Data Processing Agreement (DPA)
ℹ
Enterprise Data Protection
This Data Processing Agreement governs how CanadaLawyers processes personal data on behalf of our enterprise clients, ensuring PIPEDA compliance and data protection best practices.
PIPEDA
Compliant
SOC 2
In Progress
24/7
Monitoring
1. Parties and Definitions
1.1 Parties
- Data Controller: The Client organization using CanadaLawyers services
- Data Processor: CanadaLawyers Inc., Toronto, ON, Canada
- Data Protection Officer: Arthur Kostaras (support@canadalawyers.app)
1.2 Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined under PIPEDA
- Processing: Any operation performed on personal data, including collection, storage, analysis, and deletion
- Data Breach: Any unauthorized access, disclosure, or loss of personal data
- Sub-processor: Third-party service providers engaged to assist with data processing
2. Data Processing Details
2.1 Categories of Personal Data
Business Contact Data
- • Name and title
- • Business email address
- • Business phone number
- • Company information
Lawyer Professional Data
- • Professional credentials
- • Practice specializations
- • Geographic service areas
- • Professional profile data
2.2 Processing Purposes
- Lawyer-business matching and recommendations
- Lead distribution and communication facilitation
- Platform analytics and service improvement
- Customer support and technical assistance
- Billing and subscription management
- Compliance monitoring and quality assurance
2.3 Data Retention
- Active Account Data: Retained while account is active plus 90 days
- Transaction Records: 7 years (CRA requirement compliance)
- Marketing Communications: Until unsubscribed plus 30 days
- Support Records: 3 years for quality assurance
3. Technical and Organizational Security Measures
3.1 Technical Safeguards
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Controls: Multi-factor authentication required
- Monitoring: 24/7 security monitoring and alerting
- Backups: Automated daily backups with 30-day retention
- Infrastructure: Railway platform with enterprise security
3.2 Organizational Controls
- Staff Training: Privacy and security training for all personnel
- Access Management: Role-based access with regular reviews
- Incident Response: 24-hour breach notification protocol
- Auditing: Regular security assessments and SOC 2 compliance
- Documentation: Comprehensive security policies and procedures
4. Sub-processors
4.1 Authorized Sub-processors
| Service Provider | Service | Data Location | Compliance |
|---|---|---|---|
| Railway | Platform Hosting | Google Cloud (US) | SOC 2, ISO 27001 |
| Stripe | Payment Processing | US/Canada | PCI DSS Level 1 |
| Resend | Email Communications | US | SOC 2 Type II |
4.2 Sub-processor Management
- All sub-processors undergo security and privacy assessments
- Contractual data protection obligations equivalent to this DPA
- 30-day advance notice for new sub-processors
- Client right to object to sub-processor changes
- Regular monitoring and compliance reviews
5. Data Subject Rights
5.1 Individual Rights Under PIPEDA
- Right to access personal information
- Right to correction of inaccurate data
- Right to withdraw consent
- Right to file complaints with Privacy Commissioner
- Right to reasonable explanation of data use
5.2 Response Procedures
- 30-day maximum response time
- Dedicated privacy email: support@canadalawyers.app
- Phone support: (647) 956-7290
- Identity verification required
- Written responses with clear explanations
6. Data Breach Notification
6.1 Notification Timeline
24 hours
Initial notification to Client
72 hours
Detailed incident report
30 days
Post-incident review
6.2 Notification Content
- Nature and scope of the data breach
- Categories and number of affected individuals
- Likely consequences and potential harm
- Measures taken to address the breach
- Recommendations for Client actions
- Contact information for further details
7. Agreement Terms
7.1 Term and Termination
- This DPA remains in effect while processing personal data for Client
- Survives termination of main service agreement for data retention period
- Client may terminate for material breach with 30-day cure period
- Data return or destruction within 90 days of termination
7.2 Governing Law
- Governed by the laws of Ontario, Canada
- Subject to PIPEDA and applicable provincial privacy laws
- Disputes resolved in Ontario courts or agreed arbitration
- Privacy Commissioner of Canada may investigate complaints
7.3 Amendments
- Material changes require written agreement from both parties
- Administrative updates provided with 30-day notice
- Current version always available at canadalawyers.app/data-processing-agreement
- Continued use constitutes acceptance of administrative changes
8. Contact Information
Data Protection Officer
Name: Arthur Kostaras
Title: Privacy Officer & CEO
Email: support@canadalawyers.app
Phone: (647) 956-7290
Address: Toronto, ON, Canada
Regulatory Authority
Agency: Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
Email: info@priv.gc.ca
Address: 30 Victoria Street, Gatineau, QC K1A 1H3
This Data Processing Agreement was last updated on March 12, 2026
For questions about this agreement, contact our Privacy Officer at support@canadalawyers.app