Data Processing Agreement

The User organization ("Controller"), whether acting as a Provider (trades firm, referred to as "Supplier" on the Platform) or as a Seeker (construction contractor, referred to as "Client" on the Platform), is the Controller with respect to the Personal Information of its own personnel, workers, business contacts, and any other Data Subjects whose Personal Information the Controller introduces to or stores on the Platform.

As Controller, the User organization independently determines the purposes for which, and the means by which, Personal Information is processed. The Controller's decisions include, without limitation: which workers to onboard onto the Platform; which jobs to post or accept; which individuals are assigned to specific engagements; and what communications are sent using the Platform's messaging features.

The Controller is independently and solely responsible for: (a) ensuring it has an appropriate legal basis for processing under applicable law before submitting any Personal Information to the Platform; (b) providing required privacy notices to Data Subjects in accordance with PIPEDA and Quebec Law 25; (c) responding to Data Subject rights requests in accordance with applicable law; (d) complying with all applicable privacy obligations in its role as Controller; and (e) ensuring the accuracy, completeness, and currency of the Personal Information it submits to the Platform.

The Controller acknowledges that Crewd, in its role as Processor, does not verify the lawfulness of the Controller's instructions and relies entirely on the Controller's representations and warranties regarding its legal authority to process the Personal Information it submits to the Platform.

Crewd Inc. acts as the Processor, processing Personal Information solely on behalf of, under the authority of, and pursuant to the documented instructions of the Controller. Crewd's role as a Passive Computing Service means that Crewd provides the technical infrastructure, algorithms, and operational support required to fulfill the Controller's instructions, but does not exercise independent judgment over the ultimate purpose of the processing.

As Processor, Crewd shall: (a) process Personal Information only on documented instructions from the Controller, including for cross-border data transfers, unless required to do so by applicable law; (b) ensure that personnel authorized to process Personal Information are bound by confidentiality obligations; (c) implement appropriate technical and organizational security measures as described in Section 5 of this DPA; (d) respect the conditions for engaging Sub-processors as set forth in Section 7 of this DPA; (e) assist the Controller in ensuring compliance with Data Subject rights obligations; (f) assist the Controller in ensuring compliance with security, breach notification, privacy impact assessment, and prior consultation obligations; (g) delete or return all Personal Information to the Controller at the end of the provision of services; and (h) make available to the Controller all information necessary to demonstrate compliance with this DPA.

Where Crewd processes Personal Information for its own purposes beyond those strictly necessary to provide the Platform services (such as for fraud prevention, anti-circumvention monitoring, aggregated analytics, or legal compliance), Crewd acts as an independent Controller for such processing, and such processing is governed by Crewd's Privacy Policy rather than this DPA.

In limited and specific circumstances, Crewd and the Controller may be considered joint controllers with respect to certain processing activities. Such circumstances include, without limitation: (a) fraud prevention and anti-circumvention monitoring, where both parties share an interest in detecting and preventing off-platform hiring in breach of the Non-Circumvention provisions of the Master Terms of Service; (b) regulatory reporting obligations, where both parties are independently required to retain and disclose the same Personal Information to the same authority (e.g., CRA, Revenu Québec, CNESST, WSIB); and (c) dispute resolution proceedings initiated by or against either party, where both parties require access to and retention of the same Personal Information.

In joint controller scenarios, both Crewd and the Controller are independently responsible for complying with applicable privacy law with respect to their own processing activities. The parties agree to cooperate in good faith to establish and document, by separate written arrangement if necessary, the respective responsibilities of each party for compliance with applicable privacy obligations in joint controller scenarios, including in particular obligations regarding the provision of privacy notices to Data Subjects.

Regardless of any joint controller arrangement, Data Subjects may exercise their rights against either party. Each party agrees to promptly refer to the other any Data Subject requests that relate to the other party's processing activities.

In the event that Crewd becomes aware of a Personal Information Breach involving Personal Information processed under this DPA, Crewd shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of the Breach. Where notification cannot be provided within 72 hours, Crewd shall provide the information available at the time of initial notification and supplement the notification with additional information as it becomes available.

Notification to the Controller will be provided by email to the primary account email address on file, with the email subject line clearly indicating a data breach notification. Controllers are responsible for ensuring that their primary account email address is current and monitored. Crewd additionally maintains a DPA contact at privacy@crewd.ai for escalations and follow-up inquiries.

Following notification of the Controller, the respective regulatory notification obligations are as follows: (a) under Quebec Law 25, Article 3.5, where a breach presents a "real risk of serious injury" to affected Data Subjects, Crewd (or the Controller, depending on the role in the breach) is required to notify the Commission d'accès à l'information (CAI) and affected individuals; (b) under PIPEDA, where a breach presents a "real risk of significant harm" to affected individuals, the responsible organization is required to notify the Office of the Privacy Commissioner of Canada (OPC) as soon as feasible and to notify affected individuals directly; (c) the parties shall cooperate in good faith to determine who bears the primary notification obligation in each scenario based on their respective roles and the circumstances of the breach.

Where Crewd determines that a Breach requires notification of the CAI or OPC under applicable law and the Controller is the primary notifying party, Crewd will provide the Controller with all information in its possession that is relevant to the notification obligations. Where Crewd is the primary notifying party under applicable law, Crewd will notify regulators and inform the Controller simultaneously.

Crewd shall provide the Controller with at least thirty (30) days' prior written notice of any intended changes to the list of authorized Sub-processors, including additions of new Sub-processors and replacements of existing Sub-processors. Notice shall be provided by email to the Controller's primary account email address and shall include: (a) the name and jurisdiction of the proposed new or replacement Sub-processor; (b) a description of the processing activities to be delegated to the Sub-processor; (c) the categories of Personal Information to be processed; and (d) the data protection safeguards in place or to be implemented.

The Controller may object to a proposed Sub-processor change by providing written notice of objection to privacy@crewd.ai within fifteen (15) days of receipt of the change notice. The objection notice must specify the legitimate data protection grounds on which the Controller objects. Crewd shall not engage the proposed Sub-processor until the Controller's objection has been resolved.

Upon receipt of a written objection, the parties shall engage in good-faith discussion for a period of up to fifteen (15) additional days to attempt to resolve the objection. If the objection cannot be resolved to the Controller's reasonable satisfaction within such period, the Controller may, as its sole remedy, terminate the specific Platform services that rely on the contested Sub-processor upon written notice. General objections without specified data protection grounds, or objections to Sub-processors that have been authorized by the Controller under a prior version of this DPA without objection, shall not constitute valid grounds for termination.

Silence following the receipt of a change notice (i.e., failure to object within the 15-day objection period) shall constitute the Controller's deemed consent to the proposed Sub-processor change.

The Controller acknowledges that the Services require Crewd to transfer Personal Information to and process Personal Information in the United States of America, where Crewd's primary Sub-processors (Clerk, Convex, Stripe, Vercel, Twilio, and Google) operate their core infrastructure. The parties recognize that the United States does not benefit from an adequacy determination issued by the Privacy Commissioner of Canada or the Commission d'accès à l'information du Québec as of the effective date of this DPA.

To provide an appropriate level of protection for Personal Information transferred to the United States and other jurisdictions without adequacy determinations, Crewd relies on the following transfer mechanisms: (a) Standard Contractual Clauses (SCCs): the 2021 EU Standard Contractual Clauses (as issued by the European Commission on June 4, 2021) are incorporated by reference into the data processing agreements with each applicable Sub-processor, adapted as necessary to reflect the requirements of Canadian law (PIPEDA and Quebec Law 25) as the law of the exporting jurisdiction; (b) Contractual safeguards: data processing agreements with all Sub-processors include contractual provisions addressing the specific requirements of Quebec Law 25 regarding cross-border transfers, including obligations of equivalent protection; (c) Binding Corporate Rules (BCRs): for Stripe, transfers are additionally governed by Stripe's BCRs approved by applicable supervisory authorities.

Transfer Impact Assessments (TIAs) have been conducted by Crewd for each US-based Sub-processor. The TIAs evaluated: (a) the legal framework applicable in the destination country with respect to government access to Personal Information; (b) the practical effectiveness of the transfer mechanism in light of the legal framework; and (c) the supplementary technical and organizational measures implemented to address identified risks. The TIA findings and the supplementary measures implemented are described in Section 8.2 of this DPA. TIA documentation is available for review by the Controller upon written request under appropriate confidentiality obligations.

The Controller has the right to conduct audits of Crewd's data processing activities under this DPA, including physical or virtual inspections of relevant facilities, systems, and records, to verify Crewd's compliance with the obligations set forth in this DPA and with applicable data protection law. This right of audit is a fundamental component of the Controller's accountability obligations under PIPEDA and Quebec Law 25.

Audits may be conducted by: (a) the Controller's own personnel with appropriate data protection expertise; or (b) an independent third-party auditor appointed by the Controller and acceptable to Crewd (acting reasonably), provided that such auditor is bound by written confidentiality obligations at least as stringent as those set forth in this DPA prior to being granted access to Crewd's systems or information.

Crewd shall cooperate with audits by: (a) providing the Controller's auditors with reasonable access to relevant documentation, policies, procedures, records, and certifications; (b) making relevant Crewd personnel available for reasonable interview; (c) providing access to relevant technical systems and infrastructure to the extent technically feasible and consistent with Crewd's security obligations to other customers; and (d) providing written responses to reasonable audit questionnaires within a mutually agreed timeframe.

Under normal circumstances, the Controller may conduct one (1) formal audit per calendar year. The Controller shall provide Crewd with at least thirty (30) days' prior written notice of its intention to conduct an audit, specifying the scope, timing, and proposed audit methodology. The parties shall cooperate in good faith to schedule the audit at a mutually convenient time and in a manner that minimizes disruption to Crewd's operations and to the operations of other Crewd customers.

The Controller may conduct additional audits (beyond the one annual audit permitted under normal circumstances) in the following circumstances: (a) following a confirmed Personal Information Breach affecting the Controller's data, where the audit is reasonably limited in scope to the circumstances of the Breach; or (b) where the Controller has a reasonable and documented basis (not mere speculation) to suspect material non-compliance by Crewd with the obligations of this DPA. In such cases, Crewd shall respond to the audit request in good faith and propose a timeline that balances the Controller's legitimate audit needs with Crewd's operational requirements.

The Controller acknowledges that Crewd may, in lieu of granting access to its own systems and records, provide the Controller with copies of relevant certifications, attestations, and audit reports from independent third-party security auditors (such as SOC 2 Type II reports), where such reports cover the scope of the requested audit. The Controller may review such reports to satisfy its audit obligations, subject to applicable confidentiality obligations.

Upon expiry or termination of the Master Terms of Service for any reason, and upon written request by the Controller submitted to privacy@crewd.ai within sixty (60) calendar days of the termination date, Crewd shall, at the Controller's election: (a) return all Personal Information processed under this DPA in a structured, commonly used, and machine-readable format (JSON), delivered to the Controller via a secure download link or encrypted transfer; or (b) securely and permanently delete or destroy all Personal Information processed under this DPA, including all copies held by Crewd on its own systems and, to the extent technically feasible, by its Sub-processors (subject to the Sub-processors' own legal retention obligations).

If the Controller does not submit a written election within sixty (60) calendar days of the termination date, Crewd shall proceed with secure deletion of the Controller's Personal Information.

Deletion or return shall be completed within ninety (90) calendar days of the Controller's election or, if no election is made, within ninety (90) calendar days of the end of the sixty-day election period. Crewd shall use commercially reasonable efforts to cause its Sub-processors to delete or return Personal Information within the same timeframe, subject to the Sub-processors' own contractual and legal obligations.

Notwithstanding the above deletion obligations, Crewd is authorized to retain Personal Information to the extent and for the duration required by applicable law, including: (a) financial and tax records, which must be retained for the fiscal year in which they arose plus seven (7) years, as required by the Income Tax Act (Canada) and the Tax Administration Act (Quebec); (b) construction project records, which must be retained for a minimum of seven (7) years to align with applicable limitation periods for construction defect claims and regulatory audit requirements; (c) records required for the defence of pending or reasonably anticipated legal claims, for the duration of the limitation period applicable to such claims; and (d) records required for compliance with any regulatory order, government investigation, or legal process served on Crewd. Personal Information retained solely pursuant to this paragraph shall be segregated from active processing systems, marked as archived, and accessed only for the specific permitted purposes.

Crewd shall not use Personal Information retained pursuant to the mandatory retention exceptions in paragraph (p4) above for any purpose other than the specific legal compliance purpose for which it is retained. Such retained information shall remain subject to the security obligations of this DPA.

Crewd shall be liable to the Controller for any material damage, loss, or harm (including administrative fines, regulatory penalties, and reasonable legal costs) caused to the Controller as a direct result of Crewd's breach of its obligations under this DPA or under applicable data protection law, to the extent of Crewd's direct fault. Crewd's liability under this Section 12 is in addition to, and not in substitution for, any liability that Crewd may have under the Master Terms of Service.

For the avoidance of doubt, Crewd shall not be liable for damage arising from: (a) the Controller's breach of its own obligations under this DPA or applicable privacy law; (b) processing carried out by the Controller or by any third party not engaged by Crewd; (c) processing carried out by Crewd in compliance with a documented instruction from the Controller that is subsequently determined to be unlawful, provided Crewd notified the Controller of the potential unlawfulness of the instruction prior to processing; (d) unavoidable security incidents arising from circumstances beyond Crewd's reasonable control, including zero-day exploits for which no patch was available at the time of the incident, provided Crewd applied commercially reasonable security practices; or (e) indirect, consequential, speculative, or punitive damages.

The allocation of liability between joint controllers (as described in Section 2.3 of this DPA) shall be determined in accordance with applicable law. Where a supervisory authority, court, or tribunal determines the respective liability of the parties in a joint controller scenario, that determination shall be binding on the parties.

Crewd's aggregate total liability to the Controller under or in connection with this DPA (whether arising in contract, tort, statutory duty, or otherwise) shall not exceed, in any twelve-month rolling period, an amount equal to the aggregate fees paid by the Controller to Crewd in the twelve (12) calendar months immediately preceding the date on which the claim first arose. This liability cap is consistent with, and subject to, the general limitation of liability provisions set forth in the Master Terms of Service.

The liability cap in paragraph (p1) shall not apply to: (a) liability for Crewd's fraud or willful misconduct; (b) liability for death or personal injury caused by Crewd's negligence; or (c) any other liability that cannot be excluded or limited under applicable law. Nothing in this DPA shall be construed as an attempt to exclude or limit Crewd's liability in circumstances where such exclusion or limitation is prohibited by mandatory provisions of applicable law.