Skip to main content

This is Duty Room for Canada. We have a version for your country.

United States
Canada United Kingdom United States
Continue →

Data Processing Agreement

Last updated on April 18, 2026.

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Controller") and Jon Simpson, trading as Duty Room (the "Processor"). It applies where Duty Room processes personal information on your behalf in the course of providing the Services.

Definitions

"PIPEDA" means the Personal Information Protection and Electronic Documents Act (Canada). Where applicable provincial privacy legislation applies (such as Alberta's PIPA or Quebec's Act respecting the protection of personal information in the private sector), references to PIPEDA include that legislation. "Personal Information" has the meaning given in PIPEDA.

Scope of Processing

We process Personal Information only as necessary to provide the Services. Specifically:

  • Subject matter: Provision of a compliance operations platform.
  • Duration: For as long as you have an active account, plus the post-cancellation retention period described in the Terms.
  • Nature and purpose: Storage, retrieval, organization, and display of operational records you create in the Services.
  • Types of Personal Information: Names, email addresses, job titles, and other contact information of your staff. Operational records may contain personal information at your discretion. You should not store sensitive personal information (such as health or criminal record data) in the Services.
  • Individuals: Your employees, contractors, and other individuals whose information you choose to store in the Services.

Processor Obligations

Duty Room will:

  1. Process Personal Information only on your documented instructions, unless required by law.
  2. Ensure that persons authorized to process Personal Information are subject to appropriate confidentiality obligations.
  3. Implement appropriate technical and organizational measures to protect Personal Information, including encryption in transit and at rest.
  4. Not engage another processor without first notifying you and giving you the opportunity to object, as described in the Sub-processors section below.
  5. Assist you, taking into account the nature of the processing, in responding to individuals exercising their rights under applicable privacy law.
  6. Assist you in meeting your obligations regarding security safeguards and breach notification under PIPEDA and applicable provincial legislation.
  7. At your choice, delete or return all Personal Information after the end of the provision of Services, and delete existing copies unless required by law to retain them. The timelines for deletion are set out in the Terms.
  8. Make available to you information necessary to demonstrate compliance with these obligations.

Breach Notification

If we become aware of a breach of security safeguards affecting your data, we will notify you without undue delay and in any event within 72 hours of becoming aware. The notification will include the nature of the breach, the categories and approximate number of records affected, and the measures taken or proposed to address it.

Sub-processors

The following sub-processors are engaged as of the date of this DPA:

Sub-processor Purpose Location
Amazon Web Services (AWS) Infrastructure and hosting Canada
Postmark (AC PM LLC) Transactional email delivery United States
Sentry (Functional Software, Inc.) Application error monitoring United States

Where sub-processors operate outside Canada, your Personal Information may be accessible to the authorities of those jurisdictions under their applicable laws.

We will notify you by email at least 30 days before adding or replacing a sub-processor. If you object, you may terminate your account in accordance with the Terms.

Contact

For questions about this DPA, contact us at privacy@dutyroom.com.