← Back
BrokerPath
BrokerPath
Ontario's brokerage operating system
Template version — this document is an industry-standard SaaS template adapted for Ontario brokerages and is pending legal review. Use of BrokerPath is offered subject to its terms; if you require finalized legal documents before signing, contact legal@brokerpath.ca.

Data Processing Addendum

Effective: April 29, 2026

This Data Processing Addendum (“DPA”) supplements the Terms of Service between BrokerPath and the Customer brokerage. It describes how BrokerPath processes personal information on the Customer's behalf when the Customer is the controller of that information under PIPEDA and applicable Ontario law.

1. Definitions

  • Personal Information — information about an identifiable individual within the meaning of PIPEDA.
  • Process — any operation performed on Personal Information, including collecting, storing, accessing, transmitting, or deleting it.
  • Sub-processor — a third party engaged by BrokerPath to process Personal Information on the Customer's behalf.
  • Customer Data — data the Customer or its users submit to the Service, which may include Personal Information about agents, parties to a transaction, and third-party representatives.

2. Roles

With respect to Customer Data, the Customer is the controller and BrokerPath is the processor. BrokerPath will process Personal Information only on the Customer's documented instructions, which include the Terms of Service, this DPA, and the configuration of the Service through its standard interfaces.

3. Categories of data and individuals

  • Categories of individuals: the Customer's brokers, administrators, agents, accountants, and parties to real-estate transactions (buyers, sellers, lawyers, co-operating brokerages, referral sources).
  • Categories of Personal Information: identifiers (name, email), contact and address details, account credentials (hashed), commission and payment data, FINTRAC verification records, deal-related documents.
  • Sensitivity: some Personal Information is regulated (FINTRAC ID records, financial information). The parties acknowledge the heightened sensitivity and apply corresponding safeguards.

4. Purpose and duration

BrokerPath processes Personal Information solely to provide the Service to the Customer, to meet legal and regulatory obligations, and to maintain the security and integrity of the platform. Processing continues for as long as the Customer maintains an active subscription, plus the retention tail described in section 10.

5. Confidentiality

BrokerPath ensures that personnel authorized to process Personal Information are bound by appropriate confidentiality obligations, and limits access to those who require it to perform their duties.

6. Security

BrokerPath implements technical and organizational measures appropriate to the risk, including: TLS 1.3 in transit; encryption at rest at the storage layer; argon2id password hashing; mandatory two-factor authentication for privileged roles; row-level-security policies enforcing per-tenant isolation; an append-only, hash-chained audit log of privileged actions; least-privilege access controls; and rate-limiting of authentication endpoints. Specific controls are summarized on our Trust & Security page.

7. Sub-processors

The Customer authorizes BrokerPath to engage Sub-processors to provide the Service. Each Sub-processor is bound by written terms imposing data-protection obligations no less protective than this DPA. BrokerPath is responsible for the acts and omissions of its Sub-processors. The current list of Sub-processors is:

  • Vercel Inc. — application hosting (United States).
  • Neon Inc. — managed PostgreSQL database (Canadian region where available).
  • Vercel Blob — document and signature storage (United States).
  • Resend — transactional email delivery (United States).
  • Mapbox Inc. — address autocomplete (United States).
  • Stripe Inc. — subscription billing (United States and Canada). BrokerPath does not store full card numbers; Stripe is the controller of payment-card data.

BrokerPath will notify the Customer at least 30 days before adding or replacing a Sub-processor. The Customer may object on reasonable grounds; the parties will work in good faith to address the objection, and absent resolution the Customer may terminate the affected portion of the Service for convenience.

8. Cross-border transfers

Some Sub-processors process Personal Information outside Canada. BrokerPath relies on contractual safeguards with each Sub-processor and on the Customer's consent to such transfers in accordance with PIPEDA. The Customer is responsible for providing appropriate notice of cross-border processing to the individuals whose information it submits to the Service.

9. Individual rights

BrokerPath will, taking into account the nature of the processing, provide reasonable assistance through appropriate technical and organizational measures to enable the Customer to respond to requests from individuals to access, correct, or delete their Personal Information. Where an individual contacts BrokerPath directly, we will refer the request to the Customer.

10. Retention and deletion

On termination of the Customer's subscription, BrokerPath will make Customer Data available for export for 30 days. Thereafter, we will delete or de-identify Customer Data, except for records we are required to retain by law (notably RECO real-estate trust-record retention rules) and audit-log entries retained for the integrity of the platform.

11. Incident notification

BrokerPath will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a confirmed breach of security leading to the unauthorized destruction, loss, alteration, disclosure of, or access to Customer Personal Information. The notice will include known information sufficient to enable the Customer to meet its own breach-notification obligations under PIPEDA.

12. Audit

BrokerPath will respond to reasonable Customer requests for information necessary to demonstrate compliance with this DPA, including by providing summaries of internal security assessments and Sub-processor attestations. Where the Customer reasonably requires further audit, the parties will agree on scope, timing, and confidentiality. The audit must not unreasonably interfere with BrokerPath's operations or other customers' data.

13. Order of precedence

In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Personal Information, this DPA prevails.

14. Contact

Questions about this DPA? Email privacy@brokerpath.ca.

Privacy PolicyTerms of ServiceData Processing AddendumAcceptable Use Policy

Questions? legal@brokerpath.ca