Data Processing Agreement
Effective Date: June 2, 2026
Last Updated: June 2, 2026
This Data Processing Agreement (the "DPA") supplements and forms part of the Terms of Service between you ("Customer" or "Controller") and Jacques Amzallag, operating MarketingIQ as a sole proprietor at 4001 Crémazie East, unit 100, Montréal, Québec, H1Z 2L2, Canada ("MarketingIQ", "we", "us", "Processor") (the "Main Agreement").
This DPA applies whenever MarketingIQ processes Personal Information on Customer's behalf in the course of providing the Service. It is automatically binding on both parties as part of the Main Agreement and does not require separate signature.
In the event of any conflict between this DPA and the Main Agreement with respect to the processing of Personal Information, this DPA controls.
1. Definitions
"Applicable Privacy Laws" means the Act respecting the protection of personal information in the private sector (Québec) (the "Law 25"), the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), and any other privacy or data protection law applicable to a party's processing of Personal Information.
"Customer Personal Information" means any Personal Information that Customer or its users submit to, or generate through, the Service, and that pertains to natural persons other than Customer's own personnel — typically including Customer's broker-clients and prospects.
"Personal Information" means any information relating to an identified or identifiable natural person, as defined in Applicable Privacy Laws.
"Personal Information Breach" means a confidentiality incident under Law 25 — specifically, any access not authorized by law, use not authorized by law, communication not authorized by law, loss, or any other breach of the protection of Personal Information.
"Process" (and its variants) means any operation performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, transmission, alignment, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by MarketingIQ to Process Customer Personal Information.
Capitalized terms not defined here have the meanings given to them in the Main Agreement.
2. Roles and Scope
2.1 With respect to Customer Personal Information, the parties acknowledge that:
- Customer is the Controller ("responsable" under Law 25) of the Customer Personal Information. Customer determines the purposes and means of the Processing.
- MarketingIQ is the Processor (acting as Customer's "mandataire" under Law 25). MarketingIQ Processes Customer Personal Information only on Customer's instructions, as set out in this DPA and the Main Agreement.
2.2 This DPA does not apply to:
- Personal Information about Customer's own personnel that Customer provides to MarketingIQ when signing up or administering its account (for which MarketingIQ is a Controller and the Privacy Policy at /legal/privacy applies); or
- Aggregated or de-identified information derived from Customer Personal Information that no longer relates to an identifiable individual.
2.3 The subject matter, duration, nature, purpose, types of Personal Information, and categories of data subjects involved in the Processing are described in Annex A (Details of Processing).
3. Customer Instructions
3.1 Documented instructions. MarketingIQ will Process Customer Personal Information only on Customer's documented instructions. The Main Agreement, this DPA, and Customer's use of the Service in the manner intended by its design constitute Customer's documented instructions.
3.2 Compliance with law. MarketingIQ will inform Customer promptly if, in its opinion, an instruction infringes Applicable Privacy Laws. MarketingIQ may decline to follow such an instruction without incurring liability.
3.3 No secondary use. MarketingIQ will not Process Customer Personal Information for its own purposes, for the purposes of other customers, or for any purpose not authorized by Customer. In particular, MarketingIQ will not use Customer Personal Information to train, fine-tune, develop, or improve any artificial intelligence or machine learning model.
4. Personnel and Confidentiality
4.1 Restricted access. MarketingIQ will limit access to Customer Personal Information to personnel who need access to perform the Service. As of the Effective Date, the only person with administrative access to production systems is Jacques Amzallag.
4.2 Confidentiality obligation. MarketingIQ ensures that all personnel with access to Customer Personal Information are bound by appropriate confidentiality obligations, whether contractual or statutory.
4.3 Training. MarketingIQ ensures that personnel with access to Customer Personal Information have received reasonable training on privacy and security obligations under Applicable Privacy Laws.
5. Security Measures
5.1 MarketingIQ implements and maintains the technical and organizational measures described in Annex B to protect Customer Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
5.2 MarketingIQ will review and update its security measures periodically in response to new threats, technological developments, and the evolving requirements of Applicable Privacy Laws. Material reductions in security measures will not be made.
5.3 Upon written request (no more than once per calendar year, unless a Personal Information Breach has occurred), MarketingIQ will provide Customer with reasonably available information sufficient to demonstrate compliance with this Section 5, such as summaries of security audits, penetration tests, or certifications (when MarketingIQ obtains them).
6. Sub-processors
6.1 Authorization. Customer authorizes MarketingIQ to engage Sub-processors to Process Customer Personal Information, subject to the conditions of this Section 6.
6.2 Current sub-processors. The list of Sub-processors approved by Customer as of the Effective Date is published at /legal/subprocessors. The list is also reproduced in Annex C of this DPA.
6.3 Changes to sub-processors. MarketingIQ will give Customer at least 30 days' notice before engaging any new Sub-processor or replacing an existing one, by updating the list at /legal/subprocessors and emailing notice to the workspace owners of paid plans. If Customer objects to the new Sub-processor on reasonable privacy or security grounds, Customer may terminate the affected Service before the new Sub-processor begins Processing, and MarketingIQ will refund any prepaid fees on a pro-rata basis for the unused portion of the term.
6.4 Sub-processor obligations. Before engaging a Sub-processor, MarketingIQ will enter into a written agreement with the Sub-processor that imposes obligations no less protective than those in this DPA. MarketingIQ remains liable for the acts and omissions of its Sub-processors in respect of their Processing of Customer Personal Information.
7. Cross-Border Transfers
7.1 Disclosure. Customer acknowledges that some of MarketingIQ's Sub-processors are located outside Québec and that, as a result, Customer Personal Information will be Processed outside Québec. The countries and Sub-processors involved are identified in Annex C.
7.2 Law 25 section 17. Before transferring Customer Personal Information outside Québec, MarketingIQ has conducted a Privacy Impact Assessment (also known as a Transfer Impact Assessment) for each cross-border transfer, as required by section 17 of Law 25. The assessments considered:
- the sensitivity of the information;
- the purposes for which it is to be used;
- the protection measures, including contractual ones, that would apply;
- the legal regime applicable in the receiving jurisdiction, including in respect of the protection of personal information.
MarketingIQ has concluded that the Customer Personal Information transferred receives an adequate level of protection. A summary of these assessments is available to Customer upon request to privacy@marketingiq.ca.
7.3 Safeguards. Each cross-border transfer is governed by a written agreement between MarketingIQ and the receiving Sub-processor that imposes contractual safeguards, including but not limited to:
- prohibitions on using Customer Personal Information for any purpose other than providing the contracted service;
- prohibitions on using Customer Personal Information for AI training;
- encryption requirements in transit and at rest;
- breach notification timelines;
- restrictions on further cross-border transfers without notice.
8. Data Subject Rights
8.1 Cooperation. MarketingIQ will, taking into account the nature of the Processing, provide Customer with reasonable assistance through appropriate technical and organizational measures, insofar as possible, to enable Customer to respond to requests from data subjects exercising rights under Applicable Privacy Laws, including:
- right to be informed;
- right of access;
- right to rectification;
- right to deletion (right to be forgotten);
- right to withdraw consent;
- right to data portability;
- right to be informed of automated decisions and to request human review;
- right to deindexing.
8.2 Functionality provided. The Service includes built-in functionality for Customer to respond to many such requests directly: viewing, editing, exporting, and deleting Customer Personal Information within a workspace.
8.3 Direct requests. If MarketingIQ receives a request directly from a data subject relating to Customer Personal Information, MarketingIQ will (i) not respond to the request other than to confirm receipt and direct the data subject to Customer or to the workspace owner, and (ii) notify Customer of the request without undue delay.
8.4 Reasonable cost. Customer is responsible for verifying the identity of data subjects making requests. MarketingIQ provides assistance under this Section 8 at no additional charge. If a particular request requires MarketingIQ to perform work beyond the functionality built into the Service and beyond what is reasonable in scope, MarketingIQ may charge a reasonable fee, with prior written notice to Customer.
9. Personal Information Breach Notification
9.1 Detection. MarketingIQ maintains detection mechanisms and response procedures designed to identify Personal Information Breaches.
9.2 Notice to Customer. If MarketingIQ becomes aware of a Personal Information Breach affecting Customer Personal Information, MarketingIQ will notify Customer without undue delay and in any event within 72 hours of becoming aware. The notice will include, to the extent known at the time of notification:
- the nature of the breach, the categories and approximate number of data subjects concerned, and the categories and approximate number of Personal Information records concerned;
- the likely consequences of the breach;
- the measures taken or proposed to address the breach, including measures to mitigate possible adverse effects;
- the contact point for further information.
9.3 Updates. If full information is not available at the time of initial notification, MarketingIQ will provide updates as information becomes available, until the matter is resolved.
9.4 Cooperation with regulators. MarketingIQ will cooperate reasonably with Customer to enable Customer to comply with its own notification obligations to data subjects and to the Commission d'accès à l'information du Québec ("CAI") under section 3.5 of Law 25 and under any other applicable law.
9.5 No admission of liability. A notice under this Section 9 is not an admission of fault or liability.
10. Audits
10.1 Information. MarketingIQ will make available to Customer, on reasonable written request, the information necessary to demonstrate compliance with this DPA, including the documents listed in Section 5.3.
10.2 Audits. If the information made available under Section 10.1 is insufficient and Customer has a reasonable basis to believe MarketingIQ is in material breach of this DPA, Customer may, no more than once per calendar year (unless a Personal Information Breach has occurred), conduct an audit of MarketingIQ's compliance with this DPA. The audit will be:
- conducted during regular business hours;
- subject to MarketingIQ's reasonable confidentiality and security requirements;
- conducted in a manner that does not disrupt MarketingIQ's operations or compromise the personal information of other customers;
- at Customer's expense, except where the audit identifies a material breach by MarketingIQ, in which case MarketingIQ will bear the reasonable costs of the audit.
10.3 Regulator audits. MarketingIQ will cooperate with the CAI or any other competent regulator in connection with the regulator's exercise of audit or investigation powers.
11. Return or Deletion on Termination
11.1 Upon expiry or termination of the Main Agreement, or earlier upon Customer's written request, MarketingIQ will, at Customer's option:
- return all Customer Personal Information to Customer by means of the workspace export functionality; or
- delete all Customer Personal Information from the Service.
11.2 Default. If Customer does not specify a choice within 30 days of termination, MarketingIQ will delete the Customer Personal Information.
11.3 Backup retention. MarketingIQ may retain Customer Personal Information in encrypted backups for up to 90 days after deletion of the primary record. Backups are not accessed during this period except as necessary to restore data following a system failure, and are securely overwritten on a rolling basis.
11.4 Legal retention. MarketingIQ may retain Customer Personal Information beyond the periods set out in Sections 11.1 to 11.3 only where required by Applicable Privacy Laws or other applicable laws (for example, tax-law records retention obligations). Any such retained information remains subject to the obligations of this DPA.
12. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Main Agreement, except that nothing in this DPA or the Main Agreement limits a party's liability where such limitation is prohibited by Applicable Privacy Laws.
13. Term
This DPA is effective as of the Effective Date and remains in effect for as long as MarketingIQ Processes Customer Personal Information.
14. Conflict with Main Agreement
In the event of any conflict between this DPA and the Main Agreement (including the Privacy Policy) with respect to the Processing of Customer Personal Information, this DPA controls.
15. Notices
Notices under this DPA are given in accordance with the Main Agreement. Privacy-specific notices may also be sent to privacy@marketingiq.ca.
16. Language
This DPA is available in English and French. The version Customer accepted (along with the Main Agreement) is the controlling version. The other-language version is provided for reference. In case of discrepancy between language versions, the version Customer accepted prevails.
17. Governing Law
This DPA is governed by the laws of the Province of Québec and the federal laws of Canada applicable therein, consistent with the governing law clause of the Main Agreement.
Annex A — Details of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the MarketingIQ software-as-a-service platform to Customer |
| Duration | For the term of the Main Agreement, plus the retention periods specified in this DPA |
| Nature of processing | Collection, recording, storage, hosting, organization, transmission, display, indexing, retrieval, modification (at Customer's instruction), and deletion of Customer Personal Information |
| Purpose | Enabling Customer to manage its insurance marketing files, including client and prospect information, quote workflows, communications, and (in paid plans) AI-assisted features |
| Types of Personal Information | Names; contact information (email, phone, postal address); language preferences; insurance-specific information including coverage requirements, claims history, policy details, prior insurer relationships; commercial information for business clients (business operations, financial parameters); notes and observations recorded by Customer about its broker-clients and prospects |
| Categories of data subjects | Customer's broker-clients (natural persons and authorized representatives of business clients); prospects of Customer; named insureds and additional named insureds appearing in marketing files |
| Special categories | Customer Personal Information may include information about claims history that could indirectly reveal health information; Customer is responsible for obtaining any heightened consent required by Applicable Privacy Laws |
Annex B — Technical and Organizational Measures
MarketingIQ implements and maintains the following measures, as updated from time to time:
B.1 Access Control
- Multi-factor authentication required for all administrative access to production systems
- Role-based access controls within the Service (workspace owner / member roles), enforced server-side
- Workspace data is logically isolated using row-level security policies in the database
- The principle of least privilege is applied to all personnel access
- Access is reviewed periodically
B.2 Encryption
- TLS 1.2 or higher for all data in transit between Customer's browser and the Service
- AES-256 (or equivalent) encryption at rest for all stored data, including backups, provided by our hosting and database Sub-processors
- Passwords stored only as cryptographic hashes (bcrypt or equivalent), never in plaintext
B.3 Audit Logging
- The Service maintains an activity log of significant actions performed within each workspace, available for export by workspace owners
- Database-level audit logs are maintained by our database Sub-processor
- Logs are retained for at least 2 years
B.4 Network Security
- Production traffic served exclusively over HTTPS
- DDoS protection provided through our hosting Sub-processor
- Database and application servers are network-isolated from the public internet except for properly authenticated API endpoints
B.5 Sub-processor Security
- Each Sub-processor has been selected in part based on demonstrated security posture (SOC 2, ISO 27001, or equivalent certifications, where available)
- Each Sub-processor is bound by a written agreement that includes security obligations no less protective than this DPA
- A list of Sub-processors and their certifications is maintained at /legal/subprocessors
B.6 Resilience and Recovery
- The database is backed up at least daily by our database Sub-processor
- Backups are retained for 30 days (rolling)
- Application code is version-controlled and deployable in under 10 minutes in the event of a service disruption
- The Service has not adopted a formal Recovery Time Objective (RTO) or Recovery Point Objective (RPO) commitment as of the Effective Date
B.7 Personnel
- All personnel with administrative access are bound by confidentiality obligations
- Personnel access is revoked promptly upon termination of their relationship with MarketingIQ
- As of the Effective Date, the sole administrator is Jacques Amzallag
B.8 Incident Response
- A documented incident response procedure is maintained
- Personal Information Breach notification is performed in accordance with Section 9 of this DPA
- Lessons learned from incidents are reviewed and result in improvements to security measures
B.9 Future improvements (planned)
The following measures are planned but not yet implemented as of the Effective Date:
- SOC 2 Type I attestation (target: within 18 months of first paid customer)
- Multi-factor authentication for all User accounts (currently required only for administrative access)
- Independent annual penetration test
Annex C — Approved Sub-processors
The current list of Sub-processors is maintained at /legal/subprocessors. As of the Effective Date, the list comprises:
| Sub-processor | Purpose | Hosting jurisdiction | Cross-border transfer? |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | Data stored in Canada (AWS Montréal); company headquartered in the United States | No, data is stored in Canada |
| Vercel, Inc. | Application hosting, edge runtime | United States | Yes — Transfer Impact Assessment completed |
| Anthropic, PBC | AI inference (Paid plans only, when AI Features are invoked) | United States | Yes — Transfer Impact Assessment completed |
| Resend, Inc. | Transactional email delivery | United States | Yes — Transfer Impact Assessment completed |
| Stripe, Inc. (planned; not yet active) | Payment processing for paid plans | United States | Will be assessed before activation |
This Data Processing Agreement was last updated on June 2, 2026.