This Data Processing Agreement ("DPA") is incorporated into and forms part of the agreement between Atlas Restaurant Management Systems Inc., doing business as "Actual" ("Actual"), and the Customer, consisting of the Terms of Service, any applicable Order Form, and any applicable Purchase Terms (collectively, the "Agreement"). "Customer" has the meaning given to it in the Terms of Service. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.
This DPA governs the processing of Personal Information by Actual on behalf of the Customer in connection with the Customer's use of the Actual Services and the Actual Platform.
For the purposes of this DPA, the parties acknowledge that:
1.1.
The Customer is the Controller of Personal Information and determines the purposes and means of processing Personal Information about its Permitted Users.
1.2.
Actual is the Processor of Personal Information and processes such Personal Information on behalf of the Customer solely as described in this DPA and the Agreement.
2.1.
“Personal Information” means any information about an identifiable individual as defined under PIPEDA and applicable provincial privacy legislation.
2.2.
“Processing” means any collection, use, storage, disclosure, retention, or disposal of personal information.
2.3.
“Permitted Users” means an individual whose personal information is processed under this DPA, including employees, contractors, and staff members of the Controller.
2.4.
“Sub-Processor” means any third party engaged by Actual to process personal information on behalf of the Controller.
2.5.
“Applicable Privacy Law” means PIPEDA and any other applicable Canadian federal or provincial privacy legislation in force from time to time.
| Element |
Description |
| Subject matter |
Provision of the Actual Services |
| Duration |
For the term of the Agreement, plus any applicable legal retention period |
| Nature of processing |
Collection, storage, use, disclosure, and deletion of personal information |
| Purpose |
Payroll processing, tip calculation and distribution, scheduling, operations management, payment disbursement, and related services |
| Categories of personal information |
Names, contact details, employment information, compensation and tip data, banking and direct deposit information, Social Insurance Numbers (payroll only), scheduling and attendance data, identity verification data (disbursement accounts), user activity logs |
| Categories of data subjects |
Employees, contractors, and staff members of the Controller |
Actual will:
4.1.
Follow Controller instructions. Process personal information only on documented instructions from the Controller, as set out in the Agreement and this DPA, unless required otherwise by applicable law.
4.2.
Limit access. Ensure access to personal information is limited to personnel who require it to deliver the services, and that such personnel are bound by appropriate confidentiality obligations.
4.3.
Implement security measures. Maintain technical and organizational security measures appropriate to the sensitivity of the personal information, including those described in the Actual Privacy Policy.
4.4.
Assist with data subject rights. Provide reasonable assistance to the Controller in responding to requests from data subjects exercising their rights under Applicable Privacy Law, taking into account the nature of the processing.
4.5.
Notify of breaches. Actual will notify the Controller of personal information breaches without undue delay and in any event within 72 hours. The notification will include information reasonably available to Actual at the time of notification
4.6.
Retention and Deletion. Actual retains personal information for up to seven (7) years, or for such a longer period as is required by law. On termination of the Agreement, Actual will return or delete personal information at the Controller's written request, except where retention is required by law or is necessary to establish, exercise, or defend legal claims. Aggregated Data is not subject to this Section
The Controller will:
5.1.
Ensure lawful collection. Collect personal information from data subjects in compliance with Applicable Privacy Law, including providing appropriate notice and obtaining any required consent before submitting data to the Actual platform. This includes informing employees that their personal information including SINs, banking details, and identity verification data may be shared with Actual and its authorized sub-processors for payroll and disbursement purposes.
5.2.
Maintain accuracy. Take reasonable steps to ensure that personal information submitted to Actual is accurate and up to date.
5.3.
Limit submissions. Submit only the personal information necessary for the services described in the Agreement.
5.4.
Handle data subject requests. Respond to data subject requests regarding personal information held by the Controller, and coordinate with Actual where Actual’s assistance is required.
5.5.
The Customer will indemnify Actual for any losses, penalties, or regulatory actions arising from Actual's processing of Personal Information in accordance with the Customer's instructions where those instructions violate Applicable Privacy Law, except to the extent Actual knew or should have known that the instruction was unlawful.
6.
Authorized Sub-Processors
The Controller grants Actual general authorization to engage sub-processors for the purposes described in this DPA, as updated from time to time.
6.1.
Sub-processor requirements. Actual enters into a written agreement with each sub-processor that includes data protection obligations appropriate for the nature of the processing and consistent with Applicable Privacy Law. Actual remains responsible for the acts and omissions of its sub-processors in relation to the processing of Personal Information under this DPA, subject to the limitations of liability in the Agreement.
The current list of authorized sub-processors including entity name, jurisdiction, purpose, and categories of data processed is available upon written request to legal@onactual.com. Actual maintains this list and makes it available at any time upon request.
Where personal information is transferred to a sub-processor or processed outside Canada, Actual ensures equivalent protections are in place through contractual safeguards consistent with PIPEDA’s accountability requirements.
Confidentiality obligations with respect to Personal Information and other confidential information exchanged under this DPA are governed by Section 7 of the Agreement.
This DPA is effective for the duration of the Agreement and terminates automatically upon its expiry or termination, subject to post-termination obligations under Section 4.6. Actual’s liability under this DPA is subject to the limitation of liability provisions in the Agreement which are incorporated herein by reference.
In the event of any conflict between this DPA and the Agreement with respect to the processing of personal information, this DPA governs. In all other respects, the Agreement continues to apply.
Actual may update this DPA to reflect changes in Applicable Privacy Law or sub-processor arrangements. Material changes will be communicated with reasonable notice. Continued use of the Actual platform following notice constitutes acceptance.
This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein. The Parties will initiate any action related to this DPA exclusively in the courts sitting in Toronto, Ontario, and irrevocably attorn to that jurisdiction.
Privacy Officer, Actual
Atlas Restaurant Management Systems Inc. d/b/a Actual
Email: legal@onactual.com