Data Processing Addendum

Terms governing GlamFlow's processing of personal data on behalf of customers, in compliance with PIPEDA, GDPR, and other applicable privacy laws.
Last updated: April 1, 2025
  • 1. Introduction
  • 2. Definitions
  • 3. Scope and Purpose of Processing
  • 4. Customer Obligations
  • 5. GlamFlow's Obligations
  • 6. Sub-processors
  • 7. International Data Transfers
  • 8. Security Measures
  • 9. Data Retention and Deletion
  • 10. Audits
  • 11. Contact

1. Introduction

This Data Processing Addendum ("DPA") is incorporated into and forms part of the agreement between GlamFlow Inc. ("GlamFlow" or "Processor") and the customer entity ("Customer" or "Controller") for the use of the GlamFlow Service.
This DPA applies where GlamFlow processes personal data on behalf of the Customer in connection with providing the Service.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
"Sub-processor" means any third party engaged by GlamFlow to process Personal Data on behalf of the Customer.
"Applicable Data Protection Law" means all applicable data protection and privacy laws, including PIPEDA (Canada), GDPR (EU/UK), CCPA (California), and any other relevant legislation.

3. Scope and Purpose of Processing

GlamFlow processes Personal Data solely to provide the Service as described in the applicable subscription agreement and as instructed by the Customer. GlamFlow will not process Personal Data for any other purpose without the Customer's prior written consent.
The categories of Personal Data processed may include: client contact information, appointment records, health and treatment notes (if entered by the Customer), billing records, and staff information.

4. Customer Obligations

The Customer represents and warrants that: (a) it has a valid legal basis for processing the Personal Data; (b) it has provided all required notices to data subjects; (c) it has obtained any necessary consents; (d) its instructions to GlamFlow comply with Applicable Data Protection Law.

5. GlamFlow's Obligations

GlamFlow will: (a) process Personal Data only in accordance with the Customer's documented instructions; (b) ensure that personnel authorized to process Personal Data are bound by confidentiality obligations; (c) implement appropriate technical and organizational security measures; (d) assist the Customer in fulfilling data subject rights requests; (e) notify the Customer without undue delay upon becoming aware of a Personal Data breach.

6. Sub-processors

GlamFlow may engage Sub-processors to assist in providing the Service. GlamFlow will: (a) maintain a list of Sub-processors available upon request; (b) provide at least 30 days' notice before adding or changing Sub-processors; (c) impose data protection obligations on Sub-processors equivalent to those in this DPA.
The Customer may object to a new Sub-processor by notifying GlamFlow in writing within the notice period.

7. International Data Transfers

GlamFlow primarily processes data in Canada. Where Personal Data is transferred outside the Customer's jurisdiction, GlamFlow will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (for EEA/UK data) or other approved transfer mechanisms.

8. Security Measures

GlamFlow implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction, including: encryption in transit and at rest, access controls, regular penetration testing, and employee security training.

9. Data Retention and Deletion

Upon termination of the Service, GlamFlow will, at the Customer's written request, return or delete all Personal Data within 90 days, unless applicable law requires longer retention.

10. Audits

GlamFlow will provide the Customer with information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits conducted by the Customer or a qualified third-party auditor, subject to reasonable advance notice and confidentiality obligations.

11. Contact

For data protection inquiries, please contact: [email protected].