Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between AtlasBrokers Inc. ("Processor") and the customer ("Controller"). It describes how we process personal data on your behalf.

• Personal Data — Any information relating to an identified or identifiable individual, including name, email, phone number, and any data stored in your workspace.
• Processing — Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
• Controller — You (the customer) who determines the purposes and means of processing personal data through the Service.
• Processor — AtlasBrokers Inc., which processes personal data on behalf of the Controller in accordance with this DPA.
• Sub-Processor — A third-party service provider engaged by AtlasBrokers to assist in processing personal data.
• Data Subject — The individual whose personal data is being processed (e.g., your clients, leads, or contacts).

We process the following categories of personal data for the purposes described below:

Categories of Data

• Contact Information — Names, email addresses, phone numbers, and mailing addresses of your clients and leads.
• Business Data — Insurance policy details, quotes, claims, and related business records stored in your workspace.
• Communication Records — Email content, SMS messages, and call logs related to client communications.
• Documents & Files — Documents, images, and files uploaded to your workspace.
• Account Data — User account information including login credentials, profile details, and workspace settings.

Purposes of Processing

• Providing and maintaining the AtlasBrokers platform and workspace services.
• Processing and storing CRM data, leads, and client records as instructed by the Controller.
• Sending transactional communications (emails, SMS) on behalf of the Controller.
• Providing AI-powered features including lead scoring, email drafting, and analytics.
• Generating reports, dashboards, and analytics to help the Controller manage their business.

We use the following sub-processors to help deliver the Service. Each sub-processor is bound by data processing agreements that meet PIPEDA requirements.

We will notify you of any changes to our sub-processors with at least 30 days' notice, giving you the opportunity to object before the change takes effect.

We implement appropriate technical and organizational measures to protect personal data:

• Encryption — All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database connections use SSL.
• Access Controls — Role-based access controls with least-privilege principles. All access is logged and auditable.
• Network Security — Private networking, firewall rules, and DDoS protection across all infrastructure.
• Monitoring — 24/7 monitoring with automated alerts for security anomalies and unauthorized access attempts.
• Backup & Recovery — Automated encrypted backups with point-in-time recovery. Backups are retained for 30 days.
• Vulnerability Management — Regular security scanning, dependency audits, and penetration testing.

For more details, see our Security page for a comprehensive overview of our security practices.

We assist you in fulfilling data subject requests under PIPEDA and applicable provincial legislation:

• Request Routing — Data subject requests received by AtlasBrokers are promptly forwarded to you (the Controller) for handling.
• Assistance — We provide reasonable technical assistance to help you respond to access, correction, and deletion requests.
• Self-Service Tools — Workspace owners can export, modify, or delete data directly through the platform's built-in tools.
• Response Timeframe — We support your obligation to respond to data subject requests within 30 days as required by PIPEDA.

Personal data may be transferred and processed outside of Canada. We ensure appropriate safeguards are in place:

• Primary Storage — All primary data is stored in North American data centers (US-East / Canada).
• Cross-Border Transfers — Where data is processed by sub-processors outside Canada, we ensure compliance with PIPEDA's requirements for cross-border transfers.
• Contractual Safeguards — All sub-processors are bound by data processing agreements that require equivalent levels of data protection.
• Transparency — Our sub-processor list (above) discloses all locations where personal data may be processed.

You have the right to verify our compliance with this DPA through the following mechanisms:

• Documentation — We make available relevant security documentation, certifications, and audit reports upon request.
• Third-Party Audits — We engage independent third-party auditors to verify our security and privacy practices.
• On-Site Audits — Enterprise customers may request on-site audits with reasonable advance notice and at their own expense.
• Frequency — Audit requests are accommodated up to once per year, unless a data breach or material concern warrants additional review.

This DPA remains in effect for as long as we process personal data on your behalf:

• Duration — This DPA is effective from the date you begin using the Service and continues until your account is terminated.
• Data Return — Upon termination, you may export all personal data from your workspace within 30 days.
• Data Deletion — After the 30-day export period, all personal data is permanently deleted from our systems within 90 days.
• Surviving Obligations — Confidentiality and data protection obligations survive termination of this DPA.

For questions about this Data Processing Agreement, please contact us: