Last modified: May 12, 2025

This Data Processing Agreement (“DPA”) supplements the Regystra Terms of Service and applies where the Customer is a legal entity and acts as a data controller of personal data collected through the Regystra platform.

1. Definitions

• Customer: The organization that controls end-user data and determines its purposes.
• Regystra: Ciotech Inc. (doing business as Regystra), acting as the data processor.
• Personal Data: Any information relating to an identified or identifiable natural person.
• Applicable Privacy Laws: Includes Quebec’s Law 25, Canada's PIPEDA, the EU GDPR, and any similar laws that apply to Customer’s operations.

2. Roles and Responsibilities

• Customer is the data controller and retains full ownership and responsibility for the Personal Data collected through its Regystra portal.
• Regystra acts as a data processor, processing Personal Data only on behalf of the Customer and in accordance with this Agreement and applicable laws.

3. Purpose of Processing

Regystra processes Personal Data solely for the purposes of providing and improving the Regystra platform and related services, including registration workflows, messaging, reporting, and integrations (e.g., Stripe, HubSpot).

4. Data Categories

Personal Data processed may include, but is not limited to:

• First name, last name
• Date of birth, gender
• Height, weight (where required by Customer)
• Postal code or city
• Team, event, or participation-related metadata

5. Data Hosting and Transfers

• All customer data is hosted using secure, industry-recognized cloud infrastructure providers in Canada and the United States.
• No cross-border transfers of Personal Data occur without Customer’s consent.

6. Subprocessors

Regystra uses vetted subprocessors for infrastructure and service delivery, including but not limited to:

• Cloud infrastructure providers (e.g., AWS, Azure, or equivalent) for application hosting and data storage
• Stripe (payment processing)
• HubSpot (CRM)
• Quickbooks (accounting)
• Twilio (SMS)
• Hotel Integration Providers (e.g., Amadeus, Sabre, or equivalent)

Customers may request an up-to-date list of subprocessors at any time.

7. Security Measures

Regystra implements administrative, technical, and organizational security measures including:

• Encrypted data storage at rest and in transit
• Daily incremental backups
• Access controls and role-based permissions
• Monitoring and vulnerability patching

8. Data Subject Rights

• Customer is responsible for responding to data subject requests (e.g., access, correction, deletion).
• Regystra will assist the Customer in fulfilling such requests, where technically feasible.

9. Breach Notification

In the event of a data breach affecting Customer Personal Data, Regystra shall notify the Customer within 72 hours of becoming aware, provide all relevant breach details, and assist in remediation as required by law.

10. Deletion or Return of Data

• Upon termination of the agreement, Customer may request deletion of all Personal Data.
• Regystra will delete the data from production systems and backups within a commercially reasonable time, subject to any legal obligations.

11. Audit and Compliance

Upon written request, Regystra will provide information necessary to demonstrate compliance with this DPA. Customer may request a security audit summary or evidence of certifications where applicable.

12. Priority and Modifications

In the event of a conflict between this DPA and the Terms of Service, this DPA shall take precedence with respect to data protection obligations. Regystra may update this DPA to reflect legal changes or improved security practices. All material changes will be communicated in advance.

For further information, please contact info [at] regystra.com