1. Scope & roles
This Addendum applies when CourtStairs processes personal information within Customer Data on behalf of a business Customer. For that data, the Customer is the controller (the organization responsible for it) and CourtStairs is the processor (service provider). The Customer is responsible for having a lawful basis and any required consents.
2. How we process
We process Customer Data only to provide and support the service, and only on the Customer’s documented instructions (including these Terms and the Privacy Policy), for as long as the agreement lasts.
3. No model training
We do not use Customer Data to train public AI models, and our AI providers are contractually barred from doing so.
4. Confidentiality
Our staff and contractors who handle Customer Data are bound by confidentiality obligations.
5. Security
We use technical and organizational safeguards, including encryption in transit and at rest, row-level access controls so each customer reaches only its own data, least-privilege access, logging, and regular reviews.
6. Sub-processors
We use vetted sub-processors to run the service: Supabase (database and authentication), Vercel (hosting and analytics), Stripe (payments), Retell (voice calls), and AI model providers (Google, OpenAI, and Anthropic). Each is bound by data-protection terms. We will give notice of new sub-processors and let you object on reasonable grounds.
7. Cross-border transfers
Core data is hosted in Canada. Some processing (AI providers and voice calls) may occur in the United States or elsewhere. Before transferring personal information outside Quebec, we assess the transfer and rely on contractual and technical safeguards, in line with Law 25.
8. Helping you comply
We will reasonably help you respond to access, correction, and deletion requests, carry out privacy impact assessments, and meet your obligations under Quebec Law 25 and PIPEDA.
9. Incident notification
We will notify you without undue delay after we become aware of a confidentiality incident affecting your Customer Data, with the information you need to meet your own reporting duties.
10. Return & deletion
On termination, we delete or return Customer Data on the schedule in our Privacy Policy (within 30 days of account closure), except records we must keep by law.
11. Audits
On reasonable request, we will provide the information needed to show our compliance with this Addendum and support a reasonable audit, subject to confidentiality.
12. How this fits together
This Addendum forms part of the Terms of Service. If it conflicts with the Terms on the handling of Customer Data, this Addendum prevails for that data.
Data protection contact
Reach our Privacy Officer at privacy@courtstairs.com.