Nova System Inc.

Data Processing Addendum

Supplements the Master Subscription Agreement to address PIPEDA, GDPR/UK GDPR, and U.S. state privacy obligations.

Effective May 14, 2026 · Version 1.0

1. Background and scope

This Data Processing Addendum ("DPA") is entered into between Nova System Inc. ("Nova System", "Processor") and the Firm identified in an Order Form or sign-up flow ("Customer", "Controller") and forms part of the Master Subscription Agreement ("MSA"). In the event of a conflict between the MSA and this DPA in respect of personal information, this DPA prevails.

This DPA applies to Nova System's processing of personal information that the Customer or its Authorized Users submit to, store in, or transmit through the Meridian platform (the "Personal Data"). It addresses obligations under the Personal Information Protection and Electronic Documents Act of Canada ("PIPEDA"), the British Columbia Personal Information Protection Act ("BC PIPA"), the Quebec Act to modernize legislative provisions as regards the protection of personal information ("Law 25"), the EU General Data Protection Regulation 2016/679 ("GDPR"), the United Kingdom GDPR ("UK GDPR"), the California Consumer Privacy Act, as amended ("CCPA"), and other applicable privacy laws ("Data Protection Laws").

2. Definitions

Capitalized terms used but not defined have the meanings given in the MSA or in the applicable Data Protection Law. "Controller", "Processor", "Data Subject", "Personal Data Breach", "Processing", "Special Categories of Personal Data", "Service Provider", and similar terms have the meanings ascribed by the applicable Data Protection Law.

3. Roles of the parties

The Customer is the Controller (or, where the Customer is itself a processor, the controller's processor) for Personal Data submitted to the Service. Nova System is the Processor and, with respect to its sub-processors, the controller for engaging them. Each party will comply with its obligations under the applicable Data Protection Laws.

4. Scope and details of processing

Subject matter: Provision of the Meridian platform, including the Polaris desktop, the Aurora mobile companion, the Island Bar widget, and related services.
Duration: The Subscription Term, plus the retention window described in the MSA and this DPA.
Nature and purpose: Storing, organizing, retrieving, consulting, using, disclosing, transmitting, combining, and erasing Personal Data to deliver the Service to the Customer.
Categories of Data Subjects: Authorized Users of the Firm; Firm Clients (immigration applicants, sponsors, employers); third parties identified in Firm Client matters (family members, references, employers, agents); visitors to a Firm's website who interact with the Island Bar.
Categories of Personal Data: Identification (name, date of birth, contact), citizenship and immigration status, travel and residence history, education and employment history, family relationships, communication content, documents and identifiers contained in immigration files, financial information necessary to support cases, photos and signatures, and other case-related personal information that the Firm chooses to upload.
Special categories: Where the Firm chooses to upload them, the categories may include data revealing health, biometric identifiers in identity documents, criminal record information related to admissibility, and information revealing racial or ethnic origin or religion to the extent reflected in passports, visas, and adjudicator decisions.
Frequency: Continuous during the Subscription Term.

5. Customer instructions

Nova System will process Personal Data only on the documented instructions of the Customer, including transfers, unless required to do otherwise by law (in which case Nova System will inform the Customer of the legal requirement before processing, unless prohibited by law). The MSA, this DPA, the Customer's configuration of the Service, and the Customer's use of the Service together constitute the Customer's documented instructions. Nova System will inform the Customer if, in its opinion, an instruction infringes a Data Protection Law.

6. Personnel and confidentiality

Nova System ensures that its personnel authorized to process Personal Data are (a) committed to confidentiality under contract or statute, (b) trained on data protection requirements appropriate to their role, and (c) granted access on a least-privilege, need-to-know basis.

7. Security

Nova System implements and maintains technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Measures include those summarized in the Security Overview and Annex 2 to this DPA, including encryption in transit, encryption at rest, identity and access management, audit logging, network protections, application security, vulnerability management, secure development practices, backup and disaster recovery, and incident response.

8. Sub-processors

8.1 Authorization

The Customer authorizes Nova System to engage sub-processors to provide the Service. The current sub-processor list is maintained at /legal/sub-processors.

8.2 New sub-processors

Nova System will provide at least thirty days' advance notice of any new sub-processor by updating the sub-processor page and, where the Customer has subscribed to notifications, by email. The Customer may object on reasonable grounds related to data protection by emailing privacy@thenovasystem.com within the notice period. If Nova System cannot reasonably accommodate the objection, the Customer may terminate the affected portion of the Service for cause and receive a pro-rated refund of pre-paid unused fees.

8.3 Sub-processor obligations

Nova System imposes on each sub-processor written obligations no less protective than those in this DPA. Nova System remains liable to the Customer for the acts and omissions of its sub-processors to the same extent as for its own acts and omissions.

9. Assistance to the Customer

Taking into account the nature of the processing, Nova System will assist the Customer in fulfilling its obligations under Data Protection Laws, including:

  • responding to requests from Data Subjects exercising their rights;
  • conducting data protection impact assessments and prior consultations with supervisory authorities;
  • notifying Personal Data Breaches as set out in Section 10; and
  • providing information needed to demonstrate compliance with Article 28 of the GDPR (or equivalent provisions under other Data Protection Laws).

Nova System may charge a reasonable fee for assistance that is beyond what is contemplated by ordinary Service use, on prior notice to the Customer.

10. Personal Data Breach

Nova System will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to be taken. Information may be provided in phases as it becomes available. The Customer remains responsible for any notification to Data Subjects and to regulators, with Nova System's assistance.

11. Data Subject requests

Where Nova System receives a request from a Data Subject relating to Personal Data it processes for the Customer, Nova System will not respond directly unless required by law. Nova System will, without undue delay, forward the request to the Customer and, on the Customer's instruction, assist in responding.

12. International transfers

Personal Data may be transferred to and processed in jurisdictions outside Canada, the EEA, and the UK. Where required by Data Protection Laws, Nova System uses appropriate safeguards, including:

  • EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two for controller-to-processor or Module Three for processor-to-processor), incorporated by reference and completed as set out in Annex 1.
  • UK International Data Transfer Addendum to the EU SCCs.
  • Swiss Federal Data Protection and Information Commissioner guidance for transfers originating in Switzerland.
  • Internal cross-border policies reflecting PIPEDA and BC PIPA guidance.

Where the parties also enter into a separate transfer mechanism (for example, a country-specific data transfer agreement), that mechanism prevails over this section to the extent of any conflict on transfers.

13. Audit rights

Nova System will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports and attestations described in the Compliance Attestations page. The Customer may, on reasonable prior notice and no more than once per year (except in the event of a material Personal Data Breach), request a written response to a security questionnaire. On-site audits are reserved for circumstances mandated by Data Protection Law or by a supervisory authority and are subject to confidentiality and reasonable scoping to avoid disruption to the Service.

14. Deletion and return

On termination or expiration of the Subscription Term, the Customer may export Personal Data through the Service. After the thirty-day grace period described in the MSA, Nova System will delete or anonymize Personal Data, except (a) backup copies, which roll over within the retention window described in the Security Overview, (b) Personal Data that Nova System is required by law to retain, and (c) aggregated or de-identified information that does not identify any Data Subject. Nova System will, on request, certify deletion in writing.

15. Liability

The liability of each party under this DPA is subject to the limitation of liability provisions of the MSA. To the extent permitted by Data Protection Law, the parties agree that the cap and exclusions of the MSA apply in aggregate to claims under both the MSA and this DPA.

16. Conflict and order of precedence

In case of conflict between the MSA and this DPA in respect of Personal Data, this DPA prevails. In case of conflict between this DPA and the Standard Contractual Clauses incorporated into Annex 1, the Standard Contractual Clauses prevail. All other provisions of the MSA remain in full force and effect.

17. Term

This DPA takes effect on the same date as the MSA and remains in effect for as long as Nova System processes Personal Data on behalf of the Customer. Sections that by their nature should survive (including international transfer safeguards, audit, return and deletion, and liability) will survive termination.

18. Notices and contact

Privacy contact for Nova System: privacy@thenovasystem.com. Notices under the Standard Contractual Clauses or any country-specific transfer mechanism should be sent to the same address with a copy to legal@thenovasystem.com.

Annex 1 — Transfer mechanisms

A. Parties

Data exporter: the Customer identified in the Order Form. Data importer: Nova System Inc. Activities: as described in Section 4. Roles: Module Two (Controller to Processor) where the Customer is a controller; Module Three (Processor to Processor) where the Customer is itself a processor.

B. Description of transfer

See Section 4 of this DPA for the categories of Data Subjects, categories of Personal Data, frequency, retention, and competent supervisory authority. Sensitive data: only as the Customer chooses to upload, with the restrictions defined by case-related immigration matters.

C. Competent supervisory authority

For transfers governed by the EU SCCs, the supervisory authority of the Member State of the Customer's lead establishment or, if none, of the Member State in which the Data Subjects are located.

D. UK Addendum

The parties incorporate the UK International Data Transfer Addendum, Version B1.0. The information in Tables 1, 2, and 3 of the Addendum is drawn from this DPA. The parties select "neither party" for the option in Table 4 (parties that may terminate the Addendum where the Approved Addendum changes).

Annex 2 — Technical and organizational measures (summary)

  • Identity and access — least-privilege access, role-based access controls, mandatory multi-factor authentication for administrative access, periodic access reviews.
  • Encryption — TLS in transit (current industry minimums), authenticated encryption at rest for stored Personal Data, customer-supplied keys not currently offered for general accounts.
  • Network and infrastructure — segmented production network, deny-by-default ingress, denial-of-service mitigations, web application firewall, edge rate limiting.
  • Application security — secure development lifecycle, code review, dependency scanning, secret scanning, static and dynamic analysis where applicable, vulnerability triage.
  • Logging and monitoring — security-relevant events logged, log integrity protected, alerting on anomalous events, audit trails of administrative actions.
  • Vulnerability management — scheduled patching, expedited response for critical vulnerabilities, coordinated disclosure program.
  • Personnel — background checks where lawful, confidentiality undertakings, security training, formal off-boarding.
  • Sub-processor governance — diligence on engagement, contractual flow-down of obligations, periodic review.
  • Incident response — documented runbooks, customer notification within the timeframe required by the DPA.
  • Backups and resilience — encrypted backups, retention aligned to the recovery objectives, disaster recovery testing.
  • Data lifecycle — documented retention and deletion schedules, secure decommissioning of storage media.
© 2026 Nova System Inc.