Data Processing Addendum
DRAFT v1.0 — pending counsel review. This DPA is offered alongside the Terms of Service for customers whose use of the Service is subject to GDPR, UK GDPR, PIPEDA, or similar data-protection law.
1. Introduction
This Data Processing Addendum ("DPA") supplements the JULOAI ERP Terms of Service (the "Agreement") between the subscribing organization ("Customer" or "Controller") and JULOAI Technology, Ltd. ("JULOAI" or "Processor"). If there is a conflict, this DPA prevails on data-protection matters.
By accepting the Terms of Service, Customer also enters into this DPA.
2. Definitions
Unless defined below, capitalised terms have the meaning given in the GDPR / UK GDPR / PIPEDA as applicable.
- Applicable Data Protection Law — GDPR (Regulation (EU) 2016/679), UK GDPR, Personal Information Protection and Electronic Documents Act (Canada, "PIPEDA"), the California Consumer Privacy Act ("CCPA") and other comparable laws.
- Customer Personal Data — personal data Processor processes on behalf of Controller in connection with the Service.
- Data Subject Request — a request by a data subject to exercise a right under Applicable Data Protection Law.
- Subprocessor — a third party engaged by Processor to process Customer Personal Data.
3. Roles and scope
Controller is the controller of Customer Personal Data; Processor acts as processor / service provider. Processor will process Customer Personal Data only on Controller's documented instructions, which include: (a) the Agreement; (b) Customer's configuration and use of the Service; and (c) any lawful additional instructions given in writing.
| Item | Description |
| --- | --- |
| Subject matter | Providing the Service described in the Agreement. |
| Duration | The term of the Agreement plus retention under §9. |
| Nature and purpose | Hosting, storing, transmitting, displaying, and otherwise processing Customer Personal Data to operate the Service. |
| Data types | As determined by Customer — typically contact details of customers, suppliers, employees; invoice and receipt metadata; attachment contents; audit log entries. |
| Data subjects | Customer's customers, suppliers, employees, contacts, approvers, and other users. |
4. Confidentiality
Processor ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
5. Security measures
Processor implements appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:
- TLS in transit and encryption at rest for the primary database;
- least-privilege access controls and MFA for administrative access;
- secrets stored in a dedicated secret manager, not in source code;
- network isolation of the application tier from the public internet;
- centralised audit and system logs;
- periodic review of access, dependencies, and security posture;
- documented incident-response procedure.
Specific current measures are described in Processor's Security page, as updated from time to time.
6. Subprocessors
Controller authorises Processor to engage the Subprocessors listed on the Subprocessor List page. Processor will:
- impose data-protection obligations on each Subprocessor no less protective than this DPA;
- remain liable for each Subprocessor's performance;
- give Controller advance notice of any new Subprocessor and a reasonable opportunity to object on reasonable grounds, in which case the parties will discuss a good-faith resolution; failing that, Controller may terminate the affected portion of the Service.
7. Data subject requests
Processor will, taking into account the nature of the processing, assist Controller by appropriate technical and organisational measures, insofar as possible, to fulfil Controller's obligation to respond to Data Subject Requests. If Processor receives a Data Subject Request directly, it will without undue delay forward the request to Controller.
8. Personal data breach
Processor will notify Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data. Processor will provide the information required by Applicable Data Protection Law to enable Controller to notify regulators and data subjects where required.
9. Deletion and return
On termination of the Agreement, Processor will, at Controller's choice, delete or return all Customer Personal Data within 30 days of termination, unless a longer retention is legally required. Back-ups are deleted within a further ninety (90) days on ordinary back-up rotation.
10. Audits
Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA. Where required by Applicable Data Protection Law, Processor will allow for and contribute to audits conducted by Controller or another auditor mandated by Controller. In the ordinary course, Processor's then-current SOC 2 or equivalent attestation reports (when available), security whitepaper, and completed vendor questionnaires may satisfy this obligation.
Any on-site audit must be scheduled with reasonable advance notice, at Controller's cost, subject to confidentiality, and no more than once per year unless triggered by an incident.
11. International transfers
Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Decision 2021/914), UK Addendum, and Swiss addenda — as applicable, and in the module(s) matching this processing relationship — are incorporated by reference and take effect automatically.
12. Liability
Each party's liability under this DPA is subject to the limitations of liability in the Agreement.
13. Governing law
This DPA is governed by the same law as the Agreement, except where mandatory Applicable Data Protection Law requires otherwise.
14. Contact
[email protected] · JULOAI Technology, Ltd. · British Columbia, Canada.