This Data Processing Agreement ("DPA") forms part of the Sergio Terms of Service ("Agreement") between Axenvoy Inc. ("Processor," "Sergio," "we," or "us") and the Customer ("Controller" or "you") who has agreed to the Terms of Service.
This DPA sets out the terms that apply when Processor processes Personal Data on behalf of Controller in connection with the Sergio platform services.
2. Definitions
"Personal Data" means any information relating to an identified or identifiable individual that is processed by Processor on behalf of Controller through the Services.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Data Subject" means an identified or identifiable individual whose Personal Data is processed.
"Sub-Processor" means any third party engaged by Processor to process Personal Data on behalf of Controller.
"Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"Applicable Data Protection Law" means PIPEDA, Quebec Law 25, and any other applicable Canadian provincial or US state privacy laws.
3. Roles and Responsibilities
3.1 Controller Responsibilities
Controller shall:
Determine the purposes and means of Processing Personal Data
Ensure there is a lawful basis for all Processing instructions given to Processor
Obtain all necessary consents from Data Subjects where required
Provide appropriate notices to Data Subjects regarding Processing
Respond to Data Subject requests (with Processor's assistance as needed)
Comply with all Applicable Data Protection Law
3.2 Processor Responsibilities
Processor shall:
Process Personal Data only on Controller's documented instructions
Ensure personnel are bound by confidentiality obligations
Implement appropriate technical and organizational security measures
Engage Sub-Processors only with Controller's authorization
Assist Controller in responding to Data Subject requests
Notify Controller of Data Breaches without undue delay
Delete or return Personal Data upon termination of Services
Make available information necessary to demonstrate compliance
4. Categories of Personal Data
Category | Data Elements | Data Subjects | Purpose
End Customer Data | Name, email, phone, service address | Controller's customers | Service delivery, communications
Employee/User Data | Name, email, role, login activity | Controller's employees | Platform access, authentication
Location Data | GPS coordinates (opt-in) | Field technicians | Navigation, geofencing
Service Records | Job details, invoices, notes | Controller's customers | Business operations
Sensitive Data: Processor does not knowingly process special categories of Personal Data (health, biometric, religious, political, etc.).
5. Sub-Processors
5.1 Authorized Sub-Processors
Controller authorizes Processor to engage the following Sub-Processors:
Sub-Processor | Service | Location | DPA Date
Supabase Inc. | Database, authentication, storage | Canada (Montreal) | August 5, 2025
Stripe Inc. | Payment processing | United States | October 26, 2025
Mapbox Inc. | Mapping, geocoding, routing | United States | December 3, 2025
Resend Inc. | Transactional email | United States | December 3, 2025
OpenPhone Inc. | SMS delivery | United States | December 3, 2025
Cloudflare Inc. | CDN, security, DNS | Global | December 3, 2025
Intuit Inc. (QuickBooks) | Accounting integration (opt-in) | United States | October 26, 2025
5.2 Changes to Sub-Processors
Processor will provide Controller with at least 30 days' notice before engaging any new Sub-Processor. Controller may object to a new Sub-Processor within 14 days if the Sub-Processor presents a material privacy risk. If Controller objects and Processor cannot accommodate, Controller may terminate affected Services.
6. Security Measures
Processor implements the following security measures:
6.1 Technical Measures
Encryption in transit using TLS 1.2 or higher
Encryption at rest using AES-256
Row-Level Security (RLS) for multi-tenant data isolation
Multi-factor authentication available for all users
Processor shall notify Controller of any Data Breach without undue delay, and in any event within 72 hours of becoming aware of the breach.
7.2 Notification Contents
Breach notification shall include:
Description of the nature of the breach
Categories and approximate number of Data Subjects affected
Categories and approximate number of records affected
Name and contact details of Processor's Privacy Officer
Description of likely consequences
Description of measures taken or proposed to address the breach
7.3 Cooperation
Processor shall cooperate with Controller in investigating the breach, mitigating harm, and fulfilling Controller's notification obligations under Applicable Data Protection Law.
8. Data Subject Rights
Processor shall assist Controller in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including:
Right of access to Personal Data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to data portability
Right to withdraw consent
Processor shall respond to Controller's assistance requests within 5 business days. If Processor receives a request directly from a Data Subject, Processor shall promptly redirect the Data Subject to Controller unless legally prohibited.
9. Data Retention and Deletion
9.1 During Services
Processor retains Personal Data for the duration necessary to provide Services and in accordance with documented retention schedules.
9.2 Upon Termination
Upon termination of Services or Controller's written request:
Export Period: Controller has 30 days to export Personal Data via self-service tools
Deletion: Processor shall delete Personal Data within 60 days of termination
Backup Purge: Backup copies overwritten within 90 days per normal rotation
Certification: Processor shall provide written certification of deletion upon request
9.3 Exceptions
Processor may retain Personal Data to the extent required by Applicable Data Protection Law, provided that Processor ensures confidentiality and limits Processing to purposes required by law.
10. International Transfers
Primary Data Location: Personal Data is primarily stored in Canada (Montreal, AWS ca-central-1).
US Transfers: Some Sub-Processors operate in the United States. All US-based Sub-Processors have signed Data Processing Agreements including:
Processing only on documented instructions
Confidentiality obligations
Appropriate security measures
Breach notification requirements
Deletion upon termination
11. Audit Rights
Upon Controller's reasonable request and subject to confidentiality obligations:
Processor shall make available information necessary to demonstrate compliance with this DPA
Processor shall allow for and contribute to audits conducted by Controller or an independent auditor
Audits shall be conducted during normal business hours with reasonable advance notice
Controller bears the cost of any audit unless the audit reveals material non-compliance
12. Term and Termination
This DPA shall remain in effect for the duration of the Agreement. Upon termination of the Agreement, Processor shall comply with the data deletion requirements in Section 9.
This DPA is governed by the laws of the Province of Saskatchewan, Canada, without regard to conflict of law principles. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Agreement.
14. Contact Information
Privacy Officer: Cody Lepine
Email: legal@axenvoy.com
Address: Axenvoy Inc., Suite 1002, 1 Springs Drive, Unit #208, Swift Current, SK S9H 3X6, Canada