Data Processing Agreement

Last Updated: May 26, 2026 · Version 2026-05-26

This Data Processing Agreement ("DPA") is incorporated by reference into the Gid AI Terms of Service and any executed Master Subscription Agreement ("Agreement") between you ("Customer") and Gid Solutions, Inc., operating as "Gid AI" ("Gid"). It applies whenever Gid processes Personal Data on behalf of Customer in the course of providing the Service. Where there is a conflict between this DPA and the Agreement with respect to processing of Personal Data, this DPA controls.

This DPA is binding without separate signature when the Agreement is accepted. Enterprise Customers may request a counter-signed copy by emailing legal@gidai.ca.

1. Definitions

Capitalized terms not defined here have the meaning set out in the Agreement, the GDPR, the UK GDPR, Quebec Law 25, or the applicable U.S. state privacy law, as the context requires.

  • "Applicable Data Protection Law" means all data-protection and privacy laws applicable to the processing of Personal Data under this DPA, including the EU GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection, the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA"), Quebec's Act respecting the protection of personal information in the private sector as amended by Law 25, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and the comparable laws of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and any other U.S. state with applicable comprehensive privacy law, and the Digital Personal Data Protection Act, 2023 of India ("DPDP Act").
  • "Controller" (or "Business" under CCPA, or "Data Fiduciary" under the DPDP Act) means the entity that determines the purposes and means of processing Personal Data.
  • "Customer Personal Data" means Personal Data that Gid processes on behalf of Customer as part of the Service.
  • "Data Subject" (or "Consumer" under CCPA, or "Data Principal" under the DPDP Act) means the natural person to whom Personal Data relates.
  • "Personal Data" means information relating to an identified or identifiable natural person.
  • "Personal Data Breach" has the meaning set out in Article 4(12) of the GDPR.
  • "Processor" (or "Service Provider" under CCPA, or "Data Processor" under the DPDP Act) means the entity that processes Personal Data on behalf of a Controller.
  • "Sub-processor" means a third party engaged by Gid to process Customer Personal Data on Gid's behalf.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission Decision (EU) 2021/914 of 4 June 2021, in their then-current form, and any equivalent clauses recognized by the UK Information Commissioner's Office, the Swiss FDPIC, and the Data Protection Board of India.

2. Roles & scope

The parties acknowledge that, with respect to Customer Personal Data, Customer is the Controller (or Business, or Data Fiduciary) and Gid is the Processor (or Service Provider, or Data Processor), unless otherwise specified for a particular processing activity.

Gid acts as Controller for a limited set of operational Personal Data for which Gid itself determines the purposes of processing (such as account-administration data, billing records, security logs, and support correspondence). Processing of such data is governed by the Gid Privacy Policy, not this DPA.

3. Details of processing (Article 28(3) GDPR)

See Annex 1 for the subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects.

4. Gid's obligations as Processor

Gid will:

  • (a) Process on documented instructions. Process Customer Personal Data only on documented instructions from Customer, which include the Agreement, this DPA, and Customer's use of the Service. Gid will inform Customer if it considers an instruction to infringe Applicable Data Protection Law, unless prohibited by law from doing so.
  • (b) Confidentiality. Ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
  • (c) Security. Implement appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex 2.
  • (d) Sub-processing. Engage Sub-processors only in accordance with Section 5.
  • (e) Data-subject requests. Assist Customer, taking into account the nature of the processing and information available to Gid, in responding to Data Subject requests under Applicable Data Protection Law (Section 6).
  • (f) Security incidents. Notify Customer of a Personal Data Breach in accordance with Section 8.
  • (g) DPIAs and prior consultation. Provide reasonable assistance with Customer's data protection impact assessments and prior consultations with supervisory authorities (Articles 35 and 36 GDPR), taking into account the nature of the processing and the information available to Gid.
  • (h) Deletion or return. At Customer's choice, delete or return all Customer Personal Data at the end of the Service, subject to legal retention requirements (Section 11).
  • (i) Audit rights. Make available all information necessary to demonstrate compliance with this Section 4, and allow audits, in accordance with Section 9.

5. Sub-processors

Customer authorizes Gid to engage the Sub-processors listed at gidai.ca/sub-processors. Gid will:

  • Impose written contractual obligations on each Sub-processor that are equivalent to the obligations set out in this DPA, including the security, confidentiality, sub-processing, and data-transfer obligations;
  • Remain liable to Customer for the acts and omissions of its Sub-processors as if they were Gid's own;
  • Provide Customer with at least thirty (30) days' advance notice of any addition or replacement of a Sub-processor by email (to addresses subscribed at privacy@gidai.ca) and by updating gidai.ca/sub-processors;
  • Honor a Customer's reasonable objection, made on data-protection grounds, to a new Sub-processor. If the parties cannot find a mutually acceptable resolution, Customer may terminate the affected portion of the Service for material breach with a pro-rated refund of pre-paid, unused fees.

6. Data-subject rights

Gid provides Customer with functionality and procedures that enable Customer to respond to Data Subject requests for access, correction, deletion, restriction, portability, objection, and (where applicable) automated-decision review. Where a Data Subject contacts Gid directly with such a request, Gid will refer the request to Customer (the Controller) without responding to the substance, unless instructed otherwise by Customer or required by law.

The standard tooling is described at gidai.ca/privacy §9.A and includes in-app export, in-app deletion, web-form export, and web-form deletion. Where additional Customer-specific assistance is required, Gid will assist in good faith, subject to reasonable cost recovery for non-standard requests.

7. Security (Article 32 GDPR)

Gid maintains technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures are described in Annex 2. Gid reviews and updates these measures regularly to reflect the evolving threat landscape and the sensitivity of the data we process.

8. Personal Data Breach notification

Gid will notify Customer without undue delay, and in any event within seventy-two (72) hours, of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include, to the extent then known:

  • The nature of the breach, the categories and approximate number of Data Subjects affected, and the categories and approximate volume of Personal Data records affected;
  • The likely consequences of the breach;
  • The measures taken or proposed to address the breach, including measures to mitigate adverse effects;
  • The contact point for further information.

Where information is not available when the initial notification is sent, Gid will provide it in stages without further undue delay. Notifications are sent to the security contact on Customer's account; Customer is responsible for keeping that contact current.

9. Audit rights

On reasonable written notice and no more than once per twelve-month period (except following a Personal Data Breach affecting Customer), Customer may audit Gid's compliance with this DPA. Audits will be conducted during business hours, with reasonable care to minimize disruption.

To minimize disruption, Gid will satisfy audit obligations by making available, on request: (i) the latest available SOC 2 / ISO 27001 / equivalent reports of its infrastructure Sub-processors (such as Google Cloud Platform and Stripe), (ii) Gid's own security documentation and policies, (iii) responses to a reasonable security questionnaire, and (iv) where Customer requires more, an on-site or remote audit by an independent third-party auditor bound by appropriate confidentiality. Customer bears the costs of any audit beyond the documentation review.

Gid is not required to provide access to data of other customers, internal commercially sensitive information not relevant to the audit, or systems beyond those used to process Customer Personal Data.

10. International data transfers

Where Customer Personal Data subject to the EU GDPR, UK GDPR, Swiss FADP, or the DPDP Act is transferred from the EEA, UK, Switzerland, or India to a country without an adequacy decision, the parties hereby agree to the following:

  • EU SCCs. The parties incorporate Module 2 (Controller to Processor) of the EU SCCs by reference. Where applicable, the parties also incorporate Module 3 (Processor to Sub-processor) for onward transfers. The optional docking clause (Clause 7) is included. Option 2 of Clause 9(a) is selected, with a notice period of thirty (30) days as set out in Section 5. The supervisory authority for Clause 13 is determined under Annex I.C of the SCCs based on Customer's establishment.
  • UK Addendum. For data transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs issued by the UK ICO applies.
  • Switzerland. For data transfers subject to the Swiss FADP, references to the GDPR in the SCCs are interpreted as references to the FADP, and the Swiss FDPIC is the competent authority.
  • India. Transfers from India are subject to Section 16 of the DPDP Act and any restrictions notified by the Government of India. We will update this DPA when implementing regulations are issued.
  • Conflict. In the event of a conflict between this DPA and the SCCs (or UK Addendum), the SCCs / UK Addendum control to the extent necessary for compliance with Applicable Data Protection Law.

11. Deletion or return at end of services

Within sixty (60) days after termination or expiration of the Service, Gid will, at Customer's choice, return or delete all Customer Personal Data, except to the extent retention is required by law (such as 7-year financial records or hashed records on a suppression list). Customer's documented choice should be sent to privacy@gidai.ca. If Customer does not communicate a choice, Gid will delete (default).

12. CCPA / U.S. state-law specific terms

For the purposes of the CCPA and comparable U.S. state laws, Gid is engaged as a Service Provider, Processor, or equivalent role. Gid shall:

  • Process Customer Personal Data only for the business purposes set out in the Agreement and this DPA, and not for any other commercial purpose;
  • Not sell or share (as those terms are defined under the CCPA) Customer Personal Data;
  • Not retain, use, or disclose Customer Personal Data outside of the direct business relationship with Customer;
  • Not combine Customer Personal Data with personal information that Gid receives from or on behalf of any third party, or that Gid collects from its own interactions with Data Subjects, except as expressly permitted under the CCPA Regulations;
  • Comply with applicable CCPA obligations for Service Providers, including providing assistance in responding to consumer requests and providing reasonable notice and assistance in connection with a deletion request received by Gid that the consumer should have directed to Customer;
  • Comply with comparable obligations under the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, and Montana MCDPA.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Agreement, except where Applicable Data Protection Law requires otherwise.

14. General

This DPA forms part of the Agreement. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in effect. This DPA is governed by the law and dispute-resolution provisions of the Agreement, except where Applicable Data Protection Law mandates otherwise.

Annex 1 — Details of processing

A. List of parties

Data exporter (Controller): Customer, as identified in the Agreement.
Data importer (Processor): Gid Solutions, Inc., operating as "Gid AI", 390 Henri-Bourassa, Papineauville, Quebec, Canada, J0V 1R0. Contact for data protection: privacy@gidai.ca.

B. Description of transfer

Subject matter: Processing of Customer Personal Data in connection with Gid's provision of the AI-assisted restaurant management and employee engagement Service.
Duration: For the term of the Agreement and as required to fulfill the obligations under it, plus any legally required retention.
Nature and purpose of processing: Collection, storage, organization, structuring, transmission, generation of derived content (including AI inferences), and deletion, all for the purpose of providing the Service requested by Customer.
Categories of Data Subjects: Customer's Authorized Users (typically employees, managers, executives, and contractors of the Customer); the Customer's customers to the extent the Customer chooses to record them; voice-call counterparties where Customer enables voice features; individuals identifiable in user-generated content.
Categories of Personal Data: Identification and contact data (name, work email, work phone), account credentials, employment data (role, schedule, performance, training completion), communication content (chat messages, voice transcripts), device and usage data, and any other Personal Data the Customer chooses to submit.
Sensitive data: Customer is responsible for instructing Authorized Users not to submit sensitive Personal Data through chat, voice, or training inputs except where strictly necessary. Gid does not require sensitive data for the Service to function.
Frequency: Continuous, for the duration of the Agreement.
Recipient sub-processors: See gidai.ca/sub-processors, which is incorporated as Annex 3.
Period of retention: As described in the Privacy Policy Section 7 and the Agreement.

C. Competent supervisory authority

For EEA Data Subjects, the supervisory authority is determined by Customer's main establishment. For UK Data Subjects, the UK Information Commissioner's Office. For Swiss Data Subjects, the Swiss FDPIC. For Quebec residents, the Commission d'accès à l'information du Québec. For Indian residents, the Data Protection Board of India (once constituted). For California residents, the California Privacy Protection Agency.

Annex 2 — Technical and organizational measures

Gid implements the following measures to ensure a level of security appropriate to the risk of processing Customer Personal Data. The measures are reviewed regularly and updated as appropriate. This Annex reflects the measures as of the version date above.

1. Pseudonymization and encryption

  • All Customer Personal Data is encrypted at rest using AES-256 (provided by Google Cloud Platform).
  • All Customer Personal Data in transit is encrypted using TLS 1.2 or higher.
  • Account credentials are stored as salted hashes via Firebase Authentication; we do not have access to plaintext passwords.
  • Highly sensitive fields such as integration tokens (POS, payroll, accounting) are stored encrypted with envelope encryption.

2. Ongoing confidentiality, integrity, availability, and resilience

  • Multi-tenant isolation is enforced at the database layer (Firestore security rules) with multi-tenant assertion tests in CI.
  • Application access is gated by role-based access control with the principle of least privilege.
  • Administrative access is logged and restricted to designated personnel; production access requires multi-factor authentication.
  • Data is replicated across Google Cloud regional zones for availability; daily backups are retained for at least seven days.

3. Restoration of availability

  • Firestore provides point-in-time recovery within the supported retention window.
  • Recovery procedures are documented in our operational runbooks and tested as part of major releases.

4. Process for regularly testing the security

  • Application security tests run in CI on every commit (static analysis, dependency vulnerability scanning, security-rules tests).
  • Penetration testing is performed before major releases and on customer request, with findings tracked to closure.
  • Responsible disclosure process: see gidai.ca/security and security@gidai.ca.

5. Identification, authentication, access control

  • Customer-facing authentication via Firebase Authentication (supports MFA, OAuth providers).
  • Internal access via SSO with mandatory MFA.
  • Authorized User access in the Service is gated by role and tenant; users cannot access data outside their tenant.

6. Data minimization and accuracy

  • The Service collects only Personal Data necessary for the features the Customer enables.
  • Customer can update inaccurate Personal Data via the in-product correction flows.

7. Storage limitation

  • Retention is governed by the Privacy Policy Section 7.
  • Account deletion is performed via the Phase 4 server-side pipeline with a 30-day grace window and a hard-delete cron purge.

8. Personnel security and training

  • Personnel with access to Customer Personal Data sign confidentiality obligations.
  • Security awareness training is delivered at onboarding and reviewed periodically.

9. Sub-processor management

  • See Section 5 of this DPA and gidai.ca/sub-processors.
  • Each Sub-processor is contractually bound to provide equivalent or stronger protections.

10. Incident response

  • Documented incident-response runbook covering detection, triage, containment, eradication, recovery, and post-incident review.
  • Personal Data Breach notification within 72 hours to Customer (Section 8 above).

Annex 3 — Sub-processors

The current list of Sub-processors is published at gidai.ca/sub-processors and is incorporated by reference into this DPA. We will provide at least thirty (30) days' advance notice of any addition or replacement of a Sub-processor that processes Customer Personal Data.

Contact

Gid Solutions, Inc. (operating as Gid AI)
390 Henri-Bourassa, Papineauville, Quebec, Canada, J0V 1R0

Privacy: privacy@gidai.ca
Legal: legal@gidai.ca
Security: security@gidai.ca

© 2026 Gid Solutions, Inc. (operating as Gid AI). All rights reserved.