DATA PROTECTION AGREEMENT

Quotely Labs Inc.

Effective Date: May 8th, 2026

This Data Protection Agreement (“DPA”) is made as of the DPA Effective Date (defined below) between Quotely Labs Inc., a Canadian corporation with a place of business at 407 9th Ave SE, Calgary, AB T2G 2K7, Canada (“Supplier” or “Company”), and _________________________, a _____________________ located at ______________________ (“Customer”).

This DPA is incorporated into and forms part of the Quotely Software-As-A-Service Agreement between Company and Customer (a generic template of which is available at https://quoteperfectly.com/terms-of-service/), as applicable, or such other written or electronic agreement between Company and Customer for the use of services to be provided by Company (the “Principal Agreement”).

RECITALS

Company provides AI-powered quoting software, image analysis, and related services to Customer under the Agreement. Pursuant to the Agreement, Company may from time to time process Personal Data (as defined below) for which Customer may be a “Data Controller” as defined by Applicable Data Protection Law, including the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and applicable Canadian privacy legislation including the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy laws. When processing such Personal Data, Company may be a “Data Processor” as defined by Applicable Data Protection Law.

Because such processing may, from time to time, require the maintenance and implementation of appropriate technical and organizational safeguards, Customer and Company have agreed to execute this DPA in order to ensure that adequate safeguards are established with respect to the protection of Personal Data.

1. DEFINITIONS

1.1  In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  • “Affiliate” means in relation to either Customer or Supplier, an entity that owns or controls, is owned or controlled by, or is under common control or ownership of such entity, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity;
  • “Applicable Laws” means (a) Canadian federal and provincial privacy laws, including PIPEDA and applicable provincial equivalents, with respect to any Customer Personal Data in respect of which Customer is a Controller; (b) UK, European Union or Member State laws with respect to any Customer Personal Data in respect of which Customer or any Customer Affiliate is a Controller under EU Data Protection Laws and the UK Data Protection Laws; and (c) any other applicable law with respect to any Customer Personal Data in respect of which Customer or any Customer Affiliate is a Controller under any other Data Protection Laws;
  • “Canadian Privacy Laws” means the Personal Information Protection and Electronic Documents Act (PIPEDA), the Act respecting the protection of personal information in the private sector (Quebec Law 25 / Bill 64), and any other applicable Canadian federal or provincial privacy legislation;
  • “Contracted Processor” means Supplier or Supplier Affiliate and/or a Subprocessor, as the context requires;
  • “Customer Personal Data” means any Personal Data Processed by any Contracted Processor pursuant to or in connection with the Principal Agreement;
  • “Data Protection Laws” means the Canadian Privacy Laws, the European Data Protection Laws, UK Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country including the U.S. Privacy Laws as described in Appendix 5;
  • “Delete” means the removal or obliteration of Personal Data such that it cannot be recovered or reconstructed;
  • “EU Restricted Transfer” means a transfer of Personal Data that would be prohibited by EU Data Protection Laws in the absence of appropriate safeguards;
  • “European Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and laws implementing or supplementing the GDPR;
  • “EU Standard Contractual Clauses” means the standard contractual clauses set out in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended or replaced from time to time;
  • “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data;
  • “Relevant Date” means the date falling on the earlier of (i) the cessation of Processing of Customer Personal Data by any Contracted Processor; or (ii) termination of the Principal Agreement;
  • “Services” means the quoting, image analysis, and related software services supplied by Supplier to Customer pursuant to the Principal Agreement;
  • “Subprocessor” means any Processor appointed by or on behalf of Supplier or any Supplier Affiliate to Process Customer Personal Data;
  • “Supervisory Authority” means (a) an independent public authority established by a Member State pursuant to Article 51 GDPR; (b) the UK Information Commissioner’s Office; or (c) the applicable Canadian privacy regulatory authority;
  • “UK Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, and other data protection or privacy legislation in force from time to time in the United Kingdom.

1.2  The terms “Controller”, “Data Subject”, “Personal Data”, “Processing”, and “Processor” shall have the same meaning as in Applicable Data Protection Laws. Capitalized terms not defined herein shall have the meaning given to them in the Principal Agreement.

2. OBLIGATIONS ON SUPPLIER WHEN PROCESSING CUSTOMER PERSONAL DATA AS A CONTROLLER

2.1  The parties agree that, to the extent Supplier is acting as Controller in relation to Customer Personal Data, each acts as a separate and independent Controller from Customer.

2.2  To the extent that Supplier is acting as a Controller, Supplier shall:

  • comply with all Applicable Data Protection Laws when Processing Customer Personal Data;
  • only Process the Customer Personal Data: (i) in order to perform its obligations under the Principal Agreement; and (ii) solely to the extent permitted by Applicable Data Protection Laws for purposes including: (a) maintaining and developing Supplier’s relationship with Customer; (b) billing, invoicing, and payment processing through third-party payment processors (including Stripe); (c) compliance with quality control and risk management procedures; (d) security-related processing; (e) complying with legal and regulatory obligations; and (f) establishing, exercising and defending legal claims;
  • notify Customer as soon as reasonably practicable upon becoming aware of a Personal Data Breach affecting Customer Personal Data; and
  • comply with Applicable Data Protection Laws in relation to any Restricted Transfer.

3. OBLIGATIONS ON SUPPLIER WHEN PROCESSING CUSTOMER PERSONAL DATA AS A PROCESSOR

3.1  Supplier shall at all times Process Customer Personal Data in accordance with Applicable Data Protection Laws and shall:

  • not Process Customer Personal Data other than on Customer’s documented instructions unless Processing is required by law, in which case Supplier shall inform Customer of that legal requirement before such Processing, unless prohibited by law;
  • inform Customer if, in Supplier’s opinion, instructions given by the Customer infringe Applicable Data Protection Laws;
  • restrict access to Customer Personal Data to members of its personnel strictly necessary for implementing, managing and monitoring the Principal Agreement, and ensure that such persons are under appropriate confidentiality obligations;
  • promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data and provide full co-operation and support to Customer to comply with any such request;
  • assist Customer in fulfilling its obligations to respond to Data Subjects’ requests to exercise their rights under Applicable Data Protection Laws;
  • implement the technical and organisational measures specified in Appendix 3 (Technical and Organisational Measures) to ensure appropriate security of Customer Personal Data, including protection against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access;
  • maintain a record of Processing activities conducted for and on behalf of Customer, including categories of Processing, categories of recipients, and details of any Restricted Transfers;
  • make the record of Processing activities available to Customer within 48 hours of receiving such a request.

3.2  Customer instructs Supplier (and authorizes Supplier to instruct each Subprocessor) to Process Customer Personal Data, including to transfer Customer Personal Data to any country which is outside Canada, the UK, and/or EEA, subject always to the relevant Contracted Processor(s) complying with the terms of this DPA, as reasonably necessary to provide the Services and consistent with the Principal Agreement.

3.3  Appendix 1 to this DPA sets out information regarding the Contracted Processors’ Processing of the Customer Personal Data.

4. SUBPROCESSING

4.1  Supplier shall not engage any Subprocessors to Process Customer Personal Data other than with the prior written consent of Customer, and in each case subject to Supplier:

  • carrying out adequate due diligence on each Subprocessor to ensure it is capable of providing the level of protection required by this DPA;
  • providing Customer with full details of the Processing to be undertaken by each Subprocessor;
  • entering into a written contract with each Subprocessor imposing data protection obligations at least as protective as those in this DPA;
  • remaining fully liable to Customer for any act or omission of its Subprocessor; and
  • notifying Customer of any failure by a Subprocessor to fulfill its obligations.

4.2  A current list of Supplier’s approved Subprocessors is set out in Appendix 4. Supplier shall provide at least 10 days’ prior written notice to Customer before adding or replacing any Subprocessor. If Customer objects to a new Subprocessor on reasonable data protection grounds, Customer shall notify Supplier in writing within 10 days of notice, and the parties shall negotiate in good faith to resolve the objection.

5. PERSONAL DATA BREACH

5.1  Supplier shall notify Customer without undue delay, and in any event within 72 hours, upon becoming aware of or reasonably suspecting a Personal Data Breach. Such notification shall include:

  • a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Customer Personal Data records concerned;
  • the name and contact details of Supplier’s data protection contact from whom more information may be obtained;
  • the likely consequences of the Personal Data Breach; and
  • the measures taken or proposed to be taken to address the Personal Data Breach, including to mitigate its possible adverse effects.

5.2  Supplier shall co-operate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, containment, and remediation of each Personal Data Breach.

5.3  In the event of a Personal Data Breach, Supplier shall not inform any third party without first obtaining Customer’s prior written consent, unless notification is required by applicable law. Where legally required disclosure is made without Customer’s consent, Supplier shall not refer to Customer in any such notification to the extent permitted by law.

6. ASSISTANCE TO CUSTOMER

6.1  Supplier shall assist Customer in ensuring compliance with the following obligations, taking into account the nature of the Processing and the information available to Supplier:

  • the obligation to carry out a data protection impact assessment where a type of Processing is likely to result in a high risk to the rights and freedoms of natural persons;
  • the obligation to consult the competent Supervisory Authority prior to Processing where a data protection impact assessment indicates a high risk; and
  • the obligation to ensure that Customer Personal Data is accurate and up to date, by informing Customer without delay if Supplier becomes aware that Customer Personal Data it is Processing is inaccurate or outdated.

6.2  The technical and organisational measures by which Supplier is required to assist Customer are set out in Appendix 3.

7. DELETION OR RETURN OF CUSTOMER PERSONAL DATA

7.1  Subject to clause 7.2, Supplier shall promptly and in any event within 90 (ninety) calendar days of the Relevant Date: (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as notified by Customer to Supplier; (b) Delete and procure the Deletion of all other copies of Customer Personal Data Processed by each Contracted Processor; and (c) provide written certification to Customer that it has fully complied with this clause 7.1.

7.2  Each Contracted Processor may retain Customer Personal Data to the extent and for such period as required by Canadian, EU, UK, or other applicable law, provided that Supplier shall ensure: (i) the confidentiality of all such Customer Personal Data; and (ii) that such Customer Personal Data is only Processed for the purpose(s) specified in such law.

7.3  Until Customer Personal Data is Deleted or returned, each Contracted Processor shall continue to ensure compliance with this DPA.

8. AUDIT RIGHTS

8.1  Supplier shall make available to Customer on request all information necessary to demonstrate compliance with the obligations set out in this DPA and shall, at Customer’s request, permit and contribute to audits of the Processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, Customer may take into account relevant certifications held by Supplier (such as SOC 2 reports).

8.2  Customer may choose to conduct the audit itself or mandate an independent auditor. Audits may include inspections at Supplier’s premises or physical facilities and shall, where appropriate, be carried out with reasonable notice.

9. RESTRICTED TRANSFERS

9.1  In respect of any EU Restricted Transfer, Customer (as “data exporter”) and Supplier and each Contracted Processor (as “data importer”) hereby enter into the EU Standard Contractual Clauses (Module 2 – Controller to Processor) in respect of any such transfer. The following options shall apply:

  • Clause 7 – Docking clause shall not apply;
  • Clause 9 – Use of subprocessors: Option 2 shall apply, with a notice period of 10 days;
  • Clause 11(a) – Redress: the optional language shall not apply;
  • Clause 17 – Governing law: Option 1 shall apply, with the Member State to be agreed in writing by the parties;
  • Annex 1 and Annex 2 of the EU Standard Contractual Clauses shall be deemed pre-populated with the relevant sections of Appendices 1 and 3 to this DPA.

9.2  In respect of any UK Restricted Transfer, Customer and Supplier hereby enter into the UK Standard Contractual Clauses (as amended by the International Data Transfer Addendum issued by the UK Information Commissioner) with the provisions of Section 9.1 applying as appropriate.

9.3  In respect of transfers of Personal Data between Canada and other jurisdictions, the parties shall implement appropriate safeguards to ensure compliance with Canadian Privacy Laws, including PIPEDA and applicable provincial requirements.

9.4  If, at any time, a Supervisory Authority mandates that transfers require additional safeguards, the parties shall work together in good faith to implement such safeguards.

10. NON-COMPLIANCE AND TERMINATION

10.1  Without prejudice to any provisions of relevant Data Protection Laws, in the event that Supplier is in breach of its obligations under this DPA, Customer may instruct Supplier to suspend the Processing of Customer Personal Data until the latter complies with this DPA or the Principal Agreement is terminated.

10.2  Customer shall be entitled to terminate the Principal Agreement insofar as it concerns Processing of Customer Personal Data in accordance with this DPA if:

  • Processing of Customer Personal Data has been suspended pursuant to clause 10.1 and compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
  • Supplier is in substantial or persistent breach of this DPA or its obligations under Data Protection Laws; or
  • Supplier fails to comply with a binding decision of a competent court or Supervisory Authority regarding its obligations pursuant to this DPA or applicable Data Protection Laws.

11. GENERAL TERMS

11.1  Survival. Any obligation imposed on Supplier under this DPA in relation to the Processing of Personal Data shall survive any termination or expiration of this DPA.

11.2  Cross-default. Any breach of this DPA shall constitute a material breach of the Principal Agreement.

11.3  Precedence. The provisions of this DPA are supplemental to the relevant Principal Agreement. In the event of inconsistencies between the provisions of this DPA and the provisions of the relevant Principal Agreement, the provisions of this DPA shall prevail.

11.4  Compliance with Data Protection Laws. Each party to this DPA shall comply with all Applicable Data Protection Laws when Processing Customer Personal Data.

11.5  Cooperation with Supervisory Authorities. Supplier shall provide full co-operation to Customer in relation to any communication from a Supervisory Authority.

11.6  Governing Law. This DPA shall be governed by and construed in accordance with the laws of the Province of __Alberta__, Canada, and the federal laws of Canada applicable therein.

SIGNATURES

IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Principal Agreement with effect from the DPA Effective Date first set out above.

QUOTELY LABS INC. (“Company”)

Signature: ___________________________

Name: ________________________________

Title: _________________________________

Date: _________________________________

CUSTOMER (“Customer”)

Signature: ___________________________

Name: ________________________________

Title: _________________________________

Date: _________________________________

APPENDIX 1 – DESCRIPTION OF THE PROCESSING

Subject matter and duration of the Processing: The subject matter and duration of the Processing of Customer Personal Data are set out in the Principal Agreement. Processing shall continue for the term of the Agreement and for as long as Processor retains the Personal Data under applicable law.

Nature and purpose of the Processing: Supplier processes Customer Personal Data to provide AI-powered quoting software and services, including the analysis of customer-submitted images for the purposes of generating quotes, managing customer accounts, communicating with customers, facilitating payment processing through third-party payment platforms (including Stripe), and fulfilling Supplier’s obligations under the Principal Agreement.

Categories of Personal Data processed:

  • Names
  • Email addresses
  • Postal/physical addresses
  • Images, photographs and video recordings submitted by customers or their end users for the purpose of receiving a quote
  • Payment-related data (processed via third-party payment processors; Quotely does not store full payment card numbers)
  • IP addresses and other technical identifiers
  • Any other Personal Data submitted by Customer or end users in connection with the Services

Special Categories of Personal Data: None intentionally collected. Images submitted may incidentally contain sensitive data; Supplier shall notify Customer promptly if any such data is identified.

Categories of Data Subjects:

  • Customer’s assigned users of the Supplier’s software and services, including end users
  • Customer’s employees, agents, contractors, or advisors
  • Customers and prospective customers of the Customer

Frequency of transfer: Continuous, for the duration of the Principal Agreement.

Obligations and rights of Customer: The obligations and rights of Customer are set out in the Principal Agreement and this DPA.

APPENDIX 2 – DESCRIPTION OF TRANSFER (EU/UK SCCs)

A. List of Parties

Data Exporter (Customer):

Name: _______________________________________________

Address: ____________________________________________

Contact person / DPO: _______________________________

Role: Controller

Data Importer (Supplier):

Name: Quotely Labs Inc.

Address: ____________________________, Canada

Contact: ____________________________, team@quoteperfectly.com

Role: Processor

B. Description of Transfer

Categories of data subjects: As set out in Appendix 1.

Categories of personal data transferred: As set out in Appendix 1.

Sensitive data: None.

Frequency: Continuous.

Nature and purpose: Performance of the Services as set forth in the Principal Agreement.

Retention period: For the term of the Agreement and as long as required under applicable law.

Competent Supervisory Authority:

To be identified in accordance with the applicable Data Protection Laws of the data exporter’s jurisdiction: _______________________________________________

APPENDIX 3 – TECHNICAL AND ORGANISATIONAL MEASURES

Supplier has implemented and will maintain the following technical and organisational measures to protect Customer Personal Data against misuse, accidental loss, destruction, or unauthorized access:

Access Controls:

  • Role-based access controls limiting access to Customer Personal Data to authorized personnel only
  • Multi-factor authentication required for access to production systems
  • Unique user IDs and passwords; regular access reviews

Data Security:

  • Encryption of Customer Personal Data in transit using TLS 1.2 or higher
  • Encryption of Customer Personal Data at rest using industry-standard encryption (AES-256 or equivalent)
  • Images and personal data stored in secure, access-controlled cloud infrastructure

Payment Data:

  • Payment processing handled by PCI DSS-compliant third-party processors (including Stripe); Supplier does not store full payment card numbers
  • Supplier does not have access to raw payment credentials

Organizational Measures:

  • Employee confidentiality agreements and data protection training
  • Privacy-by-design principles applied in product development
  • Incident response and Personal Data Breach notification procedures
  • Regular internal security reviews

Subprocessor Management:

  • Due diligence conducted on all Subprocessors
  • Written agreements with Subprocessors imposing data protection obligations at least as protective as those in this DPA

Supplier may update its technical and organisational measures from time to time, provided that such updates do not materially reduce the overall level of protection afforded to Customer Personal Data. Supplier will provide an updated description upon request.

APPENDIX 4 – APPROVED SUBPROCESSORS

The following Subprocessors are approved as of the DPA Effective Date:

Subprocessor            Location         Purpose                           Data Processed
Stripe, Inc.            United States    Payment processing                Payment data
AWS / Cloud Host        [Country]        Cloud infrastructure & storage    All Customer Personal Data
[Other Subprocessor]    [Country]        [Purpose]                         [Data types]

Supplier shall provide Customer with at least 10 days’ prior written notice before adding or replacing any Subprocessor.

APPENDIX 5 – U.S. PRIVACY LAWS

This Appendix applies to the extent Supplier processes Personal Data of individuals who are residents of U.S. states with applicable privacy laws.

  1. Definitions

  • “U.S. Privacy Laws” means, as applicable and as amended: (a) the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020 (CCPA/CPRA); (b) the Colorado Privacy Act; (c) the Connecticut Data Privacy Act; (d) the Utah Consumer Privacy Act; (e) the Virginia Consumer Data Protection Act; and (f) other applicable U.S. state data privacy laws.

  2. Service Provider Appointment

Customer is a business or controller and discloses personal information to Supplier as its service provider or processor only for the limited and specific business purposes set forth in the Principal Agreement, this DPA, and applicable order forms. Each party is responsible for its compliance with applicable U.S. Privacy Laws.

  3. Restrictions on Processing

Supplier shall not retain, use, or disclose Customer’s personal information: (i) for any purpose other than the business purposes specified in the Principal Agreement; or (ii) outside of the direct business relationship between Supplier and Customer. Supplier shall not sell or share personal information received from Customer under the Principal Agreement.

  4. Consumer Rights

Supplier will promptly notify Customer if it receives a request from a consumer to exercise rights under applicable U.S. Privacy Laws and will cooperate with Customer in responding to and complying with such requests, to the extent legally permitted.

  5. Deletion / Return

At Customer’s direction, Supplier shall delete or return all Customer personal information at the end of the provision of Services, unless retention is permitted or required under applicable law.

  6. Audits & Compliance Demonstration

Upon Customer’s reasonable request, Supplier shall make available all information in Supplier’s possession necessary to demonstrate Supplier’s compliance with its obligations under applicable U.S. Privacy Laws, which may include SOC 2 reports or equivalent assessments.

  7. Security

Each party shall implement and maintain reasonable security procedures appropriate to the type and nature of personal information it will provide and/or process, consistent with the measures described in Appendix 

APPENDIX 6 – CANADIAN PRIVACY LAW ADDENDUM

This Appendix applies to the extent Supplier processes Personal Information of individuals in Canada. It supplements the main DPA with requirements under Canadian Privacy Laws.

  1. PIPEDA Compliance

Supplier shall comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws in the collection, use, and disclosure of Personal Information. This includes collecting only the minimum necessary Personal Information, obtaining appropriate consent, and using Personal Information only for the purposes for which it was collected.

  2. Quebec Law 25 (Bill 64)

To the extent Customer Personal Data includes Personal Information of individuals in Quebec, Supplier shall comply with all applicable requirements under Quebec’s Act respecting the protection of personal information in the private sector (Law 25), including obligations related to data protection impact assessments, cross-border transfers, and the right of data subjects to access, correct, and withdraw consent.

  3. Cross-Border Transfers

Where Supplier transfers Customer Personal Data outside of Canada, Supplier shall ensure that comparable protection is provided as required by Canadian Privacy Laws. Before transferring Personal Information outside Canada, Supplier shall conduct and document an assessment of the protection afforded to such data in the destination jurisdiction.

  4. Privacy Officer

Supplier has designated an individual responsible for overseeing compliance with Canadian Privacy Laws. Supplier’s privacy contact can be reached at: team@quoteperfectly.com.

  5. Breach Notification

Supplier shall notify Customer of any Personal Data Breach without undue delay (and in any event within 72 hours) and shall cooperate with Customer in meeting any mandatory breach notification obligations under PIPEDA and applicable provincial laws, including notification to the Office of the Privacy Commissioner of Canada where required.