Data Processing Addendum
(for Urbis Platform)
This Data Processing Addendum (“DPA”) forms part of and is incorporated into the agreement governing Customer use of the Urbis
Platform (the “Agreement”) between:
the customer entity that has entered into the Agreement (“Customer”, “Controller” or “Business”), and
URBIS AI – INTELLIGENT REAL ESTATE SOLUTIONS INC., an Ontario corporation with its principal place of business at 87 Allan Street, Oakville, Ontario, L6J 3M7 (“Urbis”, “Processor”, “Service Provider” or “Contractor”).
Customer and Urbis are referred to individually as a “Party” and together as the “Parties”.
If there is any conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data (as defined below), this DPA will prevail to the extent of the conflict.
This DPA is effective as of the date the Agreement becomes binding on the Parties.
Table of Contents
1. Scope and Application
2. Definitions
3. Role of the Parties
4. Customer Instructions and Responsibilities
5. Urbis Obligations
6. Subprocessors
7. Data Subject Requests
8. CCPA / CPRA Service Provider Terms
9. International Transfers
10. De Identified and Aggregate Data and Model Improvement
11. Audits
12. Relationship to the Agreement
13. Governing Law and Jurisdiction
14. Exhibit B – International Transfers (Reserved)
1. Scope and Application
1.1 This DPA applies to Urbis processing of Customer Personal Data in connection with Urbis provision of the Urbis Platform and related services under the Agreement, where Customer acts as a Controller or Business and Urbis acts as a Processor, Service Provider or Contractor under applicable Data Protection Laws.
1.2 The Parties agree that any processing of Customer Personal Data by Urbis shall be subject to the terms and conditions set out in this DPA in addition to the Agreement.
2. Definitions
2.1 Capitalized terms used but not defined in this DPA have the meanings given in the Agreement.
2.2 “Customer Data” has the meaning given in the Agreement and includes any data, files, documents, information, and content submitted, uploaded, transmitted or otherwise provided by or on behalf of Customer or its Users to the Urbis Platform, which may include Customer Personal Data.
2.3 “Customer Personal Data” means any Personal Data contained in Customer Data that is processed by Urbis on behalf of Customer in the course of providing the Urbis Platform and related services under the Agreement.
2.4 “Data Protection Laws” means all data protection and privacy laws and regulations applicable to a Party in its processing of Customer Personal Data under this DPA. As of the Effective Date, this includes, to the extent applicable to the processing of Customer Personal Data:
a) the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar Canadian provincial legislation, and
b) United States federal and state privacy laws such as the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively, “CCPA/CPRA”).
2.5 “Personal Data” means any information relating to an identified or identifiable natural person and shall be interpreted consistently with applicable Data Protection Laws.
2.6 Terms such as “Processing”, “Processor”, “Controller”, “Business”, “Service Provider”, “Contractor”, “Consumer” and “Personal Data Breach” have the meanings given to them in applicable Data Protection Laws.
2.7 “Standard Contractual Clauses” or “SCCs” means standard contractual clauses or other contractual transfer mechanisms which may be approved by a competent data protection authority for cross border transfers of personal data where required by Data Protection Laws.
2.8 “Subprocessor” means any third party engaged by Urbis to process Customer Personal Data on behalf of Customer in connection with the Urbis Platform.
2.9 “De identified and Aggregate Data” has the meaning given in Section 11.1.
2.10 “Third Party LLM” means any third party AI or foundation model provider used by Urbis to process Customer Data or generate Output, as described in the Agreement.
Return to top
3. Roles of the Parties
3.1 For Customer Personal Data, Customer is the Controller or Business and Urbis acts as Processor, Service Provider and or Contractor, as those terms are used in applicable Data Protection Laws.
3.2 Customer determines the purposes and means of the processing of Customer Personal Data. Urbis will process Customer Personal Data only on behalf of Customer and in accordance with Customer documented instructions as set out in this DPA, the Agreement, and any applicable Order, except where otherwise required by law.
3.3 Nothing in this DPA changes the fact that Urbis may act as an independent Controller with respect to Personal Data it collects and uses for its own purposes, such as contact information for account administrators and marketing contacts, as described in the Urbis Privacy Policy.
4. Customer Instructions and Responsibilities
4.1 Customer instructs Urbis to process Customer Personal Data as necessary to provide the Urbis Platform and related services, to perform Urbis obligations, and to exercise Urbis rights under the Agreement and this DPA.
4.2 Customer is responsible for ensuring that its instructions to Urbis regarding the processing of Customer Personal Data comply with Data Protection Laws, including obtaining all consents and providing all notices required for Urbis to process Customer Personal Data as contemplated by the Agreement and this DPA.
4.3 Customer will not instruct Urbis to process Customer Personal Data in violation of Data Protection Laws. Urbis may inform Customer if, in Urbis opinion, an instruction appears to be unlawful.
4.4 Prohibited Data. Unless expressly agreed in writing, Customer will not submit to the Urbis Platform any Personal Data that:
a) constitutes highly sensitive or special categories of personal data, such as health information, biometric identifiers for the purpose of uniquely identifying an individual, data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or data concerning a person’s sex life or sexual orientation, or
b) is subject to sector specific regulations that impose additional obligations on processors, such as protected health information under HIPAA.
If Customer submits such data in breach of this Section 4.4, Customer is solely responsible for that submission and any resulting obligations, and Urbis will not be responsible for such processing except to the extent required by Data Protection Laws.
Return to top
5. Urbis Obligations
5.1 Documented Instructions. Urbis will process Customer Personal Data only in accordance with Customer documented instructions as described in Section 4.1, except where otherwise required by law. If Urbis is required by law to process Customer Personal Data beyond Customer instructions, Urbis will inform Customer of that requirement before processing, unless the law prohibits such notice.
5.2 Confidentiality. Urbis will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations with respect to such data.
5.3 Security. Urbis will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as further described in Exhibit C to the Agreement or any equivalent security schedule, as updated from time to time. Customer acknowledges that those measures are appropriate in light of the nature of Customer Personal Data and the risks associated with processing.
5.4 Personal Data Breaches. Urbis will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notice may be provided to Customer primary contact or via the Urbis Platform. Where possible, the notice will include information reasonably available to Urbis at the time, including:
a) the nature of the Personal Data Breach,
b) the categories and approximate number of data subjects and records concerned,
c) likely consequences of the breach, and
d) measures taken or proposed to address the breach.
Urbis will take reasonable steps to mitigate the effects of the breach and will cooperate with Customer as reasonably necessary to meet Customer obligations under Data Protection Laws, subject to the limitations and allocation of responsibility in the Agreement.
5.5 Assistance. Taking into account the nature of the processing and the information available to Urbis, Urbis will provide reasonable assistance to Customer, at Customer request and cost, to help Customer:
a) respond to data subject requests to exercise rights under applicable Data Protection Laws, and
b) comply with obligations related to the security of processing, Personal Data Breaches, and privacy impact assessments to the extent required by Data Protection Laws and relating to Customer Personal Data.
5.6 Assistance with Impact Assessments. Taking into account the nature of processing and the information available to Urbis, Urbis will provide reasonable assistance to Customer, at Customer request and cost, with data protection impact assessments and prior consultations with relevant privacy or data protection authorities or regulators, where required under Data Protection Laws and where they relate to Customer Personal Data processed by Urbis.
6. Subprocessors
6.1 Authorization. Customer authorizes Urbis to engage Subprocessors to process Customer Personal Data as reasonably necessary for Urbis to provide the Urbis Platform and related services, subject to the terms of this DPA.
6.2 Subprocessor Obligations. Urbis will enter into written agreements with Subprocessors that impose data protection obligations not materially less protective than those set out in this DPA. Urbis will remain responsible for the performance of its Subprocessors.
6.3 Subprocessor List. Urbis will maintain a list of its current Subprocessors that process Customer Personal Data and will make that list available to Customer upon request.
6.4 Changes to Subprocessors. Urbis may update its Subprocessors from time to time. If Customer reasonably objects to a new Subprocessor on privacy or data protection grounds, Customer may notify Urbis in writing within fifteen (15) days of receiving notice of the new Subprocessor. The Parties will work in good faith to address Customer concerns. If they are unable to agree on a resolution within a reasonable time, either Party may terminate the affected services upon written notice, and Urbis will refund any prepaid, unused fees for the terminated services.
Return to top
7. Data Subject Requests
7.1 Data Subject Requests to Customer. Where a data subject submits a request to Customer to exercise rights under Data Protection Laws, Customer is responsible for responding to that request. Urbis will reasonably assist Customer in responding to data subject requests that relate to Customer Personal Data processed by Urbis, to the extent Customer cannot reasonably fulfill the request without Urbis assistance and subject to Section 5.5.
7.2 Direct Requests to Urbis. If a data subject submits a request to Urbis that relates to Customer Personal Data, Urbis will, where reasonably possible, direct the data subject to submit the request to Customer and will not respond directly except as required by law. If Urbis is required by law to respond directly, it will, where permitted, notify Customer and limit the scope of its response to what is required by law.
8. CCPA / CPRA Service Provider Terms
8.1 To the extent Urbis processes Customer Personal Data that is “Personal Information” of “Consumers” under CCPA/CPRA on behalf of Customer, the Parties agree that Urbis is a “Service Provider” and or “Contractor” to Customer, and Customer is a “Business”, as those terms are defined in CCPA/CPRA.
8.2 Urbis shall not:
a) sell Customer Personal Data as defined in CCPA/CPRA;
b) share Customer Personal Data for cross contextual behavioral advertising;
c) retain, use, or disclose Customer Personal Data for any purposes other than for the specific purpose of performing the services under the Agreement, as permitted by CCPA/CPRA, or as otherwise required by law;
d) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Urbis and Customer; or
e) combine Customer Personal Data with personal information it receives from or on behalf of another person or that it collects from its own interactions with data subjects, except to the extent permitted by CCPA/CPRA for Service Providers or Contractors (for example, to detect data security incidents or to improve or develop Urbis services).
8.3 Urbis certifies that it understands and will comply with the restrictions in this Section 8. Customer is responsible for providing Consumers with any notices required under CCPA/CPRA and for honoring Consumers exercise of rights, with Urbis assistance where required by this DPA.
Return to top
9. International Transfers
9.1 Cross Border Processing. Customer Personal Data may be processed in Canada and the United States, as necessary to provide the Urbis Platform and related services under the Agreement and this DPA.
9.2 Transfers from Other Jurisdictions. As of the Effective Date, Urbis offers the Urbis Platform only to customers established in Canada and the United States and does not anticipate transfers of Customer Personal Data that are subject to the data protection laws of the European Economic Area, the United Kingdom, or Switzerland. If the Parties later agree that Urbis will process Customer Personal Data that is subject to such laws, they will update this DPA, including Exhibit B, to incorporate an appropriate transfer mechanism, which may include Standard Contractual Clauses and any applicable local addenda, before such processing begins.
9.3 Government Access Requests. Urbis has in place technical and organizational measures designed to protect Customer Personal Data from access by public authorities that exceeds what is necessary and proportionate in a democratic society. Where legally permitted, Urbis will notify Customer without undue delay if it receives a legally binding request from a public authority for access to Customer Personal Data. Urbis will review the legality of such requests and, where appropriate, use commercially reasonable efforts to challenge unlawful or disproportionate requests. If, despite such measures, Urbis reasonably concludes that it can no longer meet its obligations under this DPA with respect to Customer Personal Data, it will promptly notify Customer.
10. De Identified and Aggregate Data and Model Improvement
10.1 De identified and Aggregate Data. Urbis may generate and use de identified and or aggregated information derived from Customer Data, including Customer Personal Data (“De identified and Aggregate Data”), provided that such data does not identify Customer, any User, any individual, or any specific property, tenant, or transaction of Customer, and does not reasonably permit reverse engineering to do so. For clarity, all model refinement or tuning performed by Urbis is limited to de-identified forms of Customer Personal Data and is subject to the same non-identification requirements described in this Section.
10.2 Permitted Uses. Urbis may use De identified and Aggregate Data to:
a) operate, maintain, secure, and improve the Urbis Platform,
b) develop new features, models, and analytical capabilities, and
c) conduct internal analytics and business planning.
Urbis will maintain and use such data in a de identified manner and will not attempt to re identify it.
10.3 Relationship to Derived Data. For clarity, some De identified and Aggregate Data described in this Section 10 may constitute “Derived Data” as defined in the Agreement. Any such Derived Data remains subject to the non identification commitments described in the Agreement and this DPA.
10.4 User Feedback and Signals. Urbis may use Customer and User interactions with the Urbis Platform, such as thumbs up or thumbs down signals, query patterns, and usage telemetry, to improve ranking, extraction quality, and other system performance. Where such signals relate to Customer Personal Data, they will be used only:
a) within the Urbis environment,
b) for internal analytics, quality improvement, and model tuning, and
c) without disclosing Customer Personal Data to other customers.
10.5 No Training of Third Party Foundation Models With Customer Personal Data. Urbis will not provide Customer Personal Data to third party foundation model providers for the purpose of training their general purpose foundation models. If Urbis uses Third Party LLMs or other third party AI providers in the Urbis Platform, it will configure and manage those services so that Customer Personal Data is not used by such providers to train their general purpose foundation models. Urbis uses only provider configurations that support this restriction, except where Customer has expressly agreed otherwise in a separate written agreement.
Return to top
11. Audits
11.1 Upon Customer reasonable request, and no more than once in any twelve (12) month period, Urbis will provide Customer with information reasonably necessary to demonstrate Urbis compliance with this DPA, which may include responses to security and privacy questionnaires, copies of independent audit reports or certifications, or other information about its security practices.
11.2 If, after reviewing such information, Customer reasonably believes that additional verification of Urbis compliance is necessary, the Parties will discuss in good faith an appropriate audit scope and approach. Any such audit shall:
a) be at Customer expense,
b) be conducted during normal business hours and in a manner that does not materially interfere with Urbis operations, and
c) be subject to reasonable confidentiality obligations and safety and security requirements.
Urbis may satisfy audit requests by providing third party audit reports and certifications where appropriate.
Return to top
12. Relationship to the Agreement
12.1 This DPA forms part of and is subject to the Agreement. It does not limit or reduce any obligations of Urbis with respect to Customer Data under the Agreement, but applies specifically to Urbis processing of Customer Personal Data on behalf of Customer.
12.2 In the event of any conflict between this DPA and the Agreement with respect to the processing of Customer Personal Data, this DPA will prevail to the extent of the conflict. In all other cases, the Agreement controls.
12.3 Nothing in this DPA shall be construed to limit the limitations of liability or disclaimers of warranties set out in the Agreement, which apply to this DPA to the fullest extent permitted by law.
13. Governing Law and Jurisdiction
13.1 This DPA is governed by, and will be construed in accordance with, the laws and jurisdiction set out in the Agreement. For clarity, as of the Effective Date of this DPA, the governing law is the laws of the Province of Ontario and the federal laws of Canada applicable therein, and the Parties submit to the exclusive jurisdiction of the courts located in Toronto, Ontario, as described in the Agreement.
Exhibit B – International Transfers (Reserved)
As of the Effective Date, Urbis provides the Urbis Platform only to customers established in Canada and the United States and does not rely on Standard Contractual Clauses or other European Union, United Kingdom, or Swiss international data transfer mechanisms for Customer Personal Data.
If the Parties agree in the future that Urbis will process Customer Personal Data that is subject to the data protection laws of the European Economic Area, the United Kingdom, or Switzerland, they will update this Exhibit B to set out the applicable transfer mechanisms, which may include Standard Contractual Clauses and any required local addenda. Until such time, this Exhibit B is reserved and does not apply.
Return to top
Real estate teams are
leveling up. Join them.
Copyright © 2025 Urbis AI – Intelligent Real Estate Solutions Inc. All rights reserved.