Data Processing Addendum (DPA)

Effective date: September 1, 2025

This DPA forms part of your agreement for AdminARK Services.

Parties

Customer ("Controller"); and AdminARK, organized under the laws of British Columbia, Canada ("Processor"). Capitalized terms not defined here have the meaning in the Agreement.

1) Subject Matter & Duration

Processor will process Customer Personal Data on behalf of Controller to provide the Services. This DPA lasts for the Agreement term plus any agreed transition period.

2) Nature & Purpose of Processing

Hosting, storage, retrieval, transmission, collaboration, optional AI analysis (if enabled), e‑signature routing, email sending, calendar listing, export/deletion, auditing, and security monitoring.

3) Types of Personal Data & Data Subjects

Data Subjects include Controller’s users, employees/contractors, clients, counterparties, and signers. Data includes identity/contact data, business details, content in documents/templates, signatures/signer metadata, calendar metadata/events, email headers/content/attachments, logs/audit events. No special categories unless lawful and safeguarded.

4) Roles & Instructions

Controller is the controller; Processor acts only on documented instructions, including in‑product configurations, and will notify Controller if instructions appear unlawful.

5) Confidentiality

Processor ensures authorized persons are bound by confidentiality and trained appropriately.

6) Security

Processor implements measures described in Annex II (Security Measures).

7) Subprocessing

Controller authorizes the subprocessors listed in Annex III, and authorizes replacements or additions provided Processor gives prior notice by updating the list and notifying Controller. If an objection cannot be resolved, the affected feature may be suspended or terminated with a pro‑rata refund.

8) International Transfers

Appropriate safeguards (e.g., EU SCCs/UK Addendum) will be applied as required; parties will cooperate on alternatives if mechanisms change.

9) Assistance

Processor will assist with data subject requests and GDPR Art. 32–36 obligations as appropriate.

10) Personal Data Breach

Processor will notify Controller without undue delay after becoming aware of a breach affecting Customer Personal Data.

11) Return & Deletion

Upon termination/expiry, Processor will delete or return Customer Personal Data at Controller’s choice, unless retention is legally required. Self‑service export/deletion tools are available.

12) Audits

Processor will make available information for compliance and allow audits with reasonable limits; reputable third‑party reports may satisfy audit requests.

13) Liability

Liability is governed by the Agreement; this DPA does not increase liabilities.

14) Order of Precedence

This DPA prevails over the Agreement where they conflict on processing of Customer Personal Data.

15) Governing Law & Jurisdiction

As stated in the Agreement unless otherwise required by data protection law.

Annex I — Details of Processing

  • Subject matter & duration: Services term + transition as needed.
  • Nature & purpose: See above.
  • Data subjects & categories: See above.
  • Special categories: Not intended; avoid unless lawful and safeguarded.
  • Frequency: Continuous/on‑demand during subscription.
  • Retention: Directed by Controller; subject to legal retention.

Annex II — Security Measures (Summary)

  • Access Controls: Supabase Auth (JWT); business‑scoped row‑level security (RLS); role‑based access; least privilege; audit logs.
  • Encryption: TLS in transit; provider‑level at rest.
  • Storage Architecture: Private buckets; secure proxy with business checks, CORS allowlist, security headers, Range support.
  • Application Security: HSTS, CSP, X‑Content‑Type‑Options, Referrer‑Policy, Permissions‑Policy, COEP/CORP; powered‑by disabled; validation; session management; rate limits; circuit breakers.
  • Operational Security: Key/secret management; service‑role keys limited to admin and data subject request (DSR) handling; incident response; in‑app monitoring.
  • Data Minimization: AI opt‑in/per‑action; least necessary data sent to providers.
  • Reliability: Environment isolation; health endpoints; enterprise limiters.
  • Personnel: Confidentiality obligations; security/privacy training.

Annex III — Authorized Subprocessors (Feature‑Dependent)

  • Supabase – authentication, database, storage.
  • OpenAI – AI processing (only when invoked).
  • SendGrid – email delivery.
  • Google – OAuth for Calendar/Gmail; calendar metadata/events; optional Gmail send.
  • OneSpan – e‑signature workflow and signed files.