Data Protection Addendum

Effective Date: May 22, 2026  ·  Last Updated: May 22, 2026

This DPA forms part of the CATAAM Terms of Service between TheMarkups Canada Inc. and the Customer. It applies wherever CATAAM processes Personal Data on the Customer's behalf.

1. Definitions

For the purposes of this Data Protection Addendum ("DPA"), the following terms have the meanings given below. Terms not defined here carry the meaning given in the CATAAM Terms of Service.

  • Controller — the natural or legal person who determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA, the Customer is the Controller.
  • Processor — a natural or legal person who processes Personal Data on behalf of a Controller. For the purposes of this DPA, TheMarkups Canada Inc. (operating as CATAAM) is the Processor.
  • Personal Data — any information relating to an identified or identifiable natural person ("Data Subject"), including names, email addresses, IP addresses, and any other data the Customer uploads to or generates within the Service.
  • Processing — any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.
  • Sub-processor — any third party engaged by the Processor to carry out Processing activities on behalf of the Controller.
  • Data Subject — an identified or identifiable natural person whose Personal Data is processed under this DPA.
  • Applicable Data Protection Law — all applicable laws and regulations relating to the processing of Personal Data, including but not limited to the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial equivalents, and any other applicable national data protection legislation.
  • Standard Contractual Clauses ("SCCs") — the European Commission's standard contractual clauses for the transfer of Personal Data to third countries, as adopted by Commission Implementing Decision (EU) 2021/914.
  • Security Incident — any confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Roles and Scope

This DPA applies to all Processing of Personal Data carried out by CATAAM as Processor in the course of providing the Service to the Customer as Controller. The Customer is responsible for the lawfulness of all Personal Data it submits to the Service, including ensuring it has a valid legal basis for processing under Applicable Data Protection Law.

Where CATAAM processes Personal Data for its own purposes (e.g. account administration, billing, platform security), it acts as a Controller and such processing is governed by the Privacy Policy rather than this DPA.

3. Details of Processing

The following describes the Processing activities carried out under this DPA:

Element | Details
Subject matter | Provision of the CATAAM GRC, iASM, and BAS platform to the Customer
Duration | For the term of the Customer's subscription, plus any post-termination retention period described in Section 11
Nature of processing | Collection, storage, retrieval, analysis, display, export, and deletion of Customer Data uploaded to or generated by the Service
Purpose of processing | Enabling the Customer to manage compliance evidence, audit tests, security findings, and related workflows; automated evidence harvesting from connected integrations
Types of Personal Data | Names; email addresses; job titles; IP addresses; access logs; audit evidence documents; integration credentials (encrypted at rest); any other Personal Data included in Customer-uploaded files or evidence
Categories of Data Subjects | Customer's employees, contractors, auditors, clients (for Partner accounts), and any natural persons referenced in compliance evidence submitted to the Service

4. Processor Obligations

CATAAM shall, as Processor:

  • Process Personal Data only on documented instructions from the Customer, including those set out in this DPA and the Terms of Service, unless required to do so by applicable law (in which case CATAAM will inform the Customer before processing, unless prohibited from doing so).
  • Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.
  • Implement and maintain the technical and organisational security measures described in Section 8.
  • Assist the Customer, at the Customer's cost, in responding to Data Subject requests exercising rights under Applicable Data Protection Law, including access, rectification, erasure, restriction, portability, and objection.
  • Notify the Customer without undue delay (and in any event within 72 hours of becoming aware) of any confirmed Security Incident affecting Personal Data processed under this DPA.
  • Make available to the Customer all information necessary to demonstrate compliance with this DPA and contribute to audits as described in Section 10.
  • At the Customer's election, delete or return all Personal Data upon termination of the Service, subject to Section 11.
  • Not sell, rent, or disclose Personal Data to any third party for their own commercial purposes.

5. Customer Obligations

The Customer shall, as Controller:

  • Ensure it has a valid legal basis for processing each category of Personal Data submitted to the Service under Applicable Data Protection Law.
  • Provide CATAAM with all instructions necessary to perform the Processing, and ensure those instructions are lawful.
  • Respond promptly to Data Subject requests that CATAAM escalates, and provide CATAAM with any direction needed to fulfil those requests.
  • Ensure its use of the Service complies with the Acceptable Use Policy and all Applicable Data Protection Law.
  • Maintain appropriate records of processing activities as required by Article 30 GDPR or equivalent obligations.

6. Sub-processors

The Customer grants CATAAM general authorisation to engage Sub-processors for the purpose of providing the Service. CATAAM's current list of Sub-processors is maintained at cataam.com/legal/sub-processors and includes:

Sub-processor | Purpose | Location
Amazon Web Services (AWS) | Cloud hosting, storage, and infrastructure | Canada (ca-central-1 primary); US failover
Stripe | Payment processing and billing | United States
SendGrid (Twilio) | Transactional email delivery | United States
Atlassian (Forge) | Jira integration compute (Forge serverless) | Atlassian cloud (global)

CATAAM will inform the Customer of any intended addition or replacement of Sub-processors by updating the sub-processor list and notifying the Customer by email at least 14 days before the change takes effect. The Customer may object to a new Sub-processor within that period by contacting privacy@themarkups.com. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Service without penalty.

CATAAM ensures that each Sub-processor is bound by data protection obligations at least equivalent to those in this DPA.

7. Data Subject Rights

Where CATAAM receives a request directly from a Data Subject exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection), CATAAM will promptly forward that request to the Customer. CATAAM will not respond to such requests on the Customer's behalf without explicit written instruction.

CATAAM provides the following mechanisms to assist the Customer in fulfilling Data Subject rights:

  • Customer admins may export all Customer Data from the platform at any time via the Settings → Data Export function.
  • Customer admins may permanently delete user accounts and associated Personal Data via the Settings → Members panel.
  • Customers may submit a deletion request to privacy@themarkups.com for data not accessible through the self-service interface.

8. Technical and Organisational Security Measures

CATAAM implements the following measures to protect Personal Data processed under this DPA:

Category | Measure
Encryption at rest | AES-256 encryption for all Customer Data stored on AWS (RDS, S3)
Encryption in transit | TLS 1.2+ enforced for all API and web connections; HSTS enabled
Access control | Role-based access control (RBAC) with least-privilege; multi-factor authentication enforced for all CATAAM staff
Credential storage | Integration secrets (API keys, webhook secrets) stored as encrypted secrets; never logged in plaintext
Network security | VPC isolation; private subnets for databases; WAF and DDoS protection at edge
Vulnerability management | Continuous dependency scanning; quarterly penetration testing; ASM monitoring of production endpoints
Incident response | Documented Security Incident Response Plan; on-call rotation; 72-hour Customer notification SLA
Backups | Automated daily encrypted backups retained for 30 days; cross-region replication for disaster recovery
Audit logging | Immutable audit logs for all privileged access and data operations, retained for 12 months
Vendor risk | Annual security review of all Sub-processors; contractual security obligations flowed down

CATAAM reviews and updates these measures on at least an annual basis and following any material change to infrastructure or threat landscape.

9. International Data Transfers

CATAAM's primary infrastructure is located in Canada (AWS ca-central-1), which the European Commission has recognised as providing an adequate level of protection for Personal Data under GDPR Article 45.

Where Personal Data is transferred to Sub-processors located in countries without an adequacy decision (e.g., the United States), CATAAM ensures such transfers are protected by Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914, or an equivalent approved transfer mechanism.

For transfers from the UK, CATAAM relies on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable.

Upon request, CATAAM will provide the Customer with copies of the SCCs in place with relevant Sub-processors. Contact privacy@themarkups.com.

10. Audit Rights

CATAAM will make available to the Customer, upon written request, all information reasonably necessary to demonstrate CATAAM's compliance with this DPA, including:

  • Summary results of third-party security audits or penetration tests (subject to confidentiality redaction)
  • SOC 2 Type II report, where available
  • Responses to standard security questionnaires (SIG, CAIQ, or equivalent)

If the Customer requires an on-site or technical audit beyond the above, the parties must agree on scope, timing, and cost in advance. Audits must be conducted with reasonable notice (not less than 30 days), during business hours, and without unreasonably disrupting CATAAM's operations. The Customer bears the cost of any such audit unless the audit reveals a material breach of this DPA.

11. Data Return and Deletion

Upon expiry or termination of the Customer's subscription, CATAAM will:

  • Retain Customer Data in a read-only state for 90 days to allow the Customer to export their data.
  • Permanently delete all Customer Personal Data from production systems within 30 days after the retention period ends.
  • Delete Customer Data from backup systems within 90 days of the deletion from production (the cycle time of backup rotation).
  • Upon written request, provide the Customer with a written confirmation of deletion.

CATAAM may retain anonymised, aggregated data derived from Customer Data (which cannot be used to identify any individual) for product improvement purposes after deletion.

CATAAM may also retain certain data where required by applicable law (e.g., financial records under tax law), in which case CATAAM will inform the Customer of the categories and duration of such retention.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the CATAAM Terms of Service. Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud, or any other liability that cannot be limited under applicable law.

Where a Supervisory Authority imposes a fine or administrative sanction arising from a breach of Applicable Data Protection Law, the party responsible for that breach shall bear the cost of such sanction.

13. Term and Termination

This DPA takes effect on the date the Customer first accepts the CATAAM Terms of Service (or, for existing customers, on the DPA Effective Date above) and remains in force for as long as CATAAM processes Personal Data on the Customer's behalf.

This DPA automatically terminates when the underlying Terms of Service terminate, except that obligations relating to data deletion, confidentiality, and audit rights survive termination for the periods specified above.

14. Governing Law

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada, without regard to conflict of law principles — consistent with the governing law of the Terms of Service.

Notwithstanding the above, where the Customer is subject to GDPR or UK GDPR and a dispute arises in connection with those obligations, the parties agree that the courts of England and Wales shall have non-exclusive jurisdiction over such dispute.

15. Contact

Questions about this DPA, data subject requests, or requests for audit documentation should be directed to:

TheMarkups Canada Inc.
Kitchener, Ontario, Canada
Email: privacy@themarkups.com