Data Processing Agreement
Last modified: January 2026
This Personal Information Processing Agreement ("Processing Agreement") sets out additional terms, requirements, and conditions for collecting, processing, disclosing, transferring, or storing Personal Information when Accorderly Technologies Inc. ("Provider") provides the TermCal service under the Terms of Service ("Master Agreement") to you ("Customer").
1. Definitions and Interpretation
"Personal Information" means any information the Provider collects, uses, processes, or maintains for the Customer that relates to an identifiable individual and identifies or can be used to identify that individual, directly or indirectly.
"Processing" means any activity that involves the use of Personal Information. It includes obtaining, recording, or holding the data, or carrying out any operation or set of operations on the data including organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also includes transferring Personal Information to third parties.
"Privacy and Data Protection Requirements" means all applicable federal, provincial, and foreign laws and regulations relating to the processing, protection, or privacy of the Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies. This includes PIPEDA, the Quebec Act respecting the protection of personal information in the private sector, and GDPR where applicable.
"Security Breach" means any act or omission that compromises the security, confidentiality, or integrity of Personal Information or the physical, technical, administrative, or organizational safeguards put in place to protect it.
2. Personal Information Types and Processing Purposes
The Customer retains control of the Personal Information and remains responsible for its compliance obligations under the applicable Privacy and Data Protection Requirements, for providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Provider.
Categories of Personal Information processed:
• Documents and text input you provide (may contain names, addresses, contact information)
• Schedule and reminder data (titles, dates, terms)
• User account information (name, email address)
• Calendar and reminder data
Business Purposes:
• Extracting dates from documents using AI
• Storing documents and schedule data
• Sending reminder notifications
• Syncing calendars
3. Provider's Obligations
The Provider will only process the Personal Information to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer's instructions. The Provider will not process the Personal Information for any other purpose or in a way that does not comply with this Processing Agreement or the Privacy and Data Protection Requirements.
The Provider will maintain the confidentiality of all Personal Information and will not disclose Personal Information to third parties unless the Customer or this Processing Agreement specifically authorizes the disclosure in compliance with Privacy and Data Protection Requirements, or as otherwise required by law.
The Provider will reasonably assist the Customer with meeting the Customer's compliance obligations under the Privacy and Data Protection Requirements, considering the nature of the Provider's processing and the information available to the Provider.
4. Security
The Provider must at all times implement appropriate technical and organizational measures designed to safeguard Personal Information against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage.
Security measures include:
• Encryption of data in transit and at rest
• Access controls and authentication (role-based access)
• Regular security updates and vulnerability monitoring
• Data backup and recovery procedures
• Secure password hashing
5. Security Breaches and Personal Information Loss
The Provider will promptly notify the Customer if any Personal Information is lost or destroyed or becomes damaged, corrupted, or unusable. The Provider will restore such Personal Information at its own expense.
The Provider will notify the Customer within 72 hours if it becomes aware of any unauthorized or unlawful processing of the Personal Information or any Security Breach.
Immediately following any Security Breach, the Parties will coordinate with each other to investigate the matter. The Provider will reasonably cooperate with the Customer in the Customer's handling of the matter, including assisting with any investigation and providing the Customer with access to all relevant records, logs, files, and data.
The Customer has the sole right to determine whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by Privacy and Data Protection Requirements.
6. Cross-Border Personal Information Transfers
All data processing occurs within Canada and the European Union. The countries where the Provider may receive, access, transfer, or store Personal Information are:
• Canada (primary infrastructure)
• France (AI processing; email delivery)
The Provider will not transfer any Personal Information to another country unless the transfer complies with the Privacy and Data Protection Requirements. We are not subject to any US jurisdiction (including the CLOUD Act).
7. Subcontractors
The Provider uses subcontractors listed on our Subprocessors page. The Provider has entered into written contracts with each subcontractor that contain terms substantially the same as those set out in this Processing Agreement.
Where the subcontractor fails to fulfil its obligations under such written agreement, the Provider remains fully liable to the Customer for the subcontractor's performance of its agreement obligations.
8. Data Subject Requests and Third-Party Rights
The Provider must notify the Customer within 5 working days if it receives a request from a Data Subject for access to their Personal Information or a request to correct, delete, or withdraw consent from any use by Customer or Provider of same.
The Provider will give the Customer its full cooperation and assistance in responding to any complaint, notice, communication, or Data Subject request. Self-service tools are available in account settings for most requests.
9. Term and Termination
This Processing Agreement will remain in full force and effect so long as: (a) the Master Agreement remains in effect; or (b) the Provider retains any Personal Information related to the Master Agreement in its possession or control.
The Provider's failure to comply with the terms of this Processing Agreement is a material breach of the Master Agreement. In such event, the Customer may terminate the Master Agreement effective immediately upon written notice to the Provider.
10. Data Return and Destruction
At the Customer's request, the Provider will give the Customer a copy of or access to all or part of the Customer's Personal Information in its possession or control in a commonly used, machine-readable format.
On termination of the Master Agreement for any reason or expiration of its term, the Provider will securely destroy or, if directed in writing by the Customer, return and not retain, all Personal Information related to this Processing Agreement within 30 days.
If any law, regulation, or government or regulatory body requires the Provider to retain any documents or materials, it will notify the Customer in writing of that retention requirement. The Provider may only use this retained Personal Information for the required retention reason or audit purposes.
11. Audit
The Provider will keep detailed, accurate, and up-to-date records regarding any Personal Information processing it carries out for the Customer, including the access, control, and security of the Personal Information.
The Provider will ensure that the records are sufficient to enable the Customer to verify the Provider's compliance with its obligations under this Processing Agreement.
12. Notice and Contact
Any notice or other communication given under or in connection with this Processing Agreement must be in writing and delivered to:
For the Provider:
Privacy Officer
Accorderly Technologies Inc.
Email: privacy@termcal.com
For DPA-related inquiries or to request a signed copy of this agreement, please contact privacy@termcal.com.