
Data Processing Addendum

Effective: 2026-01-01 · Last updated: 2026-05-29

This Data Processing Addendum (the “DPA”) forms part of the Mortgage360 Terms of Service and governs Mortgage360’s processing of personal information that you (the “Customer”) upload to or generate within the Mortgage360 platform on behalf of borrowers, applicants, investors, and other individuals (collectively, “Customer Personal Information”). Where this DPA conflicts with the main Terms in respect of Customer Personal Information, this DPA controls.

This DPA is intended to satisfy our obligations under Canada’s PIPEDA and Quebec Law 25, and to function as a controller-to-processor agreement under Article 28 of the EU and UK General Data Protection Regulation (“GDPR”) where applicable.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms or in PIPEDA, Quebec Law 25, GDPR, CCPA / CPRA, or other applicable privacy law. For the avoidance of doubt:

  • Controller means the party that determines the purposes and means of processing — generally the Customer for Customer Personal Information.
  • Processor means the party that processes personal information on behalf of the Controller — Mortgage360 with respect to Customer Personal Information.
  • Sub-processor means a third party engaged by Mortgage360 to process Customer Personal Information.
  • Personal Information means information about an identifiable individual, including borrower applicant data, document content, identifiers, contact information, financial data, employment data, KYC artefacts, AML risk ratings, and any equivalent term under applicable law.

2. Roles, scope, and instructions

The Customer is the Controller of Customer Personal Information. Mortgage360 is the Processor acting on the Customer’s documented instructions. The documented instructions consist of:

  • The Terms of Service and this DPA
  • The Customer’s order form and configuration of the Services
  • Customer use of the platform’s features within their documented scope (deal management, document storage, AI assistant invocation, lender submission, reporting)
  • Any subsequent written instructions reasonably consistent with the above

Mortgage360 will inform the Customer if, in our opinion, an instruction infringes applicable privacy law, and we may decline that instruction. We will process Customer Personal Information only for the duration and purposes required to deliver the Services and to comply with our own legal obligations.

3. Categories of personal information and data subjects

The categories of personal information Mortgage360 processes on behalf of the Customer typically include:

  • Borrower / applicant identifiers (name, date of birth, photo ID details, SIN where collected, address, contact information)
  • Financial information (income, assets, liabilities, credit-bureau data where pulled, banking transaction extracts where uploaded)
  • Employment information (employer, role, tenure, T4 or NOA details where uploaded)
  • Property information (target address, valuation, type, MLS data where integrated)
  • KYC / KYB / AML information (verification artefacts, risk ratings, beneficial ownership records, adverse media findings)
  • Communication records (in-platform messages, emails, SMS, call recordings where enabled)
  • Investor and MIC member records (for lender / MIC tenants)
  • Audit and access metadata

The categories of data subjects include: mortgage applicants, co-applicants, guarantors, co-signers, beneficial owners of corporate borrowers, MIC investors and members, third-party contacts (lawyers, appraisers, lenders), and platform users (broker / agent staff).

4. Confidentiality and personnel

Every Mortgage360 employee or contractor with access to Customer Personal Information is bound by a written confidentiality obligation that survives termination of their engagement, has completed identity verification and a Canadian criminal background check, has completed annual security and privacy training, and has access on a least-privileged, role-based basis subject to continuous audit logging.

5. Security measures (technical and organizational)

Mortgage360 maintains administrative, technical, and physical safeguards designed to protect Customer Personal Information against unauthorized or unlawful processing, accidental loss, destruction, or damage. These include:

  • Encryption: AES-256-GCM at rest, TLS 1.3 in transit, customer-managed key options for enterprise tenants
  • Authentication: mandatory multi-factor authentication on all human accounts; step-up MFA on privileged operations; SAML SSO for enterprise tenants
  • Access control: least-privileged role-based access, tenant-level isolation, audit logging of all privileged operations
  • Network: private VPCs per environment, web application firewall, DDoS protection, intrusion detection
  • Vulnerability management: continuous automated scanning, quarterly third-party penetration testing, responsible disclosure program, monthly patch cadence
  • SDLC: mandatory code review, automated security testing in CI, dependency scanning, secrets scanning, signed releases
  • Operations: 24/7 on-call coverage, <30 minute initial response on Severity 1, defined runbooks
  • Audit: annual SOC 2 Type II audit (report available to qualifying customers under NDA); annual penetration test report
  • Business continuity: automated backups every 24 hours, cross-region replication, tested DR plan with documented RPO and RTO

Mortgage360 will not materially reduce the level of protection of these measures during the term.

6. Sub-processors

The Customer authorizes Mortgage360 to engage the sub-processors listed below to process Customer Personal Information. Each sub-processor is bound by a written contract that imposes data-protection obligations no less protective than those in this DPA.

Sub-processor | Purpose | Processing location | Transfer mechanism (where applicable)
--- | --- | --- | ---
Amazon Web Services Canada | Primary hosting, storage, and database for Canadian tenants | Canada (ca-central-1) | N/A (in-region)
Amazon Web Services US / EU | Hosting for tenants electing US or EU data residency | US (us-east-1, us-west-2) or EU (eu-central-1) | SCCs for EU → non-adequate transfers; PIPEDA-compliant DPA
Vercel Inc. | Edge delivery / CDN for marketing site and dashboard | Global edge network (TLS termination + caching) | SCCs / PIPEDA DPA
Anthropic, PBC | AI model inference for Harvey assistants | United States | SCCs / PIPEDA DPA; no model training on Customer Personal Information
Twilio Inc. | SMS and voice messaging where enabled by Customer | United States | SCCs / PIPEDA DPA
SendGrid (Twilio) | Transactional email | United States | SCCs / PIPEDA DPA
Stripe Inc. | Subscription billing and payment processing | United States and Canada | SCCs; Stripe acts as independent controller for payment processing
Sentry (Functional Software Inc.) | Error monitoring and observability | United States | SCCs / PIPEDA DPA; PII scrubbing applied at ingest
Equifax Canada / TransUnion Canada | Credit bureau retrieval where authorized by borrower | Canada | Acts as independent processor / controller under bureau’s terms
Filogix (Newton Connectivity Systems) | Lender connectivity and Origin integration where authorized | Canada | Independent controller / processor under Filogix terms

The current list is also available at all times on this page. We may update this list to add, remove, or substitute sub-processors. For material additions (a new category of sub-processor, or a sub-processor that processes a substantially new category of Customer Personal Information), we will give the Customer at least 30 days’ prior notice via in-product banner and email to the Customer’s billing contact.

If the Customer reasonably objects to a new sub-processor on data-protection grounds during the 30-day notice period, the Customer may terminate the affected portion of the Services and receive a pro-rata refund of unused prepaid fees for that portion.

7. International data transfers

By default, Customer Personal Information is stored in Canada. Where the Customer elects another residency region (US or EU) in the order form, or where processing necessarily occurs outside the elected region (notably AI assistant inference and certain communication services), Mortgage360 ensures the transfer is supported by an appropriate legal mechanism:

  • For transfers to countries deemed adequate by the European Commission or under PIPEDA principles, the adequacy decision supports the transfer
  • For other transfers from the EU/EEA / UK, the European Commission’s Standard Contractual Clauses (Module Two: controller-to-processor; Module Three: processor-to-sub-processor as applicable) and the UK International Data Transfer Addendum apply
  • For transfers from Quebec, we conduct privacy impact assessments before transfer as required by Quebec Law 25
  • Supplementary measures include encryption in transit and at rest, access logging, and contractual restrictions on government data requests

8. Data subject requests

Where Mortgage360 receives a request from a data subject relating to Customer Personal Information (access, correction, deletion, restriction, portability, objection to automated decision-making, or withdrawal of consent), we will:

  • Promptly notify the Customer of the request and not respond directly to the data subject ourselves, except to confirm receipt and direct the data subject to the Customer’s organization
  • Provide reasonable assistance to enable the Customer to respond, including by making available self-service tooling for export, redaction, deletion, and consent management
  • Provide additional assistance on a reasonable-cost basis where the request cannot be satisfied via self-service tooling

9. Personal information breach notification

Mortgage360 maintains a documented incident response program. In the event of a Personal Information breach (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Information), Mortgage360 will:

  • Notify the Customer’s designated security contact (or absent that, billing contact) within 72 hours of confirming the breach
  • Include in that notification: the nature of the breach, categories and approximate volume of personal information affected, likely consequences, mitigation steps taken or proposed, and a point of contact for follow-up
  • Cooperate with the Customer’s breach-notification obligations to data subjects and regulators
  • Maintain a breach record per applicable retention requirements

This obligation does not require the Customer to report a breach that does not meet the legal threshold under PIPEDA, GDPR, or other applicable law — that determination remains with the Customer as Controller.

10. Audit and assurance

Mortgage360 undergoes an annual SOC 2 Type II audit performed by an independent CPA firm. The SOC 2 Type II report is made available to qualifying enterprise Customers under NDA on request via [email protected].

The Customer may, no more than once per twelve-month period and at the Customer’s expense, conduct an audit of Mortgage360’s compliance with this DPA, subject to: reasonable advance written notice (at least 60 days), use of a mutually agreed independent auditor bound by confidentiality, conduct during business hours, and avoiding material disruption of Mortgage360’s operations or other customers’ data. The SOC 2 Type II report is accepted as fulfilling the audit obligation absent specific cause to require an on-site audit.

11. Return and deletion of customer personal information

On termination or expiry of the Services, the Customer may export Customer Personal Information via Mortgage360’s standard export tooling during a 30-day post-termination export window. After the export window, Mortgage360 will delete Customer Personal Information from active systems within 30 days, and from backups within an additional 90 days as backup cycles expire. The exception is audit log data, which is retained for 7 years to support FSRA, FINTRAC, and equivalent regulator standards, in de-identified or anonymized form where possible.

12. Cross-border investigatory requests

If Mortgage360 receives a binding legal request from a government authority (court order, subpoena, lawful production demand) seeking Customer Personal Information, we will:

  • Where lawful, give the affected Customer prompt notice and a reasonable opportunity to seek a protective order
  • Where prohibited from notifying the Customer, take reasonable steps to challenge overbroad requests and to seek to lawfully notify the Customer at the earliest permitted time
  • Disclose only the minimum personal information legally required
  • Publish an annual transparency report summarizing the volume and categories of government requests received

13. AI assistant processing

The Customer may invoke Mortgage360’s AI assistants (Harvey) in connection with the Services. When invoked, the relevant context (such as deal data, document content, or borrower information) is sent to the AI sub-processor (currently Anthropic, PBC) for inference and returned to the platform. Mortgage360 contractually prohibits the AI sub-processor from using Customer Personal Information for model training. AI assistant outputs are recommendations, not regulated decisions; the Customer retains responsibility for licensed human review of regulated outputs.

14. Governing law and conflicts

This DPA is governed by the laws of Ontario, Canada and the federal laws of Canada applicable in Ontario. In the event of conflict between this DPA and the Terms, this DPA controls for processing of Customer Personal Information. In the event of conflict between this DPA and Standard Contractual Clauses or other transfer instruments incorporated by reference, those instruments control as to their subject matter.

15. Contact

DPA questions and trust requests: [email protected]
Privacy: [email protected]
Security incidents: [email protected]
Data Protection Officer: [email protected]