Data Processing Agreement

Final v1.0 — Effective May 13, 2026

1. Definitions

For the purposes of this DPA:

  • "Personal Information" means any information that, alone or in combination with other information, identifies or could reasonably identify an individual, including parents and children whose information is exchanged through the Platform.
  • "Process" or "Processing" means any operation performed on Personal Information, including collection, storage, use, modification, disclosure, transfer, retention, and deletion.
  • "Controller" / "Business" / "Joint Controller" refers to the party (or parties) that determines the purposes and means of Processing Personal Information, as those terms are understood under Canadian privacy law (PIPEDA, BC PIPA), applicable U.S. state privacy law (controller, business), and equivalent privacy law.
  • "Processor" / "Service Provider" refers to a party that Processes Personal Information on behalf of a Controller or Business, in accordance with that party's instructions and applicable law.
  • "Subprocessor" means a third party engaged by a party to Process Personal Information on its behalf.
  • "Data Subject" means an individual whose Personal Information is Processed under this DPA, including parents and children.
  • "Privacy Law" means PIPEDA, the British Columbia Personal Information Protection Act, applicable U.S. state and federal privacy law (including COPPA), and any other privacy or data protection law applicable to the Processing of Personal Information under this DPA.
  • "Security Incident" means any actual or reasonably suspected unauthorized access to, disclosure of, loss of, or alteration of Personal Information.

2. Scope and Roles

2.1 This DPA covers Personal Information about parents and children that is collected, stored, or transmitted through the Platform, including:

  • Parent identity and contact information (name, email, phone number, address);
  • Child identity and care information (name, date of birth, allergies, medical information, immunization records, emergency contacts, pick-up authorizations, language preferences);
  • Application, enrollment, and communication records between parents and Daycares;
  • Payment records relating to parent transactions (processed via Stripe).

2.2 Role of the Parties. For Personal Information exchanged through the Platform between ZuKeepr and the Daycare:

  • Under Canadian privacy law (including PIPEDA and the British Columbia Personal Information Protection Act), ZuKeepr and the Daycare act as Joint Controllers, with independent obligations to the affected individuals;
  • Under applicable U.S. state privacy law, ZuKeepr and the Daycare may each act as a separate "controller" or "business," with shared or coordinated obligations where information is jointly determined;
  • The actual role of each party in a specific transaction depends on the applicable Privacy Law in the jurisdiction of the affected Data Subject. The parties will cooperate in good faith to determine and honour the applicable role-based obligations.

2.3 To the extent that the Daycare uses the Platform to store or Process Daycare-controlled records that are not received from parents through ZuKeepr's matching process (for example, internal attendance logs or family files), ZuKeepr acts as a Processor or Service Provider to the Daycare for that data, and the Daycare is the Controller or Business. This DPA's Joint Controller / coordinated-Controller provisions do not apply to that Daycare-controlled data.

3. Each Party's Responsibilities

3.1 ZuKeepr's Responsibilities

ZuKeepr will:

  • Collect Personal Information from parents under a valid consent and notice framework, as described in the Privacy Policy and Children's Privacy Notice;
  • Process Personal Information only for the purposes set out in those notices and for the operation of the Platform;
  • Maintain appropriate physical, technical, and administrative safeguards consistent with Section 5;
  • Make Personal Information available to the Daycare only at the appropriate stage of the application or enrollment process (the two-stage model: limited profile at application, full profile at enrollment acceptance);
  • Honour parent requests to access, correct, or delete Personal Information collected by ZuKeepr;
  • Maintain a current list of Subprocessors, publicly available at zukeepr.com/subprocessors, and disclose material changes as set out in Section 6;
  • Notify the Daycare of Security Incidents affecting Personal Information shared with the Daycare, as set out in Section 7.

3.2 Daycare's Responsibilities

The Daycare will:

  • Use Personal Information received through the Platform solely for the purpose of providing childcare services to the enrolled family;
  • Limit access to Personal Information to staff and contractors who have a legitimate need to know;
  • Maintain appropriate physical, technical, and administrative safeguards consistent with Section 5;
  • Comply with all applicable Privacy Law, including PIPEDA, the British Columbia Personal Information Protection Act, applicable U.S. state and federal privacy law, and any provincial or jurisdiction-specific childcare records retention requirements;
  • Honour parent requests to access, correct, or delete Personal Information held by the Daycare, in coordination with ZuKeepr where appropriate, and subject to the legal retention carveout in Section 10;
  • Not disclose Personal Information to any third party except: (a) as required by law; (b) as necessary to provide childcare services (for example, sharing with the child's emergency contact or healthcare provider in a genuine emergency); or (c) with the parent's express consent;
  • Notify ZuKeepr of Security Incidents affecting Personal Information received through the Platform, as set out in Section 7.

4. Permitted and Prohibited Processing

4.1 The Daycare may Process Personal Information received through the Platform only for the following purposes:

  • Reviewing applications and making enrollment decisions;
  • Providing childcare services to enrolled families;
  • Communicating with parents about their child's care;
  • Maintaining records as required by childcare licensing authorities;
  • Complying with legal obligations.

4.2 The Daycare will not:

  • Use Personal Information received through the Platform for marketing purposes unrelated to the care of an enrolled child;
  • Sell, rent, or trade Personal Information;
  • Disclose Personal Information to a competitor of ZuKeepr or use it to attempt to divert parent users to off-Platform services in violation of the Daycare Agreement;
  • Process Personal Information about children for advertising, profiling, or behavioural analytics.

5. Security Measures

5.1 Each party will implement and maintain appropriate technical and organizational security measures designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. These measures include, at a minimum:

  • Encryption of Personal Information in transit (TLS) and at rest where reasonably feasible;
  • Access controls limiting access to authorized personnel with a legitimate need;
  • Authentication mechanisms (passwords, multi-factor authentication where appropriate);
  • Logging and monitoring of access to Personal Information;
  • Regular review of security measures and prompt remediation of identified vulnerabilities;
  • Staff training on Privacy Law obligations and information-handling practices.

5.2 Each party will keep its security measures up to date with evolving threats and industry best practices. Material changes in security posture that may affect the other party will be communicated reasonably in advance where feasible.

6. Subprocessors

6.1 ZuKeepr maintains a complete, current list of Subprocessors at zukeepr.com/subprocessors, including the name, purpose, data jurisdiction, data categories, and last-updated date for each Subprocessor. By accepting this DPA, the Daycare authorizes ZuKeepr's use of the Subprocessors listed on that page as of the date of acceptance.

6.2 As of the date of this DPA, ZuKeepr's principal Subprocessors are summarized below:

| Subprocessor | Purpose | Data Location | Data Handled |
| --- | --- | --- | --- |
| Amazon Web Services (AWS) | Cloud infrastructure, file storage (S3) | Canada (ca-central-1) | All Platform data, uploaded files |
| MongoDB Atlas | Database hosting | Canada Central | Account, application, enrollment, message data |
| Stripe, Inc. | Payment processing, Stripe Connect | United States | Payment information, transaction records |
| Vercel | Web application hosting (Next.js front-end) | United States / global edge | HTTP request data, session cookies |
| Firebase (Google) | Authentication | Google infrastructure | Authentication tokens, sign-in records |
| Amazon SES + Resend | Email delivery (transactional + admin) | United States | Recipient email address, message content |
| Microsoft Clarity | Anonymized usage analytics | Microsoft global infrastructure | Aggregated session and interaction data; PII fields masked; child profile, medical, payment, message pages excluded |

6.3 ZuKeepr requires Subprocessors to commit, by contract or equivalent, to data protection obligations consistent with this DPA. ZuKeepr remains responsible for the Processing of Personal Information by its Subprocessors.

6.4 ZuKeepr may update the list of Subprocessors from time to time. Material additions will be disclosed by updating the public Subprocessor page and, where the change is material, by email or in-app notice. The Daycare may object to new Subprocessors that materially change the risk profile of the Processing by contacting support@zukeepr.com; if the parties cannot reach a reasonable accommodation, the Daycare may terminate the Daycare Agreement for that reason.

7. Security Incident Notification

7.1 Each party will notify the other party of any Security Incident affecting Personal Information shared between them under this DPA as soon as feasible after becoming aware of the Security Incident and as required by applicable Privacy Law. Each party will use seventy-two (72) hours as an internal operational target for initial notification, recognizing that actual timing depends on the facts of the incident, ongoing investigation needs, and applicable law.

7.2 The notification will, to the extent then known, include:

  • A description of the nature of the Security Incident;
  • The categories and approximate number of Data Subjects and records affected;
  • The likely consequences of the Security Incident;
  • The measures taken or proposed to address the Security Incident and mitigate its effects;
  • A point of contact for further information.

7.3 Each party will cooperate in good faith to investigate and remediate the Security Incident, including with respect to:

  • Notifications to affected Data Subjects, where required by Privacy Law;
  • Notifications to regulators, where required by Privacy Law;
  • Public communications, where appropriate.

7.4 Each party will maintain reasonable records of Security Incidents affecting Personal Information under this DPA and make those records available to the other party upon reasonable request.

8. Data Subject Requests

8.1 Each party will assist the other in responding to requests from Data Subjects to exercise their rights under Privacy Law, including rights to access, correct, delete, restrict Processing of, or appeal decisions about Personal Information.

8.2 If a Data Subject submits a request to one party that relates to Processing carried out by the other party, the receiving party will forward the request to the appropriate party and notify the Data Subject of the referral.

8.3 Where a Data Subject request requires action by both parties (for example, a deletion request that affects both ZuKeepr's records and the Daycare's records), the parties will coordinate to fulfill the request within the timelines required by Privacy Law, typically thirty (30) days from receipt.

8.4 Each party may charge a reasonable fee for assisting with the other party's response to Data Subject requests only where Privacy Law permits such a fee and where the requested assistance is substantial.

9. International Data Transfers

9.1 ZuKeepr's primary infrastructure is located in Canada. Personal Information may be transferred to, or processed by, Subprocessors located in the United States or other jurisdictions, as identified in Section 6 and at zukeepr.com/subprocessors.

9.2 Where Personal Information is transferred outside of Canada, ZuKeepr takes reasonable steps to ensure the Personal Information remains protected under safeguards comparable to those required by PIPEDA and applicable provincial Privacy Law, including contractual commitments from Subprocessors.

9.3 The Daycare acknowledges that, as a result of these transfers, Personal Information may become subject to lawful access requests by foreign authorities under the laws of the jurisdiction where the Subprocessor is located. This is disclosed to parents in the Privacy Policy.

10. Retention and Deletion

10.1 Each party will retain Personal Information only for as long as necessary for the purposes for which it was collected, as required by Privacy Law, or as required by other applicable law.

10.2 ZuKeepr's retention timelines are set out in the Privacy Policy and Children's Privacy Notice.

10.3 Daycare Retention Subject to Legal Retention Requirements. The Daycare's retention practices for Personal Information received through the Platform must comply with applicable Privacy Law and childcare licensing requirements. The parties acknowledge and agree that childcare and licensing laws in many jurisdictions require Daycares to retain specific records (including health and immunization records, attendance logs, incident reports, and other operational records) for periods of several years, regardless of an individual parent's request for deletion.

This legal retention requirement is a recognized and prominent exception to deletion obligations under this DPA and applicable Privacy Law. Where a parent requests deletion of Personal Information held by the Daycare, the Daycare will:

  • Delete or anonymize the Personal Information to the extent not subject to a legal retention requirement;
  • Where retention is required by law, limit Processing of the retained information to the legally required purpose, restrict access, and delete the information once the legal retention period expires;
  • Inform the parent (directly or through ZuKeepr) of the legal retention obligation and the expected end of the retention period.

10.4 On termination of the Daycare Agreement, the Daycare will, within a reasonable period, securely delete or anonymize Personal Information received through the Platform, except for records the Daycare is required to retain by applicable law.

11. Audit and Demonstrable Compliance

11.1 Each party will, on reasonable request from the other party and no more than once per twelve (12) month period (except in the event of a Security Incident), provide reasonable information about its data protection practices relevant to this DPA. This may include security policies, summary results of internal or external audits, certifications, or written responses to specific reasonable questions.

11.2 Audits or inspections that require on-site access or that exceed reasonable information exchange must be agreed in advance and conducted in a manner that does not unreasonably disrupt the audited party's business.

12. Liability

12.1 The liability of the parties under this DPA is governed by the liability provisions of the Daycare Agreement, including any liability caps and exclusions, except that nothing in those provisions limits a party's liability for direct breaches of Privacy Law for which liability cannot be limited under applicable law.

13. Term and Termination

13.1 This DPA takes effect on the date the Daycare accepts the Daycare Agreement, and remains in force for as long as ZuKeepr Processes Personal Information about parents and children on behalf of, or in joint controllership / coordinated controllership with, the Daycare.

13.2 On termination of the Daycare Agreement, this DPA terminates concurrently, except that Sections 5 (Security Measures), 7 (Security Incident Notification), 10 (Retention and Deletion), and 12 (Liability) survive to the extent necessary to address Personal Information retained, lawfully held, or subject to ongoing legal obligations.

14. Updates to This DPA

14.1 ZuKeepr may update this DPA from time to time to reflect changes in Subprocessors, Privacy Law, or our data protection practices. Material changes will be communicated to Daycares via email or in-app notice at least thirty (30) days before they take effect.

14.2 Continued use of the Platform after the effective date of an updated DPA constitutes acceptance of the updated terms. A Daycare that does not agree to a material update may terminate the Daycare Agreement before the effective date in accordance with the Daycare Agreement's termination provisions.

15. Governing Law

This DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein, consistent with the Daycare Agreement's governing law provision.

16. Contact

Questions about this DPA or data protection practices can be sent to:

ZuKeepr Inc.

914 Graythorpe Place, Victoria, British Columbia, Canada

support@zukeepr.com

zukeepr.com
