Data Processing Agreement (DPA)
RecordIQ – Enterprise Edition
Effective Date: March 31, 2026
This Data Processing Agreement (“DPA”) is entered into by and between:
- Customer: [Organization Name], the entity that determines the purposes and means of processing Personal Data; and
- Service Provider: RecordIQ Software LLC, provider of RecordIQ – Enterprise Edition software (“Software”), collectively referred to as the “Parties.”
This DPA governs the processing of Personal Data under:
- applicable US and Canadian privacy law: HIPAA, CCPA/CPRA, and PIPEDA requirements;
- Canadian PIPEDA: Principle 4.1.3 and applicable provincial privacy laws, including Quebec Law 25, BC PIPA, and Alberta PIPA;
- USA privacy considerations: applicable federal and state regulations (e.g., HIPAA where relevant).
The Parties acknowledge that RecordIQ – Enterprise Edition is an offline, locally-operated software solution, with no transmission of Personal Data to the Service Provider, cloud infrastructure, or third parties, limiting the scope of processing by the Service Provider.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, including Special Categories such as health data.
- Processing: Any operation on Personal Data, including collection, storage, extraction, indexing, retrieval, and deletion.
- Special Categories of Personal Data: Data revealing health status, biometric, genetic, racial, or other sensitive information.
- Individual: Any individual whose Personal Data is processed.
- Sub-processor: Any third party engaged to process Personal Data on behalf of the Service Provider.
Other terms retain their meanings under applicable law.
Controller: The Customer, as the entity that determines the purposes and means of processing Personal Data. For HIPAA purposes, the Controller is the Covered Entity as defined in the separately executed Business Associate Agreement.
Processor: The Service Provider (RecordIQ Software LLC), which processes Personal Data on behalf of the Controller. For HIPAA purposes, the Processor is the Business Associate as defined in the separately executed Business Associate Agreement.
2. Scope and Purpose
The Customer installs and operates the Software on its own systems to:
- Perform OCR-based document analysis on documents the Customer elects to process.
- Extract and structure relevant data fields.
- Index and store processed records locally on encrypted storage.
Key Note: All processing occurs exclusively on the Customer’s local device. No document data or PHI leaves the Customer’s premises. License administration data is processed as described in Section 4.
3. Customer Responsibilities
The Customer shall:
- Ensure a lawful basis under applicable law for all Personal Data processing.
- Maintain physical and technical security of workstations, including updates, endpoint protection, and access controls.
- Control user access and ensure PINs or credentials are not shared.
- Conduct privacy impact assessments where required under applicable North American privacy law (e.g., Quebec Law 25, PIPEDA).
- Provide privacy notices to Individuals.
- Import only necessary Personal Data into the Software.
- Maintain records of processing as required by law.
4. Service Provider Responsibilities
The Service Provider shall:
- Process Personal Data only according to Customer’s documented instructions, to the extent processing occurs.
- Ensure employees or contractors handling software development or support are under confidentiality obligations.
- Maintain technical and organizational security measures within the Software (see Section 7).
- Manage Sub-processors solely for license/payment administration:
- Stripe, Inc.: payment processing (PCI DSS Level 1)
- Microsoft Azure: license storage (encrypted, SOC 2 Type II, ISO 27001)
- Cloudflare, Inc.: website content delivery and security (SOC 2 Type II)
- Google Workspace: business email and calendar administration
- Azure Communication Services: email verification for EULA acceptance
- Google Analytics (Google LLC): anonymous website usage statistics
- Tawk.to: website live chat support (session cookies, no PHI)
Detailed technical specifications for each sub-processor are set forth in the EULA, Sections 10.1 and 10.2.
- Assist Controller in responding to Individual rights requests to the extent technically feasible.
- Processor shall notify Controller of any Personal Data breach without unreasonable delay and in no case later than sixty (60) calendar days after becoming aware of it.
For Canadian Customers, notification shall occur as soon as feasible and in any event within the timeframes required by applicable provincial legislation, which may be shorter than sixty (60) calendar days. For Quebec Customers, notification to the Commission d’accès à l’information du Québec (CAI) shall occur with diligence as required by Quebec Law 25.
- Delete all Personal Data under Customer’s direction at the end of service.
4.5 Sub-Processor Changes. The Service Provider shall notify the Customer in writing at least thirty (30) days prior to engaging any new Sub-processor. The Customer may object to the engagement of a new Sub-processor within fourteen (14) days of receiving notice. If the Customer objects on reasonable data protection grounds, the Service Provider shall either (a) not engage the Sub-processor for processing the Customer’s data, or (b) offer the Customer the option to terminate the DPA without penalty.
5. Individual Rights
- Access, rectification, erasure, restriction, portability, and objection rights are exercised by the Customer using Software functionality.
- Service Provider shall document relevant capabilities and assist as feasible.
- The offline architecture ensures Processor cannot act independently on Individual requests.
6. Technical & Organizational Measures
- Encryption: AES-256-GCM, per-record keys, secure deletion.
- Access control: PIN authentication, session management, audit logging.
- Data integrity: Immutable audit trails, tamper detection.
- Offline architecture: No transmission and no telemetry; optional, user-initiated support diagnostics automatically filter all PHI before any transmission.
6.1 Designated Privacy Officer
Pursuant to Quebec Law 25, Article 3.1, RecordIQ Software LLC designates the following individual as the person responsible for the protection of personal information:
Name: Ulises Rodriguez
Title: Founder & CEO
Email: legal@recordiq.app
Mailing Address: RecordIQ Software LLC, 30 N Gould St Ste N, Sheridan, WY 82801, United States
Language Support: English and French
The Privacy Officer is responsible for: (a) ensuring compliance with applicable privacy legislation; (b) responding to access, correction, and complaint requests within thirty (30) calendar days; (c) overseeing privacy impact assessments; (d) establishing and maintaining the organization’s privacy governance program; and (e) acting as the point of contact for the Commission d’accès à l’information du Québec (CAI) and the Office of the Privacy Commissioner of Canada.
6.2 Provincial Privacy Acts
In addition to PIPEDA (federal) and HIPAA (US federal), the Service Provider acknowledges and supports compliance with the following provincial privacy legislation, to the extent applicable to the Customer’s operations:
(a) Quebec: An Act respecting the protection of personal information in the private sector (Law 25), including privacy impact assessment requirements, incident notification to the CAI, and designation of a person responsible for the protection of personal information;
(b) British Columbia: Personal Information Protection Act (PIPA BC), including consent and breach notification requirements;
(c) Alberta: Personal Information Protection Act (PIPA AB) and Health Information Act (HIA), including health information custodian obligations;
(d) Ontario: Personal Health Information Protection Act (PHIPA), to the extent health information is processed;
(e) Other provinces: Applicable provincial health privacy statutes in Nova Scotia, New Brunswick, Newfoundland and Labrador, Manitoba, and Saskatchewan.
The Customer is solely responsible for determining which provincial legislation applies to its operations and ensuring compliance with all applicable requirements.
7. Personal Data Breach
- Processor: Notifies Controller of any breach of Service Provider systems.
- Controller: Responsible for breaches of local workstation data.
- Breach documentation maintained and shared with Controller as required by law.
Processor shall maintain records of all security breaches for a minimum of twenty-four (24) months as required by PIPEDA Breach of Security Safeguards Regulations.
8. International Transfers
- No document data or PHI is transmitted internationally. License administration data is stored in Microsoft Azure data centers within North America (US East 2 and Canada East regions).
- No international transfer mechanisms are needed. All data remains within the United States and Canada.
- Customer remains responsible for any exports outside the Software.
9. Term and Termination
- Effective duration: DPA aligns with Software license term.
- Termination obligations: Service Provider holds no Personal Data; Customer may use secure deletion.
- The following obligations survive termination: confidentiality, audit support, deletion obligations, breach notification (Section 7), liability limitations (Section 11), and governing law (Section 13).
10. Audit Rights
- Customer may audit Service Provider compliance not more than once per twelve (12) month period, with reasonable notice of thirty (30) days, unless a material breach is reasonably suspected, in which case additional audits may be conducted.
- Audit scope limited to Software security architecture, internal policies, and absence of data transmission.
- Audit costs borne by Customer unless material non-compliance is identified.
11. Liability
- Service Provider liability is limited to failure to implement security, software defects, or failure to notify known vulnerabilities.
- Customer liability covers local processing infringements.
- Aggregate Service Provider liability capped at total license fees paid in prior 12 months, except in cases of willful misconduct or gross negligence.
- The foregoing limitation shall not apply to: (a) indemnification obligations; (b) liability arising from willful misconduct or gross negligence; (c) claims that cannot be limited under applicable law, including Individual claims under PIPEDA, HIPAA, or CCPA/CPRA; or (d) civil money penalties imposed by regulatory authorities.
11.1 Indemnification. Each Party shall indemnify, defend, and hold harmless the other Party from and against any third-party claims, damages, losses, and expenses (including reasonable attorneys’ fees) arising from: (a) the indemnifying Party’s material breach of this DPA; (b) the indemnifying Party’s gross negligence or willful misconduct; or (c) the indemnifying Party’s violation of applicable data protection law. The indemnification procedure, including notice requirements and sole control of defense, shall follow the terms set forth in the End User License Agreement, Section 15.3.
12. Canadian & US Specific Compliance
- PIPEDA Principle 4.1.3: Service Provider maintains accountability for license-related personal info.
- Quebec Law 25: Privacy Impact Assessment completed; incident notifications to CAI as required.
- US HIPAA: Service Provider does not access PHI; offline processing ensures minimal liability.
- Data residency: PHI remains local; license data may reside in Azure (confirmable on request).
13. Governing Law
- The DPA is governed by the laws of the State of Wyoming, United States, subject to mandatory PIPEDA and relevant US federal/state law obligations (including HIPAA and CCPA/CPRA).
SIGNATURES
By signing below, the Parties agree to be bound by the terms of this Data Processing Agreement.
CUSTOMER:
Name: ________________________________
Title: ________________________________
Organization: ________________________________
Signature: ________________________________
Date: ________________________________
SERVICE PROVIDER:
Name: ________________________________
Title: ________________________________
Organization: RecordIQ Software LLC
Signature: ________________________________
Date: ________________________________
ANNEX A — PROCESSING DETAILS (applicable privacy law requirements)
1. Categories of Individuals:
- Licensee’s employees (Authorized Users)
- Licensee’s clients whose documents are processed by the Software
2. Types of Personal Data:
- Names, dates of birth, addresses, phone numbers
- Medical record numbers, health insurance information
- Protected Health Information (PHI) as defined by HIPAA
- Social Security Numbers (when present in source documents)
- Any other personal data contained within documents imported into the Software
3. Nature and Purpose of Processing:
- OCR (Optical Character Recognition) extraction from scanned documents
- Document classification, indexing, and chronological ordering
- PHI detection and redaction
- Report generation (chronologies, summaries, production sets)
4. Duration of Processing:
- Processing occurs only during active use of the Software
- All processing is performed locally on the Customer’s workstation
- No personal data is retained by the Service Provider after processing completes
5. Location of Processing:
- Exclusively on the Customer’s local device
- No data is transmitted to Service Provider systems
- License data (email, machine ID) stored in Microsoft Azure (US East 2 and Canada East regions)
For questions about this document, contact support@recordiq.app.