Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the VoteAlly Terms of Service (the “Agreement”) between NekoTech Ventures Inc. (DBA VoteAlly) (“VoteAlly,” “Processor,” “we”) and the organization customer (“Controller,” “you”). This DPA applies to the extent VoteAlly processes Personal Data on your behalf as part of providing the Service.

Business address:
7070E Farrell Rd SE, #811
Calgary, AB T2H 0T2
Canada

If there is a conflict between this DPA and the Agreement regarding Personal Data processing, this DPA controls.

1. Definitions

• “Personal Data”: Information relating to an identified or identifiable natural person processed by VoteAlly on your behalf as part of Customer Data (e.g., voter names, email addresses, phone numbers (if used), member IDs, participation records).
• “Customer Data”: As defined in the Agreement.
• “Data Protection Laws”: Applicable privacy and data protection laws and regulations, including (as applicable) GDPR/UK GDPR, PIPEDA, Alberta PIPA, CCPA/CPRA, and similar laws.
• “Processing”: Any operation performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).
• “Sub-processor”: A third-party engaged by VoteAlly to assist in processing Personal Data.

Terms not defined here have the meanings in the Agreement.

2. Roles and Scope

2.1 Processor vs Controller

• Controller: You are the Controller of Personal Data included in Customer Data (including voter lists and participation records) that you upload or otherwise provide to the Service.
• Processor: VoteAlly is the Processor of such Personal Data when we process it on your behalf to provide the Service.
• Independent controller: VoteAlly is an independent controller of personal information relating to administering our relationship with you (e.g., Organization Admin account data, billing and invoicing, security, fraud prevention, and compliance).

2.2 Subject Matter, Nature, and Purpose of Processing

VoteAlly processes Personal Data to provide the Service, including to:

• host and operate voting sessions and related workflows;
• authenticate and provide access to authorized users;
• send transactional notices (e.g., voting links, receipts);
• compute results and provide exports and reports;
• secure the Service, prevent abuse, and provide support.

2.3 Duration

VoteAlly will process Personal Data for the term of the Agreement, and thereafter as necessary to comply with this DPA and the Agreement, including retention and deletion provisions.

3. Controller Obligations

You represent and warrant that:

• you have all rights, lawful bases, and required notices/consents to provide Personal Data to VoteAlly and instruct VoteAlly to process it;
• your instructions comply with Data Protection Laws;
• you will not provide Sensitive IDs such as SIN, SSN, passport numbers, driver's license numbers, or similar government-issued identifiers to VoteAlly.

You are responsible for responding to data subject requests unless Data Protection Laws require VoteAlly to respond directly.

4. Processor Obligations

VoteAlly will:

1. process Personal Data only on your documented instructions, including as needed to provide the Service under the Agreement, unless required by law (in which case we will inform you to the extent permitted);
2. ensure persons authorized to process Personal Data are bound by confidentiality obligations;
3. implement appropriate technical and organizational measures to protect Personal Data (see Section 7);
4. assist you in responding to data subject rights requests and in meeting obligations regarding security, breach notification, and impact assessments, taking into account the nature of processing and information available to VoteAlly;
5. make available information reasonably necessary to demonstrate compliance with this DPA.

5. Sub-processors

5.1 Authorization

You provide general authorization for VoteAlly to engage Sub-processors to process Personal Data to provide the Service.

5.2 List and Updates

VoteAlly maintains a list of Sub-processors at: /legal/subprocessors (the “Subprocessor List”).

We may update Sub-processors over time. If we add or replace a Sub-processor in a manner that materially impacts Processing, we will provide notice via the Service or by email.

5.3 Objection

If you reasonably object to a new Sub-processor on data protection grounds, you may notify us within 10 days of the notice. We will work with you in good faith to address the objection (e.g., by providing additional information, offering an alternative where commercially reasonable, or allowing you to terminate the affected Service portion). Termination will be your sole remedy if no resolution is feasible.

6. International Transfers

Personal Data may be processed in the United States and other jurisdictions where VoteAlly or its Sub-processors operate. Where required by Data Protection Laws, VoteAlly will implement appropriate safeguards for cross-border transfers (e.g., contractual protections).

7. Security Measures

VoteAlly implements administrative, technical, and organizational security measures designed to protect Personal Data against unauthorized access, loss, alteration, and disclosure. These measures include, as applicable:

• encryption in transit (TLS);
• encryption for ballot content at rest (AES-256-GCM);
• access controls and authentication (e.g., role-based access, MFA for administrative access where enabled);
• logging and monitoring for administrative actions;
• rate limiting and abuse prevention measures.

You are responsible for configuring the Service appropriately (including user roles, access permissions, and retention choices) and securing your own systems and credentials.

8. Data Subject Requests

Taking into account the nature of processing, VoteAlly will provide reasonable assistance to help you fulfill data subject requests (access, correction, deletion, portability) relating to Personal Data in Customer Data. Where feasible, you can address many requests using self-service features (exports, edits, purge). If you require additional assistance, contact [email protected].

9. Breach Notification

VoteAlly will notify you without undue delay after becoming aware of a personal data breach affecting Personal Data in Customer Data, and will provide information reasonably necessary to help you meet breach notification obligations under Data Protection Laws, taking into account information available to VoteAlly.

10. Deletion and Return of Personal Data

VoteAlly will delete or anonymize Personal Data in Customer Data in accordance with the Service's retention functionality and the Agreement, including:

• automated scrubbing of voter identifiers after a default retention period following Session end; and
• early purge functionality for ended Sessions where available.

Upon termination of the Agreement, VoteAlly will delete or anonymize Personal Data in Customer Data within a reasonable time, unless retention is required by law or necessary for legitimate business purposes (e.g., security, fraud prevention, billing records). Ballots may be retained in encrypted/tally-token form after PII scrubbing as described in the Agreement and Privacy Policy.

11. Audits and Compliance

Upon written request, VoteAlly will provide reasonable information to demonstrate compliance with this DPA. Where required by Data Protection Laws, and subject to confidentiality and security requirements, the parties may agree on a reasonable audit mechanism. Any audit will:

• be limited to once per 12-month period unless a material incident occurs;
• be conducted during normal business hours with reasonable advance notice; and
• not unreasonably interfere with VoteAlly's operations or compromise security or other customers' data.

12. Liability

Liability under this DPA is subject to the limitations of liability and other terms in the Agreement, except to the extent prohibited by applicable law.

13. Contact

Privacy and DPA questions: [email protected]