Data Processing Addendum

Updated October 23, 2024

This Data Processing Addendum (“Addendum”), having as an effective date the same Effective Date given in the Master Agreement (defined below) is entered into by and between Wealth Write-Up Inc., a Canadian corporation with offices located at 2000 Avenue McGill-College, Montréal, Québec, H3A 3H3, Canada (“Service Provider”), and Customer (Service Provider and Customer may each be referred to as a "Party", or collectively, the "Parties").

RECITALS

WHEREAS, the Customer and the Service Provider have entered into that certain Agreement (the "Master Agreement"), the form of which is available at https://wealthwriteup.com/ saas-agreement that may require the Service Provider to process personal information provided by or collected on behalf of the Customer; and

WHEREAS, this Addendum sets out additional terms, requirements and conditions for collecting, using, processing, disclosing, transferring or storing Personal Information when the Service Provider provides services under the Master Agreement;

NOW, THEREFORE, in consideration of the mutual covenants and agreements contained in this Addendum and for other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged, the Parties agree as follows:

1.              Definitions and Interpretation

1.1           The following definitions and rules of interpretation apply in this Addendum. Terms capitalized but not defined herein have the same meaning as given to them in the Master Agreement.

(i)    "Business Purpose" means the services described in the Master Agreement.

(ii)   "Individual" means an individual who is the subject of Personal Information.

(iii)  "Personal Information" means any information the Service Provider collects, uses, processes or maintains for the Customer that is about or relates to an identifiable individual or identifies or can be used to identify that individual, directly or indirectly, either alone or in combination with other information, and includes as applicable any “personal information”, “personally identifiable information” or  “personal data” as defined under Privacy and Data Protection Laws. Personal information does not include anonymized information.

(iv)  "Processing, processes, or process" means any activity that involves the use of Personal Information or that the relevant Privacy and Data Protection Laws may otherwise include in the definition of processing, processes, or process. It includes collecting, using, disclosing, or carrying out any operation or set of operations on the Personal Information.

(v)   "Privacy and Data Protection Laws" means all applicable federal, provincial, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, as each may be amended or replaced from time to time.

(vi)  "Security Breach" means any act or omission that materially compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it.

1.2           This Addendum forms part of and is incorporated into the Master Agreement. In the case of conflict or ambiguity between any of the provisions of this Addendum and the provisions of the Master Agreement, the provisions of this Addendum will prevail.

2.              Customer Responsibilities

2.1           The Customer remains at all times accountable for and in control of the Personal Information, and responsible for its compliance obligations under the applicable Privacy and Data Protection Laws, providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Service Provider.

2.2           The Customer represents and warrants that the Service Provider's expected use of the Personal Information for the Business Purpose and as specifically instructed by the Customer under this Addendum will comply with all Privacy and Data Protection Laws.

3.              Service Provider Obligations

3.1           The Service Provider will only process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purpose. The Service Provider will not process the Personal Information in a way that does not comply with this Addendum, Customer’s instructions, or the Privacy and Data Protection Laws.

3.2           The Service Provider will promptly comply with any Customer request or instruction requiring the Service Provider to amend, transfer, or delete the Personal Information, or to stop, mitigate or remedy any unauthorized processing.

3.3           The Service Provider will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless the Customer or this Addendum specifically authorizes the disclosure in compliance with Privacy and Data Protection Laws, or as otherwise required by law. If a law requires the Service Provider to process or disclose Personal Information, the Service Provider will first notify the Customer of the legal requirement and give the Customer an opportunity to object or challenge the requirement at the Customer’s sole cost and expense, unless the law prohibits such notice.

3.4           The Service Provider will reasonably assist the Customer with meeting the Customer's compliance obligations under the Privacy and Data Protection Laws, considering the nature of the Service Provider's processing and the information available to the Service Provider. The Customer acknowledges that the Service Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or the Personal Information other than as required under the Privacy and Data Protection Laws.

3.5           The Service Provider will limit Personal Information access to those employees who require it to meet the Service Provider's obligations under this Addendum and the Master Agreement.

3.6           The Service Provider will implement and maintain appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction or damage.   

3.7           The Service Provider will promptly notify the Customer if it becomes aware of any Security Breach and will take steps to contain and mitigate the Security Breach. The Service Provider will reasonably co-operate with the Customer in the Customer's handling of the matter, including making available all relevant information to the extent required to comply with all Privacy and Data Protection Laws. The Service Provider will not inform any third party of any Security Breach without first obtaining the Customer's prior written consent, except when Privacy and Data Protection Laws, or other laws or regulations, require it. The Service Provider agrees that the Customer has the sole right, to the extent permitted by applicable laws, to determine whether to provide notice of the Security Breach to any Individuals, regulators, law enforcement agencies or others, as required by Privacy and Data Protection Laws.

4.              International Transfers

Customer acknowledges and agrees that Service Provider may process the Personal Information  on a global basis as necessary for the Business Purpose, and in particular that Personal Information may be transferred to and processed by Service Provider in Canada, the United States and other jurisdictions where Service Provider affiliates and subprocessors have operations. Wherever the Personal Information is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of applicable Privacy and Data Protection Laws.  

5.              Subprocessors

5.1           Customer agrees that Service Provider may engage subprocessors to process the Personal Information on Customer's behalf, provided the Service Provider enters into a written contract with the subprocessor that imposes data protection terms that require the subprocessor to protect the Personal Information to the standard required by applicable Privacy and Data Protection Laws. A list of current subprocessors is available at https://wealthwriteup.com/sub-processors

6.              Complaints, Individual Requests and Third Party Rights

6.1           The Service Provider will promptly notify the Customer if it receives any complaint, notice, or communication that directly or indirectly relates to the Personal Information processing or to either Party's compliance with the Privacy and Data Protection Laws.

6.2           The Service Provider will promptly notify the Customer if it receives a request from an Individual for access to their Personal Information or a request to correct, delete, or withdraw its consent from any use by Customer or Service Provider of same.

6.3           The Service Provider will cooperate with the Customer in responding to any complaint, notice, communication, or Individual request.

6.4           The Service Provider will not directly disclose the Personal Information to any Individual or to a third party unless the disclosure is required by law.

7.              Term and Termination

7.1           This Addendum will remain in full force and effect until the expiry or termination of the Master Agreement (the “Term”).

7.2           If a change in any Privacy and Data Protection Law prevents either Party from fulfilling all or part of its Master Agreement obligations, the Parties will suspend the processing of Personal Information until that processing complies with the new requirements. If the Parties are unable to bring the Personal Information processing into compliance with the applicable Privacy and Data Protection Law by making commercially reasonable efforts, either Party may terminate the Master Agreement upon written notice to the other Party, without prejudice to any fees incurred by Customer prior to suspension or termination.

8.              Data Return and Destruction

8.1           On termination of the Master Agreement for any reason or expiration of its term, the Service Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all or any Personal Information related to this Addendum in its possession or control, unless applicable law permits or requires retention by Service Provider.

8.2           If any law, regulation, or government or regulatory body requires the Service Provider to retain any documents or materials that the Service Provider would otherwise be required to return or destroy, to the extent permitted by law the Service Provider will notify the Customer in writing of that retention requirement and, to the extent determinable, when the retention requirement ends. 

8.3           The Service Provider will certify in writing that it has destroyed the Personal Information upon Customer’s request.

9.              Audit

The Service Provider will permit the Customer and its third-party representatives to audit the Service Provider's compliance with its Addendum obligations, upon reasonable prior notice. The Service Provider will give the Customer and its third-party representatives access to such information as needed to conduct such audits in compliance with Privacy and Data Protection Laws. To the extent physical access to Service Provider’s records or premises is required to conduct such audits in compliance with Privacy and Data Protection Laws, (i) such access will only be provided during regular business hours and will be limited strictly to such records or premises as required to comply with Privacy and Data Protection Laws; and (ii) Customer and its third-party representatives agree to be accompanied by Service Provider’s representatives at all times and each shall execute confidentiality agreements as required by Service Provider. Under no circumstances will Customer be provided with access to information concerning, or the records or data of, other customers of Service Provider.

10.           Limitation of Liability

The limitations of liability set forth in the Master Agreement will apply to this Addendum.