Data processing agreement.

In this DPA: "blankit" means Blankit Health Inc.; "Customer" (also "you," "your," "the firm") means the firm, advisor, MGA, or organization that subscribes to the Service; "Customer Personal Information" means personal information within Customer Data that blankit processes on the Customer's behalf, including information about the Customer's plan-sponsor clients and their plan members. "Personal information," "processing," "confidentiality incident," and "person in charge of the protection of personal information" have the meanings given in PIPEDA and the Quebec Act respecting the protection of personal information in the private sector ("Law 25").

With respect to Customer Personal Information, the Customer is the controller (the party that determines the purposes and means of processing) and blankit is the processor (the party that processes on the controller's behalf and on its documented instructions). For information about the advisors and firm staff who use the product directly, blankit is the controller; that processing is governed by our Privacy policy, not by this DPA.

blankit will process Customer Personal Information only: (a) to provide, secure, and maintain the Service as described in the Terms; (b) on the Customer's documented instructions, which include the Terms, this DPA, the configuration choices the Customer makes in the product, and the workflows the Customer initiates (renewal analysis, booklet comparison, employee summaries, the plan-member chatbot, and similar); and (c) as required by Canadian law, in which case blankit will inform the Customer of the requirement before processing unless the law prohibits it.

The nature and purpose of the processing, the categories of data subjects, the categories of personal information, and the duration are described in Schedule 1 below. If blankit believes an instruction infringes PIPEDA, Law 25, or other applicable law, it will inform the Customer without undue delay.

blankit does not sell Customer Personal Information, does not use it for advertising, and does not use it to train any artificial-intelligence or machine-learning model. Customer Personal Information sent to AI sub-processors is used only to return a result for the Customer's own request and is not retained by the model provider for training (see Schedule 1 and /sub-processors).

blankit ensures that every person it authorizes to process Customer Personal Information is bound by an obligation of confidentiality (whether by contract of employment or otherwise) and processes that information only as needed to perform their role. Access is granted on a least-privilege basis and is removed when no longer required.

blankit maintains administrative, technical, and physical safeguards appropriate to the sensitivity of Customer Personal Information, including:

• Encryption in transit (TLS 1.2 or higher at the load balancer) and at rest (database, object storage, and secrets manager).
• Tenant isolation enforced at the database query layer, so one firm cannot read another firm's data even in the event of an application error.
• Two-factor authentication available for every account and required for administrative roles.
• Centralized, tamper-evident audit logging of privileged actions.
• Daily encrypted backups held in the same Canadian region as the primary data.
• A read-only, name-masked, time-boxed, audit-logged operator access path for support — described at Trust & security.

blankit may update its security measures as the Service evolves, provided the protection does not materially decrease. The operational detail behind these controls is published at /trust.

The application, all Customer Data at rest, the database, object storage, and all backups are hosted inside AWS Canada (Montreal — ca-central-1). blankit will not relocate Customer Data at rest outside Canada without first updating /sub-processors and notifying subscribing firms under §6.

A limited set of operational paths involve processing outside Canada, each under contractual safeguards and each disclosed in Schedule 1 and on /sub-processors. The most significant is AI inference: as of 2026-05-15, AWS no longer accepts on-demand invocation of current Claude models from a single region, so inference is invoked through an AWS cross-region inference profile and may run in a region outside Canada (in practice, a US region) under the AWS Customer Agreement and AWS DPA. blankit will adopt a Canada-only inference profile as soon as AWS publishes one.

The Customer authorizes blankit to engage the sub-processors listed at /sub-processorsto process Customer Personal Information. blankit imposes data-protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible to the Customer for each sub-processor's performance.

blankit will notify subscribing firms at least 30 days before adding or replacing a sub-processor in the production data path, by email to the firm's billing and security contact and by updating /sub-processors. A firm that reasonably objects on data-protection grounds within that window may terminate the affected portion of the subscription without penalty as its exclusive remedy.

Taking into account the nature of the processing, blankit will assist the Customer with appropriate technical and organizational measures, insofar as possible, to:

• Respond to requests from individuals to exercise their rights of access, correction, deletion, portability, and withdrawal of consent — including through the self-serve export tooling and the subject-access-request form blankit provides on firm-branded surfaces.
• Meet the Customer's own confidentiality-incident notification and record-keeping obligations under §8.
• Carry out any privacy impact assessment the Customer is required to perform in connection with the Service, and any prior consultation with a regulator arising from it.

Where an individual sends a rights request directly to blankit concerning Customer Personal Information, blankit will not respond substantively but will, without undue delay, refer the individual to the Customer (the controller) and notify the Customer of the request.

blankit maintains a register of confidentiality incidents involving personal information, as required by Law 25. On becoming aware of a confidentiality incident affecting Customer Personal Information — including loss, unauthorized access, use, or disclosure — blankit will notify the affected firm's billing and security contact without delay, and in any event within 72 hours of confirmation.

The notification will describe, to the extent then known, the nature of the incident, the categories and approximate volume of personal information and individuals affected, the likely consequences, and the measures taken or proposed to address it and mitigate harm. blankit will cooperate reasonably with the Customer's assessment of whether the incident presents a risk of serious injury and with any notification the Customer must make to affected individuals, the Commission d'accès à l'information du Québec, the Office of the Privacy Commissioner of Canada, or other regulators. blankit will not notify the Customer's plan sponsors or plan members directly except at the Customer's written request or where required by law.

blankit will make available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, including the disclosures published at /trust and /sub-processors, its Records of Processing Activities summary, and responses to a reasonable security questionnaire no more than once per 12 months (or more often following a confidentiality incident or at a regulator's direction).

Where a documentary review is insufficient to satisfy a Customer's regulatory audit obligation, the parties will agree in advance on the scope, timing, and cost of any further audit. Audits must occur during business hours, on reasonable prior notice, must not compromise the confidentiality or security of other customers, and are conducted at the requesting Customer's expense.

During the subscription, the Customer may export its Customer Data through self-serve export at any time. On termination or expiry of the subscription, the Customer may export Customer Data for 30 days. blankit will then delete Customer Personal Information from production systems and, in the ordinary course, from encrypted backups within 90 days of termination, except where retention is required by law (for example, billing records retained for Canadian tax purposes) — in which case the information remains subject to this DPA for as long as it is retained.

Specific retention periods for each category of information are set out in our Privacy policy.

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Terms, which apply to all claims under the Terms and this DPA together. This DPA takes effect when the Customer first uses the Service and continues for as long as blankit processes Customer Personal Information.

This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable there, consistent with the Terms of service. If any provision is held unenforceable, the remaining provisions remain in effect. In the event of a conflict between this DPA and the Terms regarding the processing of personal information, this DPA prevails; in all other respects, the Terms prevail.