Data Processing Agreement (DPA)
Last Updated: 2025-12-01
1. Introduction
This Data Processing Agreement ("DPA") is entered into between Hivi (Hivi-x) ("Processor," "we," "us") and the business user ("Controller," "you") that uses Hivi-x (the "Service") to collect and process personal data about their clients or end-users.
When you use the Service as a business to collect personal data, including identification documents, health information, or other personal information from your clients, you act as the data controller and we act as the data processor for that data. This DPA sets out the terms on which we process that data on your behalf.
2. Definitions
- Controller: The business user (you) who determines the purposes and means of processing personal data of their clients or end-users through the Service.
- Processor: Hivi (Hivi-x), which processes personal data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person that the Controller provides or that is submitted to the Service by or on behalf of the Controller's clients or end-users.
- Processing: Any operation performed on Personal Data (collection, storage, use, disclosure, etc.).
- Data Subject: The individual to whom the Personal Data relates (e.g., your client or end-user).
- Sub-processor: Any third party engaged by the Processor to process Personal Data on the Processor's behalf.
3. Scope and Roles
3.1 This DPA applies to all Processing of Personal Data by the Processor on behalf of the Controller when the Controller uses the Service to collect, store, or process data about their clients or end-users.
3.2 The Controller is responsible for ensuring that it has a lawful basis and has provided appropriate notice (including a privacy notice) to Data Subjects before collecting their Personal Data through the Service. The Controller shall not use the Service to collect Personal Data in violation of applicable law or without the necessary consent or legal basis.
3.3 The Processor shall process Personal Data only on the Controller's documented instructions, including as set out in this DPA and the Terms of Service, unless required to do otherwise by applicable law.
3.4 If the Controller enables calendar features (including Google Calendar synchronization), the Controller instructs the Processor to process calendar event data, reminder metadata, and synchronization metadata as needed to provide those features under the Service.
4. Security and Confidentiality
4.1 The Processor shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration, in line with the Processor's Privacy Policy and security practices.
4.2 The Processor shall ensure that any person authorized to process Personal Data is bound by confidentiality obligations.
5. Sub-processors
5.1 The Controller acknowledges that the Processor may use Sub-processors (e.g., infrastructure, hosting, payment processing) to provide the Service. A list of key Sub-processors is available in the Processor's Privacy Policy.
5.2 The Processor shall ensure that any Sub-processor is bound by contractual obligations that are substantially equivalent to those in this DPA.
6. Data Subject Rights
6.1 The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights (e.g., access, correction, deletion, portability) to the extent necessary and as permitted by the Service functionality. The Controller remains responsible for responding to Data Subject requests; the Processor will provide support as set out in the Service and documentation.
7. Data Breach
7.1 The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data, and shall provide information reasonably necessary to allow the Controller to meet any legal reporting or notification obligations.
8. Return and Deletion of Data
8.1 Upon termination of the Controller's use of the Service or upon the Controller's request, the Processor shall, in accordance with the Service's data retention and deletion procedures, delete or return Personal Data processed on behalf of the Controller, unless required to retain it by law.
9. Audits and Compliance
9.1 The Processor shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits or inspections as required by applicable law, subject to reasonable notice and confidentiality.
10. Governing Law
10.1 This DPA shall be governed by the laws of the Province of Ontario, Canada, and is subject to the Terms of Service. In the event of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data on behalf of the Controller.
11. Contact
Questions regarding this DPA may be sent to: support@hivi.ca.
Effective Date: 2025-12-01