Effective Date: March 10, 2026
Last Updated: March 10, 2026
This Data Processing Addendum ("DPA") forms part of and is incorporated into the Ultimia Terms and Conditions and/or any master services agreement or order form between Customer and Ultimia (the "Agreement").
1. Parties and Scope
This DPA is entered into by and between:
- Customer (as defined in the Agreement); and
- Ultimia Inc. (Canada) and/or Ultimia LLC (Montana, United States), as the applicable Contracting Entity under the Agreement ("Ultimia").
This DPA applies where Ultimia processes Customer Personal Data on behalf of Customer in connection with the Services.
2. Definitions
For this DPA:
- "Controller," "Processor," "Business," "Service Provider," and equivalent terms have the meanings under applicable privacy laws.
- "Customer Personal Data" means personal data provided by or on behalf of Customer and processed by Ultimia solely to provide the Services.
- "Data Subject Request" means a request from an individual to exercise rights under applicable privacy law.
- "Subprocessor" means a third party engaged by Ultimia to process Customer Personal Data.
- "Security Incident" means unauthorized access to, or unauthorized acquisition, disclosure, alteration, loss, or destruction of Customer Personal Data in Ultimia systems.
3. Roles of the Parties
- Customer acts as controller/business for Customer Personal Data submitted to the Services, unless otherwise agreed.
- Ultimia acts as processor/service provider for that data.
- Each party will comply with obligations applicable to its role.
4. Processing Instructions and Purpose Limitation
Ultimia will process Customer Personal Data:
- only on documented instructions from Customer;
- only for the purposes of providing, securing, supporting, and improving the Services as permitted by the Agreement;
- only for lawful and documented processing activities.
Customer instructions are documented through the Agreement, in-product configuration, support requests, and other written instructions accepted by Ultimia.
5. Confidentiality
Ultimia will ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate privacy/security training relevant to their role.
6. Security Measures
Ultimia will implement and maintain reasonable administrative, technical, and organizational safeguards appropriate to risk, including controls for:
- access control and authentication;
- secure transmission and storage;
- logging and monitoring;
- vulnerability and incident management;
- backup and business continuity practices;
- data minimization and role-based access.
A baseline security control summary is included in Schedule B.
7. Subprocessors
Customer authorizes Ultimia to use Subprocessors to provide the Services.
Ultimia will:
- impose data protection obligations on Subprocessors consistent with this DPA;
- remain responsible for Subprocessor performance to the extent required by law and contract;
- maintain and provide, on request, a current list of material Subprocessor categories and key Subprocessors;
- provide at least 15 days' advance notice of a new material Subprocessor where reasonably practicable.
7.1 Objection Process
If Customer reasonably objects to a new material Subprocessor on documented privacy/security grounds, Customer must notify Ultimia during the notice period.
The parties will work in good faith to resolve the objection. If unresolved, Ultimia may offer a commercially reasonable alternative or Customer may terminate affected Services without penalty for the unused prepaid portion of those affected Services.
8. Cross-Border Data Transfers
Customer acknowledges Customer Personal Data may be processed in Canada, the United States, and other jurisdictions where Subprocessors operate.
Ultimia will use contractual and organizational safeguards reasonably designed to protect transferred data in accordance with applicable law.
Where required by law for specific jurisdictions, the parties will implement a recognized transfer mechanism (for example, standard contractual clauses or equivalent legal transfer terms).
9. Assistance with Data Subject Requests
To the extent required by law and taking into account the nature of the processing, Ultimia will provide reasonable assistance for Customer to respond to Data Subject Requests.
If Ultimia receives a Data Subject Request directly relating to Customer Personal Data, Ultimia may redirect the request to Customer unless legally prohibited.
10. Assistance with Compliance
Ultimia will provide reasonable assistance, taking into account the nature of the processing and available information, for Customer obligations related to:
- security of processing;
- breach notifications;
- privacy impact assessments and prior consultation where required.
11. Security Incident Notification
Ultimia will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Data processed by Ultimia.
Notice will include available information reasonably necessary for Customer's legal notifications and response, such as:
- incident nature and affected data categories (if known);
- likely consequences (if known);
- mitigation and remediation measures taken or proposed.
12. Return and Deletion
Upon termination or expiration of the Agreement, Ultimia will delete or return Customer Personal Data in accordance with the Agreement and applicable law, subject to:
- retention required by law;
- reasonable backup lifecycle and restoration constraints;
- security and fraud-prevention retention needs.
13. Audit and Information Rights
Upon reasonable request and subject to confidentiality safeguards, Ultimia will provide information reasonably necessary to demonstrate compliance with this DPA.
Any audit rights are subject to reasonable scope, timing, frequency, and security controls, and must avoid disruption to Ultimia systems and other customers.
14. CCPA/CPRA and Similar U.S. State Terms
Where applicable, Ultimia will not:
- sell Customer Personal Data;
- share Customer Personal Data for cross-context behavioral advertising;
- retain, use, or disclose Customer Personal Data outside the direct business relationship except as permitted by law and the Agreement.
Ultimia may process Customer Personal Data for business purposes permitted by law, including security, fraud prevention, service operation, and debugging.
15. Limitation of Liability
Liability under this DPA is subject to liability limitations and exclusions in the Agreement, unless prohibited by applicable law.
16. Order of Precedence
If there is a conflict between this DPA and the Agreement, this DPA governs for data protection matters only.
17. Governing Law
Governing law and venue follow the Agreement, unless mandatory law requires otherwise.
18. Contact
Privacy contact for DPA matters:
Schedule A: Processing Details
This Schedule A forms part of the DPA and may be updated by Order Form or documented product configuration.
A1. Subject Matter
Processing required to provide Ultimia SaaS services, membership/subscription functionality, credits usage workflows, support, security, and related operations.
A2. Duration
For the term of the Agreement plus limited retention periods described in the Agreement, Privacy Policy, and this DPA.
A3. Nature and Purpose of Processing
- account provisioning and authentication;
- workspace/project collaboration features;
- document/content processing and AI-assisted generation requested by Customer;
- billing, subscription, and credit usage operations;
- support, fraud prevention, abuse prevention, and security operations.
A4. Categories of Data Subjects
May include:
- Customer account users;
- Customer employees/contractors;
- Customer clients, contacts, interview participants, and other individuals whose data Customer submits.
A5. Categories of Personal Data
May include:
- identifiers and account data (name, email, role, auth metadata);
- organization/workspace/project data;
- communications/support content;
- uploaded content and generated outputs;
- transaction and billing metadata;
- technical and security log data.
A6. Sensitive Data
Customer must not submit regulated/sensitive categories unless explicitly supported and contractually authorized. If submitted, Customer is responsible for lawful basis and notices/consents.
Schedule B: Security Control Summary (Baseline)
Ultimia's baseline controls include, at minimum:
- least-privilege access control and credential governance;
- encryption in transit and at rest where technically appropriate;
- logging and monitoring for security-relevant events;
- vulnerability management and patching workflows;
- secure backup and recovery procedures;
- incident response procedures with escalation and communication channels.
Schedule C: Subprocessor List and Change Process
Ultimia maintains an internal Subprocessor register and can provide current material Subprocessors on request.
Any customer-specific subprocessor restrictions must be documented in writing in an Order Form or addendum.