Legal
Data Processing Agreement
Last updated: May 17, 2026
What this is. This is Fervor Studio's standard Data Processing Agreement (DPA) template, drafted to the mandatory elements of GDPR Article 28 with equivalent provisions of PIPEDA, Quebec Law 25, and CCPA noted in context. It governs engagements where Fervor handles personal information about a client's own end-customers on the client's behalf — for example, a Booked by Design build where leads flow through forms we configure, an email-automation setup where the client supplies a contact list, or analytics work where we are tasked to interpret data the client controls.
When this applies. The DPA is incorporated by reference into Fervor client work orders for engagements that involve personal-information processing. Either party can request that the DPA be countersigned as a separate executed document — many client compliance teams ask for this and we accommodate.
What this is NOT. This is not a DPA for the visitor data Fervor collects through fervorstudio.ca itself — that data is covered by our Privacy Policy, where Fervor is the controller, not a processor.
1. Parties and Roles
This DPA is between Fervor Group Inc. ("Fervor," "we," or "Processor") and the client identified in the underlying work order or service agreement (the "Client" or "Controller"). The Client is the controller of the personal information processed under this DPA; Fervor is the processor.
Where the engagement involves data subjects in California, Fervor acts as a "service provider" within the meaning of CCPA/CPRA. Where the engagement involves data subjects in Canada, Fervor acts as a third party to which personal information has been transferred for processing under PIPEDA's accountability principle (Principle 1, Schedule 1).
2. Subject Matter, Nature, Purpose, and Duration
Subject matter. Personal information about the Client's end-customers and prospective customers, supplied to Fervor or generated through Fervor-configured systems in the course of conversion-optimization, web-build, email-automation, or analytics engagements.
Nature of the processing. Collection (through forms Fervor builds), storage (in databases and SaaS platforms Fervor configures on the Client's behalf), transmission (between the Client's systems and the SaaS platforms used), and analysis (where the engagement includes analytics interpretation).
Purpose of the processing. The specific purposes described in the underlying work order — typically, generating qualified leads for the Client's business, automating follow-up communications the Client has consented to send, or producing analytics insights to improve the Client's marketing.
Duration. For the duration of the underlying engagement plus 30 days following termination for the purposes of returning or deleting data under Section 9.
3. Types of Personal Data and Categories of Data Subjects
Types of personal data. Names, email addresses, phone numbers, postal addresses, IP addresses, device and browser information, geolocation data derived from IP, referrer and campaign attribution data, and any other personal information the Client supplies or that is collected through Fervor-configured forms or analytics.
Special categories. The standard engagement does not involve special categories of personal data (health, financial, biometric, criminal-conviction, or other Article 9 GDPR categories). If a specific engagement would require us to handle special-category data, that engagement requires a separate written amendment to this DPA.
Categories of data subjects. The Client's prospective customers, current customers, and (where applicable) past customers.
4. Fervor's Obligations as Processor
Fervor will:
- Process on documented instructions only. We process personal information only on the Client's documented instructions, including with regard to transfers of personal information to a third country, unless required to do otherwise by Canadian law or another applicable law. Where such a legal requirement applies, we will inform the Client before processing unless that law prohibits the disclosure.
- Ensure confidentiality. Every person at Fervor authorized to process personal information under this DPA is bound by a written confidentiality commitment as a condition of their engagement.
- Implement appropriate security measures. We implement reasonable technical and organizational measures consistent with Article 32 GDPR and PIPEDA's safeguards principle. These include encryption in transit (HTTPS), access controls (role-based authorization), security-event logging on production systems, and rate limiting on public endpoints. A more detailed description is available on request.
- Engage sub-processors only under conditions. See Section 5 below.
- Assist with data-subject rights requests. We assist the Client, by appropriate technical and organizational measures, in responding to access, correction, deletion, portability, objection, and other data-subject rights requests under the applicable regime (PIPEDA, Quebec Law 25, GDPR, CCPA, or equivalent).
- Assist with breach notification and security obligations. We assist the Client with the obligations under Articles 32 to 36 GDPR (security, breach notification, breach communication, impact assessments, and prior consultation) and the equivalent obligations under PIPEDA and Quebec Law 25. Where we discover a breach of security safeguards affecting personal information processed under this DPA, we notify the Client without undue delay and provide the information needed for the Client to meet its own notification obligations.
- Return or delete data after the engagement. See Section 9.
- Make available the information needed to demonstrate compliance. On reasonable written request, we provide the Client with the information necessary to demonstrate compliance with this DPA and permit the compliance verification reviews described in Section 8.
5. Sub-Processors
The Client gives general authorization for Fervor to engage sub-processors in the delivery of the engagement, subject to the conditions in this Section.
Current sub-processors. Fervor's standard sub-processor list — Cloudflare (hosting and database), Stripe (payment processing, where applicable), Brevo (email delivery), Google (analytics and PageSpeed Insights), Microsoft (Clarity, where consented), Cal.com (scheduling), Storyblok (content management) — is documented in our Privacy Policy under Third-Party Services and Sub-Processors. The list there is the authoritative current list.
Changes to the sub-processor list. If we propose to add or replace a sub-processor that will materially affect the processing of the Client's personal information, we will notify the Client in advance. The Client may object on reasonable grounds within 30 days of notification, in which case Fervor and the Client will work in good faith to find an alternative solution. If no alternative is feasible, either party may terminate the affected portion of the engagement with prior written notice.
Sub-processor obligations. Each sub-processor is bound by a written contract that imposes data-protection obligations substantially equivalent to those imposed on Fervor under this DPA. Fervor remains fully liable to the Client for the performance of each sub-processor's obligations.
6. International Data Transfers
Fervor is established in Canada and the European Commission has issued an adequacy decision for Canadian commercial organizations under Article 45 GDPR, which means transfers from the EEA or UK to Fervor do not require additional safeguards. Where sub-processors process data outside Canada and outside an adequacy-recognized jurisdiction, those sub-processors maintain Standard Contractual Clauses (Article 46 GDPR) or rely on the EU–US Data Privacy Framework as applicable.
7. Data-Subject Rights Assistance
If a data subject contacts Fervor directly with a rights request relating to data processed on the Client's behalf, Fervor will not respond directly. We will inform the Client of the request promptly and assist the Client in fulfilling it within the timeline applicable to the data subject's jurisdiction.
8. Compliance Verification and Records
Fervor maintains records of processing activities sufficient to demonstrate compliance with this DPA. On reasonable written notice (typically 30 days) and not more often than once per calendar year (more often if required by a regulator or in response to a security incident), the Client or its appointed reviewer may request the information needed to verify Fervor's compliance with this DPA. Compliance reviews are conducted in a way that minimizes disruption to Fervor's operations and the operations of other clients. Fervor may satisfy these obligations through documentary evidence, third-party attestations, or sub-processor compliance reports where reasonable. This Section is intended to satisfy the verification requirement in GDPR Article 28(3)(h).
9. Return or Deletion of Data
On termination of the engagement, and at the Client's choice, Fervor will return all personal information processed under this DPA to the Client in a structured, commonly used technological format, or delete it. The Client must communicate its choice within 30 days of termination; absent that communication, Fervor will delete the data. Personal information that Fervor is required by law to retain (for example, breach records subject to PIPEDA's 24-month minimum retention) will be retained for the legally required period and then deleted.
10. Breach Notification
On becoming aware of a breach of security safeguards affecting personal information processed under this DPA, Fervor will notify the Client without undue delay — generally within 48 hours of discovery — and will provide the information necessary for the Client to meet its own notification obligations to regulators and data subjects. Fervor's breach-response protocol, including the PIPEDA "real risk of significant harm" assessment and the GDPR Article 33 72-hour timeline, is described in our Privacy Policy under Breach Notification Protocol.
11. Liability
Each party is liable to the other for damages caused by its breach of this DPA, subject to the liability cap in the underlying work order or service agreement. Where both parties contributed to the harm, liability is apportioned accordingly.
12. Conflict and Order of Precedence
In the event of a conflict between this DPA and any other agreement between Fervor and the Client, this DPA prevails on matters of personal-information processing. The remainder of the underlying agreement continues to govern other matters.
13. Governing Law
This DPA is governed by the laws of the Province of Alberta and the federal laws of Canada applicable therein. Where the underlying engagement is governed by a different jurisdiction's law, the parties may agree in writing to align this DPA with that law.
Requesting an Executed Copy
To request a countersigned version of this DPA for your records, or to discuss amendments specific to your engagement (special-category data, sector-specific obligations, particular sub-processor restrictions), email nenyi@fervorstudio.ca.