Data Processing Agreement
Last updated: April 11, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the agreement between Gift of Gab Tech Inc. ("Processor," "we," "us") and the customer ("Controller," "you") for the use of the EMMA platform ("Service"). This DPA sets out the terms under which we process personal data on your behalf in connection with the Service.
This DPA is designed to comply with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation in Canada, as well as other applicable data protection laws.
2. Scope of Data Processing
In the course of providing the Service, we process personal data on behalf of the Controller. The scope of processing includes:
- Categories of data subjects: The Controller's contacts, leads, clients, and end users as imported into or generated within the EMMA platform.
- Types of personal data: Names, email addresses, phone numbers, mailing addresses, CRM interaction history, conversation transcripts, notes, tags, and any other data the Controller submits to the Service.
- Purpose of processing: To provide CRM intelligence, AI-powered insights, contact management, communication features, and related services as described in the Service agreement.
- Duration: Processing continues for the duration of the Controller's active subscription and for a retention period of 30 days following account cancellation, after which data is scheduled for deletion.
3. Sub-Processors
We engage the following sub-processors to deliver the Service. Each sub-processor is contractually bound to protect the confidentiality and security of personal data:
| Sub-Processor | Purpose | Data Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure, hosting, database, AI services | United States / Canada (on request) |
| Stripe | Payment processing and billing | United States |
| Twilio | Voice services, SMS, and communication infrastructure | United States |
| Deepgram | Speech-to-text transcription for voice features | United States |
| OpenAI | AI model inference for contact insights and analysis | United States |
We will notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to a new sub-processor by providing written notice within 14 days of notification.
4. Data Retention and Deletion
- Active subscription: All Controller data is retained for the duration of the active subscription.
- Post-cancellation: Upon cancellation or termination, Controller data is retained for 30 days to allow for data export or account reactivation. After this period, data is permanently deleted from production systems.
- Backup retention: Encrypted backups may persist for up to 90 days following deletion from production systems, after which they are purged.
- Deletion upon request: The Controller may request deletion of specific personal data or all data at any time by contacting privacy@giftofgab.tech. We will process deletion requests within 30 days.
5. Data Subject Rights
We will assist the Controller in fulfilling data subject access, correction, deletion, and portability requests to the extent technically feasible and as required by applicable law. The Controller remains responsible for responding to data subject requests within the timeframes prescribed by applicable legislation.
6. Security Measures
We implement appropriate technical and organizational measures to protect personal data, including:
- AES-256 encryption for data at rest
- TLS 1.3 encryption for data in transit
- Role-based access controls and audit logging
- Regular security assessments and penetration testing
- Employee security training and background checks
- Incident response and breach notification procedures
A detailed description of our security practices is available in our Security Overview.
7. Breach Notification
In the event of a confirmed personal data breach, Gift of Gab Tech Inc. will:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.
- Provide the Controller with sufficient information to meet its own notification obligations under applicable law, including the nature of the breach, categories and approximate number of data subjects affected, and measures taken or proposed to address the breach.
- Cooperate with the Controller and take reasonable steps to mitigate the effects and minimize any damage resulting from the breach.
8. PIPEDA Compliance
Gift of Gab Tech Inc. processes personal data in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Our data handling practices adhere to the ten fair information principles set out in PIPEDA, including:
- Accountability for personal information under our control
- Limiting collection, use, disclosure, and retention of personal information to purposes identified at or before the time of collection
- Maintaining accuracy and providing individuals with access to their personal information upon request
- Implementing safeguards appropriate to the sensitivity of the information
9. Governing Law
This DPA shall be governed by and construed in accordance with the federal laws of Canada and the laws of the Province of Ontario, without regard to conflict of law provisions, except where superseded by mandatory provisions of applicable data protection law, including the Personal Information Protection and Electronic Documents Act (PIPEDA).
10. Request a Signed Copy
To obtain an executed copy of this Data Processing Agreement countersigned by Gift of Gab Tech Inc., please contact our privacy team:
- Gift of Gab Tech Inc.
- Privacy Team: privacy@giftofgab.tech