory Authorities. Unleashd shall notify Customer without undue delay if a Supervisory Authority or law enforcement authority makes any inquiry or request for disclosure regarding Personal Data, where not lawfully prohibited from doing so.
7.3
Data Protection Impact Assessments and Prior Consultation. Unleashd shall, to the extent required by Data Protection Legislation, provide Customer with reasonable assistance with data protection impact assessments and/or prior consultations with Supervisory Authorities that Customer is required to carry out under Data Protection Legislation.
8. SECURITY REPORTS AND AUDITS
8.1
Any provision of security attestation or audit reports (such as SOC 2, Type II or equivalent) shall take place in accordance with Customer's rights under the Agreement. If the Agreement does not include a provision regarding security attestation reports or audit rights, Unleashd shall provide a copy of its most current security report upon Customer's written request and subject to the confidentiality provisions of the Agreement. Unleashd shall allow Customer (or Customer's independent third-party auditor) to conduct an on-site audit of the procedures relevant to the protection of Customer’s Personal Data, subject to the confidentiality provisions of the Agreement. Customer and Unleashd will discuss and agree in advance on the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any audit; and Unleashd reserves the right to charge a fee (based on Unleashd's reasonable costs) for any such audit. Unleashd will provide further details of any applicable fee and the basis of its calculation to Customer in advance of such audit.
9. DELETION OR RETURN OF CUSTOMER DATA 
9.1
Deletion or Return of Data. Unleashd will retain Personal Data for a period of thirty (30) days after termination of the Agreement. Upon expiration of this period, Unleashd shall, in accordance with the terms of the Agreement, delete or make available to Customer for retrieval all relevant Personal Data (including copies) in Unleashd's possession, save to the extent that Unleashd is required by any applicable law to retain some or all of the Personal Data. In such event, Unleashd shall extend the protections of the Agreement and this DPA to such Personal Data and limit any further Processing of such Personal Data to only those limited purposes that require the retention, for so long as Unleashd maintains the Personal Data.
10. MISCELLANEOUS
10.1
Except as amended by this DPA, the Agreement will remain in full force and effect.
10.2
If there is a conflict between the Agreement and this DPA, the terms of this DPA will control with respect to the matters set out herein.
10.3
Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
10.4
The limitations on liability set out in the Agreement apply to all claims made pursuant to any breach of the terms of this DPA.
10.5
The parties agree that the Customer shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of its Affiliates as if such acts, omissions or negligence had been committed by the Customer itself.
10.6
The Customer shall not be entitled to recover more than once in respect of the same loss.
Annex 1 - Technical and Organizational Security Measures
Information Security Program
Unleashd maintains an information security program focused on the security and integrity of Customer Data. Unleashd’s information security program includes administrative, technical, and operational controls appropriate for the size of its business and the types of information it processes.

Physical Protection
Unleashd maintains physical and environmental controls on its corporate office spaces, including restricted access to the facility. Entry to Unleashd’s buildings is secured via RFID security access card and alarms are enabled when the buildings are unoccupied.

Visitors are required to sign into a visitor log, and require supervision and a legitimate and specific business purpose for their visit.

Physical access to corporate offices or data processing centers is revoked upon employee separation, and is reviewed on a semi-annual basis.

Network Security and Encryption
Unleashd has implemented industry standard security controls to protect Customer Data from loss or unauthorized disclosure. Unleashd implements network boundary protection mechanisms to its production systems.

Data is encrypted in transit and at rest. 

Personal data is transmitted via SFTP or API. Point to point VPN tunnels are set up between Unleashd’s offices and AWS Data Centres, with IP restrictions to limit access.

Unleashd’s AWS database instances use the industry-standard AES-256 encryption algorithm to encrypt the data. Each customer’s data set is partitioned within the database to ensure no cross contamination.

Monitoring
Unleashd monitors its systems by logging security-related events, alerting on suspicious activity, and conducting further analysis on suspicious activity.

Transmission Control
System logs audit and track the transmission of personal data for both internal parties as well as receiving or sending to external parties. User audit logging is used within the platform to identify usage and activity. 

Access to systems that contain personal data is restricted to authorized personnel and within each platform restricted to the mechanism of delivery required for the specific service function.

Logical Access Control
Access to Customer Data is restricted based on the least privilege principle. Access is issued via a documented access authorization process, and revoked as soon as practicable on personnel separation. Requests for access are recorded in an internal tracking tool and an audit log of permissions is stored within the platform. Periodic and annual reviews of audit logs are conducted. 

Users are required to set their password at first login and it is prohibited to share, store, or transmit passwords at any time. 

There is a minimum requirement of 8 characters, and weak or previously used passwords are rejected. Multi-factor authentication is enabled on all user accounts, and passwords expire every 6 months.

Personnel Security
Unleashd ensures it hires skilled professionals who sign a confidentiality agreement, acceptable use of information systems agreement, and code of conduct. Annual training pertaining to data protection practices is mandatory for all employees, and personnel transfers result in access management changes based on least privilege and role.

Incident Management
Unleashd maintains an information security incident management program that provides timely response and notification as appropriate to security incidents in order to protect Customer Data.

Backup and recovery exists as part of Unleashd’s overall AWS Infrastructure along with multiple layers of redundancy. Backups are performed weekly at a minimum.

Anti-virus is maintained on workstations and servers, and scans are completed daily. Real-time scanning is enabled on all systems for immediate threat protection, and all locations have firewalls with active subscriptions for up-to-date threat watch and management. Security patches and fixes for known system vulnerabilities are promptly implemented and updated.

Audit and Compliance
Unleashd periodically reviews the security controls put in place by its third party providers and sub-processors to ensure that they have implemented adequate security controls to protect Customer Data that may be stored or accessed by its third party providers.

Audits of internal processes are conducted annually.
Annex 2 - List of Sub-Processors
Sub-Processor | Purpose | Location
Absolute Results Productions Ltd. | Call Centre | Canada
Amazon Web Services, Inc. | Data Storage | Ireland
SendGrid Services | Email Campaign Deployment | USA
Stripe | Payment Processing | USA
Twilio Inc. | SMS Campaign Deployment | USA
Depending on which products and services are subscribed to, some of the sub-processors listed above may not be applicable. For more information, please contact us.