Data Processing Addendum
Genuics — Analytics, Case Management & AI Platform
Effective Date: April 3, 2026
Last Updated: April 3, 2026
This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Service ("Agreement") between 1001560798 Ontario Inc., operating as Genuics ("Processor," "Genuics," "we," or "us") and the entity or individual agreeing to the Terms of Service ("Controller," "Customer," or "you").
This DPA applies to the extent that Genuics processes Personal Data on behalf of the Customer in the course of providing the Service.
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given to them in the Agreement.
"Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to the parties, including but not limited to: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA); the European Union General Data Protection Regulation (EU GDPR, Regulation 2016/679); the United Kingdom General Data Protection Regulation (UK GDPR); the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA); and any substantially similar provincial privacy laws in Canada (including Quebec's Act respecting the protection of personal information in the private sector).
"Controller" means the entity that determines the purposes and means of the processing of Personal Data. In the context of this DPA, the Controller is the Customer.
"Data Subject" means an identified or identifiable individual to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person that is contained within Customer Data and processed by Genuics on behalf of the Customer.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"Processor" means the entity that processes Personal Data on behalf of the Controller. In the context of this DPA, the Processor is Genuics.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Sub-processor" means a third party engaged by Genuics to process Personal Data on behalf of the Customer.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data approved by the European Commission, as applicable to the transfer of Personal Data to processors in third countries.
2. Scope and Roles
2.1. This DPA applies only to Personal Data that is contained within Customer Data and processed by Genuics on behalf of the Customer through the Service.
2.2. The Customer acts as the Controller of Personal Data, and Genuics acts as the Processor.
2.3. This DPA does not apply to data for which Genuics acts as a data controller, such as account registration data and usage analytics, which are governed by the Privacy Policy.
3. Details of Processing
3.1. Subject Matter: Processing of Customer Data as part of providing the analytics, case management, and AI features of the Service.
3.2. Duration: For the term of the Agreement, plus the data retention period specified in the Agreement (thirty (30) days following termination).
3.3. Nature and Purpose of Processing: Storage, analysis, transformation, visualization, AI-powered analysis (on eligible paid plans), case management, reporting, and any processing necessary to deliver the features of the Service as described in the Agreement and documentation.
3.4. Types of Personal Data: Determined by the Customer and may include, but is not limited to: names, email addresses, phone numbers, addresses, identification numbers, financial data, employment data, health data, demographic data, and any other categories of personal data contained in datasets or files uploaded by the Customer.
3.5. Categories of Data Subjects: Determined by the Customer and may include, but are not limited to: the Customer's customers, employees, contractors, partners, patients, students, or any other individuals whose data the Customer uploads to the Service.
4. Obligations of the Processor (Genuics)
Genuics shall:
4.1. Process Personal Data only on documented instructions from the Controller (i.e., as described in the Agreement and this DPA), unless required to do so by applicable law. If Genuics is required by law to process Personal Data other than in accordance with the Controller's instructions, Genuics will notify the Controller of that legal requirement before processing, unless prohibited by law from doing so.
4.2. Ensure that all personnel authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
4.3. Implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, as described in Section 7 of this DPA.
4.4. Comply with the conditions for engaging Sub-processors as set out in Section 6 of this DPA.
4.5. Taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to Data Subject requests to exercise their rights under Applicable Data Protection Law.
4.6. Assist the Controller in ensuring compliance with the Controller's obligations regarding security of processing, notification of Personal Data Breaches, data protection impact assessments, and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to Genuics.
4.7. At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of the Service, and delete existing copies unless applicable law requires continued storage. The Service provides data export functionality (including dataset downloads, report exports, and dashboard exports in PDF and PNG formats) to facilitate data retrieval prior to deletion.
4.8. Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or a qualified third-party auditor mandated by the Controller, subject to the terms of Section 9 of this DPA.
4.9. Immediately inform the Controller if, in Genuics's opinion, an instruction from the Controller infringes Applicable Data Protection Law.
5. Obligations of the Controller (Customer)
The Customer shall:
5.1. Ensure that it has all necessary rights, consents, and legal bases required under Applicable Data Protection Law to upload and process Personal Data through the Service.
5.2. Ensure that Data Subjects have been provided with appropriate privacy notices regarding the processing of their Personal Data, including the transfer of data to Genuics as a Processor.
5.3. Provide documented processing instructions to Genuics. The Agreement and this DPA constitute the Customer's complete processing instructions at the time of signing.
5.4. Be responsible for the accuracy, quality, and legality of Customer Data and the means by which it was collected.
5.5. Promptly notify Genuics if the Customer becomes aware of any circumstances that could affect Genuics's ability to comply with Applicable Data Protection Law.
6. Sub-processors
6.1. The Customer provides general authorization for Genuics to engage Sub-processors to process Personal Data on behalf of the Customer.
6.2. The current list of Sub-processors is:
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform (Google LLC) | Cloud infrastructure, hosting, and data storage | United States (us-central1) |
| Neon Tech Inc. | Database hosting (PostgreSQL) | United States |
| Google Cloud Vertex AI (Google LLC) | AI/ML processing for data analysis and insight generation (paid plans only) | United States |
| Stripe, Inc. | Payment processing | United States |
| Email Service Provider* | Transactional and notification email delivery | United States |
*We use an industry-standard transactional email service. The specific provider may change; this table will be updated accordingly.
6.3. Genuics shall notify the Customer by email at least thirty (30) days before adding or replacing a Sub-processor, providing the Customer an opportunity to object to the change. If the Customer objects to the new Sub-processor on reasonable grounds related to data protection, the parties will work in good faith to resolve the objection. If no resolution can be reached within thirty (30) days, the Customer may terminate the affected portion of the Service without penalty.
6.4. Genuics shall enter into a written agreement with each Sub-processor that imposes data protection obligations no less protective than those set out in this DPA.
6.5. Genuics remains fully liable to the Customer for the performance of each Sub-processor's obligations.
7. Security Measures
7.1. Genuics implements and maintains the following technical and organizational measures to protect Personal Data:
Infrastructure Security:
- (a) Data stored on SOC 2 certified cloud infrastructure (Google Cloud Platform, Neon);
- (b) Encryption of data at rest using AES-256 encryption;
- (c) Encryption of data in transit using TLS 1.2 or higher;
- (d) Multi-tenant architecture with row-level security ensuring logical data isolation between customers;
- (e) Regular automated backups with encrypted storage.
Access Controls:
- (f) Role-based access controls (RBAC) for internal access to production systems;
- (g) Principle of least privilege for all system access;
- (h) Multi-factor authentication for administrative access to infrastructure;
- (i) Unique user credentials for all authorized personnel.
Application Security:
- (j) Secure authentication mechanisms including password hashing (bcrypt/argon2) and SSO integration;
- (k) Regular security audits and vulnerability assessments;
- (l) Input validation and protection against common web vulnerabilities (SQL injection, XSS, CSRF);
- (m) Rate limiting to prevent abuse and denial-of-service attacks.
Operational Security:
- (n) Logging and monitoring of access to systems containing Personal Data;
- (o) Incident response procedures;
- (p) Personnel confidentiality obligations.
7.2. Genuics shall regularly review and update its security measures to ensure they remain appropriate to the risks presented by the processing.
8. Personal Data Breach Notification
8.1. Genuics shall notify the Customer of a confirmed Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware of it.
8.2. The notification shall include, to the extent known:
- (a) A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects affected and the categories and approximate number of Personal Data records concerned;
- (b) The name and contact details of Genuics's point of contact for further information;
- (c) A description of the likely consequences of the Personal Data Breach;
- (d) A description of the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects.
8.3. If it is not possible to provide all information at the time of the initial notification, Genuics shall provide information in phases without further undue delay.
8.4. Genuics shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data Breach.
9. Audits
9.1. Upon the Customer's written request, and no more than once per twelve (12) month period, Genuics shall make available information reasonably necessary to demonstrate compliance with this DPA.
9.2. If the Customer requires an audit beyond the information provided, the Customer may engage a qualified, independent third-party auditor (subject to reasonable confidentiality obligations) to conduct an audit of Genuics's processing activities related to this DPA.
9.3. Audits shall be conducted during regular business hours, with at least thirty (30) days' advance written notice, and shall not unreasonably interfere with Genuics's business operations.
9.4. The Customer shall bear the costs of any audit, unless the audit reveals a material breach of this DPA by Genuics, in which case Genuics shall bear the reasonable costs of the audit.
9.5. Genuics may satisfy audit requests by providing relevant certifications, audit reports (such as SOC 2 Type II reports), or third-party assessment reports that address the matters covered by the requested audit.
10. International Data Transfers
10.1. Customer Data and Personal Data are stored and processed in the United States by Genuics and its Sub-processors. Data residency selection is not currently available; all Customer Data is processed and stored in the United States regardless of the Customer's location or subscription plan.
10.2. Transfers from Canada: Transfers of Personal Data from Canada to the United States are conducted in accordance with PIPEDA's requirements regarding accountability for data transferred to third parties. Genuics ensures through contractual means that Personal Data transferred outside of Canada receives a comparable level of protection.
10.3. Transfers from the EEA/UK: Where Personal Data originating in the EEA or UK is transferred to the United States or another country not recognized as providing adequate data protection, the transfer is conducted in reliance on:
- (a) Standard Contractual Clauses (SCCs) approved by the European Commission (Module Two: Controller to Processor); and/or
- (b) Any other valid transfer mechanism under Applicable Data Protection Law.
10.4. The Customer may request a copy of the applicable transfer safeguards by contacting privacy@genuics.com.
11. Data Subject Rights
11.1. If Genuics receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Customer, Genuics shall promptly redirect the Data Subject to the Customer and notify the Customer of the request.
11.2. Genuics shall provide reasonable assistance to the Customer in responding to Data Subject requests, including requests for access, rectification, erasure, restriction, portability, or objection, taking into account the nature of the processing.
11.3. To the extent that the Customer is unable to independently access the relevant Personal Data within the Service, Genuics shall provide reasonable cooperation and assistance to fulfil the request.
12. Data Retention and Deletion
12.1. Upon termination or expiration of the Agreement, Genuics shall retain Customer Data (including any Personal Data therein) for a period of thirty (30) days to permit the Customer to export or retrieve their data using the Service's built-in export functionality.
12.2. After the thirty (30) day retention period, Genuics shall permanently and irrecoverably delete all Customer Data from its production systems and backup infrastructure, unless applicable law requires continued retention.
12.3. Upon the Customer's written request, Genuics shall provide written confirmation of data deletion.
13. HIPAA Considerations
13.1. HIPAA-compliant configurations and Business Associate Agreements (BAAs) are available exclusively to customers on an Enterprise subscription plan.
13.2. If the Customer intends to use the Service to process Protected Health Information (PHI) as defined under the United States Health Insurance Portability and Accountability Act (HIPAA), the Customer must: (a) subscribe to an Enterprise plan; and (b) execute a separate Business Associate Agreement with Genuics prior to processing any PHI.
13.3. Customers on Free, Starter, or Pro plans must not upload PHI to the Service. Genuics is not liable for any HIPAA violations resulting from the Customer's upload of PHI without an executed BAA.
13.4. The Service infrastructure (Google Cloud Platform, Neon) supports HIPAA-compliant configurations. However, HIPAA compliance is a shared responsibility, and the Customer is responsible for configuring and using the Service in a manner consistent with HIPAA requirements.
14. Limitation of Liability
14.1. The liability of each party under this DPA is subject to the limitations of liability set forth in the Agreement.
14.2. This DPA does not create any independent right to damages or remedies beyond those available under the Agreement.
15. Conflict
15.1. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
15.2. In the event of any conflict between this DPA and any Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
16. Term
16.1. This DPA shall remain in effect for the duration of the Agreement and shall automatically terminate upon termination or expiration of the Agreement, subject to Section 12 (Data Retention and Deletion).
17. Governing Law
17.1. This DPA shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, except where Applicable Data Protection Law requires the application of the law of another jurisdiction.
18. Contact
For questions about this DPA, please contact:
1001560798 Ontario Inc. (operating as Genuics)
Data Protection Inquiries
Email: privacy@genuics.com
Website: genuics.com
© 2026 1001560798 Ontario Inc. operating as Genuics. All rights reserved.