Data Processing Agreement
Standard Contractual Terms for Data Processors
About This Agreement
This Data Processing Agreement ("DPA") sets forth the terms and conditions under which Eldercare Concierge ("Data Controller" or "Company") engages third-party service providers ("Data Processors") to process personal information on its behalf, in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
1. Parties to This Agreement
This DPA is entered into between:
Data Controller:
Eldercare Concierge, a division of Arcadia Health Alliance
("Company", "we", "us", or "our")
Data Processor:
The third-party service provider identified in the applicable Service Agreement
("Processor", "you", or "your")
2. Definitions
"Personal Information" means information about an identifiable individual, as defined under PIPEDA, including but not limited to name, contact information, health information, and assessment data collected through our platform.
"Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
"Data Subject" means the individual whose Personal Information is being processed, including our users, family members, and care recipients.
"Security Breach" means any unauthorized access to, disclosure of, or loss of Personal Information that compromises its security, confidentiality, or integrity.
3. Scope of Processing
The Processor agrees to process Personal Information only:
- For the specific purposes described in the Service Agreement
- In accordance with documented instructions from the Company
- In compliance with PIPEDA and applicable privacy laws
- To the extent necessary to provide the contracted services
Categories of Data Processed
- User account information (names, email addresses, phone numbers)
- Assessment responses and care planning data
- Health-related information about care recipients
- Payment and billing information (where applicable)
- Usage logs and technical data
4. Processor Obligations
4.1 Confidentiality
The Processor shall:
- Ensure that all personnel processing Personal Information are bound by confidentiality obligations
- Not disclose Personal Information to any third party without prior written consent
- Limit access to Personal Information to authorized personnel on a need-to-know basis
4.2 Security Measures
The Processor shall implement appropriate technical and organizational measures, including:
- Encryption of Personal Information in transit and at rest, using AES-256 or a cipher of equivalent strength
- Access controls and authentication mechanisms
- Regular security assessments and vulnerability testing
- Secure data backup and disaster recovery procedures
- Employee security training and awareness programs
4.3 Sub-Processors
The Processor shall:
- Obtain prior written authorization before engaging any sub-processor
- Ensure sub-processors are bound by equivalent data protection obligations
- Remain fully liable for the acts and omissions of any sub-processor
- Maintain a current list of sub-processors available upon request
4.4 Data Subject Rights
The Processor shall assist the Company in responding to Data Subject requests for:
- Access to their Personal Information
- Correction of inaccurate information
- Deletion of Personal Information
- Data portability and export
5. Security Breach Notification
In the event of a Security Breach, the Processor shall meet the following requirements.
Notification Requirements
- Within 24 hours of discovery: Notify the Company of any confirmed or suspected Security Breach
- Within 48 hours: Provide initial assessment of scope and affected data
- Ongoing: Cooperate fully with breach investigation and remediation
- Documentation: Maintain detailed records of all breach response activities
Notification shall include:
- Description of the nature of the breach
- Categories and approximate number of affected Data Subjects
- Categories and approximate volume of affected records
- Likely consequences of the breach
- Measures taken or proposed to address the breach
6. Audit Rights
The Company reserves the right to:
- Conduct audits of the Processor's data processing activities upon reasonable notice
- Request certifications, reports, and evidence of compliance (e.g., SOC 2 Type II reports, ISO/IEC 27001 certificates)
- Engage independent auditors to assess security and compliance
- Review sub-processor arrangements and security measures
The Processor shall make available all information necessary to demonstrate compliance with this DPA and PIPEDA requirements.
7. Data Retention and Deletion
Upon termination of the Service Agreement or upon request, the Processor shall:
- Return all Personal Information to the Company in a standard format
- Securely delete all copies of Personal Information within 30 days
- Provide written certification of deletion
- Ensure all sub-processors comply with the same deletion requirements
Exception: Retention may continue only to the extent required by applicable law, in which case the Processor shall inform the Company and continue to protect such data.
8. International Data Transfers
If the Processor transfers Personal Information outside of Canada, it shall ensure:
- The receiving jurisdiction provides comparable privacy protection
- Appropriate contractual safeguards are in place (e.g., Standard Contractual Clauses)
- Data Subjects are informed of potential foreign access risks
- The Company has provided prior written authorization
9. Liability and Indemnification
The Processor shall indemnify and hold harmless the Company from any:
- Claims, damages, or losses arising from Processor's breach of this DPA
- Regulatory fines or penalties resulting from Processor's non-compliance
- Costs associated with breach notification and remediation caused by Processor
- Third-party claims arising from unauthorized processing by Processor
10. Term and Termination
This DPA shall remain in effect for the duration of the Service Agreement and shall survive termination with respect to any Personal Information retained by the Processor.
The Company may terminate this DPA immediately if the Processor:
- Materially breaches its obligations under this DPA
- Fails to comply with PIPEDA or other applicable privacy laws
- Is subject to a significant Security Breach
- Becomes insolvent or enters bankruptcy proceedings
11. Agreement and Signatures
By signing below, the parties agree to be bound by the terms of this Data Processing Agreement.
Data Controller
Eldercare Concierge
Division of Arcadia Health Alliance
Data Processor
Contact Information
Privacy Officer
privacy@eldercareconcierge.ca
Legal Department
legal@eldercareconcierge.ca
Eldercare Concierge, Division of Arcadia Health Alliance
Healthcare Innovation Center, Canada