FNi+
PIPEDA Compliant

Data Processing Agreement

How FNi+ processes personal information on behalf of automobile dealerships under Canadian federal and provincial privacy legislation, including PIPEDA and applicable provincial privacy laws.

Effective June 4, 2026Last Updated: June 4, 2026

Data Processing Agreement

How FNi+ processes Personal Information on behalf of automobile dealerships

1. Purpose and Scope

This Data Processing Agreement ("DPA") forms part of and is incorporated into the FNi+ Terms of Service between FNi+ Technologies Inc., or its successor in interest ("Service Provider"), and the automobile dealership, dealership group, or other organization that subscribes to or uses the Services ("Dealership").

This DPA governs the Processing of Personal Information by Service Provider in connection with the FNi+ platform and related services provided to Dealership. It applies to Personal Information relating to Applicants, Co-Applicants, Dealership personnel, Authorized Users, and other individuals whose Personal Information is submitted to, collected through, generated by, or otherwise Processed through the Services.

This DPA is intended to establish contractual safeguards for Personal Information Processed by Service Provider on behalf of Dealership and to allocate responsibility between the parties for privacy, security, retention, individual rights, and related data protection matters.

2. Geographic Scope

The Services are currently offered to Dealerships located in Canadian provinces other than Quebec. Service Provider does not represent that the Services meet the requirements of Quebec private-sector privacy legislation. Dealership represents that it will not use the Services for Dealership locations in Quebec unless Service Provider has agreed in writing to extend the Services to those operations under a separate written addendum.

If Dealership wishes to use the Services in Quebec or in any jurisdiction outside Canada, the parties will negotiate in good faith a separate addendum addressing any additional privacy, data protection, localization, consumer protection, language, regulatory, or other requirements applicable to that jurisdiction.

3. Definitions

  • "Applicable Privacy Laws" means all Canadian federal, provincial, and territorial privacy, data protection, consumer reporting, credit application, electronic records, breach notification, and related laws applicable to the Processing of Personal Information under this DPA.
  • "Authorized User" means any Finance Manager, Director, administrator, employee, contractor, representative, or other individual authorized by Dealership to access or use the Services.
  • "Applicant" means an individual who submits or is the subject of a credit application or related workflow through the Services in connection with a potential vehicle purchase, lease, financing, insurance, or related transaction.
  • "Co-Applicant" means an individual who submits or is the subject of a joint credit application or related workflow alongside an Applicant.
  • "Dealership Data" means all data, records, documents, information, files, content, and materials submitted to, generated through, or Processed by the Services on behalf of Dealership, including Personal Information.
  • "Controller" means the party that determines the purposes for which and the means by which Personal Information is Processed, to the extent that such terminology is applicable under Applicable Privacy Laws or under a future data protection framework adopted by the parties.
  • "De-identified Data" means information that has been modified so that it does not identify, and cannot reasonably be used to identify, an individual, whether alone or in combination with other information reasonably available to Service Provider.
  • "Personal Information" means information about an identifiable individual, including any information treated as personal information, personal data, or equivalent information under Applicable Privacy Laws.
  • "Processing" means any operation or set of operations performed on Personal Information, including collection, receipt, recording, organization, structuring, storage, hosting, retrieval, access, use, disclosure, transmission, transfer, alteration, correction, deletion, return, destruction, or other handling.
  • "Processor" means a party that Processes Personal Information on behalf of and on the instructions of a Controller, to the extent that such terminology is applicable under Applicable Privacy Laws or under a future data protection framework adopted by the parties.
  • "Security Incident" means any actual or reasonably suspected unauthorized access to, acquisition of, disclosure of, loss of, or compromise of Personal Information Processed by Service Provider under this DPA, or any other breach of Service Provider security safeguards affecting such Personal Information.
  • "Services" means the FNi+ platform and all related software, tools, workflows, APIs, electronic signature functionality, credit application management, Applicant verification, document generation, analytics, Dealership dashboard functionality, support, maintenance, and related services provided by Service Provider under the Terms.
  • "Subprocessor" means a third party engaged by Service Provider to Process Personal Information in connection with the Services.

4. Roles of the Parties

As between the parties, Dealership is responsible for determining the purposes for which Personal Information is collected, used, disclosed, retained, and otherwise Processed through the Services. Dealership is the Controller of Personal Information Processed through the Services, to the extent that Controller terminology is applicable.

Service Provider Processes Personal Information as a service provider to Dealership and in accordance with Dealership’s documented instructions, the Terms, this DPA, the Privacy Policy, the applicable Purchase Order, and the configuration and ordinary operation of the Services. To the extent Processor terminology is applicable, Service Provider acts as Processor to Dealership.

For clarity, Service Provider is not the Controller of Applicant or Co-Applicant Personal Information merely because the Services collect limited platform usage, interaction, product category interest, engagement, or similar analytics information in connection with the Services. Such information is Processed to provide, secure, support, maintain, troubleshoot, analyze, and improve the Services, subject to the limitations set out in this DPA and the Terms.

Service Provider will not use Personal Information for any purpose other than to provide, maintain, secure, support, troubleshoot, improve, and develop the Services, comply with the Terms and this DPA, comply with Applicable Laws, or as otherwise expressly authorized by Dealership in writing.

Service Provider will inform Dealership if, in Service Provider’s reasonable opinion, an instruction from Dealership would require Service Provider to Process Personal Information in a manner that violates Applicable Privacy Laws or this DPA.

5. Dealership Responsibilities

Dealership is responsible for its own compliance with Applicable Privacy Laws and for the lawful collection, use, disclosure, submission, retention, and other Processing of Personal Information through the Services. Without limiting the foregoing, Dealership is responsible for:

  • providing all required privacy notices, disclosures, consents, authorizations, and other communications to Applicants, Co-Applicants, Dealership personnel, Authorized Users, and other individuals whose Personal Information is Processed through the Services, and where Dealership has its own privacy policies, separately obtaining individuals’ consent to such policies and the collection of personal information;
  • ensuring that Personal Information submitted to or collected through the Services is accurate, complete, current, and collected for lawful purposes;
  • obtaining all consents and authorizations required for credit applications, hard credit inquiries, lender submissions, credit bureau submissions, electronic records, electronic signatures, identity verification, and any related financing, insurance, F&I product, or vehicle transaction workflow;
  • ensuring that any Personal Information submitted by Dealership personnel on behalf of an Applicant, Co-Applicant, or other individual has been provided with the consent, knowledge and authority of that individual, in each case in accordance with the privacy policies of Dealership and Service Provider;
  • configuring and administering Authorized User access, permissions, roles, and account status in a manner appropriate to the sensitivity of Personal Information available through the Services;
  • ensuring that Authorized Users use the Services only for authorized Dealership F&I operations and in accordance with the Terms, this DPA, Dealership policies, and Applicable Laws;
  • responding to requests, complaints, and inquiries from individuals and regulators except to the extent Service Provider is required by Applicable Privacy Laws to respond directly; and
  • ensuring that Dealership’s own retention, export, use, disclosure, and deletion of Personal Information outside the Services complies with Applicable Privacy Laws.

6. Service Provider Obligations

Service Provider will:

  • Process Personal Information only in accordance with this DPA, the Terms, the Privacy Policy, Dealership’s documented instructions, and the ordinary operation and configuration of the Services;
  • use commercially reasonable efforts to ensure that Personal Information is accessed only by personnel and Subprocessors who require access to perform services for Service Provider or Dealership;
  • not sell Personal Information or disclose Personal Information to third parties for their independent marketing purposes;
  • not use Applicant or Co-Applicant Personal Information to make, influence, or inform credit, lending, financing, insurance, or eligibility decisions;
  • not use directly identifying credit application information, Social Insurance Numbers, banking information, income information, or credit history disclosures for cross-Dealership analytics or platform improvement;
  • provide reasonable assistance to Dealership in connection with Dealership’s obligations under Applicable Privacy Laws, taking into account the nature of the Services and the information available to Service Provider;
  • maintain appropriate safeguards as described in this DPA; and
  • notify Dealership of Security Incidents in accordance with this DPA.

7. Confidentiality and Personnel Access

Service Provider will ensure that its employees, contractors, representatives, and personnel who access Personal Information are subject to confidentiality obligations no less protective than those set out in the Terms and are authorized to access Personal Information only as reasonably necessary to provide, secure, support, maintain, troubleshoot, improve, or administer the Services.

Service Provider will take reasonable steps to ensure that personnel with access to Personal Information receive appropriate instructions regarding the confidential and secure handling of Personal Information, having regard to their roles and the nature and sensitivity of the information.

8. Personal Information Processed

The following categories of Personal Information may be Processed through the Services on behalf of Dealership:

CategoryExamples
Applicant and Co-Applicant identity and contact informationName, date of birth, marital status, dependants, email address, phone number, and residential address.
Financial and employment informationEmployment details, income, housing costs, banking information, credit history disclosures, and related credit application details.
Sensitive identifiersSocial Insurance Number and similar identifiers, where collected for credit bureau or lender submission purposes.
Vehicle and transaction informationVehicle details, deal type, trade-in information, financing parameters, lender submission details, and related F&I workflow information.
Electronic records and signaturesSignature image data, signed documents, consent records, IP address, device information, authentication information, timestamps, and execution records.
Platform usage and engagement informationStep completion timing, section views, scroll activity, time spent on sections, product category interest selections, dashboard activity, document generation records, and related platform activity logs.
Dealership account and Authorized User informationNames, business email addresses, business phone numbers, job titles, Dealership, Organization, user roles, permission levels, login activity, support requests, and account status.
Security and diagnostic informationIP addresses, device information, session records, authentication events, audit logs, error reports, and security event logs.

9. Analytics, De-identified Data, and Platform Improvement

The Services may collect limited platform usage, interaction, engagement, product category interest, completion pattern, and similar analytics information in order to provide the Services to Dealership, support Dealership F&I workflows, maintain and troubleshoot the platform, improve user experience, develop new features, and understand general platform performance.

Service Provider may use De-identified Data and aggregated information for service improvement, internal research, quality assurance, benchmarking, product development, and related business purposes, provided that such information does not identify an individual Applicant, Co-Applicant or Authorized User unless Dealership has expressly agreed otherwise in writing.

Service Provider will not use analytics, engagement, or interaction information to make, influence, or inform any credit, lending, financing, insurance, or eligibility decision about an Applicant or Co-Applicant. Service Provider will not sell, lease, or disclose analytics information to third parties for their independent marketing purposes.

Nothing in this DPA restricts Service Provider from using information that is not Personal Information, including De-identified Data, aggregated information, technical performance data, statistical information, and learnings derived from operation of the Services, provided that Service Provider complies with the confidentiality obligations in the Terms and does not re-identify individuals except as required to provide the Services, investigate security issues, comply with Applicable Laws, or as otherwise permitted by Dealership in writing.

10. Security Safeguards

Service Provider will maintain reasonable physical, technical, and organizational safeguards designed to protect Personal Information against unauthorized access, collection, use, disclosure, copying, modification, disposal, loss, or similar risks, having regard to the sensitivity of the information and the nature of the Services.

Service Provider’s safeguards may include, as applicable:

  • encryption of sensitive information at rest, including encryption of sensitive identifiers before storage;
  • encryption in transit using HTTPS/TLS or comparable secure transport protocols;
  • multi-tenant data isolation and controls designed to limit Dealership access to its own records;
  • role-based access controls and permission management for Authorized Users;
  • user authentication, session management, idle timeouts, inactivity expiry, and duration limits;
  • audit logging and monitoring of security-relevant events;
  • access logging for highly sensitive data where technically available;
  • application security controls designed to address common web application risks;
  • backup, recovery, and availability controls appropriate to the nature of the Services; and
  • administrative controls, personnel confidentiality obligations, and internal access restrictions.

Service Provider may update its safeguards from time to time to address changes in technology, threats, business operations, Subprocessors, and industry practices, provided that such updates do not materially reduce the overall level of protection for Personal Information.

Dealership acknowledges that no system or transmission method is completely secure. Service Provider does not guarantee that unauthorized access, use, disclosure, or loss will never occur.

11. Subprocessors

Dealership authorizes Service Provider to engage Subprocessors to support the delivery, hosting, security, maintenance, billing, communication, monitoring, and operation of the Services. Service Provider remains responsible to Dealership for the performance of its Subprocessors to the extent they Process Personal Information on behalf of Service Provider in connection with the Services.

Service Provider will require Subprocessors that Process Personal Information to be subject to written obligations that are materially protective of Personal Information, having regard to the nature of the services provided by the Subprocessor and the Personal Information Processed.

The following categories of Subprocessors may Process Personal Information in connection with the Services:

Subprocessor categoryPrimary processing locationPurpose
Cloud database, authentication, and file storage providersCanadaDatabase hosting, user authentication, and file storage.
Application hosting and content delivery providersUnited States or other disclosed jurisdictionsApplication hosting, content delivery, performance, and availability.
SMS delivery providersUnited States or other disclosed jurisdictionsSMS verification and related transactional messaging.
Email delivery providersUnited States or other disclosed jurisdictionsTransactional email delivery and service communications.
Payment processing providersUnited States or other disclosed jurisdictionsSubscription billing for Dealership accounts.
Error monitoring, security, and diagnostics providersUnited States or other disclosed jurisdictionsApplication stability, error monitoring, diagnostics, and security support, with Personal Information minimized where reasonably practicable.

A current list of material Subprocessors, including corporate identities and relevant processing locations, will be made available to Dealership upon written request.

Subprocessor Changes

Service Provider may engage, replace, or remove Subprocessors from time to time in connection with the provision, maintenance, security, support, or improvement of the Services. Service Provider is not required to obtain Dealership’s prior approval before engaging, replacing, or removing a Subprocessor.

Service Provider will remain responsible for the performance of its Subprocessors to the extent they process Personal Information on behalf of Service Provider in connection with the Services, and will require each such Subprocessor to be subject to contractual obligations that are materially protective of Personal Information, having regard to the nature of the Services provided by that Subprocessor and the sensitivity of the Personal Information processed.

Service Provider may provide notice of material changes to its Subprocessors by email, in-platform notice, posting to a designated web page, or another reasonable means. If Dealership has concerns regarding a Subprocessor change, Dealership may contact Service Provider, and the parties will discuss the concern in good faith. Service Provider is not required to modify its Subprocessor arrangements unless required by applicable law or expressly agreed by Service Provider in writing.

12. Cross-Border Processing

Personal Information is primarily stored in Canada. Certain Personal Information may be accessed or Processed in the United States or other jurisdictions by Service Provider, its personnel, or Subprocessors as reasonably necessary to provide, support, secure, maintain, troubleshoot, improve, bill for, or administer the Services.

Service Provider will use contractual, technical, and organizational safeguards intended to protect Personal Information when it is Processed outside Canada. Dealership acknowledges that Personal Information Processed outside Canada may be subject to lawful access by courts, law enforcement, regulatory, national security, or governmental authorities in the jurisdiction where the information is Processed.

Service Provider will inform Dealership of any material change to the jurisdictions in which Personal Information is stored or materially Processed where required by this DPA or Applicable Privacy Laws.

13. Security Incidents and Breach Assistance

If Service Provider becomes aware of a Security Incident involving Personal Information Processed under this DPA, Service Provider will notify Dealership without unreasonable delay and, where feasible, within forty-eight (48) hours after becoming aware of the Security Incident.

Service Provider’s notice will include, to the extent reasonably available at the time of notice:

  • a description of the nature of the Security Incident;
  • the categories of Personal Information affected;
  • the approximate number or categories of affected individuals, where known;
  • the measures taken or proposed to contain, investigate, and remediate the Security Incident;
  • any recommended steps for Dealership to mitigate risk to affected individuals; and
  • a contact point for further information.

Service Provider will take reasonable steps to contain, investigate, and remediate the Security Incident and will reasonably cooperate with Dealership in connection with Dealership’s assessment, investigation, record-keeping, regulatory reporting, and individual notification obligations under Applicable Privacy Laws.

Dealership is responsible for determining whether notice to affected individuals, regulators, lenders, credit bureaus, financing partners, insurers, F&I product providers, or other third parties is required, except to the extent Applicable Privacy Laws require Service Provider to notify a party directly. Service Provider will not make public statements identifying Dealership in connection with a Security Incident without Dealership’s prior consent unless required by Applicable Laws.

Service Provider will maintain records of Security Incidents as required by Applicable Laws and its internal security policies.

14. Individual Rights and Privacy Requests

Dealership is responsible for responding to requests, complaints, and inquiries from individuals regarding Personal Information Processed through the Services, including requests for access, correction, deletion, withdrawal of consent, information about use or disclosure, and similar privacy rights requests, except to the extent Service Provider is required by Applicable Privacy Laws to respond directly.

If Service Provider receives a request from an Applicant, Co-Applicant, Authorized User, Dealership personnel member, regulator, or other individual regarding Personal Information Processed on behalf of Dealership, Service Provider may redirect the request to Dealership or notify Dealership of the request, unless prohibited by Applicable Laws.

Service Provider will provide reasonable assistance to Dealership, taking into account the nature of the Services and the information available to Service Provider, to help Dealership respond to individual rights requests and privacy complaints. Dealership acknowledges that Service Provider may be unable to delete, correct, or restrict Personal Information that has already been exported, downloaded, submitted to a lender, credit bureau, financing partner, insurer, F&I product provider, or otherwise Processed outside the Services by Dealership or a third party.

15. Retention, Return, and Deletion

Service Provider will retain Personal Information in accordance with the retention periods described in the Privacy Policy, except where a different retention period is required or permitted under the Terms, this DPA, applicable law, or the documented instructions of Dealership.

During the term of the Services, Service Provider will make reasonable functionality available for Dealership to access, export, correct, or delete Personal Information within the Services, subject to the configuration and functionality of the platform.

Upon termination or expiry of the Terms, Service Provider will make Dealership’s Personal Information available for export for the period specified in the Terms, unless otherwise agreed in writing. After the applicable export period, Service Provider may delete or de-identify Personal Information from active systems in accordance with its standard deletion practices, the Privacy Policy, this DPA, and applicable law.

Service Provider may retain Personal Information to the extent required or permitted by applicable law, or as reasonably necessary for legal, regulatory, tax, audit, billing, security, fraud prevention, backup, disaster recovery, dispute resolution, or enforcement purposes. Any retained Personal Information remains subject to the confidentiality, security, and use restrictions in this DPA for as long as it is retained.

Service Provider is not responsible for deleting or retrieving Personal Information that has already been transmitted to Dealership, lenders, credit bureaus, financing partners, insurers, F&I product providers, or other third parties at Dealership’s instruction or through Dealership’s use of the Services.

16. Audit and Assurance

Service Provider will make available to Dealership information reasonably necessary to demonstrate Service Provider’s compliance with this DPA, subject to the confidentiality, security, legal privilege, trade secret, and third-party confidentiality obligations of Service Provider and its other clients.

Dealership may request reasonable information about Service Provider’s privacy and security practices, safeguards, Subprocessors, and Security Incident handling no more than once per calendar year, unless a Security Incident or documented material concern justifies additional requests. Service Provider may satisfy such requests through written responses, security summaries, policies, diagrams, questionnaires, third-party reports, or other reasonable assurance materials, as determined by Service Provider having regard to the nature of the request and the sensitivity of the information requested.

If a Security Incident affects Dealership’s Personal Information, or if Dealership has a documented and reasonable basis to believe that Service Provider is materially non-compliant with this DPA, Dealership may request an audit of Service Provider’s compliance with this DPA. Any audit will be subject to the following conditions:

  • Dealership must provide reasonable prior written notice and describe the scope and basis for the audit request;
  • the audit must be conducted during normal business hours and in a manner that does not unreasonably interfere with Service Provider’s operations or compromise the security, confidentiality, or availability of the Services;
  • the audit must be limited to matters reasonably related to the Security Incident or documented material concern;
  • any auditor must be a qualified independent third party subject to confidentiality obligations acceptable to Service Provider, unless the parties agree otherwise;
  • the audit must not permit access to the Personal Information, Confidential Information, systems, or environments of other clients;
  • Dealership is responsible for the costs of the audit unless the audit reveals material non-compliance by Service Provider, in which case Service Provider will reimburse Dealership for reasonable audit costs proportionate to the non-compliance; and
  • all audit materials, findings, reports, and communications will be treated as Confidential Information of Service Provider.

Service Provider may implement additional routine compliance summaries, assurance reports, certifications, or third-party attestations in the future, but nothing in this DPA requires Service Provider to obtain or maintain any specific certification or attestation unless expressly agreed in a separate written agreement.

17. Cooperation with Regulatory Matters

Each party will reasonably cooperate with the other party in connection with privacy regulator inquiries, investigations, orders, or complaints relating to Personal Information Processed under this DPA, to the extent such cooperation is reasonably necessary and legally permitted.

Dealership is responsible for communications with regulators regarding Dealership’s collection, use, disclosure, retention, and other Processing of Personal Information, except to the extent Applicable Laws require Service Provider to communicate directly with a regulator or the matter relates solely to Service Provider’s systems, safeguards, or independent legal obligations.

18. Liability

Each party’s liability under this DPA is governed by the limitation of liability, exclusion of damages, indemnity, data and privacy claims cap, and related liability provisions set out in the dealership-facing FNi+ Terms of Service to which this DPA is attached or incorporated, including any Purchase Order or other written agreement that modifies those provisions.

Nothing in this DPA expands Service Provider’s liability beyond the liability caps and exclusions set out in the Terms, except to the extent such limitation is prohibited by Applicable Laws.

19. Term and Termination

This DPA takes effect when Dealership accepts or becomes bound by the Terms and remains in effect for so long as Service Provider Processes Personal Information on behalf of Dealership.

The obligations in this DPA relating to confidentiality, security, retention, deletion, return, audit, liability, and protection of Personal Information survive termination or expiry of the Terms for so long as Service Provider retains Personal Information Processed on behalf of Dealership.

20. Order of Precedence

If there is a conflict between this DPA and the Terms, this DPA prevails solely with respect to the Processing and protection of Personal Information. The Terms prevail with respect to all other matters, including payment, subscription, intellectual property, disclaimers, liability caps, indemnity, dispute resolution, governing law, and general commercial terms.

If there is a conflict between this DPA and a Purchase Order or other written agreement signed by both parties, the more specific provision governing the relevant subject matter will prevail, unless the written agreement expressly states a different order of precedence.

21. General Provisions

This DPA is governed by and construed in accordance with the laws specified in the Terms.

This DPA may be amended only in accordance with the amendment provisions of the Terms or by a written instrument signed by both parties. Service Provider may update this DPA from time to time to reflect changes in Applicable Laws, industry practices, Subprocessors, security practices, or Processing practices, provided that such updates do not materially reduce the protections afforded to Personal Information under this DPA.

Capitalized terms used but not defined in this DPA have the meanings given to them in the Terms.

22. Contact

Privacy and data protection inquiries:

FNi+ Technologies Inc.

support@fniplus.ai