Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between the Customer (acting as controller) and Quiresoft Technologies Inc. (acting as processor) and applies to Quiresoft’s processing of personal information about the Customer’s End Clients and other individuals on the Customer’s behalf. It is intended to satisfy Article 28 of the GDPR and the comparable accountability requirements of PIPEDA and Quebec’s Law 25. If there is any conflict between this DPA and the Terms regarding the processing of such personal information, this DPA controls.

1. Roles and Scope

For personal information that the Customer submits about its End Clients, jobs, quotes, and invoices, the Customer is the controller and Quiresoft is the processor. Quiresoft processes such personal information only to provide the Service and as instructed by the Customer. The subject matter is the provision of the Service; the duration is the term of the Account; the nature and purpose are the operation of field-service management, quoting, invoicing, scheduling, and payment-related functions; the types of data are those described in Section 3 of the Privacy Policy; and the data subjects are the Customer’s End Clients and personnel.

2. Processing Instructions

Quiresoft will process personal information only on the documented instructions of the Customer, including as set out in the Terms and this DPA, unless required to do otherwise by law, in which case Quiresoft will inform the Customer of that legal requirement before processing unless prohibited from doing so.

3. Confidentiality and Security

Quiresoft ensures that personnel authorized to process personal information are bound by confidentiality obligations. Quiresoft maintains the technical and organizational security measures described in Section 9 of the Privacy Policy, appropriate to the risk.

4. Sub-Processors

The Customer authorizes Quiresoft to engage the sub-processors listed in Section 6 of the Privacy Policy. Quiresoft imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for their performance. Quiresoft will maintain an up-to-date list of sub-processors and will give the Customer reasonable prior notice of the addition or replacement of a sub-processor, allowing the Customer to object on reasonable data-protection grounds.

5. Data Subject Requests

Taking into account the nature of the processing, Quiresoft will assist the Customer by appropriate technical and organizational measures, insofar as possible, in responding to requests from individuals exercising their rights under applicable law. Where Quiresoft receives such a request directly, it will forward it to the Customer.

6. Breach Notification

Quiresoft will notify the Customer without undue delay after becoming aware of a personal-data breach affecting the Customer’s data, and will provide information reasonably available to assist the Customer in meeting its own breach-notification and reporting obligations under PIPEDA, Law 25, the GDPR, and other applicable laws.

7. Deletion and Return

On termination of the Account, Quiresoft will, at the Customer’s choice, delete or return the personal information processed on the Customer’s behalf, and delete existing copies, except to the extent retention is required by law, in accordance with the retention period described in Section 8 of the Privacy Policy.

8. Audits and International Transfers

Quiresoft will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to reasonable audits, subject to confidentiality. Where personal information is transferred across borders, Quiresoft relies on the lawful transfer mechanisms described in Section 7 of the Privacy Policy, including the Standard Contractual Clauses, which are incorporated by reference where applicable.