Flarepoint — Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") forms part of and is incorporated into the Terms of Service or other agreement (the "Agreement") between Flarepoint Marketing Ltd. ("Flarepoint", "we") and the customer that has accepted the Agreement (the "Customer", "you"). It governs Flarepoint's handling of personal information that the Customer is responsible for and that Flarepoint processes on the Customer's behalf to provide the Service.
Effective date: the date the Agreement takes effect. Governing privacy laws: Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and British Columbia's Personal Information Protection Act (BC PIPA) (together, "Applicable Privacy Laws").
If there is a conflict between this DPA and the rest of the Agreement regarding the handling of Customer Personal Information, this DPA controls.
1. Definitions
- "Customer Personal Information" — personal information about identifiable individuals that the Customer (or its users) submits to or generates in the Service and for which the Customer is the organization responsible, including information about Owners and other individuals whose data the Customer inputs.
- "Individual" / "Data Subject" — the identifiable individual the Customer Personal Information is about (for example, a boat Owner or representative).
- "Process / Handle" — any operation performed on Customer Personal Information (collection, use, storage, disclosure, transmission, deletion, etc.).
- "Service Provider" — Flarepoint, acting on the Customer's behalf and instructions.
- "Sub-processor" — a third party engaged by Flarepoint to Process Customer Personal Information (see Annex C).
- "Security Incident" — a breach of security safeguards leading to the loss of, unauthorized access to, or unauthorized disclosure of Customer Personal Information.
Capitalized terms not defined here have the meaning given in the Agreement.
2. Roles of the parties
2.1 The Customer is the organization responsible for the Customer Personal Information (equivalent to a "controller"). The Customer determines the purposes for which it is Processed and is responsible for obtaining any required consents from Individuals (including Owners) and for the lawfulness of its instructions.
2.2 Flarepoint acts as the Customer's Service Provider (equivalent to a "processor"). Flarepoint Processes Customer Personal Information only on the Customer's documented instructions and to provide, secure, support, and improve the Service as permitted by the Agreement, this DPA, and the Privacy Policy, except where law requires otherwise (in which case Flarepoint will inform the Customer unless legally prohibited).
2.3 Flarepoint will inform the Customer if, in its opinion, an instruction infringes Applicable Privacy Laws.
3. Scope & details of Processing
The subject matter, duration, nature and purpose of Processing, the types of Customer Personal Information, and the categories of Individuals are described in Annex A.
4. Customer obligations
4.1 The Customer warrants that it has the right to provide the Customer Personal Information to Flarepoint and to instruct the Processing described in the Agreement, and that it has obtained all consents and provided all notices required under Applicable Privacy Laws (including from Owners).
4.2 The Customer is responsible for the accuracy, quality, and legality of the Customer Personal Information and the means by which it acquired it.
4.3 The Customer is responsible for configuring user roles and access appropriately and for the acts and omissions of its users.
4.4 The Customer warrants that its instructions to Flarepoint are lawful, and will defend and indemnify Flarepoint against any claim, fine, or cost arising from the Customer's instructions, Customer Personal Information, or failure to obtain required consents or to comply with Applicable Privacy Laws or CASL.
5. Flarepoint obligations
Flarepoint will:
5.1 Process on instructions — Process Customer Personal Information only as set out in §2.2.
5.2 Confidentiality — ensure personnel authorized to Process Customer Personal Information are bound by confidentiality obligations and access it on a need-to-know basis.
5.3 Security — implement and maintain the technical and organizational security measures described in Annex B, appropriate to the sensitivity of the information.
5.4 Assist with Individual requests — taking into account the nature of the Processing, provide reasonable assistance (including appropriate technical and organizational measures) to help the Customer respond to requests from Individuals to access, correct, delete, or otherwise exercise their rights. If Flarepoint receives such a request directly, it will, unless legally required to respond, refer the Individual to the Customer.
5.5 Assist with compliance — provide reasonable assistance to the Customer with security, Security Incident handling, and privacy impact assessments, taking into account the information available to Flarepoint.
5.6 Return or delete — on termination, handle Customer Personal Information as set out in §9.
5.7 Demonstrate compliance — make available information reasonably necessary to demonstrate compliance with this DPA, as further described in §10.
6. Sub-processors
6.1 The Customer authorizes Flarepoint to engage Sub-processors to Process Customer Personal Information. A current list is in Annex C and available on request.
6.2 Flarepoint will impose data-protection and security obligations on each Sub-processor that are substantially consistent with this DPA, and remains responsible for its Sub-processors' performance of those obligations.
6.3 Flarepoint will give the Customer reasonable prior notice (for example, by email or by updating the Sub-processor list) before adding or replacing a Sub-processor that Processes Customer Personal Information. If the Customer has a reasonable, documented data-protection objection, the parties will work in good faith to resolve it; if they cannot, the Customer may, as its sole remedy, terminate the affected part of the Service.
7. Security Incidents
7.1 Flarepoint will notify the Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Information.
7.2 The notice will include, to the extent known and as it becomes available: the nature of the incident, the categories and approximate amount of information involved, likely consequences, and the measures taken or proposed.
7.3 Flarepoint will take reasonable steps to contain and remediate the incident and will reasonably assist the Customer with its own notification and record-keeping obligations under Applicable Privacy Laws (including PIPEDA's breach-reporting requirements). Notification is not an acknowledgement of fault or liability.
8. Data residency & cross-border Processing
8.1 Customer Personal Information is hosted in Canada (see Annex C).
8.2 Some Sub-processors may Process limited data outside Canada (for example, message-delivery metadata, or de-identified AI queries). Where this occurs, Flarepoint uses contractual and technical safeguards to protect the information, and the information may become subject to the laws of the jurisdiction where it is Processed.
8.3 Flarepoint's AI features are designed to minimize and de-identify data and to avoid sending personal information to AI providers that operate outside Canada, as described in the Privacy Policy.
9. Return & deletion on termination
On expiry or termination of the Agreement, the Customer may export its Customer Personal Information for 30 days. After that period, Flarepoint will delete or de-identify Customer Personal Information in its production systems within a commercially reasonable time, except to the extent that retention is required by law or the information is stored in routine backups that expire on a rolling basis (and which remain protected by this DPA until deleted).
10. Audit & demonstrating compliance
10.1 Flarepoint will, on reasonable written request and no more than once per 12 months (unless required by a regulator or following a Security Incident), make available information reasonably necessary to demonstrate compliance with this DPA, such as summaries of its security practices and any available third-party assessments.
10.2 Where that information is insufficient, the Customer may request an audit, conducted on reasonable prior notice, during business hours, subject to confidentiality, in a manner that does not disrupt the Service or compromise other customers' data, and at the Customer's expense.
11. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
12. Term & general
12.1 This DPA takes effect with the Agreement and continues until Flarepoint has returned or deleted Customer Personal Information in accordance with §9.
12.2 This DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable there, consistent with the Agreement.
12.3 Except as amended by this DPA, the Agreement remains in full force and effect.
Annex A — Details of Processing
- Subject matter: provision of the Flarepoint Service (marina/boatyard operating software) to the Customer.
- Duration: for the term of the Agreement, plus the post-termination period in §9.
- Nature & purpose: hosting, storage, organization, display, transmission, generation of documents and notifications, compliance signalling, and (where modules are enabled) invoicing and payment facilitation — all to provide, secure, support, and improve the Service on the Customer's behalf.
- Types of Customer Personal Information: names and contact details; vessel and slip/berth assignments; contract, placement, and insurance details; identification provided at check-in; photos captured during audits or incidents (which may incidentally include individuals); check-in/check-out and vessel-movement records; communications and notification preferences; and, where the Payments module is enabled, billing and payment-related details (full card data is handled by PCI-compliant processors, not stored by Flarepoint).
- Categories of Individuals: boat Owners and their representatives, and other individuals whose information the Customer inputs into the Service.
Annex B — Technical & organizational security measures
Flarepoint maintains measures including:
- Encryption of Customer Personal Information in transit (TLS) and at rest.
- Tenant isolation & access control: default-deny, row-level security keyed to each organization and (where relevant) marina/dock scope, so one Customer cannot access another's data; role-based permissions.
- Authentication: salted/hashed passwords; multi-factor authentication (mandatory for privileged roles, available to others).
- Document protection: private storage with signed-URL access and access logging.
- Least privilege & logging: restricted, need-to-know internal access; audit logging of privileged and document access; security monitoring.
- Secure development & operations: secrets management, environment separation, and change control.
- Resilience: backups and recovery processes.
- Sub-processor controls: contractual data-protection and security obligations on Sub-processors.
(Annex B must reflect Flarepoint's actual, current practices; update as the product evolves.)
Annex C — Sub-processors
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase | Cloud hosting, database, authentication, storage | Canada |
| Resend | Transactional email delivery | United States |
| Twilio | SMS notifications | United States |
| PDFShift | Document/PDF generation | European Union |
| DeepSeek (via provider interface) | AI assistant processing (de-identified / minimized data) | Outside Canada — see §8 |
| Google | "Sign in with Google" authentication (optional) | United States |
| Planned — Payments module: Stripe; Canadian payment rails (Interac, pre-authorized debit) | Payment processing | Disclosed when the Payments module launches |
(Maintain this list and notify Customers of changes per §6.3.)