Data Processing Addendum (DPA)
Last updated: April 29, 2026
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Underlying Agreement governing Customer’s use of the Services. This DPA applies to PostGrid’s Processing of Customer Data on behalf of Customer in connection with the Services. In the event of any conflict between the Underlying Agreement and this DPA, this DPA will control solely with respect to the Processing of Customer Data.
Capitalized terms not defined herein have the meanings given in the Underlying Agreement.
1. Definitions
For purposes of this DPA:
Customer Data means any personal information included in the data that Customer submits to the Services or otherwise provides to PostGrid as part of receiving the Services.
Data Protection Laws means all applicable Canadian federal and provincial privacy and data protection laws governing the Processing of Customer Data, including the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), and where applicable, substantially similar provincial legislation such as Alberta’s Personal Information Protection Act, British Columbia’s Personal Information Protection Act, and Québec’s Act respecting the protection of personal information in the private sector, as amended from time to time.
Personal Information has the meaning given under applicable Data Protection Laws and generally means information about an identifiable individual.
Process or Processing means any operation performed on Customer Data, including collection, use, storage, transmission, disclosure, or destruction.
2. Roles and Scope
2.1 Roles.
Customer acts as the organization with control over Customer Data. PostGrid acts as a service provider that Processes Customer Data on behalf of Customer in accordance with Customer’s instructions.
2.2 Scope.
This DPA applies only to the Processing of Customer Data necessary for PostGrid to provide the Services and fulfill Customer’s documented instructions under the Underlying Agreement.
2.3 Customer Instructions.
PostGrid will process Customer Data only in accordance with:
- the Underlying Agreement and this DPA;
- Customer’s configuration and use of the Services; and
- additional written instructions provided by Customer and accepted by PostGrid.
PostGrid will notify Customer if PostGrid determines that an instruction violates applicable Data Protection Laws.
2.4 Restricted Data Types.
Customer shall not provide highly sensitive or regulated Personal Information (including health information, biometric data, government-issued identification numbers, or financial account numbers) unless expressly agreed in writing.
Protected Health Information is handled only pursuant to a separate Business Associate Agreement or healthcare addendum, where applicable.
3. Customer Responsibilities
Customer is responsible for:
- ensuring Customer Data is collected and disclosed to PostGrid in compliance with Data Protection Laws;
- obtaining all necessary consents and providing appropriate privacy notices;
- ensuring Customer Data does not violate applicable law or third-party rights;
- determining the lawfulness of its use of the Services; and
- implementing appropriate safeguards within its own systems and integrations.
Customer remains accountable under applicable Data Protection Laws for Personal Information under its control.
4. PostGrid Obligations
4.1 Confidentiality.
PostGrid will ensure that personnel authorized to Process Customer Data are bound by confidentiality obligations.
4.2 Security Measures.
PostGrid will implement and maintain reasonable administrative, technical, and physical safeguards appropriate to the sensitivity of Customer Data, designed to protect against loss, theft, unauthorized access, disclosure, copying, use, or modification, consistent with applicable Data Protection Laws.
These safeguards include, without limitation:
- encryption of Customer Data at rest and in transit;
- role-based access controls and multi-factor authentication;
- network security protections;
- monitoring and incident response procedures;
- vendor risk management processes; and
- regular security assessments and vulnerability testing.
PostGrid maintains SOC 2 Type II attestation and renews such attestation at least annually.
4.3 Use Limitation.
PostGrid will Process Customer Data only:
- to provide and support the Services;
- to maintain and improve the Services; and
- as otherwise permitted under the Underlying Agreement.
PostGrid will not sell, rent, or disclose Customer Data except as required to provide the Services or as required by law.
5. Subprocessors
5.1 Use of Subprocessors.
Customer authorizes PostGrid to engage affiliates and third-party subprocessors to support the performance of the Services.
5.2 Protections.
PostGrid will require subprocessors to be bound by written obligations that are no less protective of Customer Data than those set out in this DPA.
5.3 Subprocessor Information.
PostGrid will provide a list of active subprocessors upon reasonable request and subject to confidentiality obligations.
Customer acknowledges that PostGrid is not required to provide advance notice of new subprocessors and has no approval or objection rights with respect to subprocessors.
6. Cross-Border Transfers
Customer acknowledges that PostGrid may Process Customer Data in Canada, the United States, or other jurisdictions where PostGrid or its subprocessors operate.
Customer authorizes such cross-border transfers.
PostGrid will implement reasonable contractual and technical safeguards designed to ensure Customer Data remains protected in accordance with applicable Data Protection Laws.
Customer remains responsible for providing any required notice to individuals regarding cross-border Processing.
7. Personal Data Breaches
7.1 Notification.
If PostGrid confirms a Security Incident involving Customer Data, PostGrid will notify Customer without undue delay and will provide reasonably available information to enable Customer to meet any reporting or notification obligations under Data Protection Laws.
7.2 Cooperation.
PostGrid will take reasonable steps to mitigate the effects of the Security Incident and prevent recurrence.
PostGrid is not required to provide detailed forensic reports except where required by law or reasonably necessary for Customer’s compliance obligations.
8. Data Subject Rights Assistance
To the extent reasonably possible and required by applicable Data Protection Laws, PostGrid will assist Customer in responding to requests from individuals to access, correct, or otherwise exercise their rights in respect of Personal Information.
PostGrid may charge reasonable fees for excessive, repetitive, or unusual requests requiring significant manual effort.
9. Retention and Deletion
Upon termination of the Underlying Agreement or upon Customer’s written request, PostGrid will delete or return Customer Data within thirty (30) days, unless retention is required or permitted by law or necessary for legitimate business purposes such as security, billing, or fraud prevention.
Customer Data retained in backups will be deleted in accordance with PostGrid’s standard backup retention schedule.
This DPA does not restrict PostGrid’s ability to retain or use Aggregated Anonymous Data.
10. Government and Legal Requests
If PostGrid receives a legally binding request for access to Customer Data, PostGrid will notify Customer unless prohibited by law.
11. Audit Rights
Upon reasonable written request and no more than once per year, Customer may request information reasonably necessary to demonstrate PostGrid’s compliance with this DPA.
In lieu of any audits, PostGrid may provide its SOC 2 Type II report or equivalent third-party attestation.
Any audit must: (i) be conducted during normal business hours; (ii) be subject to confidentiality obligations; and (iii) not unreasonably interfere with PostGrid’s operations.
12. Governing Law
This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein, with exclusive jurisdiction in the courts located in Toronto, Ontario, unless the Underlying Agreement specifies otherwise.
13. Changes to this DPA
PostGrid may update this DPA from time to time to reflect changes in applicable Data Protection Laws, regulatory guidance, or processing practices.
Updates will be posted on the Legal Page and will not materially reduce PostGrid’s data protection obligations during an active Subscription Term without reasonable notice.
Customer’s continued use of the Services constitutes acceptance of the updated DPA.
Appendix A – Processing Details
Subject Matter:
Processing of Customer Data necessary to provide the Services.
Nature and Purpose:
Hosting, transmitting, validating, formatting, printing, mailing, and otherwise processing Customer Data as required to provide the Services and fulfill Customer’s instructions.
Categories of Data Subjects:
Customer’s employees, users, clients, customers, and other individuals whose data Customer submits to the Services.
Categories of Personal Information:
Names, mailing addresses, email addresses, contact information, account identifiers, device identifiers, and other Personal Information included in Customer Data.
Sensitive Information:
Not permitted unless expressly agreed in writing.
Duration:
For the term of the Underlying Agreement and any legally required retention period.

