Legal · Template · v1.0 · 2026-05-08

Data Processing Agreement

This template covers GDPR Article 28, UK GDPR, and PIPEDA requirements typical for enterprise customers and MSPs handling data on behalf of their own clients. To execute, email legal@migrationfox.com with your entity name and a contact for signature.

Note. This is a published template, not a binding agreement. The agreement becomes binding once countersigned by both parties. Contact us if you need redlines, additional clauses (Standard Contractual Clauses, audit rights, sub-processor consent windows), or customer-specific schedules.

1. Parties & Definitions

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement, Order Form, or Terms of Service ("Principal Agreement") between MigrationFox Inc., a Canadian federal corporation with registered office at 186 Zachary Cres, Oakville, ON L6H 7C3 ("Processor", "MigrationFox", "we") and the customer entity identified in the Principal Agreement ("Controller", "Customer", "you").

Definitions.

  • "Personal Data", "Processing", "Data Subject", "Controller", "Processor", "Sub-Processor" have the meanings given in the GDPR.
  • "Customer Data" means any data, including Personal Data, that Customer or its end-users submit, transfer, or expose to MigrationFox through use of the service.
  • "Sub-Processor" means any third party engaged by MigrationFox to Process Customer Data, as listed in Schedule B.

2. Roles

Customer is the Controller of Customer Data. MigrationFox is the Processor and acts only on Customer's documented instructions. Each party is independently responsible for its own compliance with applicable data protection law (GDPR, UK GDPR, PIPEDA, CCPA, and equivalent regimes).

3. Scope, Subject Matter, and Duration

Subject matter: Processing of Customer Data by MigrationFox to perform cloud migration, governance assessment, and related services as defined in the Principal Agreement.

Nature and purpose: reading source platform contents, transferring file/email/chat data to a destination platform, generating governance reports, storing operational metadata, and supporting Customer's administrators.

Categories of Data Subjects: Customer's employees, contractors, partners, end-users, and any individuals whose data is contained in the source platform Customer instructs MigrationFox to process.

Categories of Personal Data: as determined by Customer's source platform contents — typically file metadata (paths, owners, timestamps), file content, mail headers and bodies, chat messages, calendar events, contact records, identity directory data (names, email addresses, group memberships), and audit log entries.

Duration: for the term of the Principal Agreement plus any documented retention period under Section 9 below.

4. Customer Instructions

MigrationFox processes Customer Data only on Customer's documented instructions, including: (a) instructions embedded in the Principal Agreement and this DPA; (b) configuration choices made by Customer's administrators in the MigrationFox dashboard; and (c) any additional written instructions Customer provides.

If MigrationFox believes an instruction violates applicable law, MigrationFox will notify Customer (unless prohibited by law) and may suspend processing of the affected data until the instruction is amended or withdrawn.

5. Confidentiality

MigrationFox ensures that personnel authorized to process Customer Data are bound by confidentiality obligations (employment contract or written undertaking) covering at minimum the duration of their engagement and for a reasonable period thereafter.

6. Security Measures

MigrationFox implements appropriate technical and organizational measures to protect Customer Data, summarized in Schedule A. Highlights:

  • AES-256 encryption at rest for stored credentials and audit logs
  • TLS 1.2+ enforced in transit on all API endpoints and file transfers
  • Argon2id password hashing; multi-factor authentication for all customer accounts
  • JWT session tokens scoped to a single tenant and role
  • Tenant-isolated database queries and audit logs
  • Direct streaming of file content from source to destination — file content is not retained on MigrationFox servers after migration completes
  • Migration worker hosted in Toronto, Canada (Oracle Cloud Canada Southeast)

Schedule A may be updated from time to time to reflect security improvements; updates will not materially decrease the level of protection.

7. Sub-Processors

Customer authorizes MigrationFox to engage the Sub-Processors listed in Schedule B. Each Sub-Processor is bound by a written contract imposing obligations equivalent to those in this DPA.

Notice of changes. MigrationFox will provide at least 30 days' advance notice by email to Customer's designated contact before adding or replacing a Sub-Processor that processes Customer Data.

If Customer reasonably objects to a new Sub-Processor on grounds related to data protection, the parties will discuss in good faith. If no resolution is reached within 30 days, Customer may terminate the affected service component for cause.

8. Data Subject Rights

Taking into account the nature of the processing, MigrationFox provides reasonable assistance to Customer in fulfilling Customer's obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection). MigrationFox forwards any Data Subject request received directly to Customer's designated contact within 5 business days unless required otherwise by law.

9. Data Retention & Deletion

During the term: file content is not retained after migration completes. Operational metadata (file paths, sizes, success/failure status, audit logs) is retained per the configurable retention policy in the Customer's tenant settings.

On termination: within 30 days of termination of the Principal Agreement, MigrationFox will delete all Customer Data and OAuth tokens from production systems, except as required to be retained by law (financial records, tax obligations, ongoing legal claims).

Backup retention: deleted Customer Data may persist in encrypted backups for up to 35 days before scheduled rotation overwrites them. Backups are not used for any purpose other than disaster recovery.

10. International Transfers

MigrationFox Inc. is a Canadian entity operating under PIPEDA. Customer Data may be transferred internationally between Canada (worker), United States (API and metadata), and the Customer's chosen source/destination platforms. For transfers from the European Economic Area, United Kingdom, or Switzerland to a third country, the parties incorporate by reference the Standard Contractual Clauses (Module 2: Controller to Processor) approved by the European Commission Implementing Decision (EU) 2021/914, with the populated Annex provided on request.

Canada is recognized by the European Commission as providing adequate protection for personal data (Adequacy Decision 2002/2/EC).

11. Personal Data Breach Notification

MigrationFox notifies Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data breach affecting Customer Data. The notification includes a description of the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and the measures taken or proposed.

12. Audit Rights

Customer may verify MigrationFox's compliance with this DPA by reviewing: (a) the most recent independent audit reports made available by MigrationFox (e.g. SOC 2 Type 1/2, ISO 27001) once obtained; (b) responses to a reasonable security questionnaire (no more than once per 12 months unless triggered by a breach); and (c) the public Trust Center documentation.

On-site audits may be performed by Customer or a mutually agreed independent third-party auditor with reasonable advance notice (no less than 30 days), subject to confidentiality obligations and at Customer's expense, no more than once per 12 months unless required by a regulator.

13. Liability & Indemnification

Liability arising under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Principal Agreement.

14. Order of Precedence

In the event of conflict between this DPA and the Principal Agreement, this DPA prevails with respect to Processing of Personal Data. Standard Contractual Clauses, where incorporated, prevail over both.

15. Term & Termination

This DPA is effective as of the effective date of the Principal Agreement and remains in effect until the Principal Agreement is terminated and Customer Data has been deleted or returned in accordance with Section 9.

16. Governing Law

This DPA is governed by the laws of the Province of Ontario, Canada, without regard to conflict-of-laws principles. Where Customer is established in the European Economic Area or United Kingdom and a mandatory provision of local law applies to the Processing, that provision prevails to the extent required.

Schedule A — Technical and Organizational Security Measures

  • Access control: role-based access (RBAC) with the principle of least privilege. SSO supported. MFA required for all production access.
  • Encryption: AES-256 at rest, TLS 1.2+ in transit. Credentials use a separate per-tenant key envelope.
  • Network controls: private VPCs, security groups, no direct database access from the public internet.
  • Vulnerability management: automated dependency scanning, security patches applied within agreed SLAs based on severity.
  • Logging and monitoring: tenant-scoped audit logs, error tracking via Sentry, alerting on suspicious activity patterns.
  • Personnel: background checks, confidentiality agreements, security awareness training.
  • Backup and recovery: encrypted automated backups with documented restore procedures.
  • Physical security: production data resides in SOC 2 Type 2 audited cloud facilities (Oracle Cloud, Railway, Vercel).

Schedule B — Approved Sub-Processors

Current Sub-Processors are listed and maintained at migrationfox.com/legal/security. Updates are notified per Section 7.

Schedule C — Authorized Customer Contacts

Customer's designated privacy/security contacts (to be completed at execution):

  • Primary: ____________________________
  • Email: ______________________________
  • Backup: _____________________________

Execution

To countersign this DPA, email legal@migrationfox.com with:

  • Customer legal entity name and registered address
  • Authorized signatory name and title
  • Designated privacy/security contact for Schedule C
  • Any redline requests or jurisdiction-specific addenda

We typically return countersigned PDFs within 3 business days.