Data Processing Addendum
Last Updated: August 20, 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service between 10000090921 ONTARIO INC., doing business as "SAYYARA" (the "Company", "we", "us", or "our") and you ("Customer", "you", or "your") and governs the processing of Personal Data by Company on behalf of Customer in connection with the Sayyara automotive service management platform and related services ("Services").
This DPA complies with applicable privacy laws including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Québec's Law 25, the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other applicable U.S. state privacy laws.
Important Notice:
This DPA applies when Customer acts as a "Controller" or "Business" and Company acts as a "Processor" or "Service Provider" under applicable privacy laws. This typically applies to Service Provider customers who use Sayyara to manage customer data.
1. Definitions
- "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked with a particular individual or household, including but not limited to vehicle owner contact information, vehicle details, service history, and payment information.
- "Controller"/"Business" means the entity that determines the purposes and means of processing Personal Data (typically the Service Provider customer).
- "Processor"/"Service Provider" means Company when processing Personal Data on behalf of Customer.
- "Sub-processor" means any third party engaged by Company to process Personal Data on behalf of Customer.
2. Scope and Purpose of Processing
2.1 Processing Activities
Company processes Personal Data solely to provide the Services, including:
- Storing and managing vehicle owner profiles and contact information
- Processing work orders, appointments, and service history
- Facilitating communication between Service Providers and Vehicle Owners
- Processing payments and generating invoices (when payment features are enabled)
- Providing analytics and reporting to Service Provider customers
- Maintaining system security, backups, and technical support
2.2 Categories of Personal Data
- Contact Information: Names, email addresses, phone numbers, addresses
- Vehicle Information: Make, model, year, VIN, license plate, mileage
- Service Data: Maintenance history, repair records, inspection reports
- Financial Information: Billing addresses, payment method details (processed via Stripe)
- Communication Data: Messages, reviews, ratings, support inquiries
2.3 Categories of Data Subjects
- Vehicle Owners (customers of Service Provider customers)
- Authorized representatives of Vehicle Owners
- Service Provider employees (when applicable)
3. Company Obligations as Processor
3.1 Processing Instructions
- Company shall process Personal Data only on documented instructions from Customer, including through the Services interface and this DPA.
- Company shall immediately inform Customer if instructions violate applicable privacy laws.
- Customer instructions are deemed to include use of the Services as described in the Terms of Service and this DPA.
3.2 Confidentiality and Staff Training
- Company ensures all personnel processing Personal Data are bound by confidentiality obligations.
- All staff receive regular privacy and security training.
- Access to Personal Data is limited to personnel who need access to perform their duties.
3.3 Data Security Measures
Company implements appropriate technical and organizational measures to protect Personal Data:
- Encryption: Data is encrypted in transit and at rest by our providers. We do not make specific cryptographic guarantees.
- Access Controls: Authentication is email-and-password based. Multi-factor authentication (MFA) is not currently supported.
- Infrastructure Security: Services are hosted on reputable cloud and platform providers. We rely on their published security controls. We do not hold SOC 2 or similar certifications and do not undergo formal audits at this time.
- Regular Assessments: Best-effort security reviews of dependencies and configs.
- Backup and Recovery: No automatic backups are performed by us while operating on the Supabase free tier. Backup features may be enabled in the future if we upgrade to a paid tier, subject to provider capabilities.
4. Sub-processors
4.1 Current Sub-processors
Customer consents to Company's use of sub-processors in the following categories. Specific providers within each category may change over time:
- Cloud infrastructure, hosting, and content delivery
- Managed database and authentication services
- Email delivery services
- Payment processing services
- Backend platform and developer tooling
- Analytics and monitoring (if enabled)
4.2 New Sub-processors
- Company may engage new sub-processors with 30 days' prior written notice to Customer.
- Customer may object to new sub-processors within 30 days if objection is based on reasonable data protection concerns.
- If Customer objects and Company cannot accommodate, either party may terminate the affected Services with 30 days' notice.
4.3 Sub-processor Obligations
- Company ensures all sub-processors are bound by data protection obligations equivalent to this DPA.
- Company remains responsible for its obligations under this DPA and for ensuring that sub-processors it engages are contractually bound to obligations consistent with this DPA. Company's liability for acts or omissions of sub-processors is subject to the limitations and exclusions in the Terms of Service and limited to the extent Company failed to appropriately select, contract with, or oversee such sub-processors.
5. International Data Transfers
5.1 Transfer Locations
- Primary Storage: Canada (when technically feasible via Supabase Canadian regions)
- Processing Locations: Personal Data may be processed in the United States, Canada, and European Union through our sub-processors
- Backup Storage: May include US-based cloud storage with appropriate safeguards (if and when backups are enabled in the future)
5.2 Transfer Safeguards
- All international transfers include appropriate contractual protections meeting or exceeding requirements under applicable privacy laws.
- For transfers from Québec, Company conducts privacy impact assessments as required by Law 25.
- Sub-processors in the United States are subject to contractual obligations providing adequate protection for Personal Data.
6. Data Subject Rights Support
6.1 Rights Requests
Company will assist Customer in responding to data subject rights requests, including:
- Access: Providing data subject's Personal Data processed by Company
- Rectification: Correcting inaccurate Personal Data
- Erasure/Deletion: Deleting Personal Data upon valid request
- Portability: Providing Personal Data in machine-readable format
- Restriction: Limiting processing upon valid request
- Objection: Ceasing processing upon valid objection
6.2 Request Process
- Customer remains responsible for verifying data subject identity and request validity.
- Company will respond to Customer's verified requests within 30 days or as required by applicable law.
- Company may charge reasonable fees for excessive or repetitive requests as permitted by law.
7. Data Breach Notification
7.1 Incident Response
- Company will notify Customer without undue delay and no later than 72 hours after becoming aware of a Personal Data breach affecting Customer's data.
- Notification will include description of breach, categories of data affected, likely consequences, and measures taken to address the breach.
- Company will provide reasonable assistance to Customer in meeting breach notification obligations to regulators and data subjects.
7.2 Incident Documentation
- Company maintains detailed incident logs as required by PIPEDA and other applicable laws.
- Incident records are retained for at least 24 months or as required by applicable law.
8. Data Retention and Deletion
8.1 Retention Period
- Company retains Personal Data only as long as necessary to provide Services and fulfill legal obligations.
- Upon termination of Services, Company will delete or return Personal Data within 30 days unless legal retention is required.
- Backup data, if enabled in the future, will be deleted according to the applicable third-party provider's retention schedule.
8.2 Deletion Procedures
- Company uses secure deletion methods ensuring Personal Data cannot be recovered.
- Customer may request certification of deletion.
9. Audits and Compliance
9.1 Audit Rights
- Customer may audit Company's compliance with this DPA once per year upon reasonable notice.
- We do not currently hold SOC 2 or similar certifications.
- Audits must not disrupt Company's operations or compromise security.
9.2 Compliance Monitoring
- Company regularly monitors compliance with this DPA and applicable privacy laws.
- Company will promptly notify Customer of any compliance issues that may affect Personal Data processing.
10. Liability and Indemnification
10.1 Allocation of Liability
- Each party is liable for its own compliance with applicable privacy laws in its role as Controller or Processor.
- Company's liability is limited as set forth in the Terms of Service, except where prohibited by law.
10.2 Customer Responsibilities
- Customer is responsible for ensuring lawful basis for processing and obtaining necessary consents.
- Customer must provide clear privacy notices to data subjects.
- Customer is responsible for responding to data subject rights requests and regulatory inquiries.
11. Term and Termination
- This DPA remains in effect while Company provides Services to Customer.
- Upon termination, Company will delete or return Personal Data as specified in Section 8.
- Provisions regarding confidentiality, data deletion, and liability survive termination.
12. Changes to This DPA
- Company may update this DPA to reflect changes in law, regulations, or business practices.
- Material changes will be communicated with 30 days' advance notice via email or platform notification.
- Continued use of Services after changes take effect constitutes acceptance of the updated DPA.
13. Governing Law and Disputes
- This DPA is governed by the same law as the Terms of Service (the laws of Ontario, Canada).
- Privacy law compliance obligations remain subject to the jurisdiction where Customer operates.
- Disputes will be resolved through the same procedures specified in the Terms of Service.
14. Contact Information
For questions about this DPA or to exercise rights related to Personal Data processing:
10000090921 ONTARIO INC. (d/b/a "SAYYARA")
202-100 Main Street East
#1504
Hamilton, ON L8N 3W4
Canada
Email: legal@sayyara.io
DPA Inquiries: legal@sayyara.io
This Data Processing Addendum was last updated on August 20, 2025 and is effective immediately.