Data Processing Agreement

Between RateGuard Pro Inc. ("Processor") and the subscribing brokerage ("Controller")

Effective May 3, 2026 · Version 1.1

1. Definitions

"Personal Information" means information about an identifiable individual as defined under PIPEDA, including client names, contact details, mortgage balances, rates, terms, maturity dates, lender names, and property types.

"Controller" means the mortgage brokerage that uploads, manages, and owns the client data processed through RateGuard Pro.

"Processor" means RateGuard Pro Inc., which processes Personal Information on behalf of the Controller.

"Sub-processor" means a third-party service engaged by the Processor to assist in processing Personal Information.

2. Scope and Purpose of Processing

The Processor processes Personal Information solely to provide the following services to the Controller:

  1. Mortgage portfolio analysis, opportunity identification, and client prioritization
  2. Automated email communications sent on behalf of the Controller to the Controller's clients
  3. PDF report generation (renewal, refinance, economics) delivered to the Controller and their clients
  4. CRM data synchronization from the Controller's connected CRM (Finmo, Velocity, or CSV upload)
  5. Rate monitoring and penalty calculation services

The Processor does not process Personal Information for any purpose other than providing the subscribed services.

3. Categories of Personal Information

Category          Examples                                                                       Source
Identity          Client full name, co-borrower name                                             CRM sync or CSV upload
Contact           Email address, phone number, mailing address                                   CRM sync or CSV upload
Mortgage details  Balance, rate, term, amortization, maturity date, lender, property type, LTV  CRM sync or CSV upload
Interaction data  Email open/click events, portal actions taken by the Controller                Platform-generated

Excluded data: The Processor does not collect or store social insurance numbers (SINs), banking credentials, credit scores, income verification documents, or government-issued identification.

4. Controller Obligations

The Controller is responsible for:

  1. Ensuring they have lawful authority to share client Personal Information with the Processor, including obtaining any required consent under applicable privacy legislation.
  2. Accuracy of the data uploaded to the platform.
  3. Complying with CASL requirements for commercial electronic messages sent through the platform, including maintaining consent records for their client communications.
  4. Notifying the Processor promptly if a client exercises their right to access, correct, or delete their Personal Information.

5. Processor Obligations

The Processor commits to:

  1. Purpose limitation: Processing Personal Information only for the purposes described in Section 2 and only on documented instructions from the Controller.
  2. Confidentiality: Ensuring that the platform administrator with access to Personal Information is bound by confidentiality obligations.
  3. Security: Implementing and maintaining the technical and organizational measures described at rateguardpro.ca/security, including encrypted managed infrastructure, HTTPS, tenant-scoped access controls, brute force protection, and administrative API action allowlists.
  4. No cross-tenant access: The Processor will not aggregate, combine, or cross-reference one Controller's data with another Controller's data for any purpose.
  5. No monetization: The Processor will not sell, license, rent, or share Personal Information with third parties for marketing, advertising, or analytics purposes.
  6. Sub-processor transparency: Maintaining a current sub-processor register at rateguardpro.ca/subprocessors and notifying the Controller of material changes.
  7. Assistance with rights requests: Assisting the Controller in responding to data subject access, correction, or deletion requests within 10 business days.

6. Data Residency

The primary database is hosted in AWS ca-central-1 (Montreal, Canada) via Supabase. Client mortgage data is stored and processed in Canada. Application hosting on Vercel's edge network may serve cached application assets from global CDN nodes, but mortgage client data is fetched from the Canadian region at runtime and is not cached at edge locations.

7. Sub-processors

The following sub-processors are engaged to deliver the service. Each has been evaluated for security posture and has a Data Processing Agreement or equivalent contractual commitment in place:

Sub-processor  Purpose                                 Certifications
Supabase       Database, authentication, file storage  SOC 2, DPA (March 2026)
Vercel         Application hosting, edge functions     SOC 2, Standard DPA
Stripe         Subscription billing                    PCI DSS Level 1, SOC 2, DPA
Resend         Email delivery                          SOC 2, DPA
OpenAI         AI assistant (opt-in only)              SOC 2, Zero retention API, DPA
Google Cloud   Vision OCR for rate sheet extraction    SOC 2, ISO 27001, DPA

A current public copy of this list is maintained at rateguardpro.ca/subprocessors. The Processor will notify the Controller at least 14 days in advance before engaging a new sub-processor that will handle Personal Information. The Controller may object by contacting the Processor in writing.

8. Breach Notification

In the event of a breach of security involving Personal Information under the Processor's control:

  1. The Processor will notify the affected Controller(s) without unreasonable delay, and in any case within 72 hours of becoming aware of the breach.
  2. The notification will include: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.
  3. The Processor will cooperate with the Controller in meeting the Controller's obligations under PIPEDA s.10.1 (notification to the Privacy Commissioner) and any applicable provincial legislation.
  4. The Processor maintains a breach register as required by PIPEDA s.10.3, retained for a minimum of 24 months.

9. Data Retention and Deletion

  1. During subscription: Personal Information is retained for the duration of the Controller's active subscription and is available for export at any time.
  2. Post-cancellation: Personal Information is retained for a limited wind-down period after cancellation to allow for reactivation or final export. Deletion is targeted within 90 days, subject to legal retention, backup, security, and operational requirements.
  3. On request: The Controller may request immediate deletion at any time by contacting jeff@rateguardpro.ca. Deletion will be completed within 30 days and confirmed in writing.

10. Data Portability

The Controller may export their complete dataset at any time through the platform's built-in export functionality. Exports are provided in standard CSV format. The Processor will assist with bulk exports on request at no additional charge.

11. Audit Rights

The Controller (or their designated third-party auditor) may, upon 14 days' written notice, request evidence of the Processor's compliance with this Agreement. The Processor will provide:

  1. Confirmation of current security measures in place
  2. Sub-processor list with current DPA status
  3. Breach register excerpts relevant to the Controller (if any)
  4. Evidence of data deletion upon request

On-site audits are not applicable as the Processor does not maintain physical infrastructure. Infrastructure audit reports (SOC 2) from sub-processors are available upon request.

12. Term and Termination

This Agreement is effective from the date the Controller begins using RateGuard Pro and continues for the duration of the subscription. Upon termination, the data retention and deletion provisions in Section 9 apply. Sections 5 (Processor Obligations), 8 (Breach Notification), and 9 (Data Retention) survive termination.

13. Governing Law

This Agreement is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, including PIPEDA. For Controllers operating in Quebec, the provisions of Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25) apply in addition to PIPEDA where they impose stricter requirements.

14. Contact

RateGuard Pro - Privacy Officer
Jeff Mudrick
jeff@rateguardpro.ca
Contact the Privacy Officer for questions about this Agreement, for data access requests, or to report a security concern.