Legal

Data Processing Addendum

Last Updated: March 26, 2026

1. Scope

This Data Processing Addendum ("DPA") forms part of the agreement between Ontario Engineering Solutions Inc., doing business as FieldWorks ("FieldWorks," "Processor," "we," "us," or "our"), and the customer entity using the Service ("Customer," "Controller," or "Business").

This DPA applies to the extent FieldWorks processes Personal Data on behalf of Customer in connection with the FieldWorks Service.

2. Definitions

In this DPA:

  • Customer Data means data submitted to or generated within the Service by or for Customer.
  • Data Protection Law means privacy and data protection laws applicable to the Processing under the parties' agreement, including, where applicable, PIPEDA, GDPR, UK GDPR, and applicable US state privacy laws.
  • Personal Data means information relating to an identified or identifiable individual, or similar protected information regulated by Data Protection Law.
  • Process and related terms such as "Processing" have the meanings given by applicable Data Protection Law.

3. Nature of Processing

FieldWorks provides a hosted construction management platform for project coordination, deficiencies, submittals, file handling, user management, audit logs, billing administration, and external collaboration.

FieldWorks processes Personal Data only:

  • to provide, secure, support, and improve the Service;
  • on documented instructions from Customer, including through Customer's use of the Service and configuration choices; and
  • as otherwise required by applicable law.

If FieldWorks believes an instruction violates applicable law, we may notify Customer and suspend the affected Processing to the extent reasonably necessary.

4. Subject Matter, Duration, and Categories

Subject Matter

The Processing covered by this DPA concerns Personal Data included in Customer Data and related operational metadata processed through the Service.

Duration

This DPA remains in effect for as long as FieldWorks processes Personal Data on Customer's behalf under the parties' agreement.

Categories of Data Subjects

Depending on Customer's use of the Service, data subjects may include:

  • Customer personnel, administrators, and authorized users
  • project members and assignees
  • external collaborators or share-link recipients
  • customer billing contacts
  • support contacts and business representatives

Categories of Personal Data

Depending on Customer's use of the Service, Personal Data may include:

  • account and profile data
  • organization and role data
  • project and workflow records
  • comments, attachments, and other uploaded content
  • audit and access log data
  • billing and subscription metadata
  • external share-link access data

Customer controls the categories of Personal Data it submits to the Service.

5. Customer Responsibilities

Customer is responsible for:

  • having a valid legal basis to collect and disclose Personal Data to FieldWorks;
  • providing any notices and obtaining any consents required by Data Protection Law;
  • determining whether the Service is appropriate for the nature of the Personal Data Customer chooses to Process through it;
  • using the Service and configuring external sharing in a lawful manner; and
  • responding to data subject requests where Customer is the controller or business, except to the extent FieldWorks is required to assist under this DPA.

6. Confidentiality

FieldWorks will ensure that personnel authorized to Process Personal Data are subject to appropriate confidentiality obligations.

7. Security Measures

FieldWorks will implement and maintain reasonable administrative, technical, and organizational safeguards designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

These safeguards include measures appropriate to the Service, such as:

  • access controls and role-based permissions
  • encryption in transit
  • credential protections and hashed passwords
  • logging and monitoring
  • customer data segregation within the Service
  • controlled service-provider access

8. Subprocessors

Customer authorizes FieldWorks to engage subprocessors to support delivery of the Service. FieldWorks will maintain a public subprocessor list describing key subprocessors used for the Service.

FieldWorks will:

  • impose data protection obligations on subprocessors appropriate to the services they perform; and
  • remain responsible for its subprocessors' Processing to the extent required by applicable law and the parties' agreement.

9. International Transfers

Customer authorizes FieldWorks and its subprocessors to Process Personal Data in Canada, the United States, and other jurisdictions where FieldWorks or its subprocessors operate, subject to appropriate safeguards required by Data Protection Law.

Where required, FieldWorks will use transfer mechanisms such as contractual protections, standard contractual clauses, or other recognized safeguards.

10. Assistance With Data Subject Requests

Taking into account the nature of the Processing, FieldWorks will provide reasonable assistance to Customer to help Customer respond to requests from data subjects to exercise rights under applicable Data Protection Law, to the extent Customer cannot fulfill the request through the Service itself.

If FieldWorks receives a data subject request relating to Customer Data and Customer is the appropriate controller or business, FieldWorks may direct the requester to Customer or notify Customer, unless prohibited by law.

11. Assistance With Compliance

Taking into account the nature of the Processing and the information available to FieldWorks, FieldWorks will provide reasonable assistance to Customer regarding:

  • security obligations
  • breach notification obligations
  • data protection impact assessments where required and reasonably necessary
  • regulator or supervisory authority inquiries relating to the Processing covered by this DPA

12. Security Incidents

If FieldWorks becomes aware of a confirmed Security Incident affecting Personal Data Processed on Customer's behalf, FieldWorks will:

  • notify Customer without undue delay;
  • provide information reasonably available to us about the nature of the incident and the steps being taken; and
  • take reasonable steps to contain, investigate, and remediate the incident.

FieldWorks' notification of a Security Incident is not an admission of fault or liability.

13. Deletion and Return

Upon termination or expiration of the parties' agreement, FieldWorks will delete or return Customer Data in accordance with the parties' agreement, Customer's documented instructions, applicable law, and FieldWorks' documented retention and backup practices.

FieldWorks may retain limited information where required by law, for security, backup integrity, dispute resolution, fraud prevention, or the establishment, exercise, or defense of legal claims.

14. Audits and Information Requests

FieldWorks will make available information reasonably necessary to demonstrate compliance with this DPA, taking into account the nature of the Service and the confidentiality and security of other customers' information.

If Customer reasonably requires additional information for a legitimate compliance review, the parties will work in good faith on a reasonable process that protects confidential information, system security, and other customers.

15. Conflict

If there is a conflict between this DPA and the parties' main agreement with respect to Processing of Personal Data, this DPA controls to the extent of that conflict.

16. Contact

For privacy or data processing questions, contact:

Ontario Engineering Solutions Inc.
FieldWorks Privacy
21 Duke Street
St. Catharines, Ontario
Canada
support@fieldworkshq.com