LUMINARYX™

Data Processing Agreement

Effective date: March 23, 2026 · Version 1.0

Controller

Your Municipality. Owns all governance data. Determines the purpose and means of processing.

Processor

LUMINARYX™. Processes data only on your instructions, solely to provide the platform.

Sub-Processors

AWS, Stripe, DeepL, Microsoft 365. Each bound by a sub-processor DPA.

Plain-language summary: Your municipality is the controller. You own your data. LUMINARYX™ is the processor. We only touch your data to run the platform. Everything stays in Canada. We cannot sell it, train AI on it, or use it for anything beyond your service. You can audit us, export your data any time, and get it all back within 90 days of leaving.

1. Scope and Relationship

This Data Processing Agreement ("DPA") governs the processing of municipality data by 17691190 Canada Inc., operating as LUMINARYX™ ("LUMINARYX", "Processor"), on behalf of the subscribing municipal organization ("Municipality", "Controller").

This DPA is incorporated by reference into the LUMINARYX™ Master Service Agreement ("MSA"). In the event of conflict between this DPA and the MSA on data protection matters, the provision more protective of municipality data prevails.

LUMINARYX™ processes municipality data solely in its capacity as a data processor, acting on the documented instructions of the Municipality. The Municipality, as data controller, determines the purpose and means of processing.

This DPA is designed to assist municipalities in meeting their obligations under applicable Canadian privacy legislation, including PIPEDA, BC's FOIPPA, Ontario's Municipal Freedom of Information and Protection of Privacy Act (MFIPPA), and Quebec's Law 25.

2. Data Ownership

Municipality Data is and remains the exclusive property of the Municipality. LUMINARYX™ acquires no rights, title, or interest in Municipality Data by virtue of processing it.

2.1 What constitutes Municipality Data

  • AI governance decisions, risk evaluations, and policy documents
  • Vendor and contractor assessments submitted through the contractor portal
  • Equity impact assessments and regulatory compliance records
  • Approval workflow submissions, notes, and justifications
  • Hash-chained audit trail entries and HMAC-verified records
  • User account information for municipal staff and authorized users
  • Platform configuration settings and customizations

2.2 Personal information within Municipality Data

To the extent Municipality Data includes personal information about identifiable individuals (such as municipal staff names, email addresses, or role information), LUMINARYX™ processes such personal information solely as required to provide the platform. The Municipality is responsible for ensuring that its collection and use of personal information through the platform complies with applicable privacy legislation.

3. How LUMINARYX™ Processes Your Data

LUMINARYX™ processes Municipality Data only:

  • As necessary to provide, maintain, and support the LUMINARYX™ platform under the MSA;
  • In accordance with the documented instructions of the Municipality;
  • As required by applicable Canadian law, in which case LUMINARYX™ will notify the Municipality before processing unless legally prohibited from doing so.

| Category | Examples | Purpose |
|---|---|---|
| Governance records | AI decisions, risk scores, policy documents | Core platform functionality |
| User account data | Name, work email, role, MFA state | Authentication and access control |
| Audit trail data | Timestamped actions, approvals, HMAC hashes | Governance integrity and accountability |
| Vendor/contractor data | Assessments, portal submissions | Contractor portal feature |
| Configuration data | Decision areas, workflow settings, frameworks | Platform customization |
| Billing contact data | Invoice contact name and email | Subscription management |

4. Canadian Data Residency

All Municipality Data is stored, processed, and backed up exclusively within Canada, in AWS ca-central-1 (Montreal). This applies to primary storage, backups, disaster recovery, monitoring, and all sub-processor activities. Municipality Data is never transmitted outside Canada.

LUMINARYX™ will not permit Municipality Data to be transmitted to, stored in, or accessed from any jurisdiction outside Canada under any circumstances, including for technical support, disaster recovery, or administrative purposes.

LUMINARYX™ maintains documentation of all data storage locations, including backup and disaster recovery sites, and will provide this documentation to the Municipality upon written request.

5. Security Measures

| Control | Implementation |
|---|---|
| Encryption at rest | AES-256 for all database storage |
| Encryption in transit | TLS 1.3 or higher for all data transmission |
| Audit trail integrity | Hash-chained SHA-256 HMAC, append-only, tamper-evident |
| Authentication | MFA required by default for all platform users |
| Access control | Role-based with separation of duties enforced at workflow level |
| Session management | Fail-closed Redis token management; per-IP and per-email rate limiting |
| Logging and monitoring | Structured JSON logging; all access to municipality data logged |
| Infrastructure | AWS ca-central-1; PostgreSQL; regular patching and vulnerability management |
| Personnel | All personnel with data access bound by confidentiality obligations |

6. Sub-Processors

| Sub-Processor | Role | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services | Cloud infrastructure and database hosting | All Municipality Data | Canada |
| Stripe | Payment processing | Billing contact name, email, card data (never stored by LUMINARYX™) | Canada |
| DeepL | Document translation (EN/FR) | Document content submitted for translation only | Canada |
| Microsoft 365 | Transactional and operational email | Email address, email content for notifications | Canada |

6.1 New sub-processors

LUMINARYX™ will notify the Municipality at least 30 days before engaging any new sub-processor. The Municipality may object within 14 days. If the objection cannot be resolved, the Municipality may terminate its Subscription with a pro-rata refund.

6.2 Sub-processor liability

LUMINARYX™ remains fully liable to the Municipality for the acts and omissions of its sub-processors to the same extent as if LUMINARYX™ had performed the processing directly.

7. Prohibited Activities

LUMINARYX™ will never:

  • Sell, license, share, or disclose Municipality Data to any third party for any purpose
  • Use Municipality Data for LUMINARYX™'s own business purposes, marketing, or analytics beyond aggregate platform improvement
  • Train artificial intelligence or machine learning models using Municipality Data
  • Aggregate Municipality Data with data from other sources for commercial purposes
  • Access Municipality Data except as necessary to provide the platform
  • Disclose Municipality Data to law enforcement without a valid Canadian court order and prior notification to the Municipality (unless legally prohibited)
  • Transfer, replicate, or permit access to Municipality Data from outside Canada
  • Modify or delete audit trail entries

8. Breach Notification

In the event of a confirmed or reasonably suspected security incident affecting Municipality Data, LUMINARYX™ will:

  • Notify the Municipality's designated contact within 72 hours of confirmed discovery, by email and phone;
  • Include in the initial notification: the nature of the incident, the categories and approximate number of records affected, likely consequences, and immediate measures taken;
  • Provide a full written incident report within 14 days of initial notification;
  • Cooperate fully with any Municipality-initiated investigation and preserve all relevant evidence;
  • Assist the Municipality in meeting any breach notification obligations to the Office of the Privacy Commissioner of Canada or applicable provincial regulator.

Sub-processors are contractually required to notify LUMINARYX™ of any suspected breach within 24 hours, ensuring LUMINARYX™ can meet its 72-hour commitment to municipalities.

9. Audit Rights

The Municipality (or an independent third-party auditor) has the right to conduct audits and inspections to verify LUMINARYX™'s compliance with this DPA. Audit scope may include:

  • Review of security policies, procedures, and access controls
  • Verification of data residency compliance and storage locations
  • Review of sub-processor agreements and compliance records
  • Assessment of breach notification procedures and incident history

The Municipality will provide at least 30 days' written notice before an audit (except in the case of a suspected breach). Audits will be conducted during normal business hours with reasonable effort to minimize disruption.

As an alternative, LUMINARYX™ may provide current SOC 2 Type II reports, penetration test results, or equivalent third-party certifications where available.

10. Data Subject Rights Assistance

Where Municipality Data includes personal information about individuals who exercise rights under PIPEDA or applicable provincial privacy legislation, LUMINARYX™ will:

  • Provide the Municipality with reasonable technical assistance to respond to such requests, including data retrieval and export tools;
  • Redirect any data subject requests received directly by LUMINARYX™ to the Municipality promptly;
  • Not respond to data subject requests independently without the Municipality's written authorization.

11. Data Return and Deletion

11.1 Export during subscription

The Municipality may export all Municipality Data at any time using the platform's built-in export tools, in open machine-readable formats (JSON, CSV, or XML) at no additional cost.

11.2 Upon termination

  1. LUMINARYX™ will make all Municipality Data available for export for 90 days following the termination date, at no additional cost.
  2. Following confirmed receipt of export, or at the expiry of the 90-day window, LUMINARYX™ will permanently and irreversibly delete all Municipality Data within 30 days.
  3. LUMINARYX™ will provide written certification of deletion upon request.
  4. If any Canadian law requires LUMINARYX™ to retain specific data beyond the deletion timeline, LUMINARYX™ will identify the specific data, the legal basis, and the expected retention period.

11.3 Audit trail exception

Audit trail entries subject to mandatory retention under applicable Canadian law or that form part of a live legal proceeding or regulatory investigation will be retained for the applicable statutory period, even following termination.

12. Term and Termination

This DPA remains in effect for the duration of the MSA and for so long as LUMINARYX™ retains any Municipality Data.

The Municipality may terminate this DPA immediately upon written notice if LUMINARYX™ commits a material breach of its data protection obligations and fails to cure within 15 days of written notice. In such case, the Municipality is entitled to a pro-rata refund.

Sections 2 (Data Ownership), 7 (Prohibited Activities), 8 (Breach Notification), 11 (Data Return and Deletion), and 13 (Governing Law) survive termination.

13. Governing Law

This DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein, without regard to conflict of laws principles.

14. Contact

For questions about this DPA, data residency verification, audit requests, or breach notifications:

Joy Guyot, Privacy Officer and Founder
17691190 Canada Inc. (LUMINARYX™)
privacy@luminaryx.ca

We will acknowledge all written DPA inquiries within 5 business days and respond fully within 30 days.


© 2026 17691190 Canada Inc. All rights reserved.

LUMINARYX is a trademark of 17691190 Canada Inc. Federal Trademark Application No. 2455533.