<!--
Traceability
- Draft title: Doc 3 — Data Processing Addendum
- Research document: design/legal/research/2026-legal-inventory-research.md (memo reconstructed by Opus 2026-04-22; see § for per-doc clause outline + counsel flags)
- Related source docs: MeetIndi_Master_Spec.md; MeetIndi_Voice.md; MeetIndi_Pricing.md; MeetIndi_Go_To_Market_And_Onboarding_v3.md; MeetIndi_Real_Estate.md
- Key legal citations from research memo: see memo § Doc N anchor + § "Selected external sources" for statute URLs
- Counsel flags touching this file: PRIV-02; PRIV-04; XFER-01; XFER-02; XFER-03; RISK-02
- Linked cross-reference documents: Docs 1, 2, 8
- Notes: Counsel-placeholder DPA drafted Canadian-style (no GDPR/SCC import). Memo § Doc 3 confirms clause order + counsel flags. Counsel review required before execution.
-->

DRAFT — FOR COUNSEL REVIEW

# MeetIndi Data Processing Addendum

This Data Processing Addendum (**DPA**) forms part of and is incorporated into the applicable agreement between **Indigloo Technologies Inc.** (**Indigloo**) and the customer identified in that agreement (**Customer**).

If there is a conflict between this DPA and the main services agreement on a data-processing issue, this DPA controls to the extent of the conflict.

## 1. Scope

1. This DPA applies where Indigloo processes Customer Data on behalf of the Customer in connection with the MeetIndi Services.
2. This DPA does not apply to processing activities where Indigloo acts as an independent organisation for its own business purposes outside the scope of Customer instructions, except to the extent expressly stated in the main agreement or required by law.
3. [COUNSEL REVIEW REQUIRED: confirm the exact scope and whether any Customer segments require a different DPA form or role allocation.]

## 2. Roles

1. The parties acknowledge that the Customer determines the business purposes for which MeetIndi is configured and used within the Customer’s operations.
2. On that basis, the draft assumption used in this DPA is that the Customer acts as the primary organisation responsible for Customer Data within its business context and that Indigloo processes Customer Data on the Customer’s behalf to provide the Services.
3. [COUNSEL REVIEW REQUIRED: confirm the final role-allocation language, including whether “controller / processor”, “organisation / service provider”, or another formulation should be used.]

## 3. Customer Instructions

1. Indigloo will process Customer Data only:
   a. to provide, secure, maintain, support, and improve the Services;
   b. on the Customer’s documented instructions as set out in the agreement, this DPA, the configuration chosen by the Customer, and the Customer’s use of the Services; and
   c. as otherwise required by applicable law.
2. The Customer instructs Indigloo to process Customer Data as reasonably necessary to operate the Services, including call handling, routing, transcription, summarisation, appointment support, integrations, billing support, analytics, security, and troubleshooting.
3. If applicable law requires Indigloo to process Customer Data beyond the Customer’s instructions, Indigloo will comply with that law and, where legally permitted, notify the Customer.
4. MeetIndi does not use Customer Data or caller data (“Caller Data”) to train any AI model.

## 4. Confidentiality

Indigloo will ensure that persons authorised to process Customer Data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.

## 5. Security Measures

1. Indigloo will implement and maintain reasonable technical and organisational safeguards designed to protect Customer Data against unauthorised access, use, disclosure, alteration, and destruction, taking into account the nature of the processing and the information involved.
2. The currently available product documentation indicates measures such as managed cloud hosting, role-based access, secret management, HTTPS and secure connectivity, webhook-signature validation, structured logging, and tenant-isolation controls.
3. The current draft security schedule is included in Schedule 2.
4. [COUNSEL REVIEW REQUIRED: confirm whether a more prescriptive security schedule, audit-standard commitment, encryption language, or breach-specific cap should be added.]

## 6. Sub-processors

1. The Customer authorises Indigloo to use sub-processors that are reasonably necessary to provide the Services.
2. Indigloo will maintain a list of relevant service providers or sub-processors used in connection with the Services.
3. Indigloo will remain responsible for the performance of its sub-processors to the extent required by applicable law and the agreement set.
4. [COUNSEL REVIEW REQUIRED: confirm the final sub-processor mechanism, including whether customer-directed integrations are excluded, whether notice/objection mechanics are required, and what must appear in the public list.]

## 7. Assistance

Taking into account the nature of the processing and the information available to Indigloo, Indigloo will provide reasonable assistance to the Customer to help the Customer respond to legally valid requests concerning Customer Data and to meet applicable legal obligations relating to security or privacy, to the extent such obligations are relevant to the Services and the assistance is technically reasonable.

[COUNSEL REVIEW REQUIRED: confirm the scope of assistance obligations and whether cost-recovery language is needed.]

## 8. Security Incidents

1. If Indigloo becomes aware of a confirmed Security Incident affecting Customer Data, Indigloo will notify the Customer without undue delay.
2. The notice will include available information reasonably necessary for the Customer to understand the nature of the incident, the affected data or systems, and the steps taken or proposed.
3. Indigloo will use commercially reasonable efforts to contain, investigate, mitigate, and remediate the Security Incident.
4. This clause does not create an admission of fault or a promise of any statutory reporting deadline beyond what applicable law requires.
5. [COUNSEL REVIEW REQUIRED: confirm whether the DPA should include an internal target response SLA and, if so, frame it as an operational target rather than a statutory promise unless the research memo directs otherwise.]

## 9. Return and Deletion

1. On termination or expiry of the Services, the Customer may request return or deletion of Customer Data that remains within the ordinary capabilities of the Services, subject to legal obligations, security controls, backup retention, fraud prevention, audit requirements, and any express retention settings in the agreement set.
2. Indigloo may retain Customer Data as required by law or as reasonably necessary for security, billing, dispute resolution, backup, or immutable audit purposes.
3. [COUNSEL REVIEW REQUIRED: confirm whether the DPA needs a more specific deletion timetable or backup-rotation language.]

## 10. Cross-Border Processing

1. The currently available product documentation indicates that the principal GCP runtime and storage posture is Canada-first, including Toronto for runtime, storage, and database services, and Montréal for Gemini Live inference.
2. Customer Data may also be processed by third-party service providers or customer-authorised integrations in other locations.
3. Customer Data may also be processed in the United States by US-based sub-processors or customer-directed integrations selected by the Customer, including Resend for transactional email.

## 11. Customer-Directed Integrations

1. Where the Customer directs Indigloo to connect to or exchange data with a third-party system such as a CRM, calendar, scheduler, telephony provider, or similar integration, that exchange is performed at the Customer’s direction.
2. Indigloo is not responsible for the independent privacy, security, or operational practices of those third parties beyond Indigloo’s own obligations in transmitting or receiving data under the connection.
3. [COUNSEL REVIEW REQUIRED: confirm whether customer-directed integrations should be expressly excluded from the sub-processor regime or treated differently in the public sub-processor list.]

## 12. Liability and Order of Precedence

1. This DPA is subject to the limitation-of-liability and other risk-allocation terms in the parties’ main agreement unless the parties expressly agree otherwise in writing.
2. The parties intend the main agreement’s 12-month fee cap and its carve-outs for privacy, security, and intellectual-property indemnity claims to apply to this DPA unless the parties expressly agree otherwise in writing.

## Schedule 1 — Details of Processing

### A. Subject matter

Provision of the MeetIndi Services, including account onboarding, AI voice call handling, call routing, call summaries and transcripts, dashboard features, optional booking support, SMS continuity, customer-authorised integrations, billing support, and customer support.

### B. Duration

For the term of the applicable agreement and any additional period during which Customer Data is retained in accordance with the agreement, security practices, backup cycles, or applicable law.

### C. Nature of the processing

Collection, recording, storage, organisation, retrieval, consultation, transmission, analysis, summarisation, classification, routing, synchronisation, support, troubleshooting, deletion, and other processing reasonably necessary to provide the Services.

### D. Categories of data subjects

- Customer administrators and users;
- callers, contacts, leads, prospects, and other persons interacting with the Customer through the Services;
- appointment invitees or similar business contacts; and
- support contacts and billing contacts.

### E. Categories of personal information

- names and contact details;
- business profile and account information;
- phone numbers and related call metadata;
- call recordings where enabled;
- transcripts, summaries, notes, routing data, and appointment details;
- CRM, scheduling, or calendar data shared through authorised integrations;
- subscription and billing contact information; and
- usage, device, diagnostic, and security information.

### F. Processing locations

- Canada: Toronto (`northamerica-northeast2`) for primary runtime, storage, database, and Redis services.
- Canada: Montréal (`northamerica-northeast1`) for Gemini Live inference.
- United States: certain sub-processors and customer-directed integrations, including Resend for transactional email.

### G. Named sub-processors evidenced in the current agreement set

- Google Cloud / Vertex AI — hosting, database, storage, Redis, and model inference.
- Twilio — telephony, media streaming, messaging support, and phone numbers.
- Stripe — payments and billing.
- Sentry — error tracking and diagnostics.
- Resend — transactional email.

## Schedule 2 — Draft Security Measures

1. Role-based access and account controls.
2. Managed secret storage rather than checked-in secrets.
3. HTTPS / secure service connectivity.
4. Signature validation for external webhooks where applicable.
5. Managed cloud infrastructure for runtime, database, and storage services.
6. Logging, monitoring, and incident investigation capability.
7. Tenant-isolation and environment-separation controls appropriate to the service architecture.
8. [COUNSEL REVIEW REQUIRED: confirm final wording and add any required encryption, backup, vulnerability-management, access-review, or audit controls.]

## Signature Placeholder

[COUNSEL REVIEW REQUIRED: confirm whether this DPA should include a bilateral signature block, click-through adoption language, or order-form incorporation only.]

## Changelog

- 2026-04-22: Locked founder decisions embedded for no-model-training language, Toronto-primary processing locations, Resend as a named US-based sub-processor, and alignment to the MSA's 12-month liability cap structure.
