Data Processing Agreement (EU)
Last Updated: Nov 14, 2025
Company: StoragePilot Ltd (“StoragePilot”, “we”, “us”, or “our”)
Registered Office: Vancouver, British Columbia, Canada
Website: https://www.storagepilot.ai
This Data Processing Agreement (“DPA”) forms part of and is incorporated by reference into StoragePilot’s Terms and Conditions. It governs StoragePilot’s processing of personal data on behalf of customers located in the European Union (“EU”) and the United Kingdom (“UK”) in accordance with the General Data Protection Regulation (GDPR).
The customer acts as the Data Controller, and StoragePilot acts as the Data Processor.
1. Scope and Roles
This DPA applies when StoragePilot processes personal data on behalf of the Controller while providing the Services. StoragePilot will process personal data only:
- For the purpose of delivering and improving the Services
- According to the Controller’s documented instructions
- As permitted by applicable laws
No ownership of personal data is transferred.
2. Compliance with GDPR
StoragePilot complies with the obligations of a Data Processor under the GDPR, including:
- Implementing appropriate technical and organizational measures
- Assisting the Controller with data subject requests
- Maintaining security appropriate to risk
- Supporting breach notifications
The Controller is responsible for ensuring lawful access to and use of the Services, including providing all required notices to data subjects.
3. Data Processing Instructions
StoragePilot will process personal data solely to:
- Operate, maintain, and enhance the Services
- Provide customer support
- Ensure security, logging, and fraud prevention
- Comply with legal obligations
StoragePilot will not:
- Sell personal data
- Process personal data for advertising
- Use personal data for purposes other than those listed above
4. Categories of Data Subjects and Data
The following outlines high-level categories processed:
- Individuals storing items in a facility (tenants)
- Staff and administrators granted access to the platform
- Prospective customers submitting reservation or inquiry information
See Appendix 1 for explicit categories of personal data processed.
5. Subprocessors
StoragePilot uses subprocessors to support the Services.
The Controller grants general authorization for StoragePilot to engage subprocessors.
StoragePilot will:
- Maintain an up-to-date list of subprocessors
- Ensure subprocessors provide adequate privacy and security
- Enter into written agreements imposing equivalent obligations
Current subprocessors are listed in the GDPR & Data Residency Overview.
6. International Transfers & SCCs
Personal data is stored and processed in Canada (AWS ca-central-1).
For transfers from the EU/UK to Canada, StoragePilot relies on:
- 2021 Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914)
StoragePilot processes data only per Controller instructions and employs appropriate safeguards.
EU Representative
Under Article 27(2)(a), StoragePilot does not require an EU representative since processing is low-risk, occasional, and not large-scale.
7. Security Measures
StoragePilot maintains industry-standard security, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AWS-managed)
- Access controls and audit logging
- Firewall and network protections
- Secure backups stored in Canada
- Internal policies and limited personnel access
8. Breach Notification
In the event of a personal data breach affecting the Controller’s data, StoragePilot will:
- Notify the Controller without undue delay and within 72 hours
- Provide known details on nature, scope, and impact
- Support the Controller’s regulatory or notification obligations
9. Data Subject Requests
StoragePilot will assist the Controller in fulfilling:
- Access requests
- Rectification
- Erasure
- Restriction
- Portability
StoragePilot will not respond directly to data subjects unless instructed by the Controller.
10. Audits
The Controller may perform remote audits by reviewing:
- Policies
- Security documentation
- Penetration test summaries
- Architecture overviews
StoragePilot has not yet undergone independent audits due to its early-stage status.
No on-site audits are permitted.
11. Data Retention and Deletion
Personal data is retained for the duration of the subscription and then according to StoragePilot’s standard retention schedule.
Upon termination:
- Data exports may be requested for 3 months
- Customer data is retained for up to 12 months for audit, billing, and security purposes
- Data is permanently deleted thereafter, except where legally required
12. Liability
The parties agree that StoragePilot’s liability under this DPA is subject to the limitation of liability set out in the Terms and Conditions.
This limits StoragePilot’s total liability to the fees paid in the 30 days preceding the event giving rise to the claim.
13. Term and Termination
This DPA remains in effect for as long as StoragePilot processes personal data on behalf of the Controller.
Upon termination of the Services, StoragePilot will:
- Cease processing except for retention obligations
- Provide data export (upon request)
- Delete remaining personal data per Section 11
Appendix 1 — Explicit Categories of Personal Data Processed
StoragePilot processes the following personal data on behalf of Controllers:
Tenant Data
- Name
- Phone number
- Postal address
- Unit number and lease details
- Move-in / move-out dates
- Delinquency status
- Notes and facility-added metadata
Communications & Interaction
- SMS messages
- Email messages
- AI chat interactions
- Voice transcripts and call logs
- Reservation inquiries
Access & Activity
- Gate access codes
- Access attempt logs
- Successful/failed entry events
- IP addresses (metadata)
User Accounts (Staff/Admins)
- Name
- Role/permissions
- Login activity logs
Payment Metadata
- Stripe customer IDs
- Invoice records
- Billing history
(no PCI data—Stripe holds all card information)
Appendix 2 — Standard Contractual Clauses (SCCs)
The SCCs referenced in Section 6 are incorporated by reference in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Modules 2 and 3 as applicable).
These SCCs apply automatically to any EU personal data transferred to Canada.