Canadian Data Processing Agreement
This Canadian Data Processing Agreement (“DPA”) supplements the Master Services Agreement, Order Form(s), Schedules, and any applicable Service Attachments (collectively, the “Agreement”) between PaymentEvolution (“PaymentEvolution”, “we”, “us”, “our”) and the Client identified in the Order (“Client”, “you”, “your”).
This DPA applies when PaymentEvolution processes Personal Information on behalf of Client in connection with the Services. This DPA overrides the MSA but not the Beta Agreement for Pre-Release Materials.
1. Purpose and Scope
1.1 Role of PaymentEvolution.
For purposes of PIPEDA, substantially similar provincial privacy laws (including Alberta PIPA, BC PIPA, Quebec Law 25), and other Applicable Privacy Laws, PaymentEvolution acts as a:
Service Provider / Processor / Information Manager / Agent,
processing Personal Information solely on behalf of Client and in accordance with this DPA and the Agreement.
1.2 Scope.
This DPA governs PaymentEvolution’s processing of Personal Information in connection with:
payroll administration and calculations,
government remittances,
payments and disbursements,
HR, benefits, scheduling, and record-of-employment workflows,
identity verification,
security and fraud prevention,
API and platform integrations, and
any additional Services ordered by Client.
1.3 Interpretation.
If this DPA conflicts with any term of the Agreement, this DPA prevails to the extent necessary to comply with Applicable Privacy Law. For clarity, Quebec consumer protection obligations regarding contract cancellation and pricing notices do not apply to this DPA.
2. Key Definitions
Applicable Privacy Law means all Canadian federal and provincial privacy and data-protection laws, including PIPEDA, Quebec Law 25, Alberta PIPA, BC PIPA, health-sector statutes where applicable, and associated regulations and guidance.
Personal Information means any information relating to an identifiable individual that PaymentEvolution processes on behalf of Client, including payroll information, identity documents, addresses, compensation, tax details, banking information, employment records, and Personal Health Information where required for Services.
De-Identified Data means data that has been altered, aggregated, anonymized, or transformed so that it no longer identifies an individual and cannot reasonably be re-identified.
Records means any data, documents, logs, reports, or information stored or processed by PaymentEvolution on behalf of Client, excluding Excluded Information.
Permitted Purpose means processing Personal Information as necessary to deliver the Services, ensure platform functionality, maintain security, comply with law, improve system performance, and fulfill Client’s documented instructions.
Conflicting Foreign Order has the meaning provided in your original agreement.
3. Roles and Responsibilities
3.1 Client as Controller.
Client remains responsible for:
determining the lawful basis for processing;
obtaining all necessary consents;
providing required notices;
accuracy of Personal Information submitted to PaymentEvolution; and
complying with its own legal obligations as an employer or data custodian.
3.2 PaymentEvolution as Processor / Service Provider.
PaymentEvolution will process Personal Information:
only for Permitted Purposes;
consistent with Client’s documented instructions;
in compliance with Applicable Privacy Law;
using Personnel subject to confidentiality obligations.
4. Collection, Use, and Disclosure
4.1 Permitted Processing.
PaymentEvolution will collect, access, use, store, disclose, modify, or process Personal Information only as required to:
deliver the Services;
maintain, troubleshoot, and secure the platform;
detect and prevent fraud or unauthorized access;
comply with legal or regulatory obligations;
detect fraud;
comply with the RPAA and the PCMLTFA;
improve the system;
provide support, analytics, service optimization, and quality assurance;
develop and enhance PaymentEvolution’s Services, provided that such enhancements use De-Identified Data.
4.2 Automated Processes.
Client authorizes PaymentEvolution to use automated systems, workflows, rules engines, and API-based processes as needed to deliver the Services.
4.3 Prohibited Processing.
Except where legally required, PaymentEvolution will not:
sell Personal Information;
use Personal Information for marketing to data subjects;
use Personal Information except as permitted under this DPA.
5. Cross-Border Processing and Cloud Infrastructure
5.1 Cloud Hosting.
Client acknowledges and consents that PaymentEvolution may store or process Personal Information:
within Canada,
in the United States,
or in other jurisdictions with appropriate contractual, security, and privacy measures.
5.2 Client Obligations.
Client confirms that it has provided all required notices and obtained all required consents from data subjects for international processing.
5.3 Adequate Protections.
PaymentEvolution uses industry-leading security controls, contractual measures, encryption, and organizational safeguards to ensure any offshore processing complies with PIPEDA and other Applicable Privacy Laws.
6. Security Measures
6.1 Safeguards.
PaymentEvolution will implement and maintain administrative, technical, and physical safeguards appropriate to the sensitivity of Personal Information, including:
encryption in transit and at rest;
access controls, MFA, role-based permissions;
regular penetration testing and vulnerability scanning;
intrusion detection and monitoring;
data minimization and secure backup/restore processes;
secure software development lifecycle (SDLC).
6.2 Personnel Access.
PaymentEvolution limits access to Personnel with a legitimate operational need and ensures they are subject to confidentiality agreements and privacy training.
6.3 Third-Party Subprocessors.
PaymentEvolution may use vetted cloud service providers, payment processors, and infrastructure vendors, and will impose contractual obligations equivalent to this DPA. A list of subprocessors is available to Client on request.
7. Requests from Individuals and Authorities
7.1 Data Subject Requests.
If PaymentEvolution receives a request for access, correction, or deletion directly from an individual, PaymentEvolution will:
refer the requester to Client, and
notify Client promptly.
7.2 Client Cooperation.
PaymentEvolution will assist Client in responding to lawful requests within reasonable timelines.
7.3 Law Enforcement or Foreign Demands.
If PaymentEvolution receives a demand for disclosure (including a Conflicting Foreign Order):
PaymentEvolution will notify Client unless prohibited by law;
the parties will seek protections or review by a Canadian court;
PaymentEvolution will only disclose Personal Information when legally compelled under Canadian law.
8. Accuracy, Correction, and Retention
8.1 Accuracy.
PaymentEvolution will make reasonable efforts to maintain accurate Personal Information where it collects or updates such data on behalf of Client.
8.2 Retention.
PaymentEvolution retains Records as required to deliver the Services or comply with legal obligations (e.g., CRA, employment standards). Client may request destruction when legally permitted.
8.3 Secure Destruction.
Upon termination or written instruction, PaymentEvolution will securely delete or return Personal Information, unless retention is required by law.
9. Breach Notification
9.1 Notification.
PaymentEvolution will notify Client without undue delay of any incident involving:
unauthorized access,
disclosure,
loss,
modification, or
other breach
of Personal Information.
9.2 Cooperation.
PaymentEvolution will assist with:
investigation and remediation;
regulatory notifications;
incident reports; and
communications as required by Applicable Privacy Law.
10. De-Identified & Aggregated Data
10.1 PaymentEvolution Rights.
PaymentEvolution may create and use De-Identified Data for:
analytics,
machine learning models,
system improvement,
troubleshooting,
benchmarking,
research and development,
reporting,
enhancing accuracy and performance of the Services.
10.2 Ownership.
De-Identified Data is PaymentEvolution’s property and no longer subject to this DPA.
10.3 Non-Reidentification.
PaymentEvolution will not re-identify De-Identified Data unless required for security, fraud detection, or legal compliance.
11. Subcontractors
PaymentEvolution may use subcontractors and subprocessors to support the Services. PaymentEvolution ensures:
written contracts with privacy and security obligations;
appropriate oversight;
equivalent protections to those in this DPA.
PaymentEvolution remains responsible for subcontractor compliance.
12. Client Responsibilities
Client must:
obtain all required consents and notices;
provide accurate data;
follow privacy and employment laws;
configure access controls appropriately;
not misuse the Services in a way that violates privacy law.
PaymentEvolution is not responsible for Client’s incorrect configuration or unlawful data submissions.
13. Audit and Oversight
13.1 Regulator Assistance.
PaymentEvolution will reasonably cooperate with inquiries from Canadian privacy regulators relating to Services performed for Client.
13.2 Client Audit Rights.
Upon reasonable notice and subject to confidentiality and security requirements, PaymentEvolution will provide:
summaries of third-party audits (e.g., SOC 2),
security documentation,
privacy policies,
incident summaries.
14. Termination and Survival
14.1 Termination Rights.
A material breach of this DPA gives Client the right to terminate the underlying Agreement if uncured within 30 days, subject to the MSA.
14.2 Survival.
PaymentEvolution’s obligations continue until all Personal Information is returned or deleted, except where retention is legally required.
15. General Provisions
This DPA may be disclosed where required by privacy law.
If any provision conflicts with privacy law, the law prevails.
If any provision conflicts with the Agreement, this DPA controls.
This DPA does not limit PaymentEvolution’s rights to retain or use De-Identified Data.