Data Processing Addendum
Version 1.1 · Effective May 7, 2026
This Data Processing Addendum (“DPA”) supplements the Anima Terms of Service between you (“Customer”, “controller”) and Anima Crescens (“Anima”, “processor”) and applies whenever Anima processes Personal Data on Customer’s behalf in connection with the Service. Capitalized terms not defined here have the meanings given in the Terms of Service.
1. Definitions
- Personal Data means information relating to an identified or identifiable natural person processed by Anima on Customer’s behalf.
- Data Subject means the individual to whom Personal Data relates (e.g. tenants, contractors, staff).
- Sub-processor means any third party engaged by Anima to process Personal Data.
- Applicable Data Protection Law means PIPEDA, PIPA (BC), CASL, GDPR, UK GDPR, and any other privacy law applicable to a given processing activity.
2. Roles & Subject Matter
Customer is the controller of Personal Data flowing through its connected mailbox, calendar, and spreadsheets and through records Customer uploads. Anima processes such Personal Data solely as a processor on Customer’s instructions, which include the Terms of Service and Customer’s use of the Service’s features. Anima will not process Personal Data for any other purpose without Customer’s prior written consent or as required by law.
3. Duration & Categories
- Duration: for the term of the Terms of Service plus any wind-down period under Section 11.
- Nature & purpose: AI-assisted email triage, draft authoring, ticketing, scheduling, record-keeping, and analytics, as described in the Service.
- Categories of Data Subjects: Customer’s staff, tenants, contractors, suppliers, and other correspondents.
- Categories of Personal Data: name, email address, phone, postal address, unit/property identifiers, lease and payment details, message content, attachments, scheduling information.
Personal Data of the natural person who signs up for and administers Customer’s account (including authentication credentials, the signer’s legal name and title, age affirmation, and the IP address and user-agent captured at each consent event) is collected and processed by Anima as controller under the Privacy Policy, not as processor under this DPA.
4. Customer Instructions
Customer’s configuration of the Service (including which mailboxes and calendars are connected, what data is uploaded, and which features are enabled) constitutes Customer’s documented instructions to Anima. Anima will inform Customer if, in its opinion, an instruction violates Applicable Data Protection Law.
5. Confidentiality
Anima will ensure that personnel authorized to process Personal Data are bound by confidentiality obligations and that Personal Data is processed only on a need-to-know basis.
6. Security
Anima implements appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:
- TLS 1.2+ in transit;
- encryption at rest for OAuth tokens and database backups;
- row-level security policies on multi-tenant tables;
- role-based access control with principle-of-least-privilege scopes;
- audit logging of administrative actions;
- bot-mitigation challenges on account creation;
- vendor security reviews of sub-processors.
7. Sub-processors
Customer authorizes Anima to engage the sub-processors listed in the Privacy Policy. Anima will (a) impose data-protection obligations on each sub-processor materially equivalent to those in this DPA, and (b) remain liable for the acts and omissions of its sub-processors. Anima will provide notice (via a Privacy Policy update or an in-app notice) before adding or replacing a sub-processor. Customer may object to a new sub-processor on reasonable data-protection grounds within 30 days; if the objection cannot be resolved, Customer may terminate the affected portion of the Service.
8. Data Subject Requests
Anima will, taking into account the nature of the processing, provide Customer with reasonable assistance (through self-service tools where available, otherwise on written request) to enable Customer to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Law. Customer is the primary point of contact for its Data Subjects.
9. Personal Data Breach
Anima will notify Customer without undue delay and in any event within 72 hours after becoming aware of a confirmed Personal Data breach affecting Customer Data, providing all information reasonably required for Customer to meet its own notification obligations.
10. International Transfers
Anima may transfer and process Personal Data outside Customer’s country of residence as described in the Privacy Policy. Where required, Anima will rely on Standard Contractual Clauses or other lawful transfer mechanisms.
11. Return or Deletion
On termination of the Terms of Service, Anima will, at Customer’s choice, delete or return all Personal Data in Anima’s possession within 30 days, except for copies required by law or held in routine encrypted backups (which will be deleted on the regular backup-rotation schedule).
12. Audits
Anima will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written notice (and no more than once per 12 months unless required by a supervisory authority or following a breach), Anima will respond to a written security questionnaire from Customer. Customer must treat Anima’s responses as confidential.
13. Liability
Each party’s liability under this DPA is subject to the limitation of liability set out in the Terms of Service.
14. Order of Precedence
If there is any conflict between this DPA and the Terms of Service regarding the processing of Personal Data, this DPA controls. All other terms remain unchanged.
15. Contact
Data-protection inquiries: email animacrescens@gmail.com.
