Data Processing Agreement (DPA)

Effective Date: July 1, 2025
Between:
Client ("Controller") – A user of Get Allan’s services
And
Aplo CFO Inc., operating as Get Allan ("Processor"), a corporation incorporated in Ontario, Canada.
‍Jurisdiction: Ontario, Canada

1. Purpose

This Data Processing Agreement (“DPA”) is entered into between:
The Client ("Controller") – a user of Get Allan’s services,
and
Aplo CFO Inc., operating as Get Allan ("Processor"), a corporation incorporated in Ontario, Canada.

This DPA describes how Aplo CFO Inc., operating as Get Allan (“Get Allan”, “we”, “our”, or “us”) processes Personal Data on behalf of the Client in connection with the services provided under the Terms of Use or any other signed agreement (collectively, the “Agreement”).

This DPA forms part of the legally binding agreement between the parties.

2. Definitions

• “Personal Data”: Any information relating to an identifiable natural person, as defined under applicable data protection laws.
  
  
• “Processing”: Any operation performed on Personal Data, including collection, storage, use, or disclosure.
  
  
• “Data Subject”: An individual whose personal data is processed.
  
  
• “Subprocessor”: Any third party engaged by the Processor to process Personal Data on its behalf.
  
  
• “Applicable Data Protection Laws”: Refers to all laws and regulations governing the protection of Personal Data, including PIPEDA, GDPR (if applicable), and any other local privacy regulations.
  
  

3. Roles and Responsibilities

• The Controller determines the purposes and means of processing Personal Data.
  
  
• The Processor shall process Personal Data only on the documented instructions of the Controller and only to the extent necessary to deliver services.
  
  

4. Nature of Processing

• Subject matter: Provision of forecasting, inventory planning, and financial modeling services.
  
  
• Duration: For the duration of the Agreement.
  
  
• Types of Personal Data: Customer names, email addresses, shipping/billing addresses, purchase history, and any other data accessed through integrations (e.g., Shopify).
  
  
• Categories of Data Subjects: End customers of the Controller, employees or contractors of the Controller, and any other users added to the Controller's account.
  
  

5. Processor Obligations

The Processor shall:

• Only process Personal Data as instructed by the Controller;
  
  
• Implement appropriate technical and organizational measures to protect data against unauthorized or unlawful processing, accidental loss, destruction, or damage;
  
  
• Ensure personnel authorized to process Personal Data are under confidentiality obligations;
  
  
• Assist the Controller, where feasible, in responding to data subject rights requests;
  
  
• Notify the Controller without undue delay upon becoming aware of a data breach;
  
  
• Maintain records of processing activities and make them available upon request;
  
  
• Provide reasonable assistance with data protection impact assessments (DPIAs) or audits, where required by law.
  
  

6. Subprocessing

The Controller authorizes the Processor to engage Subprocessors as needed to provide the services.
A current list of Subprocessors (including Aplo Group Ltd. for development and maintenance services) can be provided upon request.

The Processor will:

• Ensure any Subprocessor is contractually bound by data protection terms no less protective than this DPA;
  
  
• Remain liable for the actions of any Subprocessor.
  
  

7. Data Transfers

Where Personal Data is transferred across borders (e.g., to third countries), the Processor shall:

• Ensure such transfers comply with applicable data protection laws;
  
  
• Use appropriate safeguards such as standard contractual clauses or other mechanisms as permitted by law.
  
  

8. Security Measures

The Processor implements industry-standard technical and organizational measures, including but not limited to:

• Encrypted transmission (TLS/SSL)
  
  
• Secure API keys and access tokens
  
  
• Role-based access control
  
  
• Audit logging and monitoring
  
  
• Regular security assessments
  
  

Details of technical and organizational measures can be made available upon request.

9. Data Subject Requests

The Processor will:

• Promptly notify the Controller of any request received directly from a Data Subject (e.g., access, correction, deletion);
  
  
• Not respond to such requests without the Controller’s instructions unless required by law;
  
  
• Provide reasonable assistance to enable the Controller to respond to such requests.
  
  

10. Breach Notification

In the event of a Personal Data Breach, the Processor shall:

• Notify the Controller without undue delay after becoming aware;
  
  
• Provide information regarding the nature, impact, and mitigation efforts;
  
  
• Cooperate fully in any investigation or regulatory response.
  
  

11. Return or Deletion of Data

Upon termination of the Agreement:

• The Controller may request that all Personal Data be returned or securely deleted;
  
  
• The Processor shall, within a reasonable timeframe, delete or anonymize Personal Data unless retention is required by law.
  
  

12. Audit Rights

The Processor shall make available, upon written request, relevant documentation to demonstrate compliance with this DPA. The Controller may audit the Processor’s compliance with this DPA, provided:

• Reasonable notice is given;
  
  
• Audits are limited to once annually unless required due to a breach or investigation.
  
  

13. Limitation of Liability

Liability under this DPA is subject to the limitations set forth in the main Agreement, unless otherwise required by law.

14. Governing Law

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein. Disputes arising from or related to this DPA will be subject to the exclusive jurisdiction of the courts in Ontario.

15. Contact

Get Allan.
[Address]
Email: [Email]