This Data Processing Agreement (“DPA”) governs the processing of Personal Information by ASC Creative Ltd. (the “Processor”) on behalf of the Subscriber (the “Controller”) in connection with the MeetingGenius Service. It is incorporated into and forms part of the Subscription Agreement and End User License Agreement. In the event of conflict, the DPA prevails on matters of data processing and privacy.

1.  DEFINITIONS

In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the EULA.

“Controller” means the Subscriber organization that determines the purposes and means of processing Personal Information uploaded to or generated through the Service, including Personal Information of residents, owners, and Authorized Users.

“Processor” means ASC Creative Ltd., which processes Personal Information on behalf of the Controller in accordance with the Controller’s instructions and this DPA.

“Personal Information” has the meaning given in PIPEDA and, where applicable to BC Subscribers, BC PIPA, and includes all information about an identifiable individual that the Controller provides to or generates through the Service.

“Processing” means any operation performed on Personal Information, including collection, storage, use, disclosure, retention, deletion, or transmission.

“Security Incident” means any unauthorized access to, acquisition, disclosure, or loss of Personal Information that could reasonably be expected to result in a risk of significant harm to an individual.

“Sub-Processor” means any third party engaged by the Processor to process Personal Information in connection with the Service on the Processor’s behalf.

“Applicable Privacy Law” means PIPEDA, BC PIPA (where applicable), and any other Canadian federal or provincial privacy legislation applicable to the Processor’s processing of Personal Information in connection with the Service.

 

2.  ROLES AND RELATIONSHIP

2.1  The parties acknowledge that, with respect to Personal Information of residents, owners, board members, and Authorized Users processed through the Service:

(a) the Controller is the “organization” within the meaning of PIPEDA and BC PIPA that has collected or will collect such Personal Information in connection with its property management or governance activities;

(b) the Processor acts as a service provider processing Personal Information solely on behalf of and under the instructions of the Controller; and

(c) the Processor is not an “organization” that independently determines the purposes and means of processing the Controller’s Personal Information.

2.2  Each party is independently responsible for its own compliance with Applicable Privacy Law. The Controller is responsible for: the lawfulness of its collection of Personal Information; obtaining all required consents from residents, owners, and other data subjects; and ensuring that its instructions to the Processor comply with Applicable Privacy Law. The Processor is responsible for: processing Personal Information in accordance with this DPA and the Controller’s instructions; implementing appropriate security safeguards; and cooperating with the Controller in meeting its privacy obligations.

3.  PROCESSING INSTRUCTIONS

3.1  The Processor will process Personal Information only in accordance with the Controller’s documented instructions as set out in this DPA, the EULA, and the Subscription Agreement, and as otherwise directed by the Controller through the Service’s administrative settings.

3.2  The Controller’s primary instructions to the Processor are:

(a) store all Personal Information on servers located exclusively in Canada, as described in Section 5 below;

(b) process Personal Information using the Private LLM (default) or, where the Controller has explicitly enabled this feature, the Public LLM, in accordance with Section 4.4 of the EULA;

(c) provide Authorized Users designated by the Controller with access to Personal Information in accordance with their assigned roles within the Service;

(d) retain Personal Information for the periods specified in the Controller’s account settings and applicable law, and in no case for less than seven (7) years following termination of the relevant Building subscription;

(e) return Personal Information to the Controller upon request (via data export) and delete or anonymize Personal Information following the applicable retention period; and

(f) assist the Controller in responding to access, correction, and deletion requests from data subjects as described in Section 7.

3.3  If the Processor reasonably believes that any instruction from the Controller would breach Applicable Privacy Law, the Processor will promptly notify the Controller and may suspend processing of the affected Personal Information pending clarification. The Processor will not be liable for any failure to process Personal Information where such failure results from its compliance with this clause.

4.  PERMITTED PURPOSES

4.1  The Processor will process Personal Information only for the following purposes:

(a) providing the Service, including storage, display, and AI-assisted processing of meeting records, governance documents, and building administration data, in accordance with the Controller’s instructions;

(b) maintaining, supporting, and improving the technical infrastructure of the Service, including security monitoring, debugging, and performance analysis, using anonymized or aggregated data where possible;

(c) complying with applicable laws and responding to lawful requests from regulatory authorities; and

(d) fulfilling the Processor’s obligations under this DPA, the EULA, and the Subscription Agreement.

4.2  The Processor will not:

(a) process Personal Information for its own independent commercial purposes, including advertising, profiling, or marketing;

(b) sell, rent, or trade Personal Information to any third party;

(c) combine Personal Information of one Controller’s data subjects with Personal Information of another Controller’s data subjects, except as necessary to provide shared infrastructure (in which case data isolation controls prevent cross-Controller access); or

(d) process Personal Information outside the purposes described in Section 4.1 without the Controller’s prior written consent.

 

5.  DATA LOCATION AND TRANSFERS

5.1  Canadian Hosting. All Personal Information processed under this DPA is stored on servers located exclusively in Canada. The Processor will not transfer or replicate Personal Information to servers outside Canada except as described in Section 5.2.

5.2  Public LLM Processing. Where the Controller has explicitly enabled Public LLM processing through the Service’s administrative settings:

(a) Content — including meeting agenda text, governance documents, uploaded bylaws and rules, and building administration materials — may be transmitted to third-party AI providers (such as OpenAI or Google) located outside Canada for processing;

(b) Personal Information of individual residents and owners (including names, unit numbers, contact details, and email addresses) will NOT be transmitted to Public LLM providers; the Service is designed to exclude such information from Public LLM transmissions;

(c) the Controller acknowledges that, notwithstanding sub-clause (b), it remains responsible for ensuring that any Content it causes to be transmitted to Public LLM providers does not contain resident or owner Personal Information that the Controller does not have authority to transmit across borders; and

(d) the Controller’s enabling of Public LLM processing constitutes its instruction to the Processor to transmit Content as described in this Section, and its acceptance of responsibility for the cross-border transfer implications of that instruction.

5.3  Third-Party Hosting Infrastructure. The Processor uses Canadian cloud infrastructure providers to host the Service. These providers act as Sub-Processors under Section 6. All infrastructure Sub-Processors used by the Processor maintain servers in Canada and are contractually bound to process Personal Information in accordance with the Processor’s security and privacy standards.

ONTARIO SUBSCRIBERS — ADDITIONAL PROVISIONS:

5.3A  Ontario Subscribers: The Processor acknowledges that PIPEDA applies to the cross-border transfer of Personal Information in the course of commercial activities. By storing Controller Personal Information in Canada, the Processor provides a level of protection that is consistent with PIPEDA’s requirements. Ontario Subscribers should note that transfers of Personal Information to Public LLM providers outside Canada, where enabled by the Controller, are subject to PIPEDA’s accountability principle: the Controller remains responsible for ensuring that such transfers comply with PIPEDA notwithstanding that processing is performed outside Canada.

 

6.  SUB-PROCESSORS

6.1  The Controller authorizes the Processor to engage Sub-Processors to assist in providing the Service, subject to the conditions in this Section.

6.2  The Processor currently uses the following categories of Sub-Processors:

  • Cloud infrastructure providers (Canadian servers): for hosting, storage, and compute
  • Payment processor: for processing subscription payments — Stripe does not process Personal Information of residents or owners
  • Email delivery provider (SendGrid / Twilio): for transactional email delivery
  • AI inference infrastructure: for Private LLM processing within the Processor’s Canadian infrastructure
  • Public LLM providers (OpenAI, Google): where the Controller has enabled this feature, as described in Section 5.2

6.3  A current list of Sub-Processors, including the identity and location of each, is maintained at meetinggenius.ca/sub-processors and updated within thirty (30) days of any material change.

6.4  The Processor will:

(a) impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA;

(b) remain liable to the Controller for the acts and omissions of each Sub-Processor to the same extent as if the Processor had performed the processing directly; and

(c) notify the Controller at least thirty (30) days before engaging a new Sub-Processor that will process Personal Information, to allow the Controller reasonable opportunity to object.

6.5  The Controller may object to a new Sub-Processor by providing written notice to the Processor within fifteen (15) days of receiving notification. If the Controller objects and the Processor cannot accommodate the objection without materially altering the Service, either party may terminate the affected Building subscription on thirty (30) days’ written notice with a pro-rated refund of prepaid fees.

 

7.  DATA SUBJECT RIGHTS

7.1  The Controller is primarily responsible for responding to requests from data subjects (residents, owners, Authorized Users) to access, correct, delete, or port their Personal Information.

7.2  The Processor will assist the Controller in fulfilling data subject requests by:

(a) providing the Controller with access to the relevant Personal Information through the Service’s administrative interface or, where not available through the interface, by providing a data export upon written request;

(b) implementing corrections to Personal Information upon the Controller’s written instruction where the data cannot be corrected directly through the Service interface;

(c) deleting or anonymizing specific Personal Information upon the Controller’s written instruction, subject to any retention obligations under applicable law; and

(d) responding to the Processor’s own obligations to data subjects, such as providing this DPA upon request to establish the basis of processing.

7.3  The Processor will forward to the Controller, without delay, any access, correction, or deletion request received directly from a data subject (resident or owner) in relation to the Controller’s buildings, so that the Controller can fulfill its obligations to that data subject.

8.  SECURITY

8.1  The Processor will implement and maintain technical and organizational measures appropriate to the risk presented by the processing, to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. These measures include, as a minimum:

  • Encryption of all Personal Information in transit using TLS 1.2 or higher
  • Encryption of all Personal Information at rest using AES-256 or equivalent
  • Role-based access controls ensuring that the Processor’s personnel access Personal Information only on a need-to-know basis
  • Multi-factor authentication for all Processor personnel with access to production systems
  • Regular vulnerability assessments and security monitoring
  • Documented incident response procedures enabling the Processor to detect, report, and investigate Security Incidents
  • Physical and logical controls on access to servers and data centers operated or used by the Processor

 

8.2  The Processor will ensure that its personnel authorized to process Personal Information under this DPA are bound by appropriate confidentiality obligations.

8.3  The Processor will review and update its security measures as necessary to address evolving threats and vulnerabilities, and will take into account the nature, scope, context, and purposes of processing and the risk to individuals.

9.  SECURITY INCIDENT NOTIFICATION

9.1  In the event that the Processor discovers or is notified of a Security Incident affecting Personal Information processed under this DPA, the Processor will:

(a) notify the Controller in writing within seventy-two (72) hours of the Processor discovering the Security Incident, where feasible;

(b) provide the Controller with the following information as soon as it becomes available: the nature of the Security Incident; the categories and approximate number of individuals affected; the categories and approximate number of Personal Information records affected; the likely consequences of the Security Incident; and the measures taken or proposed to address the incident and mitigate its effects;

(c) take commercially reasonable steps to investigate, contain, and remediate the Security Incident promptly; and

(d) cooperate with the Controller and, where required by law, with the Office of the Information and Privacy Commissioner for British Columbia, the Office of the Privacy Commissioner of Canada, or other applicable regulatory authorities.

9.2  The Controller is responsible for determining whether the Security Incident triggers mandatory breach notification obligations under PIPEDA, BC PIPA, or other applicable law, and for fulfilling those obligations. The Processor’s notification to the Controller under this Section does not constitute an admission of liability or fault.

 

ONTARIO SUBSCRIBERS — ADDITIONAL PROVISIONS:

9.2A  Ontario Subscribers: Under PIPEDA’s mandatory breach notification provisions, the Controller must notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible if a Security Incident poses a real risk of significant harm. The Processor’s 72-hour notification commitment is designed to give the Controller sufficient time to assess its obligations and take the required steps. The Controller should maintain an internal breach response plan that is triggered upon receiving notification from the Processor.

 

10.  AUDIT AND COMPLIANCE ASSISTANCE

10.1  The Processor will maintain complete and accurate records of all processing activities carried out on behalf of the Controller under this DPA, including the categories of processing, Sub-Processors engaged, and security measures in place.

10.2  Upon the Controller’s written request (no more than once per calendar year, except where a Security Incident has occurred), the Processor will:

(a) provide the Controller with a written summary of the Processor’s security practices, Sub-Processor list, and data retention procedures;

(b) respond to reasonable written questionnaires from the Controller regarding the Processor’s compliance with this DPA; and

(c) make available any third-party security certifications or audit reports obtained by the Processor (such as SOC 2 reports, where available) subject to reasonable confidentiality obligations.

10.3  In the event that a regulatory authority requires an audit or inspection of the Processor’s processing activities in connection with the Controller’s Personal Information, the Processor will cooperate with such audit and provide the Controller with copies of any relevant regulatory correspondence.

11.  DATA RETENTION AND DELETION

11.1  The Processor will retain Personal Information processed under this DPA for the periods specified in the Controller’s account settings and as required by applicable law, subject to the minimum retention commitments in the EULA (seven (7) years following termination of the relevant Building subscription).

11.2  Upon expiry of the applicable retention period, the Processor will securely delete or anonymize all Personal Information processed under this DPA, unless the Processor is required by applicable law to retain specific records for a longer period.

11.3  Upon the Controller’s written request (submitted at any time during the retention period), the Processor will provide a complete export of the Controller’s Personal Information in a machine-readable format (CSV or JSON) within fifteen (15) business days. After delivery of the export, the Controller may request deletion of its data ahead of the applicable retention period, subject to any legal retention requirements. The Processor will confirm in writing when deletion has been completed.

 

12.  LIABILITY

12.1  Each party’s liability under this DPA is subject to the limitation of liability provisions in Section 10 of the EULA. The DPA does not expand or modify the liability caps in the EULA.

12.2  If the Processor is found liable to a data subject or a regulatory authority for a breach of this DPA or Applicable Privacy Law that was caused or contributed to by the Controller’s instructions or the Controller’s own breach of its obligations, the Controller will indemnify the Processor for the portion of any penalty, loss, or cost attributable to the Controller’s fault, in accordance with Section 11 of the EULA.

12.3  If the Controller is found liable to a data subject or a regulatory authority for a breach of Applicable Privacy Law that was caused by the Processor’s failure to comply with this DPA, the Processor will indemnify the Controller for the portion of any penalty, loss, or cost directly attributable to the Processor’s breach, subject to the liability caps in Section 10 of the EULA.

 

13.  TERM AND TERMINATION

13.1  This DPA commences on the Effective Date and continues for as long as the Processor processes Personal Information on behalf of the Controller under the Subscription Agreement, including during any post-termination data retention period.

13.2  Termination of the Subscription Agreement or EULA automatically terminates this DPA with respect to active processing, but the Processor’s data retention, deletion, and security obligations under this DPA survive until all Personal Information has been deleted or anonymized in accordance with Section 11.

 

14.  GOVERNING LAW

This DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein, including PIPEDA and BC PIPA. Ontario Subscribers are governed by PIPEDA directly, as set out in Schedule A to the EULA and Section 5.3A of this DPA.

 

15.  ACCEPTANCE

This DPA is incorporated into and accepted as part of the Subscription Agreement and EULA. By accepting the Subscription Agreement and EULA, the Subscriber accepts this DPA. No separate signature is required for the DPA to be binding.

 

Where a Subscriber requires a separately executed DPA (for example, for enterprise procurement or regulatory compliance purposes), a wet-ink or electronic signature version of this document may be requested by contacting legal@asccreative.com. The terms of any separately executed DPA will be identical to those published at meetinggenius.ca/dpa unless otherwise agreed in writing.

 

ASC CREATIVE LTD. (PROCESSOR)

British Columbia, Canada

legal@asccreative.com  |  privacy@asccreative.com

meetinggenius.ca/dpa

 

CONTROLLER — For wet-ink / offline execution only (electronic acceptance through the Service is standard)

Full Legal Name of Controller Organization: ________________________________

Province (BC / Ontario): ________________________________

Name of Authorized Signatory: ________________________________

Title: ________________________________

Date: ________________________________