ExpatReady, Automate · Integrate · Immigrate
Data Processing Addendum · template

The DPA your firm signs.

Template DPA for ExpatReady customers. Covers PIPEDA and GDPR-spillover scenarios. To execute, contact your account team.

Effective: May 19, 2026 · ExpatReady Technologies Inc., Toronto, Canada
Notice: This document is a template prepared as part of ExpatReady's commercial launch preparation. It will be reviewed and finalized by a Canadian-admitted lawyer before becoming legally binding. Until then, treat this as a working draft. For questions, contact legal@expatready.com.
01

Context

This Data Processing Addendum ("DPA") supplements the Terms of Service between ExpatReady Technologies Inc. ("Processor") and the subscribing firm ("Controller") for processing Personal Data through the ExpatReady Service.

02

Definitions

Personal Data: information relating to an identified or identifiable natural person processed through the Service. Subprocessor: a third party engaged by Processor to process Personal Data. Data Subject: the individual to whom Personal Data relates.

03

Roles

For end-client (applicant) data, Controller is the firm and Processor is ExpatReady. For firm-side authentication data, ExpatReady is the controller (covered by the Privacy Policy).

04

Scope, duration, nature, purpose

Processing happens for the term of the subscription. Nature: providing the Service. Purpose: enabling Controller to run their immigration practice. Categories of data subjects: Controller's employees, contractors, and end-clients (immigration applicants and their family members).

05

Controller obligations

Controller warrants it has lawful basis to process all Personal Data submitted to the Service. Controller is solely responsible for CICC professional conduct, trust account handling, retainer requirements, and informed consent from end-clients.

06

Processor obligations

Processor will: process Personal Data only on Controller's documented instructions; impose confidentiality obligations on personnel; implement technical and organizational measures (see Annex 2); assist Controller with data subject requests; notify Controller of personal data breaches within 72 hours; delete or return Personal Data on termination.

Processor will not access Customer Data except as required to provide the Service or for support tickets.

07

International transfers

Primary processing occurs in AWS Canada Central (ca-central-1). Secondary processing (Stripe, transactional email) may occur in the US under SCCs Module Two equivalents. Annex 3 lists all transfers.

08

Subprocessors

Controller pre-authorizes the subprocessors listed at /legal/subprocessors. Processor will give 30 days' notice of new subprocessors. Controller may object; if Processor cannot accommodate the objection, Controller may terminate the affected portion of the Service.

09

Data subject rights assistance

Processor will assist Controller in fulfilling data subject requests (access, correction, deletion, portability, restriction). Tools for export are built into the Service.

10

Breach notification

Processor will notify Controller of any personal data breach affecting Customer Data within 72 hours of becoming aware, with details of nature, categories, approximate number of records, and mitigation steps.

11

Audit rights

Controller may audit Processor's compliance with this DPA once per calendar year on reasonable notice. Processor will provide written security documentation including SOC 2 / ISO 27001 reports when available.

12

Return / deletion

On termination, Processor will, at Controller's option, return Personal Data in a structured format or delete it (subject to legal retention). Backup deletion follows standard retention schedules and takes no longer than 90 days from termination.

13

Annex 1, Processing description

Categories of data: account credentials, profile data, client identifiers and contact info, immigration history, family info, education, employment, financial data, medical and police certificate documents (uploaded files), case communications, payment records.

14

Annex 2, Technical and organizational measures

AES-256 encryption at rest (AWS S3 SSE), TLS 1.3 in transit, bcrypt password hashing, JWT with refresh-token rotation, role-based access control, per-firm data isolation, append-only audit log on every entity, Stripe-managed PCI scope, AWS Canada-Central hosting. Detail: /security.

15

Annex 3, Subprocessors

Maintained at /legal/subprocessors with: name, service, data accessed, region, contract date.
