Data Processing Agreement (DPA)
MigiHub (SaaS) – InnuCloud Experts Inc. (Processor) ↔ Customer (Controller)
1. Parties
This Data Processing Agreement ("DPA") forms part of the Subscription Agreement, Master Services Agreement or other written or electronic contract for the provision of the MigiHub software-as-a-service (the "Agreement") between:
- "Processor": InnuCloud Experts Inc., 2020 Trans-Canada Hwy, Dorval, Quebec H9P 2N4, operating the MigiHub SaaS; and
- "Controller": The customer entity that executes or accepts the Agreement ("Customer").
2. Background and Purpose
This DPA reflects the parties' agreement with respect to the processing of Personal Data by Processor on behalf of Controller in connection with the Services, as required by Article 28 of the EU General Data Protection Regulation (EU) 2016/679 ("GDPR").
3. Definitions
Capitalized terms not defined in this DPA have the meaning set out in the Agreement. "Personal Data", "Data Subject", "Processing", "Supervisory Authority", "Personal Data Breach" have the meanings given in the GDPR.
4. Scope; Roles of the Parties
4.1
Controller instructs Processor to process Personal Data solely for the purpose of providing, maintaining, securing, supporting and improving the Services under the Agreement (the "Permitted Purpose").
4.2
Controller is responsible for the lawfulness of Personal Data and for its instructions. Processor will not sell Personal Data, nor retain, use, or disclose it for any purpose other than the Permitted Purpose.
5. Description of Processing
5.1 Subject Matter:
Operation of the MigiHub SaaS and related support.
5.2 Duration:
For the term of the Agreement and until deletion or return in accordance with this DPA.
5.3 Nature and Purpose:
Hosting, storage, transmission, organization, retrieval, disclosure (to authorized users), analysis, and deletion as necessary to deliver the Services.
5.4 Categories of Data Subjects:
Controller's administrators and end-users; interpreters/contractors; clients and client personnel; applicants; and other individuals whose data is submitted to the Services by or on behalf of Controller.
5.5 Categories of Personal Data:
- Identity and contact data (e.g., name, initials, email, phone, address, organization/department).
- Account credentials and role/permission data (including SSO identifiers).
- Employment/HR-like data configured by Controller (e.g., employee number, union status, seniority, job status, date of hire, emergency contacts, gender preference fields, skills/qualifications, languages).
- Scheduling and assignment data (typical schedules, unavailability, bookings, VRS time slots, team leader flags), timesheets and expenses, signatures/attestations, attachments uploaded by users.
- Communications/notifications metadata (emails/SMS/browser notifications), logs, and change histories/audit trails.
- Location data if Controller enables geolocation or captures IP-based location; meeting links for remote sessions.
- Government or program identifiers submitted by Controller (e.g., medical card numbers or similar identifiers), where lawfully collected and configured by Controller.
- Any other Personal Data that Controller submits to the Services, at its discretion.
5.6 Special Categories:
The Services are not intended to require processing of special categories of data. Where Controller chooses to process such data, Controller is responsible for the lawful basis and for appropriate safeguards; Processor will apply the security measures described in Annex II.
6. Processor Obligations
6.1 Processing on Instructions.
Processor will process Personal Data only on documented instructions from Controller, including with regard to international transfers, unless required to do so by EU or Member State law; in such case, Processor will inform Controller of that legal requirement before processing (unless that law prohibits such information).
6.2 Confidentiality.
Processor ensures that persons authorized to process Personal Data are under appropriate confidentiality obligations.
6.3 Security.
Processor shall implement appropriate technical and organizational measures ("TOMs") to protect Personal Data as described in Annex II (Security Measures).
6.4 Sub-processors.
Controller hereby grants a general authorization for Processor to engage Sub-processors to support the Permitted Purpose, subject to the conditions in Section 7 and Annex III.
6.5 Assistance.
Taking into account the nature of the processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of Controller's obligations to respond to requests to exercise Data Subject Rights under the GDPR.
6.6 Breach Notification.
Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach and will provide information reasonably required for Controller to meet its breach-notification obligations.
6.7 Data Protection Impact Assessments.
Processor will provide Controller with reasonable assistance with data protection impact assessments and prior consultations with Supervisory Authorities, taking into account the nature of processing and information available to Processor.
6.8 Deletion or Return.
At termination of the Services, upon Controller's written request and subject to applicable law, Processor will return or delete Personal Data, as set out in Section 10.
6.9 Records and Audits.
Processor will maintain records of processing activities as required by Article 30(2) GDPR and make them available to the Supervisory Authority on request. Subject to Section 9, Processor will contribute to audits conducted by Controller or an independent auditor mandated by Controller.
7. Sub-processors
7.1 Authorization.
Processor has Controller's general authorization to appoint Sub-processors for hosting, infrastructure, communications delivery, analytics, and support, provided that Processor imposes data protection obligations on such Sub-processors no less protective than those set out in this DPA and remains responsible for their performance.
7.2 Changes.
Processor will provide advance notice of any intended changes concerning the addition or replacement of Sub-processors and allow Controller to object on reasonable grounds. If Controller objects, the parties will discuss in good faith to find a solution.
8. International Data Transfers
8.1 EEA/UK/Swiss Transfers.
Where Processor or its Sub-processors transfer Personal Data originating in the EEA, UK, or Switzerland to a country that does not ensure an adequate level of protection under applicable Data Protection Laws, such transfers will be governed by the applicable standard contractual clauses:
- For EEA transfers: the European Commission's Standard Contractual Clauses (SCCs) for controller-to-processor transfers (Module 2) and, where applicable, processor-to-processor transfers (Module 3).
- For UK transfers: the UK International Data Transfer Agreement (IDTA) or the UK International Data Transfer Addendum to the EU SCCs, each as issued by the UK Information Commissioner's Office (ICO), as applicable.
- For Swiss transfers: the SCCs with the adjustments required to address Swiss data protection law.
8.2 Supplementary Measures.
Processor will implement supplementary measures where required to ensure a level of protection essentially equivalent to that guaranteed in the EEA.
9. Audits and Certifications
9.1
Upon reasonable written notice, not more than once every 12 months (or more frequently following a confirmed Personal Data Breach), during normal business hours, Controller may audit Processor's compliance with this DPA. Audits will avoid disruption, maintain confidentiality, and first make use of available third-party compliance reports or certifications (e.g., ISO or SOC reports), if any.
9.2
Audit scope excludes information that would compromise Processor's or its Sub-processors' security or confidentiality.
10. Return and Deletion of Data
Within 90 days after termination or expiry of the Agreement, upon Controller's written request, Processor will provide Controller with an export of Personal Data in a commonly used, machine-readable format and will delete remaining Personal Data from its systems, except where retention is required by law or where Personal Data resides in technical backups that are automatically overwritten on scheduled cycles.
11. Liability
Liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement, to the maximum extent permitted by applicable law.
12. Miscellaneous
12.1 Conflict.
In case of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict as regards the processing of Personal Data.
12.2 Governing Law.
As set out in the Agreement, without prejudice to mandatory application of Data Protection Laws.
12.3 Severability.
If any provision of this DPA is held invalid, the remainder will continue in full force and effect.
Annex I – Details of Processing (GDPR Art. 28(3) and SCC Annex I)
A. List of Parties
- Data Exporter (Controller): Customer identified in the Agreement.
- Data Importer (Processor): InnuCloud Experts Inc., 2020 Trans-Canada Hwy, Dorval, Quebec H9P 2N4; contact: [email protected] (update during signature).
B. Description of Processing
- Categories of Data Subjects: as described in Section 5.4.
- Categories of Personal Data: as described in Section 5.5.
- Sensitive Data: not intended; may occur at Controller's discretion.
- Frequency of Transfer: continuous as needed for the Services.
- Nature of Processing and Purpose: as described in Section 5.3.
- Duration of Processing: for the term and as per Section 10.
- Competent Supervisory Authority: determined per GDPR Art. 56 based on Controller's main establishment in the EEA; for SCCs, the authority of the Member State where Controller is established.
Annex II – Technical and Organizational Measures
Processor maintains and will continue to maintain a security program appropriate to the risks, including the following controls, as applicable to the Services:
- Governance: documented security policies; role-based access; least privilege; personnel background checks where permitted; annual security training.
- Identity and Access Management: SSO (e.g., Microsoft Entra ID, formerly Azure AD), strong password policies, MFA where supported; session management; IP restriction options.
- Encryption: TLS for data in transit; encryption at rest for production data; key management with restricted access.
- Application Security: secure SDLC; code review; vulnerability scanning; dependency management; configuration hardening; CAPTCHA/anti-abuse on public endpoints where applicable.
- Data Segregation and Minimization: tenant logical separation; configurable retention; minimization of special categories; masking in lower environments.
- Logging and Monitoring: audit trails of material changes; system and access logs; alerting for anomalous behavior; time-synced logs retained per policy.
- Business Continuity and Backups: regular encrypted backups; restoration testing; high-availability architecture appropriate to SLA commitments.
- Physical and Infrastructure Security: reputable hosting providers with industry-standard certifications; network security (firewalls, segmentation).
- Incident Response: documented plan; 24x7 access to on-call responders; breach notification workflows supporting GDPR timelines.
- Vendor Risk Management: due diligence and contractual data-protection terms for Sub-processors; periodic reassessment.
- Data Subject Rights Support: tools or processes to export, correct, or delete data upon Controller's instructions.
- Privacy by Design: features designed to limit data collection; optional geolocation disabled unless enabled by Controller; configurable roles/permissions and audit logging.
Annex III – Authorized Sub-processors (General Authorization)
Processor is authorized to use the following categories of Sub-processors (non-exhaustive):
- Cloud infrastructure and storage providers (hosting, databases, content delivery).
- Email, SMS, and push-notification delivery providers.
- Customer support tools (ticketing and CRM) and error monitoring services.
- Analytics and telemetry platforms for service performance and security.
- Video-conferencing integrations as selected by Controller (e.g., Zoom, Teams, Google Meet) for meeting links and metadata only; Processor does not record or store meeting content unless configured by Controller.
A current list of specific Sub-processors will be provided upon request or through Processor's standard notice mechanism.
Signatures
| For Controller (Customer): | For Processor (InnuCloud Experts Inc.): |
|---|---|
| Name: __________________________ | Name: __________________________ |
| Title: __________________________ Date: ____________ | Title: __________________________ Date: ____________ |