Download PDF
Data Processing Agreement
(Current as of April 13, 2026)
“Services”). This DPA is effective as of the date of acceptance of the Agreement.
conditions as regards the subject matter
The Parties agree as follows:
1. Definitions
and “natural person” as found in the Quebec Privacy Act;
“EU Data Protection Laws” means any law, statute, declaration, decree, directive, legislative enactment, PAGE 2 OF 8 order, ordinance, regulation, rule or other binding instrument relating to the protection of personal data in force in the territory of the European Union, including the Data Protection Directive, the GDPR, the ePrivacy Directive and the e-Privacy Regulation;
“Model Clauses” mean the Standard Contractual Clauses for international transfers (Controller to Processor, Module Two) as set out in the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
“Regulator” means the data protection supervisory authority which has jurisdiction over a Data Controller’s Processing of Personal Data. This includes, but is not limited to, the Commission d’accès à l’information in Quebec and the regulators in each member State of the European Economic Area (“EEA”) and the United Kingdom;
“Third Countries” means all countries outside of the scope of the data protection laws of the EEA and the United Kingdom, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time.
Any capitalized terms used but not defined herein shall have the meaning given to them in the Agreement
2. Processing of personal data
2.1 The Parties acknowledge and agree that with regard to the Processing of Personal Data, the Customer is the “Data Controller”, Nectari is the “Data Processor” and that Nectari may engage “Sub-Processors” pursuant to the requirements set forth in Section 8 below.
2.2 The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 “Processing Details” of this DPA.
2.3 The Data Processor shall only process Personal Data on behalf of and in accordance with documented instructions from the Data Controller. The Parties agree that this DPA constitutesthe Customer’s complete and final instructions to Nectari in relation to the processing of any Personal Data, as specified in Schedule 1. The Data Controller shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Data Controller acquired Personal Data and shall establish the legal basis for Processing under Applicable Data Protection Laws. Without limitation of the foregoing, the Data Controller represents, warrants, and covenants that: it has (and will have) provided any notice and obtained all consents and rights required by Applicable Data Protection Lawsto enable the Data Processor to lawfully Process Personal Data as permitted by this DPA and the Agreement.
2.4 Each Party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA, including Applicable Data Protection Laws.
2.5 The Data Controller shall have the right to verify the Processing of Personal Data by the Data Processor, as required by the Applicable Data Protection Laws.
3. Authorized Personnel
3.1 The Data Processor shall ensure that its personnel authorized to Process Personal Data have committed
themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Data
PAGE 3 OF 8
Processor shall ensure that such confidentiality obligations survive the termination of the personnel
engagement.
4. Rights data subjects
4.1 The Data Processor shall, to the extent legally permitted, promptly notify the Data Controller if it receives
a request from a Data Subject for access to its own Personal Data, or for the rectification or erasure of
such Personal Data or any other request or query from a Data Subject relating to its own Personal Data
(including Data Subjects’ exercising of their rights under Applicable Data Protection Laws, such as rights
of objection, restriction of processing, data portability, right to be forgotten including de-indexation rights,
or the right not to be subject to automated decision making) (a “Data Subject Request”). Taking into
account the nature of the Processing, the Data Processor shall assist the Data Controller by appropriate
technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s
obligation to respond to a Data Subject Request under Applicable Data Protection Laws. In addition, to
the extent the Data Controller, in its use of the Services, does not have the ability to address a Data Subject
Request, the Data Processor shall, upon Data Controller’s request, provide commercially reasonable
efforts to assist the Data Controller in responding to such Data Subject Request, to the extent the Data
Processor is legally permitted to do so and the response to such Data Subject Request is required under
Applicable Data Protection Laws. To the extent legally permitted, the Data Controller shall be responsible
for any costs arising from the Data Processor’s provision of such assistance.
5. Government access requests
5.1 The Data Processor shall promptly notify the Data Controller about any legally binding request for
disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited from doing so.
The Data Controller shall have the right to defend such action in lieu of and/or on behalf of the Data
Processor. The Data Processor shall reasonably cooperate with the Data Controller in such defense.
6. Security
6.1 Each of the Data Processor and the Data Controller shall implement and maintain appropriate technical
and organizational measures for protection of the security (including protection against unauthorized or
unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage,
unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data.
7. Compliance
7.1 The Data Processor shall take reasonable efforts to make available to the Data Controller all information necessary to demonstrate compliance with the obligations set forth in this DPA and Applicable Data Protection Laws.
7.2 Upon the Data Controller’s request, the Data Processor shall provide the Data Controller with reasonable cooperation and assistance needed to fulfil the Data Controller’s obligation under the GDPR and the Quebec Privacy Act to carry out a data protection impact assessment related to the Data Controller’s use of the Services, to the extent the Data Controller does not otherwise have access to the relevant information, and to the extent such information is available to the Data Processor. The Data Processor shall provide reasonable assistance to the Data Controller in the cooperation or prior consultation with the Regulator in the performance of its tasks relating to Section 7 of this DPA, to the extent required under Applicable Data Protection Laws. To the extent legally permitted, the Data Controller shall be responsible PAGE 4 OF 8 for any costs arising from the Data Processor’s provision of such assistance.
8. Sub-processing
8.1 The Data Controller agrees that the Data Processor may engage Sub-Processors to Process Personal Data. The Sub-Processors currently engaged by Nectari and authorized by the Customer are listed in Schedule 2 “List of Sub-Processors”.
8.2 The Data Processor shall ensure that such Sub-Processor has entered into a written agreement requiring the Sub-Processor to abide by terms no less protective than those provided in this DPA with respect to the protection of Personal Data, to the extent applicable to the nature of the services provided by such Sub-Processor. The Data Processor shall be liable for the acts and omissions of any Sub-Processors to the same extent as if the acts or omissions were performed by the Data Processor.
8.3 The Data Processor shall make available to the Data Controller a list of Sub-Processors authorized to Process Personal Data (“Sub-Processor List”, currently found in Schedule 2) and provide the Data Controller with a mechanism to obtain notice of any updates to the Sub-Processor List. Notification of a new Sub-Processor shall be issued prior to such new Sub-Processor being authorised to Process Personal Data in connection with the Agreement.
8.4 The Data Controller may object to the Data Processor’s use of a new Sub-Processor where there are reasonable grounds to believe that the new Sub-Processor will be unable to comply with the terms of this DPA or the Agreement. If the Data Controller objects to the Data Processor’s use of a new Sub-Processor, the Data Controller shall notify the Data Processor promptly in writing within ten (10) days after notification regarding such Sub-Processor. The Data Controller’s failure to object in writing within such time period shall constitute approval to use the new Sub-Processor. The Data Controller acknowledges that the inability to use a particular new Sub-Processor may result in the interruption of the Services or increased fees. The Data Processor will notify the Data Controller in writing (including by email) of any interruption to the Services or increased fees that would result from the Data Processor’s inability to use a new Sub-Processor to which the Data Controller has objected. The Data Controller may either execute a written amendment to the Agreement implementing such change or exercise its right to terminate the Agreement in accordance with the termination provisions thereof. Such termination shall not constitute termination for breach of the Agreement. The Data Processor shall have a right to terminate the Agreement if the Data Controller unreasonably objects to a Sub-Processor, or does not agree to a written amendment to the Agreement implementing changes in fees or the Services resulting from the inability to use the Sub-Processor at issue.
9. Return and deletion
9.1 The Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller upon termination of the Agreement (and the provision of the Services) and delete existing copies of Personal Data, unless prohibited by law or the order of a governmental or regulatory body. For greater certainty, the return of all Personal Data stored by or on behalf of the Data Controller within the Software upon termination of the Agreement (and the provision of the Services) is achieved by the Data Controller exporting its Customer Data (as defined in the Agreement) from the Software, using the data export functionalities made available by the Software. The Data Processor may also anonymize such Personal Data and retain copies of anonymized Personal Data, if permitted by the Applicable Data Protection Laws. PAGE 5 OF 8
9.2 The Data Controller acknowledges and agrees that the Data Processor shall have no liability for any losses incurred by the Data Controller arising from or in connection with the Data Processor’sinability to provide the Services as a result of the Data Processor complying with a request to delete or return Personal Data made by the Data Controller pursuant to Section 9.1.
10. Data Breach
10.1 In the event there is, or the Data Processor reasonably believes that there is, any improper, unauthorized
or unlawful access to, use of, or disclosure of, or any other compromise which affects the availability,
integrity or confidentiality of Personal Data which is Processed by the Data Processor under or in
connection with this DPA and/or the Agreement (a “Data Breach”), then upon becoming aware of such
Data Breach, the Data Processor shall promptly notify the Data Controller and provide the Data Controller
with the following information as it becomes available:
(i) a description of the nature of the Data Breach, including where possible the
categories and approximate number of Data Subjects concerned;
(ii) the name and contact details of the Data Processor contact from whom more information can be obtained; and
(iii) a description of the measures taken or proposed to be taken to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects
10.2 The Parties agree to coordinate in good faith on developing the content of any related public statements and any required notices to the affected Data Subjects and/or the relevant Regulators in connection with a Data Breach, provided that nothing in this Section 10.2 shall prevent either Party from complying with its obligations under Applicable Data Protection Laws. The obligations in this Section 10 will not apply to any incidents that are caused by Customer or any User (as defined in the Agreement).
11. Internation and interprovincial transfers
11.1 The Data Processor will only process data in, or transfer Personal Data to, a Third Country where such processing or transfer takes place based on and in compliance with the Model Clauses, with the processing details that comprise Appendix 1 to the Model Clauses, and the technical and organizational security measures that comprise Appendix 2 to the Model Clauses. The Data Processor shall comply with the obligations of the data importer and the Data Controller shall comply with the obligations of the data exporter as set out in the Model Clauses.
11.2 Where the Data Processor appoints an affiliate or Sub-Processor to process Personal Data in a Third Country, the Data Processor must ensure that such processing takes place in accordance with the requirements of the Applicable Data Protection Laws. The Parties agree that Personal Data may be transferred to an affiliate or third-party Sub-Processor in the United States who agrees to process Personal Data according to the Model Clauses.
11.3 The Data Processor will only process data in, or transfer Personal Data to, Sub-Processors in a province other than Quebec after performing an “Assessment of the privacy-related factors” (a “PIA”), as per the Quebec Privacy Act, prior to Personal Data leaving Quebec. If the PIA does not meet the Data Processor’s standards and the standards required by the Quebec Privacy Act, the Data Processor will not transfer Personal Data to such Sub-Processor.
12. General provisions
12.1 This DPA will terminate upon termination of the Agreement or when the Data Processor ceases to Process Personal Data, whichever is later, unless otherwise agreed in writing between the Parties.
12.2 The Parties hereby acknowledge and agree that a person with rights under this DPA may be irreparably harmed by any breach of its terms and that damages alone may not be an adequate remedy. Accordingly, a person bringing a claim under this DPA shall be entitled to the remedies of injunction, specific performance or other equitable relief for any threatened or actual breach of the terms of this DPA.
12.3 If either Party seeks changes to the DPA to comply with a change in Applicable Data Protection Laws or binding and final decision of a Regulator with jurisdiction over the Party’s Processing of Personal Data, the Parties will discuss in good faith how to address any necessary changes.
12.4 The section headings contained in this DPA are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPA.
Schedule 1 : Processing details
Processing Activities
Personal Data Processed by Data Processor will be subject to the following basic Processing activities:
Provision of the Services, as outlined in the Agreement and as otherwise agreed upon by the Parties.
Duration
Personal Data Processed by Data Processor will be Processed for the following duration:
The length of the term of the Agreement between the Data Controller and the Data Processor.
Data Subjects
Personal Data Processed by Data Processor concern the following categories of Data Subjects:
(i) the Customer’s employees, consultants or agents that are authorized by the Customer to access and use the Software (the “ Users”); and
(ii) any other natural person whose Personal Data is entered into the Software by a User.
Categories of Data
Personal Data Processed by Data Processor includes the following categories of data:
Software and Customer Information:
• Account Information: Name and email address
• Software Inputs: Any Personal Data that a User submits to the Software as an input
• Additional Information: Any other Personal Data (i) that the Customer collects from its Users through the Software; or (ii) that may be submitted to, or used or Processed in connection with, the Software by a User in relation to a natural person
Payment Information:
• Credit card number, credit card expiry date, credit card security code (CVV), billing address and name associated with the credit card
Analytics Information:
• Unique analytics identifiers
• IP addresses
Special Categories of Data (if applicable)
Personal Data Processed by Data Processor concern the following special categories of data:
None by default.
Schedule 2: List of sub-processors
Sub-Processor Name | Location and Where to Find More Information |
Microsoft Azure: Software hosting; provider of artificial intelligence services | Location: Depends on the Customer’s location |
Stripe: Payment processing | Location: Depends on the Customer’s location |
Odoo: ERP service provider | Location: North America |
Beamer: Software communications service provider (notifications; updates) | Location: United States |
