Data Processing Agreement
Last Updated: February 2, 2026
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
- "Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
- "Controller" means the entity that determines the purposes and means of processing Personal Data (the Customer).
- "Processor" means the entity that processes Personal Data on behalf of the Controller (Canira).
- "Sub-processor" means any third party engaged by the Processor to process Personal Data.
- "Data Subject" means the individual whose Personal Data is processed.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "UK GDPR" means the GDPR as incorporated into UK law by the Data Protection Act 2018.
2. Scope and Purpose
This DPA applies to the processing of Personal Data by Canira on behalf of the Customer in connection with the provision of the Canira webinar platform services.
The purpose of processing is to provide webinar hosting, video streaming, audience engagement, and related services as described in our Terms of Service.
3. Types of Personal Data Processed
The following categories of Personal Data may be processed:
| Data Category | Data Types | Data Subjects |
|---|---|---|
| Account Data | Name, email, password (hashed), profile picture | Hosts, Attendees |
| Contact Data | Email address, phone number (if provided for SMS) | Hosts, Attendees |
| Webinar Data | Chat messages, poll responses, Q&A content, attendance records | Attendees |
| Technical Data | IP address, browser type, device information | Hosts, Attendees |
| Audio/Visual Data | Video recordings, audio recordings (if enabled) | Hosts, Attendees (if on camera) |
| Payment Data | Billing information (processed by Stripe) | Hosts (subscribers) |
4. Processor Obligations
Canira as the Processor agrees to:
4.1 Processing Instructions
- Process Personal Data only on documented instructions from the Controller
- Inform the Controller if any instruction infringes GDPR or other data protection laws
- Not process Personal Data for any purpose other than providing the Service
4.2 Confidentiality
- Ensure that persons authorized to process Personal Data have committed to confidentiality
- Implement appropriate training for personnel handling Personal Data
4.3 Security Measures
Implement appropriate technical and organizational measures including:
- Encryption of Personal Data in transit and at rest
- Measures to ensure ongoing confidentiality, integrity, and availability
- Regular testing and evaluation of security measures
- Access controls and authentication mechanisms
- Regular security assessments and vulnerability testing
4.4 Sub-processors
- Not engage another processor without prior written authorization from the Controller
- Impose the same data protection obligations on Sub-processors
- Remain liable for Sub-processor compliance
- Maintain an up-to-date list of Sub-processors (see Section 8)
4.5 Data Subject Rights
Assist the Controller in responding to Data Subject requests to exercise their rights under GDPR:
- Right of access
- Right to rectification
- Right to erasure
- Right to restriction of processing
- Right to data portability
- Right to object
4.6 Data Breach Notification
- Notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach
- Provide sufficient information to allow the Controller to meet its obligations under GDPR
- Assist the Controller in investigating and mitigating the breach
5. Controller Obligations
The Controller agrees to:
- Ensure a lawful basis for processing Personal Data
- Provide clear instructions to the Processor
- Fulfill obligations to Data Subjects regarding their rights
- Maintain records of processing activities
- Ensure compliance with GDPR and applicable data protection laws
6. International Data Transfers
Personal Data may be transferred to and processed in countries outside the EEA/UK. When such transfers occur, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU Commission-approved SCCs for transfers to third countries without an adequacy decision
- UK Addendum: For transfers from the UK, we use the UK International Data Transfer Addendum to the SCCs
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by the European Commission
You may request a copy of the applicable transfer mechanism by contacting us at dpo@canira.io.
7. Data Retention and Deletion
Upon termination of the Service or upon the Controller's request, the Processor will:
- Delete or return all Personal Data to the Controller
- Delete existing copies unless storage is required by applicable law
- Certify deletion upon request
The Processor will complete deletion within 30 days of the request, unless a longer period is required to comply with legal obligations.
8. Sub-processors
The Controller authorizes the use of the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | USA (SCCs in place) |
| Twilio Inc. | SMS notifications | USA (SCCs in place) |
| Cloudflare, Inc. | Video streaming, CDN, security | USA (SCCs in place) |
| Supabase Inc. | Database hosting | USA (SCCs in place) |
| Resend, Inc. | Email delivery | USA (SCCs in place) |
We will notify Controllers of any intended changes to Sub-processors, giving Controllers the opportunity to object to such changes.
9. Audit Rights
The Controller has the right to audit the Processor's compliance with this DPA:
- Upon reasonable notice (at least 30 days)
- During normal business hours
- Subject to confidentiality obligations
- At the Controller's expense
The Processor will provide necessary information and access to demonstrate compliance with GDPR obligations.
10. Liability
Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of GDPR where such limitation would not be permitted under applicable law.
11. Term and Termination
This DPA remains in effect for the duration of the processing of Personal Data under the Terms of Service. The obligations regarding confidentiality and data protection shall survive termination.
12. Governing Law
This DPA shall be governed by the laws of the jurisdiction specified in the Terms of Service, except that GDPR and UK GDPR shall apply to the extent they govern the processing of Personal Data.
13. Company Information
Canira, Inc. is a Delaware C Corporation incorporated in the State of Delaware, United States. Our registered address is 131 Continental Dr, Suite 305, Newark, DE 19713, US. All references to "Canira" in this Data Processing Agreement refer to Canira, Inc.
14. Contact Information
For questions about this DPA or to exercise data protection rights:
Data Protection Officer
Canira, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713, United States
Email: dpo@canira.io
Website: https://canira.io
For EU residents, you also have the right to lodge a complaint with your local supervisory authority.
15. Amendments
This DPA may be amended to reflect changes in data protection laws or our processing activities. Material changes will be communicated to Controllers with at least 30 days' notice. Continued use of the Service after amendments constitutes acceptance.