Data Processing Addendum
Last updated: 2026-04-27 · Forms part of the Terms of Service for customers who require a DPA.
1. Roles
Under privacy laws (PIPEDA, GDPR, CCPA), you are the data controller for the personal data you upload to or generate through the service (your customers, their invoices, etc.). Kaizen Shift Inc. is the data processor acting on your instructions.
2. Subject matter and duration
We process personal data on your behalf for the duration of your account, plus up to 30 days after termination for backup/archive cleanup. Processing activities are limited to operating the service as described in our Terms and Privacy Policy.
3. Categories of data and data subjects
- Data subjects: your customers (the people you invoice), your team members (other users of your account), and you
- Categories: contact info (name, email, phone, address), financial info (invoice amounts, payment status), business activity (proposals, line items, notes)
4. Sub-processors
We use the following sub-processors. By using the service, you authorize their use:
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel, Inc. | Application hosting + edge network | USA |
| Supabase, Inc. | Database, authentication, real-time | USA / EU |
| Stripe, Inc. | Payment processing | USA |
| Anthropic, PBC | AI text generation | USA |
| Intuit, Inc. | QuickBooks sync (only if you connect) | USA |
| HighLevel, Inc. | GoHighLevel CRM sync (only if you connect) | USA |
| Google LLC | Gmail API for email delivery | USA |
We'll notify customers of new sub-processors at least 30 days before they start processing data. If you object, you may terminate the agreement before that date.
5. Security measures
We implement appropriate technical and organizational measures, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption at rest (Supabase + Vercel Blob)
- Row-Level Security policies enforcing tenant isolation in the database
- Service-role access to data restricted to server-side functions; no client-side access to other tenants' data
- Audit logging of operator-side impersonation sessions
- Principle of least privilege for staff access (currently a single administrator: Scott Curtis)
6. Data subject rights
If a data subject contacts us directly, we'll forward the request to you (the controller) and assist where reasonable. You're responsible for responding within the timeframes required by law (e.g., 30 days under GDPR).
7. Breach notification
If we discover a personal data breach affecting your data, we'll notify you without undue delay (target: within 48 hours), with the information you need to satisfy your own notification obligations.
8. International transfers
Sub-processors may transfer data outside Canada. Where required (EU/UK customers), we'll execute Standard Contractual Clauses with sub-processors that are not in adequacy-decision jurisdictions.
9. Audits
You may request, no more than once per 12 months, a summary of our security measures and a recent third-party assessment if available. On-site audits require advance written agreement and are at the customer's expense.
10. Return and deletion
On termination, you can export your data for 30 days. After that, we permanently delete personal data, except as needed to comply with law (e.g., financial records subject to retention requirements).
11. Order of precedence
If this DPA conflicts with the Terms of Service, this DPA controls for matters of personal data processing. Otherwise the Terms govern.
12. Contact
Data protection contact: scott@kaizenshift.com. Mail: Kaizen Shift Inc., 10238 103 St NW, Edmonton AB, Canada.