DATA PROCESSING ADDENDUM (DPA)

Effective Date: June 11, 2026 · Version 0.1

This Addendum forms part of the GBP Manager Terms and Conditions (“Agreement”) between Streamlite Technologies of Chilliwack, British Columbia, Canada (“Streamlite”, “we”) and the subscribing business (“Customer”, “you”).

1. Roles and Scope

1.1 For Personal Information processed through GBP Manager, Customer is the organization with control of the Personal Information (controller) and Streamlite acts as a service provider / processor on Customer’s behalf, within the meaning of PIPEDA’s accountability principle (Principle 4.1.3), BC PIPA, and, where applicable, the Quebec Act respecting the protection of personal information in the private sector as amended by Law 25.

1.2 This DPA covers the following categories of Personal Information (“Customer Data”):

Category | Data subjects | Fields | Source
Review data | Customer’s end-clients (Google reviewers) | Publicly posted reviewer display name, review text, rating, date | Google Business Profile data services (see Agreement §8)
Lead data | Prospective end-clients of Customer | Name, email, phone, message content | Forms submitted to Customer’s lead capture
Review-request recipients | Customer’s end-clients | Name, email address, consent certification timestamp, suppression (unsubscribe) status | Entered by Customer in the dashboard
Account data | Customer’s authorized users | Name, business email, business details | Provided at signup/onboarding

1.3 Streamlite processes Customer Data solely to provide the services described in the Agreement (review monitoring and AI draft responses, posting drafts, review requests, audits, and reporting) and for no other purpose. Streamlite does not sell Customer Data and does not use it to train its own or third-party AI models.

2. Customer Instructions

Streamlite will process Customer Data only on Customer’s documented instructions, which consist of the Agreement, this DPA, and Customer’s configuration and approval actions in the dashboard (e.g., approving an AI-drafted reply, submitting a review request). Streamlite will notify Customer if, in its opinion, an instruction conflicts with applicable Canadian privacy law.

3. Subprocessors

3.1 Customer grants general authorization to the subprocessors listed below. Streamlite will give at least 30 days’ notice (by email to the account owner) before adding or replacing a subprocessor; Customer may object on reasonable data-protection grounds and, if unresolved, terminate the affected service with a pro-rata refund of prepaid fees.

Subprocessor | Function | Data location
Supabase (on AWS) | Primary database and authentication | Canada (ca-central-1)
Railway | Application hosting (Next.js app and automation engine) | United States
Stripe | Payment processing (Customer billing data only; no end-client data) | United States
Resend | Transactional email delivery (approval emails, reports, review requests) | United States
OpenRouter | AI model routing (review text and business details sent for draft generation; currently routed to Google Gemini) | United States
Google LLC (Google APIs) | Business profile, places, and map data retrieval | United States
Apify | Public web data collection (temporary bridge; scheduled for replacement by direct Google Business Profile API access) | European Union / United States

3.2 Streamlite imposes data-protection obligations on each subprocessor that provide a comparable level of protection to this DPA, and remains responsible to Customer for subprocessor performance.

3.3 Cross-border note: the primary database is in Canada; the subprocessors marked United States/EU process data outside Canada and may be subject to the laws of those jurisdictions. Customers established in Quebec should review Section 9.

4. Security Measures

Streamlite implements and maintains, at minimum: TLS encryption in transit; encryption at rest in the primary database; row-level security policies isolating each Customer’s tenant data; role-based access (service-role credentials restricted to backend automation); secrets management via environment configuration (no credentials in source code); access limited to personnel with a need to know; and periodic security review of changes affecting data access.

5. Confidentiality

Streamlite ensures that any person it authorizes to process Customer Data is bound by confidentiality obligations and will not use Customer Data for any purpose other than performing the Agreement.

6. Data Retention and Deletion

6.1 Google-sourced content: content obtained from Google APIs is retained for no more than 30 calendar days, consistent with Streamlite’s Privacy Policy, except for derived, non-Google metrics (scores, deltas, counts) which Streamlite computes and retains for historical reporting.

6.2 Other Customer Data (leads, review-request records, account data) is retained for the duration of the subscription. Suppression-list entries (unsubscribes) are retained indefinitely as required by CASL compliance.

6.3 On termination, Streamlite will delete or anonymize Customer Data within 60 days, except (a) records retained to meet legal obligations (tax, CASL suppression), and (b) backups, which expire on their normal cycle. Customer may request export of its data in a structured, commonly used format before deletion.

7. Breach Notification

Streamlite will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a confirmed breach of security safeguards affecting Customer Data, providing the nature of the breach, affected data categories, likely consequences, and remediation steps. The parties acknowledge that statutory reporting (to the OPC under PIPEDA, or to the CAI and affected individuals under Law 25 where there is a risk of serious injury/harm) is primarily Customer’s obligation as controller; Streamlite will provide reasonable assistance. Streamlite maintains an internal record of all breaches affecting Customer Data.

8. Assistance with Individual Rights

Streamlite will, within 10 business days of request, assist Customer in responding to access, correction, deletion, withdrawal-of-consent, and (for Quebec) portability requests from individuals whose Personal Information is in Customer Data. Requests received directly by Streamlite from end-clients will be forwarded to Customer without undue delay.

9. Quebec Law 25 and PIPEDA Provisions

Where Customer is subject to the Quebec Act (Law 25), the parties agree, per section 18.3 of that Act, that Streamlite shall: (a) apply the security measures in Section 4 to ensure confidentiality; (b) use Customer Data only to perform the Agreement and not keep it after the Agreement ends, subject to Section 6; (c) notify Customer without delay of any violation or attempted violation of any confidentiality obligation; and (d) allow Customer to conduct verification of confidentiality compliance per Section 10. Customer acknowledges it is responsible for conducting any privacy impact assessment (EFVP) required for communicating Personal Information outside Quebec, and Streamlite will provide the information reasonably necessary (this DPA, the subprocessor table, and Section 4) to support it.

10. Audit (Reasonable Verification)

No more than once per 12 months, on 30 days’ written notice, Customer may verify Streamlite’s compliance with this DPA by (a) reviewing Streamlite’s written security and subprocessor documentation, and (b) submitting reasonable written questions, which Streamlite will answer within 20 business days. On-site or technical audits are not included given the service’s multi-tenant architecture, except where required by a privacy regulator with jurisdiction, in which case scope, timing, and costs will be agreed in advance and Customer bears its own costs.

11. Liability and Order of Precedence

This DPA is subject to the limitations of liability in the Agreement (§12). In case of conflict between this DPA and the Agreement regarding the processing of Personal Information, this DPA prevails.

12. Contact

Questions about this Addendum may be directed to:

Streamlite Technologies
Chilliwack, British Columbia, Canada
Email: info@streamlite.ca