Data Processing Agreement (DPA)
Last Updated: March 12, 2026
Enterprise Data Protection
This Data Processing Agreement governs how CanadaInvesting processes personal data on behalf of our enterprise clients, ensuring PIPEDA compliance and data protection best practices.
PIPEDA
Compliant
SOC 2
In Progress
24/7
Monitoring
1. Parties and Definitions
1.1 Parties
- Data Controller: The Client organization using CanadaInvesting services
- Data Processor: CanadaInvesting Inc., Toronto, ON
- Data Protection Officer: Arthur Kostaras (support@canadainvesting.app)
1.2 Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined under PIPEDA
- Processing: Any operation performed on personal data, including collection, storage, analysis, and deletion
- Data Breach: Any unauthorized access, disclosure, or loss of personal data
- Sub-processor: Third-party service providers engaged to assist with data processing
2. Data Processing Details
2.1 Categories of Personal Data
Investor Contact Data
- Name and title
- Email address
- Phone number
- Investment preferences
Advisor Professional Data
- CIRO registration details
- Designations (CFA, CFP, CIM)
- Geographic service areas
- Professional profile data
2.2 Processing Purposes
- Advisor-investor matching and recommendations
- Lead distribution and communication facilitation
- Platform analytics and service improvement
- Customer support and technical assistance
- Billing and subscription management
- Compliance monitoring and quality assurance
2.3 Data Retention
- Active Account Data: Retained while account is active plus 90 days
- Transaction Records: 7 years (CRA requirement compliance)
- Marketing Communications: Until unsubscribed plus 30 days
- Support Records: 3 years for quality assurance
3. Technical and Organizational Security Measures
3.1 Technical Safeguards
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Controls: Multi-factor authentication required
- Monitoring: 24/7 security monitoring and alerting
- Backups: Automated daily backups with 30-day retention
- Infrastructure: Railway platform with enterprise security
3.2 Organizational Controls
- Staff Training: Privacy and security training for all personnel
- Access Management: Role-based access with regular reviews
- Incident Response: 24-hour breach notification protocol
- Auditing: Regular security assessments
- Documentation: Comprehensive security policies
4. Sub-processors
4.1 Authorized Sub-processors
| Service Provider | Service | Data Location | Compliance |
|---|---|---|---|
| Railway | Platform Hosting | Google Cloud (US) | SOC 2, ISO 27001 |
| Stripe | Payment Processing | US/Canada | PCI DSS Level 1 |
| Resend | Email Communications | US | SOC 2 Type II |
4.2 Sub-processor Management
- All sub-processors undergo security and privacy assessments
- Contractual data protection obligations equivalent to this DPA
- 30-day advance notice for new sub-processors
- Client right to object to sub-processor changes
5. Data Subject Rights
5.1 Individual Rights Under PIPEDA
- Right to access personal information
- Right to correction of inaccurate data
- Right to withdraw consent
- Right to file complaints with Privacy Commissioner
- Right to reasonable explanation of data use
5.2 Response Procedures
- 30-day maximum response time
- Dedicated privacy email: support@canadainvesting.app
- Phone support: (647) 956-7290
- Identity verification required
- Written responses with clear explanations
6. Data Breach Notification
6.1 Notification Timeline
24 hours
Initial notification to Client
72 hours
Detailed incident report
30 days
Post-incident review
6.2 Notification Content
- Nature and scope of the data breach
- Categories and number of affected individuals
- Likely consequences and potential harm
- Measures taken to address the breach
- Recommendations for Client actions
7. Agreement Terms
- This DPA remains in effect while processing personal data for Client
- Survives termination of main service agreement for data retention period
- Governed by the laws of Ontario, Canada
- Subject to PIPEDA and applicable provincial privacy laws
- Data return or destruction within 90 days of termination
8. Contact Information
Data Protection Officer
Name: Arthur Kostaras
Title: Privacy Officer & CEO
Email: support@canadainvesting.app
Phone: (647) 956-7290
Regulatory Authority
Agency: Office of the Privacy Commissioner of Canada
Website: www.priv.gc.ca
Phone: 1-800-282-1376
Email: info@priv.gc.ca