Data Processing Agreement

Effective Date: February 1, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between BetterTable Inc. ("Processor", "we", "us") and the organization using our Services ("Controller", "you", "your"). This DPA sets out the terms under which BonAppify processes personal data on behalf of the Controller in connection with the provision of our food sustainability auditing platform.

1. Definitions

In this DPA, the following terms have the meanings set out below:

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller in connection with the Services.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Confidentiality Incident" (as defined by Quebec Law 25) or "Data Breach" means any unauthorized access to, use, disclosure, modification, loss, or destruction of Personal Data.

Terms not defined herein shall have the meanings given to them in the Terms of Service or applicable data protection legislation.

2. Scope & Purpose of Processing

This DPA applies to all Personal Data processed by BonAppify on behalf of the Controller in connection with the Services. The details of the processing are as follows:

Subject Matter: Provision of food sustainability auditing, waste tracking, carbon footprint calculation, and analytics services.

Duration: The processing continues for the duration of the Service agreement, plus any applicable data retention period.

Nature and Purpose: Processing of employee and operational data to deliver sustainability auditing services, generate reports, and provide analytics.

Categories of Data Subjects: Employees, contractors, and authorized users of the Controller's Business Account.

Types of Personal Data: Names, email addresses, job titles, user activity logs, and role assignments within the platform. Operational data (waste measurements, guest counts, cost data) is generally business data rather than personal data.

3. Obligations of the Processor

BonAppify, as Processor, shall:

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries. If required by applicable law to process Personal Data for any other purpose, we will inform the Controller in advance, unless prohibited by law.

Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA.

Not engage any Sub-processor without prior written authorization of the Controller, as described in Section 5 of this DPA.

Assist the Controller in fulfilling its obligations to respond to Data Subject requests, as described in Section 6 of this DPA.

Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits and inspections conducted by the Controller or its designated auditor.

At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless applicable law requires retention.

4. Obligations of the Controller

The Controller shall:

Ensure that its instructions regarding the processing of Personal Data comply with applicable data protection laws.

Obtain all necessary consents and provide all required notices to Data Subjects regarding the processing of their Personal Data by BonAppify.

Ensure that it has a lawful basis for transferring Personal Data to BonAppify for processing.

Promptly notify BonAppify of any changes to applicable data protection laws or regulations that may affect the processing of Personal Data under this DPA.

5. Sub-processors

The Controller provides general authorization for BonAppify to engage Sub-processors, subject to the following conditions:

BonAppify maintains a current list of Sub-processors, which is available upon request to the Controller.

BonAppify will notify the Controller of any intended changes to Sub-processors at least 30 days in advance, giving the Controller the opportunity to object.

If the Controller objects to a new Sub-processor, both parties will work in good faith to find an alternative solution. If no resolution is reached, the Controller may terminate the affected Services without penalty.

BonAppify ensures that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA.

Current Sub-processors include: Microsoft Azure (Canada Central) for cloud hosting and data storage; email delivery services for transactional notifications; and payment processing services for subscription billing.

6. Data Subject Rights

BonAppify will assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including:

Right of Access: Providing copies of Personal Data held within the platform.

Right of Rectification: Correcting inaccurate or incomplete Personal Data.

Right of Deletion: Deleting Personal Data from active systems and, after the backup retention period, from backup systems.

Right to Data Portability: Exporting Personal Data in a structured, commonly used, machine-readable format (JSON or CSV).

Right to Withdraw Consent: Facilitating the withdrawal of consent and cessation of processing where consent is the basis for processing.

BonAppify will respond to Controller requests related to Data Subject rights without undue delay and within 15 business days. Costs associated with manifestly unfounded or excessive requests may be charged to the Controller.

7. International Data Transfers

Personal Data processed under this DPA is stored and processed primarily within Canada, in the Microsoft Azure Canada Central region.

In the event that any processing occurs outside of Canada, BonAppify will:

Notify the Controller in advance of any such transfer.

Ensure that the transfer is subject to appropriate safeguards, including contractual clauses that provide a substantially similar level of protection to that afforded under Canadian privacy legislation.

Ensure that the receiving jurisdiction provides an adequate level of data protection or that supplementary measures are in place to bridge any gaps in protection.

The Controller acknowledges that certain Sub-processors may process limited data (such as email addresses for transactional emails) in jurisdictions outside Canada, subject to the safeguards described above.

8. Security Measures

BonAppify implements and maintains the following technical and organizational security measures:

Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.

Access Control: Role-based access controls, multi-factor authentication, and the principle of least privilege. Administrative access requires additional verification.

Network Security: Firewalls, intrusion detection/prevention systems, and DDoS mitigation. Network traffic monitoring and logging.

Application Security: Regular code reviews, automated security testing (SAST/DAST), and dependency vulnerability scanning.

Physical Security: Hosting infrastructure (Microsoft Azure) maintains SOC 2 Type II, ISO 27001, and other physical and environmental security certifications.

Backup & Recovery: Regular automated backups with encryption. Documented disaster recovery procedures with defined recovery time and recovery point objectives.

Personnel Security: Background checks for employees with data access. Mandatory security awareness training. Confidentiality agreements for all personnel.

These measures are reviewed and updated at least annually or when significant changes occur in the threat landscape or technology environment.

9. Breach Notification

In the event of a Confidentiality Incident or Data Breach affecting Personal Data processed under this DPA, BonAppify will:

Notify the Controller without undue delay and no later than 48 hours after becoming aware of the incident.

Provide the Controller with sufficient information to enable the Controller to fulfill its own notification obligations to regulators and Data Subjects, including: the nature of the incident, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the incident.

Cooperate with the Controller in investigating and mitigating the incident.

Document all incidents and maintain a record of the facts, effects, and remedial actions taken.

Not notify Data Subjects or regulators directly without the Controller's prior authorization, unless required by law to do so independently.

10. Term & Termination

This DPA shall remain in effect for the duration of the Service agreement between the parties and for as long as BonAppify processes Personal Data on behalf of the Controller.

Upon termination of the Service agreement:

BonAppify will cease processing Personal Data on behalf of the Controller, except as necessary to comply with legal obligations.

At the Controller's request, BonAppify will return or export all Personal Data in a structured, commonly used format within 30 days of the termination date.

If no request is made within 30 days, BonAppify will securely delete all Personal Data from active systems. Backup copies will be deleted within the standard 90-day backup retention cycle.

The provisions of this DPA that by their nature should survive termination (including confidentiality obligations, liability limitations, and indemnification) shall continue in effect.

11. Liability & Indemnification

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

BonAppify shall indemnify the Controller against any losses, damages, or expenses (including reasonable legal fees) arising from BonAppify's breach of this DPA or applicable data protection laws, provided that the Controller promptly notifies BonAppify of any claim and cooperates in its defense.

This DPA does not limit either party's liability for breaches caused by willful misconduct or gross negligence.

12. General Provisions

Governing Law: This DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein.

Amendments: This DPA may only be amended in writing, signed by both parties. BonAppify may update this DPA to reflect changes in applicable law with 30 days' prior notice to the Controller.

Conflict: In the event of a conflict between this DPA and the Terms of Service, the provisions of this DPA shall prevail with respect to data protection matters.

Severability: If any provision of this DPA is found to be unenforceable, the remaining provisions shall continue in full force and effect.

For questions about this Data Processing Agreement, please contact: BetterTable Inc., 142-757 Hastings St W, Vancouver, BC V6C 1A1, Canada. Email: info@bettertable.com.

© 2026 BetterTable Inc. All rights reserved.