Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Controller") and Beaver Wood Care Inc. operating as Pitch2Retail ("Operator", "Processor"). It governs the processing of personal data by the Operator on behalf of the Customer in connection with the Pitch2Retail service.
1. Roles & responsibilities
The Customer is the data controller for personal data they upload, generate, or otherwise process through Pitch2Retail (e.g. recipient contact data in audiences, brand profile, sent pitches). Pitch2Retail is the data processor in respect of that data.
For data we collect about the Customer themselves (account email, password hash, billing info), Pitch2Retail is the controller. That processing is governed by our Privacy Policy.
2. Subject matter, duration, nature, purpose
| Field | Detail |
|---|---|
| Subject matter | Provision of the Pitch2Retail outreach platform: contact sourcing, AI pitch generation, email sending, reply intelligence, attribution. |
| Duration | For the duration of the Customer's subscription, plus 30 days for deletion (or longer if required by law). |
| Nature | Storage, retrieval, AI processing, transmission via email. |
| Purpose | Enable B2B outreach campaigns for Customer's brand. |
| Categories of data subjects | (a) Customer's recipient contacts (retail buyers — typically business email + role + company); (b) Customer's own employees / users. |
| Categories of personal data | Names, business email addresses, business phone, role/title, company, company address, LinkedIn URL. |
| Special categories | None. Pitch2Retail must not be used to process special-category data (health, religion, political opinions, biometrics) per Section 9. |
3. Operator's obligations
Operator commits to:
- Process personal data only on Customer's documented instructions (use of the platform constitutes such instructions)
- Ensure all personnel with access are bound by confidentiality
- Implement appropriate technical and organizational measures (TOMs) — see Annex 1
- Engage sub-processors only with Customer's general written authorization (Annex 2)
- Assist Customer in fulfilling data subject rights (access, rectification, deletion, portability)
- Notify Customer of personal data breaches within 72 hours of becoming aware
- Delete or return all personal data at end of services, at Customer's choice
- Make available all information necessary to demonstrate compliance, and allow audits (with reasonable notice)
4. International transfers
All Customer data is stored at rest in Canada (DigitalOcean Toronto). For AI features, prompt content is transmitted to Anthropic in the United States. Where required, the parties rely on Standard Contractual Clauses (EU 2021/914, UK Addendum) as the transfer mechanism. The full SCC text is incorporated by reference and available on request.
5. Customer obligations
Customer warrants and represents that:
- It has a lawful basis (consent, legitimate interest, contractual necessity) for the personal data it uploads or generates through the service
- For B2B outreach, it relies on legitimate interest under GDPR Art. 6(1)(f) and CASL s.10(9), and respects opt-outs
- It will not upload special-category data, children's data (under 13/16 depending on jurisdiction), or data acquired through unlawful scraping
- It will comply with all applicable laws including but not limited to GDPR, UK GDPR, CASL, CAN-SPAM, PIPEDA
6. Data subject rights
If a data subject submits a request directly to the Operator, the Operator will forward it to the Customer within 7 days unless the Operator is otherwise obliged to respond directly. The Operator will assist the Customer (at Customer's reasonable expense) in responding within statutory time limits.
7. Sub-processors (Annex 2)
The Customer authorizes the Operator to engage the sub-processors listed in our public sub-processor list. Operator will notify Customer of any new sub-processors via email (at least 14 days in advance), and Customer may object in writing within 14 days of notice; if Operator cannot reasonably accommodate, Customer may terminate the affected service.
8. Security measures (Annex 1)
Detailed at security.html. Summary:
- TLS 1.3 in transit; AES-256 at rest; bcrypt for passwords; AES-256-GCM for API keys/tokens
- Tenant isolation enforced at every API endpoint
- Production access requires SSH key + 2FA + private network
- Backups encrypted, stored in Canada, retained 30 days
- Vulnerability disclosure program (security@pitch2retail.com)
9. Liability and term
This DPA enters into force on the effective date of the Customer's subscription and remains in force as long as Operator processes personal data on Customer's behalf. Liability is governed by the Terms of Service. In the event of conflict between this DPA and the Terms, this DPA prevails for matters of personal data processing.
10. Governing law
British Columbia, Canada. For data subjects in the EU/UK, supervisory authority complaints follow the data subject's home-country data protection authority.
For a counter-signed PDF version: email hello@pitch2retail.com with your account email. We process Growth+ DPA requests within 5 business days.