Data Processing Addendum

1. Purpose and Scope

This Data Processing Addendum ("DPA") forms part of the agreement ("Principal Agreement") between TechSynergy Corp. ("Processor"), the Ontario corporation that provides the Mobily™ service, and the customer identified on the Order Form or who has otherwise accepted the Terms of Service for the Mobily service ("Controller"). It governs the Processing of Personal Information by TechSynergy Corp. on the Controller's behalf through the Mobily service.

For readability, this DPA refers to the Processor as "Mobily" or "we" where the context is clear. All legal rights and obligations run to TechSynergy Corp. as the contracting legal entity.

Capitalized terms have the meaning given in PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5) and, where the Controller serves Québec residents, in Act 25 (Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c. 25).

2. Roles of the Parties

For the purpose of this DPA:

• the Controller determines the means and purposes of the Processing of Personal Information submitted to Mobily's services (including URLs, end-user IP addresses, and any personal data embedded in URL parameters);
• the Processor (Mobily) Processes that Personal Information only on the Controller's documented instructions and for the purposes set out in the Principal Agreement.

3. Subject Matter and Duration

The subject matter of the Processing is URL safety scanning, short-link resolution, click logging, business trust profile management (Mobily Verify), and related services. Processing continues for the duration of the Principal Agreement plus any post-termination retention period disclosed in §8.

4. Nature and Purpose of Processing

Mobily Processes Personal Information to:

• scan submitted URLs for phishing, malware, and other threats;
• return a safety verdict and associated metadata to the Controller;
• maintain a 90-day audit log of scan requests for security and billing reconciliation;
• aggregate anonymized usage statistics for internal reporting.

5. Categories of Data Subjects and Personal Information

Data subjects: end-users of the Controller's product whose URLs are submitted to the API, and developers of the Controller who hold API keys.

Categories of Personal Information: IP address of the API caller; any personal data embedded in submitted URLs (e.g., tokens, email addresses in query strings); API key identifiers; timestamps.

6. Controller's Obligations

The Controller warrants that:

• it has a lawful basis under PIPEDA (and, where applicable, Act 25) to submit the Personal Information to Mobily;
• it has provided meaningful consent disclosures to its end-users, identifying Mobily as a Processor;
• it will not submit URLs that it does not have the right to have scanned.

7. Processor's Obligations

Mobily will:

• Process Personal Information only on documented instructions from the Controller;
• ensure that persons authorized to Process Personal Information are bound by confidentiality;
• implement the technical and organizational measures described in §9;
• assist the Controller in responding to data-subject rights requests (access, correction, deletion, portability) as described in §10;
• notify the Controller without undue delay, and in any event within 72 hours, upon becoming aware of a Breach of Security Safeguards affecting the Controller's Personal Information.

8. Retention and Deletion

Scan logs are retained for 90 days and are then purged automatically. The Controller may request earlier deletion via the DELETE /data API endpoint or by email to support. Upon termination of the Principal Agreement, Mobily will delete all Personal Information within 30 days unless longer retention is required by law.

9. Security Measures

• All Personal Information is Processed on infrastructure physically located in Montreal, Canada.
• Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
• Access to production systems is restricted to authorized personnel, enforced via SSH key and MFA.
• IP addresses of end-users are hashed prior to storage where technically feasible.
• Annual third-party penetration testing is performed on the public API surface.

10. Data-Subject Rights Assistance

Mobily provides the following self-serve endpoints available to the Controller on all tiers:

• GET /export — returns all Personal Information associated with the Controller's API key in machine-readable form (PIPEDA data portability);
• DELETE /data — irreversibly erases all Personal Information associated with the Controller's API key (PIPEDA right to erasure / Act 25 right to be forgotten).

11. Sub-Processors

The Controller generally authorizes the use of the sub-processors listed at /legal/sub-processors. Mobily will provide at least 30 days' notice of the addition or replacement of any sub-processor by publishing the update to that page. The Controller may object in writing within that period on reasonable data-protection grounds.

12. Cross-Border Transfers

Personal Information is primarily stored in Canada. Where a sub-processor is located outside of Canada (currently only Google Safe Browsing, queried for the URL being scanned), the transfer is limited to what is strictly necessary for the scanning function and is protected by the sub-processor's contractual commitments.

13. Audit Rights

Upon reasonable written request and no more than once in any twelve-month period, Mobily will make available to the Controller the information necessary to demonstrate compliance with this DPA, including its most recent independent security audit summary. On-site audits may be conducted at the Controller's cost upon 30 days' notice.

14. Governing Law

This DPA is governed by the laws of the Province of Quebec and the federal laws of Canada applicable therein. Disputes will be resolved in the courts of the District of Montreal.

15. Execution

This DPA is deemed accepted by the Controller upon the Controller's acceptance of the Mobily Terms of Service and continued use of a paid tier of the URL Safety API or other Mobily service that Processes Personal Information. A counter-signed copy executed by TechSynergy Corp. is available on request through the contact form.

16. Contracting Entity

TechSynergy Corp. — an Ontario corporation — is the legal entity that provides the Mobily™ service and is the counterparty to this DPA. "Mobily" is the commercial name of one of several services offered by TechSynergy Corp.; it is not a legal entity, registered trade name, or operating name of the corporation. Any notice required under this DPA must name TechSynergy Corp. as the recipient.

This DPA is published in English. A French translation is available on request and is maintained per the Charter of the French Language obligations where the Controller has a business establishment in Québec.