DRAFT — FOR LEGAL REVIEW. NOT YET IN EFFECT.
Prepared for LeadQor Canada Inc. [incorporation pending], Ontario, Canada. To be verified by counsel before publication.
Version: 1.0-draft · Last updated: [DATE]
1. Introduction and Incorporation
This Data Processing Addendum ("DPA") forms part of, and is incorporated by reference into, the LeadQor Terms of Service (the "Agreement") between LeadQor Canada Inc. [incorporation pending], an Ontario corporation ("LeadQor", "we", "us"), and the business customer that accepts the Agreement (the "Tenant", "you").
This DPA applies automatically to every Tenant, including self-serve Tenants, without any separate signature. By accepting the Agreement or using the Services, you also accept this DPA. If there is a conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA controls.
This DPA applies whenever LeadQor processes Personal Data on your behalf in the course of providing the Services — the LeadQor platform, including CRM, scheduling, financial tools, review management, messaging (SMS, voice, and email sent through the platform), payment facilitation via Stripe Connect, and the website builder, in each case whether provided under the LeadQor brand or under your white-label brand.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable individual that you or your Users submit to the Services, or that is collected through the Services on your behalf — including the personal information of your End Customers (names, contact details, addresses, service and equipment history, communications, appointment records, and invoices). Under CCPA, Personal Data means "personal information."
- "End Customer" means an individual whose Personal Data you store or process in the Services — typically your own customers, leads, and contacts.
- "Users" means your staff and other individuals you authorize to access your Tenant account.
- "Data Protection Laws" means all privacy and data protection laws applicable to the processing of Personal Data under this DPA, which may include the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA"), substantially similar Canadian provincial private-sector privacy laws, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable U.S. state privacy laws.
- "Subprocessor" means a third party engaged by LeadQor to process Personal Data on your behalf in the course of providing the Services.
- "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Personal Data processed by LeadQor on your behalf.
- "Services" means the LeadQor platform and related services described in the Agreement.
Terms like "controller," "processor," "business," "service provider," "sell," and "share" have the meanings given in the applicable Data Protection Laws.
3. Roles of the Parties
3.1 With respect to Personal Data processed under this DPA:
- You are the controller (and, under CCPA, the "business"). You determine the purposes and means of processing your End Customers' Personal Data. You own the relationship with your End Customers.
- LeadQor is the processor (and, under CCPA, your "service provider"). We process Personal Data only on your behalf and on your documented instructions.
3.2 You are responsible for the lawfulness of the Personal Data you put into the Services, including having an appropriate legal basis and any required consents from End Customers, providing legally required privacy notices to End Customers, and complying with Data Protection Laws that apply to you as a business. Because the Services can be white-labeled, your End Customers may see only your brand; you remain the party responsible to them.
3.3 For clarity, LeadQor acts as an independent controller (not your processor) for a limited set of data: your own account and billing information, Tenant-level usage and telemetry, and data we must process to comply with law. That processing is governed by the LeadQor Privacy Policy, not this DPA.
4. Scope of Processing and Instructions
4.1 Documented instructions. LeadQor will process Personal Data only on your documented instructions, including with regard to disclosures and transfers, unless required to do otherwise by applicable law (in which case, unless legally prohibited, we will inform you of that legal requirement before processing).
4.2 What counts as your instructions. Your documented instructions are:
- the Agreement (including this DPA);
- your configuration and use of the Services — including the features you enable, the automations and campaigns you set up, the integrations you connect, and the actions you and your Users take in the platform; and
- any additional written instructions you give us that are consistent with the Agreement.
4.3 Unlawful instructions. If we believe an instruction violates Data Protection Laws, we will inform you and may suspend performance of that instruction until it is resolved.
4.4 Details of processing. The subject matter, duration, nature and purpose of processing, categories of Personal Data, and categories of data subjects are described in Annex A.
5. CCPA / U.S. State Privacy Law — Service Provider Terms
To the extent CCPA or a similar U.S. state privacy law applies to Personal Data processed under this DPA, LeadQor, as your service provider (or "processor" under other state laws):
5.1 will not sell or share Personal Data (as "sell" and "share" are defined in CCPA);
5.2 will not retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Agreement and this DPA — that is, providing, maintaining, securing, and improving the Services for you — or as otherwise permitted for service providers under CCPA;
5.3 will not retain, use, or disclose Personal Data outside of the direct business relationship between you and LeadQor;
5.4 will not combine Personal Data received from or on behalf of you with personal information from other sources, except as permitted for service providers under CCPA (for example, to detect security incidents or protect against fraudulent or illegal activity);
5.5 will comply with applicable obligations under CCPA and provide the same level of privacy protection as CCPA requires of businesses;
5.6 grants you the right to take reasonable and appropriate steps to ensure that we use Personal Data consistently with your CCPA obligations (the mechanisms in Sections 12 and 13 satisfy this), and to stop and remediate any unauthorized use of Personal Data upon notice;
5.7 will notify you if we determine that we can no longer meet our obligations under CCPA; and
5.8 certifies that it understands and will comply with the restrictions in this Section 5.
6. GDPR-Shaped Structure; EU/EEA Note
This DPA is structured to follow Article 28 of the EU General Data Protection Regulation ("GDPR") as a matter of good practice.
[BRACKETED NOTE — EU/EEA AND UK DATA SUBJECTS: LeadQor's Services are currently offered to businesses in the United States and Canada only (excluding Quebec), in English only, and are not directed at data subjects in the EU/EEA or UK. The parties do not intend GDPR or UK GDPR to apply to processing under this DPA. If LeadQor begins processing Personal Data of EU/EEA or UK data subjects on your behalf, or offers the Services in those regions, the parties will execute the EU Standard Contractual Clauses (Module 2, controller-to-processor) and/or the UK International Data Transfer Addendum, and this DPA will be updated accordingly.]**
7. Confidentiality of Processing Personnel
LeadQor will ensure that all personnel authorized to process Personal Data (including employees and contractors):
- are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality;
- are granted access only to the extent needed to perform their role (least privilege); and
- receive appropriate training on data protection and security.
8. Security
8.1 LeadQor will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against Security Incidents, taking into account the nature of the data and the risks of the processing. These measures are described in Annex B (Security Measures).
8.2 We may update Annex B from time to time, provided the updates do not materially reduce the overall level of protection during the term of the Agreement.
8.3 You are responsible for security within your control: your Users' credentials, appropriate role assignments and permission settings inside your Tenant, the devices and networks your team uses, and the data you choose to put into the Services.
9. Subprocessors
9.1 General authorization. You provide general written authorization for LeadQor to engage Subprocessors to provide the Services. Our current Subprocessors are listed on our public Subprocessor List at [leadqor.com/legal/subprocessors] (referenced in Annex C).
9.2 Notice of changes. Before adding or replacing a Subprocessor, we will update the Subprocessor List and notify you by email to your account owner and/or by prominent notice on the Subprocessor List page, at least 30 days before the new Subprocessor begins processing Personal Data (except in urgent cases needed to maintain security or continuity of the Services, in which case we will notify you as soon as reasonably possible).
9.3 Objection. You may object on reasonable data-protection grounds within 30 days of the notice by contacting [privacy@leadqor.com]. We will work with you in good faith to address the objection (for example, by offering a configuration change that avoids the Subprocessor). If we cannot reasonably accommodate the objection, you may terminate the affected Services and receive a pro-rata refund of prepaid fees for the terminated portion, as your sole remedy.
9.4 Flow-down and responsibility. We will impose data-protection obligations on each Subprocessor that are materially no less protective than those in this DPA, by way of a written contract. LeadQor remains responsible to you for the performance of its Subprocessors' obligations.
10. Data Subject and Consumer Requests
10.1 Self-serve first. The Services include tools that allow you to search, access, correct, export, and delete End Customer records directly. You agree to use these self-serve tools to respond to requests from your End Customers (access, correction, deletion, portability, opt-out, and similar rights requests) wherever possible.
10.2 Assistance. Taking into account the nature of the processing, LeadQor will provide reasonable assistance, through appropriate technical and organizational measures, where you cannot fulfill a request using the self-serve tools. We may charge a reasonable fee for assistance that is excessive or clearly beyond the platform's standard capabilities, where permitted by law.
10.3 Requests received by LeadQor. If an End Customer contacts LeadQor directly with a rights request relating to your data, we will not respond substantively (except to direct the individual to you) and will promptly forward the request to you. You are responsible for responding.
11. Personal Data Breach (Security Incident)
11.1 Notice to you. If LeadQor becomes aware of a Security Incident affecting your Personal Data, we will notify you without undue delay after becoming aware of it.
11.2 Contents. To the extent known at the time (and supplemented as information becomes available), the notice will describe: the nature of the incident; the categories and approximate number of affected individuals and records; the likely consequences; the measures taken or proposed to address the incident and mitigate harm; and a contact point at LeadQor.
11.3 Assistance. We will take reasonable steps to contain, investigate, and remediate the Security Incident, and will provide reasonable cooperation and information to assist you in meeting your own breach-notification obligations.
11.4 Your role. As controller/business, you are responsible for determining whether, when, and how to notify affected individuals, regulators, and other parties, and for making those notifications. LeadQor will not notify your End Customers or your regulators on your behalf unless required by law or agreed in writing.
11.5 Our notification of, or response to, a Security Incident is not an acknowledgment of fault or liability.
12. Return and Deletion of Personal Data
12.1 During the term. You can export your data (including End Customer records) using the Services' export tools at any time during the term.
12.2 On termination — retention ladder. Upon termination or expiry of the Agreement, the retention ladder in the Agreement applies:
- Days 0–60 (export window): your data remains available for export. You may retrieve your Personal Data in a commonly used, machine-readable format (e.g., CSV) using self-serve tools, or by request to support.
- After day 60 (deletion): we delete or de-identify your Personal Data from the live production systems, unless retention is required by applicable law.
- By approximately day 90 (backups): your Personal Data ages out of encrypted backups through the normal backup rotation cycle. Backup copies are not restored or used except for disaster recovery, and remain protected by the measures in Annex B until they expire.
12.3 Legal retention. We may retain Personal Data to the extent and for the duration required by applicable law, subject to continued confidentiality and security protections, and will not actively process it for any other purpose.
13. Audit and Information Rights
13.1 LeadQor will make available to you information reasonably necessary to demonstrate compliance with this DPA. This includes, on written request (no more than once per 12-month period, absent a Security Incident affecting your data or a regulator requirement):
- copies of LeadQor's then-current third-party security attestations or audit reports (e.g., SOC 2), when and as available; and
- written responses to a reasonable security and privacy questionnaire.
13.2 For self-serve tier Tenants, the reports and questionnaire responses in Section 13.1 satisfy your audit rights in full; on-site or remote technical audits are not offered at the self-serve tier. Enterprise audit terms, if any, must be agreed in a separate written agreement.
13.3 All audit information is LeadQor Confidential Information under the Agreement.
14. International Data Transfers
14.1 LeadQor is located in Ontario, Canada. The Services are hosted with Subprocessors whose infrastructure is primarily located in the United States (see the Subprocessor List). By using the Services, you instruct LeadQor to transfer and process Personal Data in Canada and the United States.
14.2 You are responsible for any notices to End Customers regarding storage or processing outside their jurisdiction that may be required under applicable Canadian privacy law (e.g., PIPEDA's openness and accountability principles).
14.3 (EU/EEA/UK transfers) See the bracketed note in Section 6. No EU/EEA or UK transfer mechanism is currently in place because no such data is intentionally processed.
15. General
15.1 Term. This DPA takes effect when you accept the Agreement and continues as long as LeadQor processes Personal Data on your behalf.
15.2 Liability. Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Agreement.
15.3 Order of precedence. This DPA prevails over conflicting terms in the Agreement with respect to processing of Personal Data; executed SCCs or statutory addenda (if any, in future) prevail over this DPA.
15.4 Changes. We may update this DPA to reflect changes in law or the Services. Material changes will be notified per the Agreement's change-notice provisions. Continued use of the Services after the effective date of a change constitutes acceptance.
15.5 Governing law. This DPA is governed by the law governing the Agreement (Ontario, Canada), except where Data Protection Laws require otherwise.
Annex A — Details of Processing
| Item | Description |
|---|---|
| Subject matter | Provision of the LeadQor platform: CRM, lead and customer management, scheduling and dispatch, time tracking, financial tools (invoices, quotes, bookkeeping), review management, communications (SMS, voice, email) sent through the platform, payment facilitation via Stripe Connect, and website builder. |
| Duration | The term of the Agreement, plus the post-termination retention ladder in Section 12.2 (export to day 60; deletion after day 60; backup expiry by ~day 90). |
| Nature of processing | Hosting, storage, organization, structuring, retrieval, display, transmission (including sending communications the Tenant initiates or configures), analysis for Tenant-facing features (e.g., dashboards, dedupe, activity timelines), backup, and deletion. |
| Purpose | To provide, maintain, secure, support, and improve the Services for the Tenant, per the Tenant's instructions (Section 4.2). No other purpose. |
| Categories of Personal Data | End Customers: names; contact details (phone, email, mailing/service addresses); service, job, appointment, and equipment history; communications content and metadata (SMS, call logs/recordings where enabled by Tenant, emails); invoices, quotes, and payment-related records (payment card data is processed by Stripe, not stored by LeadQor); notes and custom fields entered by the Tenant; review content and reviewer names. Users: names, work contact details, role/permission data, scheduling and time-clock records, activity logs. |
| Special categories | None intended. The Services are not designed for sensitive data (e.g., health, biometric, government ID numbers); Tenants agree not to submit such data except as strictly incidental to service records. |
| Categories of data subjects | The Tenant's End Customers, leads, and prospects; the Tenant's Users (staff and contractors); individuals who communicate with the Tenant through the Services (e.g., inbound callers, form submitters, reviewers). |
Annex B — Security Measures
LeadQor maintains the following technical and organizational measures:
- Tenant isolation. Multi-tenant data is segregated logically with a tenant identifier on every record and enforced at the database layer via row-level security (RLS) policies, so queries are scoped to a single tenant by default.
- Encryption in transit. All data in transit between clients and the Services, and between LeadQor and its Subprocessors, is encrypted using TLS.
- Encryption at rest. Production databases, file storage, and backups are encrypted at rest.
- Access control (RBAC). Role-based access control within each Tenant, with configurable roles and per-action permissions; sensitive fields gated behind elevated permissions.
- Audit logging. Application-level activity logging of data access and changes; administrative and support access is logged and reviewable.
- Per-tenant data scoping. All application queries, exports, APIs, and background jobs are scoped by tenant identifier; deletion operations are tenant-scoped.
- Backups. Nightly encrypted backups with copies replicated to an offsite storage provider in a separate infrastructure environment; backup restoration procedures are tested periodically.
- Least-privilege access. Production access is restricted to authorized personnel with a need to know; service credentials are scoped to the minimum required; secrets are stored in managed secret stores, not in code.
- Staff and support access. Support personnel access Tenant data only when needed to resolve an issue, under confidentiality obligations, and such access is audited.
- Secure development. Code review before deployment; separation of development and production environments; dependency and vulnerability monitoring.
- Personnel. Confidentiality obligations (Section 7) and security awareness expectations for all personnel with data access.
- Incident response. A documented process to detect, contain, assess, and notify (per Section 11) Security Incidents.
- Subprocessor security. Subprocessors are selected with regard to their security practices and certifications and are bound by written data-protection terms (Section 9.4).
Annex C — Subprocessors
The current list of Subprocessors, including entity names, functions, and locations, is maintained at:
[https://leadqor.com/legal/subprocessors]
That page, together with the notice-and-objection mechanism in Section 9, forms part of this DPA.