Data Processing Agreement

Standard terms for processing personal data on behalf of our B2B customers

Data Processor:Axenvoy Inc. ("Sergio")
Version:1.1
Effective:December 21, 2025
Jurisdiction:Saskatchewan, Canada

Mailing Address: Axenvoy Inc., Saskatchewan, Canada

Privacy Officer: Cody Lepine | legal@axenvoy.com

What This Agreement Covers

This Data Processing Agreement ("DPA") supplements the Sergio Terms of Service and governs how we process personal data on your behalf when you use the Sergio platform.

You are the Data Controller
Sergio is the Data Processor
PIPEDA & Quebec Law 25 compliant
Standard contractual clauses

Roles & Responsibilities

Data Controller (Customer)

  • - Determine purposes and means of processing
  • - Ensure lawful basis for data collection
  • - Obtain required consents from data subjects
  • - Handle data subject access requests
  • - Comply with applicable privacy laws

Data Processor (Sergio)

  • - Process data only on your documented instructions
  • - Implement appropriate security measures
  • - Assist with data subject requests
  • - Notify you of data breaches within 72 hours
  • - Delete data upon termination of services

Data We Process

CategoryData ElementsPurpose
End Customer DataName, email, phone, addressService delivery, communications
Employee/User DataName, email, role, login activityPlatform access, authentication
Location DataGPS coordinates (opt-in)Navigation, geofencing
Service DataJob records, invoices, notesBusiness operations

Authorized Sub-Processors

We engage the following sub-processors. All have signed DPAs with equivalent protections:

Essential Services

Supabase - Database (Canada)
Stripe - Payments (US)
Cloudflare - CDN/Security (Global)

Feature-Specific Services

Mapbox - Mapping (US)
Resend - Email (US)
Telnyx - SMS/Voice (US)
Anthropic - AI/ML Processing (US)

Optional Integrations (Opt-in Only)

QuickBooks/Intuit - Accounting (US)

We provide 30 days notice before adding new sub-processors. You may object if they present material privacy risks. A current list is maintained at sergio.app/legal/subprocessors.

Security Measures

Encryption in transit (TLS 1.2+)
Encryption at rest (AES-256)
Row-level security isolation
Multi-factor authentication
Access logging and auditing
SOC 2 certified infrastructure

Data Breach Notification

In the event of a security breach affecting personal data we process on your behalf:

Breach Notification Chain

Sub-processorto Sergio
48 hours
Sergioto Controller (You)
72 hours
  • We will notify you within 72 hours of becoming aware of a breach
  • Notification includes nature of breach, data affected, and remediation steps
  • We assist with your regulatory notification obligations

Breach Record Keeping

As required by PIPEDA and Quebec Law 25, we maintain a comprehensive breach register:

24-month minimum retention of all breach records
Records include: date of incident, categories of personal information involved, number of individuals affected, measures taken
Available upon Controller request for your own breach register compliance

Data Retention & Deletion

Upon termination of services or your written request:

  • 30-day export window: Access your data via self-service export tools
  • 60-day deletion: All personal data permanently deleted from production systems
  • 90-day backup purge: Backup copies overwritten per normal rotation
  • Deletion certificate: Available upon request within 10 business days

Annex D: Quebec Law 25 Addendum

This Annex applies to the processing of personal information of Quebec residents and supplements the main DPA terms.

D.1 Privacy Governance

Privacy Officer: Cody Lepine

Contact: legal@axenvoy.com

D.2 Enhanced Consent Standards

For Quebec residents, consent must be:

  • Manifest: Clear and unambiguous affirmative action
  • Free: Not bundled with unrelated services or coerced
  • Informed: Full disclosure of purposes, recipients, rights
  • Specific: Granted for each distinct processing purpose
  • Revocable: May be withdrawn at any time

D.3 De-indexation Right

Quebec residents have the right to request de-indexation of personal information from search results. We assist Controllers by:

  • - Removing specified records from Platform search results
  • - Excluding records from API responses (upon Controller instruction)
  • - Providing technical documentation for Controller compliance

D.4 Automated Decision-Making Transparency

The Platform includes AI-powered features that may assist in decision-making:

  • - AI Glass Expert (damage assessment recommendations)
  • - AI Photo Moderation (content flagging)
  • - Route optimization algorithms

Important: These features are advisory only. Human review is required for decisions affecting Quebec residents. Individuals have the right to present observations and request human review of automated decisions.

D.5 Commission d'acces a l'information (CAI) Reporting

For confidentiality incidents affecting Quebec residents presenting a "risk of serious injury":

Controller Responsibilities:

  • - Notify the CAI promptly via online portal
  • - Notify affected Quebec individuals without delay
  • - Maintain incident register per Law 25

Sergio Assistance:

  • - Provide incident details within 48 hours
  • - Supply technical documentation for CAI submissions
  • - Support Controller's incident response

D.6 Confidentiality Incident Register

As required by Law 25 Section 3.8, we maintain a register of all confidentiality incidents including:

  • - Date of incident discovery and Controller notification
  • - Personal information involved and number of persons affected
  • - Circumstances, cause, and measures taken
  • - Notifications sent to regulators and individuals

Register entries are retained minimum 24 months (per PIPEDA and Quebec Law 25 requirements).

Download Full DPA

Get the complete Data Processing Agreement for your legal records. This DPA is automatically incorporated by reference into your Terms of Service.

View & Print Full DPA

Opens in new tab. Use Print to Save as PDF.

Need a Custom DPA?

Enterprise customers may request customized data processing terms. Contact our legal team.

Contact Legal Team