Data Processing Agreement
Effective: January 1, 2026 · Last updated: May 17, 2026 · Supplements the Terms of Service
1. Introduction & Parties
This DPA is entered into between the Client (acting as data controller) and Avi Technologies Inc. (acting as data processor) and forms part of the Terms of Service governing the Client's use of FleetForge.
This DPA applies whenever Client Data uploaded to or generated within FleetForge includes personal data, as defined under the Personal Information Protection and Electronic Documents Act (PIPEDA), the BC Personal Information Protection Act (BC PIPA), or — for individuals in the European Economic Area — the General Data Protection Regulation (GDPR).
2. Scope of Processing
2.1 Categories of Personal Data
- Employee and driver records (name, contact details, role, licence numbers)
- Customer contacts (company representatives, billing contacts)
- Authorized User accounts (admin staff using FleetForge)
- GPS / telematics data linked to driver-operated vehicles (when integration enabled)
- Communications records (support messages, in-app chat, emails sent through FleetForge)
2.2 Categories of Data Subjects
- Client's employees, contractors, and drivers
- Client's customers and their representatives
- Visitors to the Client's customer portal
2.3 Purposes of Processing
To provide FleetForge as described in the Terms of Service: fleet management, lease administration, billing, compliance tracking, reservations, customer portal access, and any reasonable supporting functions.
2.4 Duration
For the duration of the Subscription, plus the post-termination data export period (typically 30 days) and the deletion period (typically 90 days) defined in Section 5 of the Terms of Service.
3. Processor Obligations
Avi Technologies, as data processor, agrees to:
- Process personal data only on documented instructions from the Client, including with regard to international transfers, unless required by Canadian law (in which case Avi Technologies will inform the Client of the legal requirement before processing, unless prohibited by law)
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Implement and maintain the technical and organizational security measures described in Section 5
- Not engage another processor (sub-processor) without compliance with Section 4
- Assist the Client, taking into account the nature of processing, in fulfilling its obligations to respond to data subject rights requests
- Assist the Client in ensuring compliance with security, breach notification, data protection impact assessment, and prior consultation obligations
- At the choice of the Client, delete or return all personal data after the end of the provision of services, except where Canadian law requires storage
- Make available to the Client all information necessary to demonstrate compliance with this DPA
4. Sub-processors
The Client provides general authorization for Avi Technologies to engage the sub-processors listed below, subject to the conditions in this section.
4.1 Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Application hosting, database, storage | Canada (ca-central-1), USA (us-east-1 / us-west-2) |
| Samsara, Inc. | GPS / telematics integration (Client-enabled) | USA |
| Anthropic, PBC | AI inference for AI assistant (Client-enabled) | USA |
| Functional Software, Inc. (Sentry) | Error monitoring | USA |
| Amazon SES | Transactional email delivery | Canada (ca-central-1) |
4.2 New Sub-processors
Avi Technologies will provide at least 30 days' written notice before adding a new sub-processor that will process personal data on behalf of the Client. The Client may object to the addition on reasonable grounds related to data protection. If the parties cannot resolve the objection within 30 days of notice, the Client may terminate the Subscription without penalty, with a pro-rated refund of prepaid fees for unused periods.
4.3 Flow-down Obligations
Avi Technologies imposes data protection obligations on each sub-processor through written agreements that are substantially equivalent to those set out in this DPA, and remains liable to the Client for the sub-processor's performance.
5. Security Measures
Avi Technologies implements the following technical and organizational measures:
5.1 Encryption
- AES-256 encryption at rest for databases, file storage, and backups
- TLS 1.2+ for all data in transit
- HMAC-SHA256 signed URLs for time-limited file access
5.2 Access Controls
- Role-based access control with granular permissions
- bcrypt password hashing (cost factor 12)
- Session management with httpOnly + SameSite cookies
- Account lockout after 5 failed login attempts
- IP rate limiting on authentication endpoints
- Audit logging of every state-changing action
5.3 Infrastructure
- Hosted on AWS — physical security per AWS ISO 27001 / SOC 2 Type II certifications
- Network isolation, security groups, and least-privilege IAM policies
- Automated daily backups with 30-day retention
- Disaster recovery testing performed at least annually
5.4 Personnel
- Background checks for employees with production access
- Confidentiality agreements signed by all employees and contractors
- Security awareness training annually
- Access to Client Data on a need-to-know basis with periodic review
5.5 Vulnerability Management
- Automated dependency scanning on every build
- Penetration testing conducted at least once per year by a qualified third party
- Coordinated vulnerability disclosure program (security@avitechnologies.ca)
6. Data Subject Rights
Where a data subject contacts Avi Technologies directly with a rights request relating to Client Data, Avi Technologies will, where lawfully permitted, redirect the data subject to the Client and notify the Client within 5 business days.
Avi Technologies will provide the Client with reasonable assistance — through technical functionality in FleetForge (data export, search, deletion features) — to enable the Client to respond to data subject access, correction, deletion, portability, and objection requests within statutory time limits.
7. Breach Notification
Avi Technologies will notify the Client without undue delay, and in any event within 72 hours after becoming aware, of any Personal Data Breach affecting Client Data. The notification will include, to the extent known:
- The nature of the breach, including categories and approximate numbers of data subjects and records concerned
- The name and contact details of the data protection point of contact
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate harm
If complete information is not available within 72 hours, Avi Technologies will provide initial information and follow up with details as they become available.
8. Audit Rights
The Client may audit Avi Technologies' compliance with this DPA once per calendar year, upon at least 30 days' written notice. Avi Technologies may satisfy the audit obligation by providing copies of recent third-party audit reports (SOC 2 Type II, ISO 27001) where available.
Audits must be conducted during business hours, must not unreasonably interfere with Avi Technologies' operations, must comply with confidentiality obligations, and are at the Client's expense (except where the audit reveals material non-compliance, in which case reasonable costs are borne by Avi Technologies).
9. International Transfers
Client Data is primarily processed in Canada (AWS ca-central-1) with backup and redundancy infrastructure in the United States. For Client Data subject to GDPR, transfers outside the EEA are governed by the Standard Contractual Clauses (Commission Decision 2021/914), incorporated into this DPA by reference where applicable.
10. Term & Termination
This DPA takes effect at the same time as the Terms of Service and continues until those Terms terminate or expire. Upon termination, Avi Technologies will, at the Client's choice, delete or return all Client Data within 90 days, except where Canadian law requires longer retention (e.g. financial records under CRA rules).
11. Liability
Each party's liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service.
12. Contact
Data Protection Point of Contact — Avi Technologies Inc.
Email: privacy@avitechnologies.ca
Address: Surrey, British Columbia, Canada