Data Processing Agreement (DPA)

Agreement on the processing of data between VIGO ONLINE GROUP and the Partner

Version: 1.0 — Effective upon publication

Last Updated: November 18, 2025

Website: leadfilter.ca

1. Parties to the Agreement

This Data Processing Agreement (“DPA”) is a legally binding document concluded between:

1.1. The Data Controller (“Partner”)

The individual or legal entity that registers an account on leadfilter.ca, creates digital content (“Quizzes”), and determines the purposes and means of processing the personal data collected through said Quizzes.

1.2. The Data Processor (“VIGO” or “LeadFilter”)

VIGO ONLINE GROUP (Sole Proprietorship, BIN: 1000520463)

Address: 2 Robert Speck Pkwy Suite 750, Mississauga, ON L4Z 1H8

Merchant of Record: VIGO acts as the Merchant of Record for the sale of access to the Content but acts as a Data Processor regarding the storage and handling of specific Quiz responses.

2. Subject Matter and Scope

2.1. This DPA governs the processing of Personal Data carried out by VIGO on behalf of the Partner within the scope of the Partner’s use of the Service.

2.2. Scope of Processing: VIGO shall process the data collected by the Partner’s Quizzes (“Lead Data”) solely for the purpose of providing the technical infrastructure (hosting, storage, email delivery) necessary to deliver the Service to the Partner and the End-User (Purchaser).

3. Roles and Responsibilities

3.1. The Partner (Controller) represents and warrants that:

They have a valid legal basis (e.g., Consent or Legitimate Interest) to collect Personal Data from Leads1.
They are solely responsible for the accuracy, quality, and legality of the Personal Data and the means by which it was acquired2.
They will not collect Special Categories of Data (e.g., health, race, political opinions) without explicit, enhanced consent from the Lead, and they assume full liability for such collection3.

3.2. VIGO (Processor) undertakes to:

Process Lead Data only on the documented instructions of the Partner (which include the actions taken by the Partner in the dashboard)4.
Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality5.
Not use Lead Data for its own marketing or advertising purposes6.

4. Categories of Data

4.1. The processing concerns the following categories of Data Subjects:

Leads / Purchasers (individuals who take the Partner’s Quiz).

4.2. The processing concerns the following categories of data:

Identity Data: Name, email address, phone number7.
Quiz Responses: Any information entered by the Lead into the Partner’s form fields.
Technical Data: IP address, browser type, timestamp8.

5. Security Measures

VIGO shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption: Data is encrypted in transit (TLS) and at rest (AES standards).
Access Control: Restriction of access to data to authorized personnel only.
Backups: Regular data backups to ensure availability9.

6. Sub-processors

6.1. The Partner authorizes VIGO to engage the following Sub-processors to carry out specific processing activities10:

Hosting & Infrastructure: AWS (Amazon Web Services), Google Cloud, DigitalOcean.
Email Delivery: SendGrid, Mailgun.
Security & CDN: Cloudflare.
Payment Processing: Stripe (Note: Stripe acts as an independent Controller for financial data, but VIGO uses their infrastructure).

6.2. VIGO shall inform the Partner of any intended changes concerning the addition or replacement of Sub-processors with at least 30 days’ notice (via email or website update).

7. International Data Transfers

7.1. VIGO is headquartered in Canada. Canada has been recognized by the European Commission as providing an adequate level of data protection (Adequacy Decision regarding PIPEDA)11.

7.2. For transfers of data from the EEA/UK to processors outside of Canada or the EEA, VIGO relies on Standard Contractual Clauses (SCCs) or other applicable legal mechanisms12.

8. Data Subject Rights

8.1. The Partner is primarily responsible for responding to requests from Data Subjects (Leads) regarding their rights (Access, Rectification, Erasure)13.

8.2. VIGO will provide reasonable assistance to the Partner to respond to such requests. If a Lead contacts VIGO directly regarding their Quiz data, VIGO will forward the request to the Partner14.

9. Personal Data Breach Notification

9.1. VIGO shall notify the Partner without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting the Partner’s Lead Data15.

9.2. The notification shall describe the nature of the breach, the likely consequences, and the measures taken to address it.

10. Deletion and Return of Data

10.1. VIGO stores Lead Data for as long as the Partner’s account is active16.

10.2. Upon termination of the Service or upon the Partner’s specific request, VIGO shall delete the Lead Data or provide it in a standard export format (JSON/CSV), unless applicable law requires storage of the data17.

10.3. Permanent deletion from backups may take up to 90 days18.

11. Limitation of Liability

11.1. VIGO’s liability under this DPA is limited to the processing of data on behalf of the Partner. VIGO is not liable for the content of the Quizzes or the Partner’s failure to obtain legal consent from Leads.

11.2. The total aggregate liability of VIGO arising out of this DPA is subject to the “Limitation of Liability” section of the Terms of Service (capped at 100 USD or 3 months of fees)19.

12. Governing Law

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada.

13. Contacts

For inquiries regarding this DPA:

VIGO ONLINE GROUP

Email: support@leadfilter.ca