Data Processing Agreement

Name: TrackLoop
Rating: 5 (5 reviews)
Author: VIRTUALLIFE TECHNOLOGIES INC.

Last Updated: March 3, 2026

1.Parties & Scope

This Data Processing Agreement ("DPA") is entered into between VIRTUALLIFE TECHNOLOGIES INC. ("TrackLoop," "Processor," "we," "us," or "our"), the operator of the TrackLoop order management platform, and the subscribing organization ("Tenant," "Controller," "you," or "your") that has agreed to the TrackLoop Terms of Service.

This DPA supplements and forms part of the Terms of Service and Privacy Policy between TrackLoop and the Tenant. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to matters relating to the processing of Personal Data.

The Tenant acts as the Controller of Personal Data, determining the purposes and means of processing. TrackLoop acts as the Processor, processing Personal Data on behalf of the Controller solely as necessary to provide the TrackLoop platform and related services.

2.Definitions

The following terms have the meanings set forth below when used in this DPA:

Personal Data

Any information relating to an identified or identifiable natural person ("Data Subject"), including but not limited to names, email addresses, phone numbers, physical addresses, and any other data that can be used directly or indirectly to identify a person.

Processing

Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

Data Subject

An identified or identifiable natural person whose Personal Data is processed. In the context of TrackLoop, Data Subjects include tenant employees, administrators, and their end customers whose information is entered into the platform.

Sub-Processor

A third-party entity engaged by TrackLoop (the Processor) to assist in the processing of Personal Data on behalf of the Controller. Sub-Processors are bound by data protection obligations consistent with this DPA.

Security Incident

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. This includes both confirmed breaches and suspected incidents under investigation.

3.Processing Details

The following details describe the nature, purpose, and scope of data processing activities carried out by TrackLoop on behalf of the Controller:

Subject Matter: The provision of the TrackLoop order management platform, including order creation, tracking, production workflow management, customer relationship management, invoicing, and related services as described in the Terms of Service.
Duration of Processing: Processing will continue for the duration of the service agreement between TrackLoop and the Tenant, plus any retention period required by applicable law or as specified in the Termination section of this DPA.
Nature of Processing: Automated and manual processing, including collection, storage, retrieval, organization, use, and erasure of Personal Data through the TrackLoop platform. This includes real-time data synchronization, PDF generation, email delivery, and analytics processing.
Purpose of Processing: To provide, maintain, and improve the TrackLoop platform services, including order management, customer communications, document generation, reporting, and any other functionality described in the service agreement.
Types of Personal Data: • Contact information (names, email addresses, phone numbers, physical addresses)
• Order data (order details, product specifications, pricing, delivery information)
• Payment metadata (transaction references, billing addresses; note: full payment card data is processed by Stripe and never stored by TrackLoop)
• Usage data (login timestamps, feature usage, IP addresses, browser information)
Categories of Data Subjects: • Tenant employees and administrators who access and use the TrackLoop platform
• Customers of the Tenant whose information is entered into the platform for order management purposes

4.Security Measures

TrackLoop implements and maintains the following technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage:

Encryption in Transit

All data transmitted between clients and TrackLoop servers is encrypted using TLS 1.3 (Transport Layer Security). This ensures that data cannot be intercepted or tampered with during transmission over public networks.

Encryption at Rest

All stored data is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys). Database backups, file storage, and all persistent data stores employ at-rest encryption to protect against unauthorized physical or logical access.

Access Controls & Tenant Isolation

Role-Based Access Control (RBAC) is enforced at the application layer, ensuring users can only access data within their authorized tenant. Row-Level Security (RLS) policies in the database guarantee strict tenant isolation, preventing cross-tenant data access.

Automated Backups

Automated Supabase database backups are performed on a regular schedule. Backups are encrypted and stored in geographically separate locations to ensure data availability and disaster recovery capability.

Breach Notification Commitment

In the event of a confirmed Security Incident affecting Personal Data, TrackLoop commits to notifying the affected Controller within 72 hours of becoming aware of the incident. Details of our breach notification procedures are outlined in Section 7 of this DPA.

5.Sub-Processors

The Controller provides general authorization for TrackLoop to engage Sub-Processors to assist in providing the platform services. TrackLoop ensures that all Sub-Processors are bound by data protection obligations no less protective than those set forth in this DPA.

We maintain a current list of authorized Sub-Processors at /sub-processors. This list includes the identity, location, and role of each Sub-Processor.

TrackLoop will notify the Controller of any intended changes to Sub-Processors at least 30 days before the new Sub-Processor begins processing Personal Data. The Controller may object to the appointment of a new Sub-Processor by providing written notice within 14 days of receiving notification.

6.Data Subject Rights

TrackLoop will assist the Controller in fulfilling its obligations to respond to Data Subject requests exercising their rights under applicable data protection laws. The following rights are supported:

Right of Access: Data Subjects may request access to their Personal Data. TrackLoop will assist the Controller in responding to such requests within 30 days of receipt.
Right to Rectification: Data Subjects may request correction of inaccurate or incomplete Personal Data. The Controller can update records directly through the TrackLoop platform, or TrackLoop will assist upon request.
Right to Erasure: Data Subjects may request deletion of their Personal Data, subject to any legal retention obligations. TrackLoop will process erasure requests in accordance with the Controller's instructions and applicable law.
Right to Data Portability: Data Subjects may request their Personal Data in a structured, commonly used, and machine-readable format. TrackLoop supports data export in JSON and CSV formats.
Right to Withdraw Consent: Where processing is based on consent, Data Subjects may withdraw their consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

7.Breach Notification

In the event of a confirmed Security Incident that affects Personal Data processed on behalf of the Controller, TrackLoop will:

72-Hour Notification: Notify the Controller without undue delay and no later than 72 hours after becoming aware of the Security Incident, via email to the Controller's designated contact address.
Incident Details: Provide the following information as it becomes available:
- • The nature of the Security Incident, including the categories of data affected
- • The categories and approximate number of Data Subjects affected
- • The likely consequences of the Security Incident
- • The measures taken or proposed to address the Security Incident, including remediation steps
Regulatory Cooperation: Cooperate with the Controller and any applicable regulatory authorities, including the Office of the Privacy Commissioner of Canada (PIPEDA regulator), in the investigation, mitigation, and resolution of the Security Incident.

8.International Transfers

TrackLoop is a Canadian company. Some Personal Data may be processed in the United States through our authorized Sub-Processors (including cloud infrastructure and service providers). Where Personal Data is transferred outside of Canada, TrackLoop ensures that appropriate safeguards are in place:

Standard Contractual Clauses: Where required, TrackLoop uses Standard Contractual Clauses (SCCs) approved by applicable authorities to govern the transfer of Personal Data to countries that may not provide an adequate level of data protection.
Sub-Processor Certifications: Our Sub-Processors maintain industry-recognized security certifications, including SOC 2 Type II and PCI DSS compliance, ensuring that Personal Data is protected to a high standard regardless of processing location.
PIPEDA Compliance: All international transfers comply with the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA), ensuring that Personal Data receives a comparable level of protection when transferred outside of Canada.

9.Audit Rights

TrackLoop recognizes the Controller's right to verify compliance with this DPA. The following audit provisions apply:

Annual Security Attestation: TrackLoop will provide the Controller with a written security attestation on an annual basis, summarizing the technical and organizational measures in place and confirming compliance with this DPA.
Physical Audit Rights: The Controller may conduct or commission a third-party audit of TrackLoop's data processing activities, subject to providing at least 30 days' advance written notice. Audits shall be conducted during normal business hours and shall not unreasonably interfere with TrackLoop's operations.
SOC 2 Type II Reports: TrackLoop accepts SOC 2 Type II audit reports from its Sub-Processors as evidence of compliance with security obligations. These reports are available to the Controller upon request, subject to applicable confidentiality obligations.

10.Termination & Data Return

Upon termination or expiration of the service agreement between TrackLoop and the Controller, the following provisions apply to the handling of Personal Data:

Data Export Period: The Controller has 30 days from the effective date of termination to export their data from the TrackLoop platform or submit a written request for data return. TrackLoop supports data export in JSON and CSV formats.
Data Deletion: Following the 30-day export period, or upon the Controller's written request for deletion, TrackLoop will securely delete all Personal Data from its active systems. Deletion will be completed within 30 days of the request or the expiry of the export period.
Financial Record Retention: Notwithstanding the above, financial records (invoices, payment records, and transaction data) may be retained for up to 7 years as required by the Canada Revenue Agency (CRA) and applicable tax legislation.
Confirmation of Deletion: Upon request, TrackLoop will provide the Controller with written confirmation that all Personal Data has been securely deleted, except for data retained under legal obligations as described above.

11.Contact

For questions or concerns regarding this Data Processing Agreement, or to exercise any rights described herein, please contact our Privacy Officer:

Privacy Officer:: VIRTUALLIFE TECHNOLOGIES INC.
Email:: privacy@trackloop.ca

Related Policies