Data Processing & Subprocessors
Draft — pending legal review. Not yet in effect.
Version 0.1 · Effective date: pending counsel sign-off. This document is published for transparency and is not a binding agreement until a reviewed version takes effect.
This Data Processing Addendum forms part of the Terms of Service between Miles Rae, operating as Advirra ("Advirra"), and the Customer. It governs Advirra's processing of personal information that the Customer places in its instance of the Service ("Instance Data").
1. Roles and scope
1.1 For Instance Data, the Customer is the organization accountable under PIPEDA/Law 25 for the personal information of its clients; Advirra is a service provider processing Instance Data solely on the Customer's documented instructions as embodied in the Service's functionality and the Customer's use of it.
1.2 Instance Data may include: client and household contact details, dates of birth, government identifiers (including Social Insurance Numbers), know-your-client and suitability records, account and asset information, meeting notes, documents, and correspondence.
2. Advirra's obligations
Advirra will:
- (a) process Instance Data only to provide, secure, and support the Service, and never for its own purposes (no marketing, analytics products, or model training on Instance Data);
- (b) ensure persons authorized to process Instance Data are bound by confidentiality;
- (c) implement and maintain the safeguards in Section 4;
- (d) assist the Customer, by appropriate technical and organizational measures, in responding to individuals' access/correction requests;
- (e) notify the Customer as set out in Section 6 upon a confirmed breach of security safeguards involving Instance Data;
- (f) delete Instance Data on the schedule in the Terms (60-day export window after cancellation, then deletion, with backups expiring on their fixed schedule) and confirm deletion in writing on request;
- (g) make available information reasonably necessary to demonstrate compliance, including the Security Overview and, when available, third-party audit reports;
- (h) not disclose Instance Data to any authority except under a valid legal demand, and notify the Customer of such demands unless legally prohibited.
3. Subprocessors
3.1 The Customer authorizes the following subprocessors:
| Subprocessor | Purpose | Location of processing |
|---|---|---|
| Amazon Web Services, Inc. (AWS) | Cloud hosting: compute, database, storage, key management, email delivery | Canada (ca-central-1) |
| Stripe, Inc. | Payment processing and tax calculation (platform billing data only — no Instance Data) | Canada/US (Stripe's infrastructure) |
| GitHub, Inc. | Source-code hosting and CI (no Instance Data) | US |
| ntfy (ntfy.sh) | Operational alerting to Advirra staff (system identifiers only — no Instance Data) | EU (ntfy.sh) |
3.2 Advirra will give the Customer at least 30 days' notice before adding or replacing a subprocessor that processes Instance Data. If the Customer reasonably objects on data-protection grounds and Advirra cannot offer an alternative, the Customer may terminate the affected Service and receives a pro-rata refund of prepaid fees.
3.3 Advirra remains responsible for its subprocessors' performance.
4. Security measures
As detailed in the Security Overview:
- Per-customer isolation: dedicated application container, dedicated logical database with unique credentials, dedicated S3 bucket, dedicated KMS encryption key.
- Encryption in transit (TLS) and at rest; field-level encryption of sensitive identifiers (e.g. SINs) under the customer-dedicated key.
- Data residency: all Instance Data (including backups) in AWS ca-central-1.
- Multi-factor authentication; role-based access in the Customer's instance; per-instance audit logging of administrative and data changes.
- No standing Advirra access to instance databases; break-glass access is reasoned, time-boxed, auto-revoked, and logged.
- Backups meeting RPO ≤ 24h; restore capability targeting RTO ≤ 8 business hours.
5. Data residency
Instance Data is stored and processed in Canada (AWS ca-central-1). Advirra will not transfer Instance Data outside Canada without the Customer's prior written agreement and 30 days' notice.
6. Breach notification
6.1 Advirra will notify the Customer without undue delay, and in any event within 72 hours of confirming a breach of security safeguards involving Instance Data, with: the nature and scope of the breach, the categories and approximate volume of records involved, measures taken or proposed, and a contact point.
6.2 Advirra will cooperate with the Customer's own assessment of "real risk of significant harm" and its notifications to individuals, the Privacy Commissioner of Canada, and (where applicable) Quebec's Commission d'accès à l'information, and will maintain its own breach register.
7. Audit
Advirra will respond to the Customer's reasonable written security questionnaires no more than once per year, and will make available summaries of any third-party assessments.
8. Return and deletion
On termination, the Customer may export Instance Data through the Service during the 60-day export window; Advirra will provide a complete machine-readable export on request. Deletion then proceeds per the Terms, including scheduled destruction of the customer-dedicated KMS key, which renders residual encrypted materials unreadable.
9. Precedence
If this DPA conflicts with the Terms regarding Instance Data, this DPA prevails.