CanadaAccountants | Data Processing Agreement
Last Updated: January 15, 2025

Data Processing Agreement (DPA)

Enterprise Data Protection

This Data Processing Agreement governs how CanadaAccountants processes personal data on behalf of our enterprise clients, ensuring PIPEDA compliance and data protection best practices.

  • PIPEDA: Compliant
  • SOC 2: In Progress
  • Monitoring: 24/7

1. Parties and Definitions

1.1 Parties

  • Data Controller: The Client organization using CanadaAccountants services
  • Data Processor: CanadaAccountants Inc., 123 Bay Street, Toronto, ON M5K 1A1
  • Data Protection Officer: Arthur Kostaras (privacy@canadaaccountants.app)

1.2 Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person as defined under PIPEDA
  • Processing: Any operation performed on personal data, including collection, storage, analysis, and deletion
  • Data Breach: Any unauthorized access, disclosure, or loss of personal data
  • Sub-processor: Third-party service providers engaged to assist with data processing

2. Data Processing Details

2.1 Categories of Personal Data

Business Contact Data

  • Name and title
  • Business email address
  • Business phone number
  • Company information

CPA Professional Data

  • Professional credentials
  • Practice specializations
  • Geographic service areas
  • Professional profile data

2.2 Processing Purposes

  • CPA-business matching and recommendations
  • Lead distribution and communication facilitation
  • Platform analytics and service improvement
  • Customer support and technical assistance
  • Billing and subscription management
  • Compliance monitoring and quality assurance

2.3 Data Retention

  • Active Account Data: Retained while account is active plus 90 days
  • Transaction Records: 7 years (CRA requirement compliance)
  • Marketing Communications: Until unsubscribed plus 30 days
  • Support Records: 3 years for quality assurance

3. Technical and Organizational Security Measures

3.1 Technical Safeguards

  • 🔒 Encryption: TLS 1.3 in transit, AES-256 at rest
  • 🛡️ Access Controls: Multi-factor authentication required
  • 📊 Monitoring: 24/7 security monitoring and alerting
  • 🔄 Backups: Automated daily backups with 30-day retention
  • 🌐 Infrastructure: Railway platform with enterprise security

3.2 Organizational Controls

  • 👥 Staff Training: Privacy and security training for all personnel
  • 📋 Access Management: Role-based access with regular reviews
  • 📞 Incident Response: 24-hour breach notification protocol
  • 🔍 Auditing: Regular security assessments and SOC 2 compliance
  • 📄 Documentation: Comprehensive security policies and procedures

4. Sub-processors

4.1 Authorized Sub-processors

Service Provider | Service              | Data Location     | Compliance
Railway          | Platform Hosting     | Google Cloud (US) | SOC 2, ISO 27001
Stripe           | Payment Processing   | US/Canada         | PCI DSS Level 1
SendGrid         | Email Communications | US                | SOC 2 Type II

4.2 Sub-processor Management

  • All sub-processors undergo security and privacy assessments
  • Contractual data protection obligations equivalent to this DPA
  • 30-day advance notice for new sub-processors
  • Client right to object to sub-processor changes
  • Regular monitoring and compliance reviews

5. Data Subject Rights

5.1 Individual Rights Under PIPEDA

  • ✅ Right to access personal information
  • ✅ Right to correction of inaccurate data
  • ✅ Right to withdraw consent
  • ✅ Right to file complaints with Privacy Commissioner
  • ✅ Right to reasonable explanation of data use

5.2 Response Procedures

  • ⏰ 30-day maximum response time
  • 📧 Dedicated privacy email: privacy@canadaaccountants.app
  • 📞 Phone support: (647) 956-7290
  • 🔍 Identity verification required
  • 📋 Written responses with clear explanations

6. Data Breach Notification

6.1 Notification Timeline

  • 24 hours: Initial notification to Client
  • 72 hours: Detailed incident report
  • 30 days: Post-incident review

6.2 Notification Content

  • Nature and scope of the data breach
  • Categories and number of affected individuals
  • Likely consequences and potential harm
  • Measures taken to address the breach
  • Recommendations for Client actions
  • Contact information for further details

7. Agreement Terms

7.1 Term and Termination

  • This DPA remains in effect while processing personal data for Client
  • Survives termination of main service agreement for data retention period
  • Client may terminate for material breach with 30-day cure period
  • Data return or destruction within 90 days of termination

7.2 Governing Law

  • Governed by the laws of Ontario, Canada
  • Subject to PIPEDA and applicable provincial privacy laws
  • Disputes resolved in Ontario courts or agreed arbitration
  • Privacy Commissioner of Canada may investigate complaints

7.3 Amendments

  • Material changes require written agreement from both parties
  • Administrative updates provided with 30-day notice
  • Current version always available at canadaaccountants.app/data-processing-agreement
  • Continued use constitutes acceptance of administrative changes

8. Contact Information

Data Protection Officer

Name: Arthur Kostaras

Title: Privacy Officer & CEO

Email: privacy@canadaaccountants.app

Phone: (647) 956-7290

Address: 123 Bay Street, Toronto, ON M5K 1A1

Regulatory Authority

Agency: Office of the Privacy Commissioner of Canada

Website: www.priv.gc.ca

Phone: 1-800-282-1376

Email: info@priv.gc.ca

Address: 30 Victoria Street, Gatineau, QC K1A 1H3

This Data Processing Agreement was last updated on January 15, 2025

For questions about this agreement, contact our Privacy Officer at privacy@canadaaccountants.app