Privacy Policy

Published May 25, 2026
Effective May 25, 2026
Last Updated May 25, 2026

This Privacy Policy governs your access to and use of CONNECTed Academia platforms. Please read all published policies carefully before using our services.

1. INTRODUCTION AND SCOPE

1.1 About This Policy

This Privacy Policy explains how CONNECTed Academia Inc. ("we," "us," or "our") collects, uses, discloses, and protects your personal information when you use our CONNECT and CONNECTed services. We collect information you provide directly, such as your name, email address, institutional affiliation, and academic transcripts, to provide transfer analysis services that help you understand how your academic credits may apply at other post-secondary institutions. We store your information securely in Canada using Microsoft cloud services, and we do not sell your personal information. You have rights under Canadian privacy law to access, correct, and request deletion of your information, subject to certain exceptions. This summary is provided for convenience only; the full terms of this Privacy Policy govern your use of our services. For complete details, please review the full Privacy Policy below.

This Privacy Policy (this "Policy") describes the privacy practices of CONNECTed Academia Inc., a corporation incorporated under the laws of Ontario, Canada, with respect to the collection, use, disclosure, retention, and protection of personal information through our services, including our web-based platform known as "CONNECT" (for student users) and "CONNECTed" (for institutional users), our websites, mobile applications (if any), and any related services, features, content, or applications offered by us (collectively, the "Services").

1.2 Scope of This Policy

This Policy applies to all personal information we collect, use, or disclose in connection with the Services, regardless of the medium or format through which you interact with us. This Policy applies to individuals who create accounts, upload transcripts, use transfer analysis features, communicate with us, or otherwise access or use the Services. This Policy also applies to prospective users who submit inquiries or request information about the Services.

1.3 Relationship to Other Agreements

This Policy is incorporated by reference into our Terms of Use, which are made available through the Services (including via the website footer or in-app settings), and any other agreements governing your use of the Services. To the extent of any conflict between this Policy and the Terms of Use, the Terms of Use shall govern with respect to matters of contract interpretation, liability, and dispute resolution, while this Policy shall govern with respect to the collection, use, and disclosure of personal information.

1.4 Important Notice Regarding Nature of Services

CONNECTed Academia Inc. is a private company providing informational services to support students in understanding potential transfer pathways between post-secondary institutions. We are not a post-secondary institution, an accreditation body, a government agency, or an official registrar. The outputs, reports, analyses, and recommendations generated through the Services are informational in nature and do not constitute official transfer credit decisions, academic assessments, or binding determinations of any kind. All final decisions regarding the recognition, acceptance, or application of transfer credits remain solely within the authority and discretion of the relevant post-secondary institution to which you seek admission or transfer. You should verify all information and outputs with the appropriate institutional authorities before making academic or financial decisions.

1.5 Official Domain and Service Locations

Our official public-facing domain is https://connectedu.ca. The Services may also be accessible through subdomains, institution-specific links, or third-party distribution channels (for example, institutional single sign-on portals or app stores) that point to our Services. Where a third-party channel links to the Services, this Policy continues to apply to Personal Information processed by us through the Services. To avoid phishing or spoofing, we encourage you to access the Services through our official domain or a link provided by a verified Institution.

1.6 Service Context, Licensing Models, and Who Pays

CONNECTed Academia Inc. operates the Services under multiple commercial models that may evolve as we grow. In some cases, an Institution may license CONNECTed (including through a pilot, trial, subscription, or other licensing arrangement), and Student Users transferring to or engaging with that Institution may be able to access certain features (such as transfer mapping tools, calculators, or other student supports) without paying fees directly to us. In other cases—particularly where the Institution a student is seeking to engage with has not licensed or enabled CONNECTed access—the Student User may purchase access to certain Services or features directly. The pricing model that applies to you will be disclosed at the point of use (for example, within the Services, during checkout, or through institutional onboarding materials). Regardless of who pays, we apply the privacy practices described in this Policy to Personal Information processed by us.

1.7 Startup Stage, Product Evolution, and Enterprise-Grade Practices

As a growing educational technology company, we may introduce new features, refine workflows, and adjust technical implementations over time (for example, changing how transcripts are parsed, how equivalency mappings are displayed, or how institutions configure access). We design these changes to be consistent with the privacy principles described in this Policy. Where we introduce a material new purpose for processing Personal Information, we will seek additional consent where required by law or provide additional notice as described in Section 18.

2. DEFINITIONS

For the purposes of this Policy, the following terms shall have the meanings set forth below:

"Account" means a registered user account created by an individual to access the Services.

"Aggregated Data" means data that has been combined with data from other individuals and processed in such a manner that it no longer identifies, and cannot reasonably be used to identify, any individual.

"Applicable Privacy Laws" means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), as amended from time to time, and any other federal or provincial legislation, regulations, or binding guidance relating to the protection of personal information that may apply to our operations.

"De-identified Data" means personal information that has been processed to remove or obscure direct identifiers and that cannot reasonably be used to identify a specific individual, either alone or in combination with other information.

"Institutional User" means a representative of a post-secondary institution, such as an academic adviser, registrar, recruiter, or administrator, who accesses the Services through the CONNECTed portal pursuant to an institutional licence or agreement.

"Personal Information" means information about an identifiable individual, as defined under PIPEDA, and includes any information that, alone or in combination with other information, can be used to identify a specific natural person.

"Processing" means any operation or set of operations performed on personal information, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Sensitive Personal Information" means personal information that, by its nature, is particularly sensitive and warrants enhanced protection, including but not limited to information about an individual's health, finances, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and, in the context of our Services, information such as Social Insurance Numbers, home addresses, and dates of birth that may appear on academic transcripts.

"Services" has the meaning set forth in Section 1.1 of this Policy.

"Student User" means an individual who accesses the Services through the CONNECT portal for personal academic planning and transfer analysis purposes.

"Transcript" means an official or unofficial academic transcript, record of grades, or similar academic document uploaded by a user to the Services for the purpose of transfer analysis.

"User," "you," or "your" means any individual who accesses or uses the Services, including Student Users and Institutional Users, unless the context indicates otherwise.

3. APPLICABLE PRIVACY LAW

3.1 Federal Privacy Law

CONNECTed Academia Inc. is subject to the Personal Information Protection and Electronic Documents Act ("PIPEDA"), Canada's federal private-sector privacy statute, which applies to the collection, use, and disclosure of personal information in the course of commercial activities. PIPEDA establishes ten fair information principles that govern how organisations must handle personal information: Accountability; Identifying Purposes; Consent; Limiting Collection; Limiting Use, Disclosure, and Retention; Accuracy; Safeguards; Openness; Individual Access; and Challenging Compliance.

3.2 Provincial Privacy Law

As of the effective date of this Policy, Ontario does not have a general private-sector privacy statute that has been declared substantially similar to PIPEDA for the purposes of commercial activities conducted by organisations such as CONNECTed Academia Inc. Accordingly, PIPEDA serves as the primary baseline for our privacy practices in Ontario. Certain Ontario statutes may apply in specific contexts, such as provincial consumer protection legislation or sector-specific rules, and we comply with all Applicable Privacy Laws that apply to our operations.

3.3 Commitment to Privacy Principles

We are committed to complying with PIPEDA and the generally accepted privacy principles embedded therein. Our practices are designed to: (a) obtain meaningful consent for the collection, use, and disclosure of personal information; (b) limit the collection of personal information to what is necessary for identified purposes; (c) limit the use, disclosure, and retention of personal information to identified purposes; (d) implement appropriate safeguards to protect personal information; (e) permit individuals to access their personal information and request corrections; (f) maintain accuracy of personal information; (g) be open and transparent about our privacy practices; and (h) provide mechanisms for individuals to challenge our compliance.

4. PERSONAL INFORMATION WE COLLECT

4.1 Categories of Personal Information

We collect personal information in several categories, as described in this Section 4. The specific information collected may vary depending on how you interact with the Services, whether you are a Student User or Institutional User, and the features you use.

4.2 Account and Registration Information

When you create an Account, we collect the following personal information directly from you:

(a) Full Legal Name. We collect your full legal name as it appears on your academic records for the purposes of Account creation, identity verification, and to accurately associate your transcript data with your Account.

(b) Email Address. We collect your email address as your primary contact method for Account authentication, Service communications, customer support, and, where you have provided consent, optional notifications regarding the Services.

(c) Institution You Attend. We collect the name of the post-secondary institution you currently attend or most recently attended in order to identify the source of your academic records and to apply appropriate transfer analysis logic.

(d) Start Date of Attendance. We collect the date on which you commenced your studies at your institution, or the academic term and year of commencement, to contextualise your academic history and to apply time-sensitive policies or equivalencies where relevant.

(e) Program of Study. We collect information about the academic program or credential you are pursuing (such as diploma, bachelor's degree, or certificate), including the program name and credential type, to support transfer analysis and program mapping.

4.3 Transcript and Academic Information

When you use the transfer analysis features of the Services, we collect the following information from academic transcripts you upload:

(a) Transcript Files. We collect the transcript document itself, which you upload in electronic format (such as PDF or image file). The transcript serves as the source material for extraction and analysis.

(b) Academic Content Extracted from Transcripts. From the uploaded transcript, we primarily extract and process the following academic content:

  • Course codes and course numbers;
  • Course titles and descriptions;
  • Credit values (credit hours or units);
  • Grades, marks, or grade point averages;
  • Term or semester designations;
  • Year of course completion;
  • Academic standing or status notations (where relevant to transfer analysis).

(c) City of Residence (Derived from Address Information). Transcripts may contain home address information. In order to identify the city or municipality in which you reside, our systems extract and process the full address as it appears on the transcript; however, we store only the city or municipality portion of the address. We do not store, retain, or use your full address, including street address, postal code, province, or any other granular location identifiers. The city information is stored solely for the purpose of understanding geographic demand patterns and informing decisions about where to prioritise future pilots, prototypes, or service expansions. To be clear: we extract the full address during processing to accurately identify the city, but we discard all address components other than the city immediately after extraction and do not retain them in any form.

4.4 Sensitive Personal Information That May Appear on Transcripts

Academic transcripts may contain sensitive personal information beyond academic content. We wish to be transparent about the types of sensitive information that may be present and our approach to such information:

(a) Home Address. As noted in Section 4.3(c) above, transcripts may include your home address. We extract the full address solely for the purpose of identifying and storing the city or municipality. We do not store, retain, or use any other component of your address, including street address, postal code, or province. All address information other than the city is discarded immediately after the city is identified and is not retained in our systems.

(b) Date of Birth. Transcripts may include your date of birth. We do not intentionally use date of birth for any purpose other than as it may incidentally appear in uploaded transcript files.

(c) Student Numbers or Identification Numbers. Transcripts may include institutional student identification numbers. Such numbers may be incidentally captured as part of the transcript file but are not used by us for any operational purpose beyond storage of the transcript record.

(d) Social Insurance Number (SIN) or Similar Government Identifiers. In rare cases, particularly with older or non-standard transcripts, a Social Insurance Number or similar government-issued identifier may appear on a transcript. We do not need, request, or intentionally collect Social Insurance Numbers or equivalent identifiers. We strongly recommend that you redact any Social Insurance Number or government-issued identifier from your transcript before uploading. If a SIN or similar identifier is inadvertently uploaded, we will take reasonable steps to delete or redact it upon becoming aware, but we cannot guarantee automatic detection, given that the software's primary objective is to identify and extract academic material.

(e) Other Sensitive Information. Transcripts may contain other information we do not require, such as notations regarding academic accommodations, disciplinary matters, or medical withdrawals. We do not use such information for any purpose and recommend that you redact any information you do not wish to share.

4.5 Information You Provide Through Communications

When you communicate with us through the Services, email, or other channels, we collect the information you provide, including:

(a) Support requests, inquiries, and feedback;

(b) Correspondence content and attachments;

(c) Information necessary to respond to your inquiry or resolve your issue.

4.6 Automatically Collected Technical Information

When you access or use the Services, we may automatically collect certain technical information, including:

(a) Device Information. Information about the device you use to access the Services, such as device type, operating system, and browser type.

(b) Log Data. Server logs and similar records that may include your IP address, access times, pages viewed, actions taken within the Services, and referring URLs.

(c) Cookies and Similar Technologies. Information collected through cookies, web beacons, and similar technologies, as further described in Section 13 of this Policy.

4.7 Information We Do Not Collect

We do not intentionally collect the following categories of information, and we ask that you do not provide such information except as strictly necessary:

(a) Social Insurance Numbers (SIN) or equivalent government-issued identifiers;

(b) Financial account numbers, credit card numbers, or payment information (unless collected through a separate payment processor in accordance with a separate privacy notice);

(c) Health information unrelated to academic records;

(d) Criminal record information;

(e) Biometric data.

4.8 Bulk Transfers, Institutional Data Files, and Data Migration

In addition to individual, user-entered data and uploads, we may process information provided in bulk by Institutions or other authorized partners. Bulk information may be provided to support onboarding, migration from legacy processes, pilot programs, operational administration, analytics, or transfer-credit workflows. Depending on the deployment, such information may include student rosters, institutional identifiers, program or course catalogs, equivalency tables, historical transfer rules, or datasets that include academic records. Bulk datasets may be delivered through Microsoft-based environments (for example, Microsoft 365 tools, secure file sharing, or Azure-based transfers) and may take various formats, including CSV files, Excel spreadsheets, PDFs, images, structured exports, or other file types. We treat bulk datasets as confidential, apply access controls and security safeguards described in this Policy, and process such data only for authorized purposes in accordance with this Policy and any applicable Institutional Agreement.

4.9 Transaction, Subscription, and Billing Metadata

Where fees are paid to us (by a Student User or by an Institution), we may collect and retain records of the transaction for accounting, tax, fraud prevention, and customer support purposes. These records may include the name of the payer, billing contact information, transaction identifiers, the Services purchased, payment status, timestamps, receipts, and communications related to the transaction. Payment card numbers and similar payment credentials are typically handled by third-party payment processors (see Section 10), and we seek to avoid storing complete payment card details in our systems.

4.10 Marketing Preferences and Engagement Data

If you choose to receive marketing communications or if such communications are permitted under applicable law, we may maintain records of your preferences (for example, whether you have opted in or opted out, and the date of such preference). We may also collect limited engagement data for communications (for example, whether an email was delivered or opened) where permitted by law and consistent with our practices in Section 5 and Section 13.

4.11 Data Minimization, Document Recognition, and Unneeded Identifiers

Academic documents uploaded for transfer planning, including transcripts, may contain information beyond what is necessary to provide the Services, such as institutional student numbers, internal document identifiers, administrative markings, signatures, or other identifiers printed on the document. Our objective is to extract and retain only the information that is reasonably necessary to provide the Services, generate Outputs, support account functionality, and facilitate user-requested sharing workflows.

In practical terms, our document-recognition and parsing processes may temporarily process the full document content in order to identify fields that are relevant to the Services. However, our systems are designed to store and use structured data fields that are relevant to transfer planning and related workflows, and we do not intentionally retain unneeded identifiers as part of the structured data stored for ongoing use. Where feasible, we may also implement technical measures to limit the capture or retention of information that is not needed.

We also discourage users and institutional partners from providing government-issued identifiers (such as provincial identifiers or other government numbers) unless a particular workflow requires it, the parties have documented the requirement contractually, and appropriate safeguards have been implemented. Where a workflow does not require such identifiers, we strive to operate the Services without collecting or storing them.

5. PURPOSES FOR COLLECTION AND USE OF PERSONAL INFORMATION

5.1 Overview of Purposes

We collect and use personal information for the specific purposes identified in this Section 5. We limit our collection to what is necessary for these purposes and do not use personal information for purposes beyond those identified without obtaining your consent, except as permitted or required by Applicable Privacy Laws.

5.2 Transfer Analysis and Generation of Outputs

The primary purpose for which we collect personal information is to provide transfer analysis services. This includes:

(a) Transcript Processing and Extraction. We process uploaded transcripts using automated systems to extract academic content, including course codes, titles, credits, grades, and temporal information, which serves as the foundation for transfer analysis.

(b) Course Equivalency Analysis. We use extracted transcript data to identify potential course equivalencies between your current or previous institution and target institutions, drawing upon equivalency databases, institutional policies, and calendar requirements.

(c) Program Mapping and Credit Application. We use your academic information to generate analyses of how your completed coursework may apply toward specific program requirements at target institutions, including identification of satisfied requirements, remaining requirements, and optimisation of credit placement.

(d) Generation of Reports and Outputs. We use your personal information to generate personalised reports, dashboards, spreadsheets, and other outputs that present the results of transfer analysis in an accessible format.

(e) Strategic Planning Features. We use your information to power features that help you identify courses you might take at your current institution to maximise future transferability or to fill gaps identified in the transfer analysis.

(f) GPA Calculation and Academic Planning. We use your academic information to provide supplementary tools such as GPA calculators, grade projections, and academic planning features that support your educational goals.

5.3 Customer Support and Troubleshooting

We use personal information to provide customer support and troubleshooting assistance, including:

(a) Responding to inquiries, questions, and support requests submitted through the Services, email, or other communication channels;

(b) Investigating and resolving technical issues, errors, or complaints related to your use of the Services;

(c) Communicating with you regarding your Account, including service announcements, updates, and responses to your requests;

(d) Retaining records of support interactions to ensure continuity and quality of support.

5.4 Fraud Prevention and Security Monitoring

We use personal information to protect the security and integrity of the Services and to prevent fraudulent, unauthorised, or illegal activity, including:

(a) Monitoring for suspicious activity, unauthorised access attempts, and potential security threats;

(b) Detecting and preventing fraud, abuse, or violations of our Terms of Use;

(c) Verifying user identity in connection with Account access, password resets, and sensitive requests;

(d) Investigating potential security incidents and taking appropriate remedial action;

(e) Maintaining audit logs and records necessary to demonstrate compliance with security obligations.

5.5 Service Improvement and Quality Assurance

We use personal information to improve the quality, accuracy, and functionality of the Services, including:

(a) Evaluating and improving the accuracy of automated transcript extraction processes, including identification and correction of extraction errors;

(b) Testing and refining algorithms for course equivalency matching, credit optimisation, and program mapping;

(c) Analysing patterns in user interactions to improve user experience and interface design;

(d) Conducting internal research and development to enhance Service features and capabilities;

(e) Soliciting and incorporating user feedback to address pain points and improve satisfaction.

Where possible, we use de-identified or aggregated data for service improvement purposes to minimise the use of identifiable personal information.

5.6 Analytics and Demand Analysis

We use personal information, preferably in aggregated or de-identified form, for analytics purposes, including:

(a) Understanding geographic patterns of demand by analysing city-level location data derived from transcript addresses, which informs decisions regarding where to prioritise future pilots, prototypes, and service expansions;

(b) Analysing usage patterns, feature adoption, and user behaviour to inform product development and resource allocation;

(c) Generating aggregated statistics and reports regarding Service usage that do not identify individual users;

(d) Evaluating the effectiveness of the Services in supporting user goals.

We prefer to conduct analytics using aggregated or de-identified data wherever reasonably possible. Where analytics require identifiable personal information, we limit such use to what is necessary for the identified purpose.

5.7 Legal Compliance, Dispute Resolution, and Enforcement

We use personal information as necessary to comply with legal obligations, resolve disputes, and enforce our agreements, including:

(a) Complying with applicable laws, regulations, and legal processes, including responding to lawful requests from governmental authorities;

(b) Enforcing our Terms of Use, which are made available through the Services (including via the website footer or in-app settings), and other agreements governing your use of the Services;

(c) Investigating and addressing alleged violations of our policies or applicable laws;

(d) Establishing, exercising, or defending legal claims, including in connection with disputes regarding the accuracy of outputs or the use of the Services;

(e) Protecting our rights, property, or safety, or the rights, property, or safety of our users or others;

(f) Retaining records necessary to demonstrate compliance with legal and contractual obligations.

5.8 Communication Regarding the Services

We use your contact information to communicate with you regarding the Services, including:

(a) Transactional communications, such as Account confirmations, password resets, and notifications regarding your use of the Services;

(b) Service-related announcements, such as scheduled maintenance, changes to features, or updates to this Policy;

(c) Where you have provided consent, optional communications such as newsletters, tips, or information about new features.

You may opt out of optional marketing communications at any time by following the unsubscribe instructions in such communications or by contacting us as described in Section 21.

5.9 Payments, Checkout, and Billing Administration

Where payment is required to access certain Services, we use Personal Information to administer checkout, validate eligibility for discounts or institution-sponsored access, provide receipts, address payment disputes, detect fraud, and comply with accounting and tax requirements. If we use a third-party payment processor, your payment information may be collected directly by that processor and used in accordance with the processor’s own privacy notice. We may receive limited payment-related confirmation details (for example, payment status and transaction identifiers) to fulfill and support your purchase.

5.10 Institutional Sponsorship and Student Access Management

When an Institution licenses CONNECTed and offers student access to certain features without direct student payment, we may use Personal Information to verify eligibility for institution-sponsored access (for example, confirming that a student is transferring to or associated with the Institution), to administer feature entitlements, and to provide the Institution with aggregated insights or administrative information consistent with the authorized institutional workflow. We do not disclose student Personal Information to an Institution beyond what is necessary for the workflow, what the student authorizes, or what is otherwise permitted by law and an Institutional Agreement.

5.11 Bulk Data Operations and Quality Assurance

Where Institutions provide bulk datasets, we may use that information to configure institutional settings, validate data consistency, test import procedures, resolve data quality issues, and support institutional reporting functions. We may also create De-identified Data or aggregated statistics from bulk datasets for internal product improvement and quality assurance, consistent with Section 11 of this Policy.

6. CONSENT

6.1 Knowledge and Consent

We collect, use, and disclose personal information only with your knowledge and consent, except where permitted or required by Applicable Privacy Laws without consent. By creating an Account, uploading a transcript, or otherwise providing personal information through the Services, you consent to the collection, use, and disclosure of your personal information as described in this Policy.

6.2 Forms of Consent

Consent may be express or implied, depending on the sensitivity of the information and the reasonable expectations of the individual. For sensitive personal information, we rely on express consent. For less sensitive information collected in the context of an ongoing relationship, consent may be implied from your actions, such as your decision to upload a transcript after reading this Policy.

6.3 Consent at Time of Collection

At or before the time of collection, we identify the purposes for which personal information is being collected. This Policy serves as notice of those purposes. Where we collect personal information for a new purpose not previously identified, we will seek your consent before using the information for the new purpose, unless the new use is permitted without consent under Applicable Privacy Laws.

6.4 Withdrawal of Consent

You may withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. To withdraw consent, please contact us as described in Section 21 of this Policy. We will inform you of the implications of withdrawing consent, which may include our inability to provide some or all of the Services to you. Withdrawal of consent does not affect the lawfulness of processing that occurred prior to the withdrawal.

6.5 Deemed Consent for Necessary Uses

By using the Services, you are deemed to consent to the collection, use, and disclosure of personal information that is necessary to provide the Services you have requested, including transcript processing, transfer analysis, and generation of outputs. If you do not consent to these necessary uses, you should not use the Services.

7. LIMITING COLLECTION

7.1 Collection Limited to Identified Purposes

We limit the collection of personal information to that which is necessary for the purposes identified in this Policy. We do not collect personal information indiscriminately or beyond what is required to provide the Services, support our legitimate business operations, and comply with legal obligations.

7.2 Fair and Lawful Means

We collect personal information by fair and lawful means. We collect information directly from you when you provide it voluntarily, such as through Account registration and transcript uploads. We may also collect information automatically through your use of the Services, as described in Section 4.6.

7.3 Redaction Recommendation

We strongly recommend that you redact any information from your transcript that is not necessary for transfer analysis before uploading, including but not limited to Social Insurance Numbers and any other information you prefer not to share. You may leave your city visible if you are comfortable with us retaining city-level location information for analytical purposes. We are not responsible for personal information you voluntarily provide that exceeds what is necessary for the Services.

7.4 Data Minimisation

We practise data minimisation by retaining the least amount of sensitive personal information necessary to achieve our purposes. For example, while our systems extract the full address from your transcript during processing in order to accurately identify the city, we store only the city and immediately discard all other address components, including street address, postal code, and province. Similarly, we do not use or rely upon Social Insurance Numbers or dates of birth even if incidentally present in uploaded transcripts. This approach ensures that we retain only the information necessary for our identified purposes while minimising the retention of sensitive data.

8. DISCLOSURE AND SHARING OF PERSONAL INFORMATION

8.1 General Approach to Disclosure

We do not sell personal information. We do not rent personal information. We do not disclose personal information to third parties for their independent advertising or marketing purposes. We disclose personal information only in the circumstances described in this Section 8, and only to the extent reasonably necessary for the applicable purpose.

8.2 Service Providers, Sub-processors, and Platform Vendors

We engage third-party service providers to perform functions on our behalf. These providers process personal information as our service providers or sub-processors, subject to contractual confidentiality and security obligations. The categories of service providers we use can include the following.

(a) Cloud Infrastructure and Hosting. We use Microsoft cloud services (including Microsoft Azure and related Microsoft services) to host and operate the Services, store data, support identity and access management, and provide operational tooling. Microsoft may process personal information on our behalf as part of providing cloud infrastructure and associated services, subject to Microsoft’s contractual commitments and data protection terms.

(b) Productivity, Email, and Communications Tools. We use Microsoft 365 and Outlook-based tools for operational communications, customer support workflows, and business administration. Depending on the configuration and the nature of communications, these tools may process personal information such as your contact details, communications content, and message metadata.

(c) Payment Processing. Where you purchase Services that require payment, payments are processed through our payment processor, Stripe. We generally do not receive or store full payment card numbers. Stripe may process payment and billing information on its own systems in order to provide payment processing services, and Stripe’s handling of payment information is governed by Stripe’s own policies and contractual terms. We receive limited information necessary to administer your transaction, such as the Services purchased, payment status, timestamps, transaction identifiers, and billing contact details.

(d) Analytics and Measurement. We may use analytics providers, such as Google Analytics, to understand how the Services are used, to maintain and improve the Services, and to measure performance. These services may collect device and usage information (for example, pages visited, approximate location derived from IP address, and browser information) and may set or read cookies or similar technologies, as described in Section 13.

We also use Google reCAPTCHA to help protect the Services from automated abuse, credential stuffing, and other fraudulent or malicious activity. reCAPTCHA may collect device and usage signals and may set or read cookies or similar technologies for security purposes. Google’s use of information collected through reCAPTCHA is governed by Google’s privacy policy and terms.

In addition to the Google services we use today (such as Google Analytics and reCAPTCHA), we may use other Google services in the future, such as Google Workspace for business operations and collaboration or Google Cloud services for hosting, storage, analytics, or other capabilities as our Services mature. Where Google services are used, we implement safeguards such as contractual confidentiality and security obligations, and we will update this Policy where required.

(e) Other Service Providers. We may engage additional service providers for security tooling, customer support systems, compliance operations, and related business functions. We require such providers to maintain appropriate privacy and security protections consistent with the sensitivity of the data and the services they provide.

8.3 Institutional Partners and Transfer Workflows

Depending on how you use the Services and whether you are interacting with an Institutional Deployment, personal information may be shared with an institution you attend, intend to attend, or are transferring to, where such sharing is necessary to facilitate transfer-related workflows, deliver the Services you request, comply with an Institutional Agreement, or implement your instructions. For example, if you choose to send, export, or submit a transcript, course documentation, or Outputs to an institution through the Services, we will share that information as part of completing your request. Where an institution provides data to us (for example, equivalency tables, program requirements, or policy documents) or uses the Services for institutional workflows, processing may occur under contract terms between the Company and the institution, including any data processing addendum where applicable.

8.4 Legal, Regulatory, and Public Authority Disclosures

We may disclose personal information where required or permitted by Applicable Privacy Laws, including in response to lawful requests by public authorities (including national security or law enforcement requests), to comply with subpoenas, court orders, or other legal process, to protect our rights or the rights of others, and to investigate or respond to suspected fraud, security incidents, or unlawful activity. Where legally permitted, we will take reasonable steps to notify affected users or institutional partners of such requests.

8.5 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, personal information may be disclosed to advisors, counterparties, and other participants as part of due diligence and transaction completion. Any such disclosure will be subject to appropriate confidentiality obligations. If a transaction closes, personal information may be transferred to the successor entity, subject to this Policy and any updated privacy notice provided to you.

8.6 De-identified and Aggregated Information

We may disclose or publish de-identified or aggregated information that cannot reasonably be used to identify you, for purposes such as product improvement, service analytics, and reporting. We do not attempt to re-identify de-identified information except where required for permitted security or fraud-prevention purposes or where legally allowed.

8.7 No Sale of Personal Information

For clarity, we do not sell personal information as that concept is commonly understood in privacy laws, and we do not share personal information for cross-context behavioural advertising purposes unrelated to the Services.

9. STORAGE, PROCESSING, AND CROSS-BORDER TRANSFERS

9.1 General Location of Storage and Processing

CONNECTed Academia Inc. operates from Canada and primarily serves Canadian post-secondary institutions, with an objective focus on Ontario. We host and operate the Services using third-party platform vendors, including Microsoft cloud services. Personal information may be stored and processed in Canada and, depending on system configuration, redundancy, support operations, service provider architecture, and the particular Services used, may also be stored or processed in other jurisdictions, including the United States.

9.2 Cross-Border Transfers and Safeguards

When personal information is processed outside your province, territory, or country of residence, it may be subject to the laws of the jurisdiction where it is processed and may be accessible to law enforcement and national security authorities in that jurisdiction, in accordance with applicable law. We implement safeguards designed to protect personal information when using service providers, including contractual commitments regarding confidentiality, data protection, and security, as well as measures designed to minimize the data shared where feasible and appropriate.

9.3 Institutional Requirements and Deployment Configuration

Some institutional partners may request particular data residency or processing restrictions. Where commercially reasonable and technically feasible, we may work with institutional partners to document and implement deployment configurations consistent with institutional requirements. However, the availability of specific residency configurations can depend on the services used, the vendor environment, and the scope of integration requested, and may require an Institutional Agreement and/or a data processing addendum.

9.4 Transparency and Updates

We will make reasonable efforts to describe material changes to our storage and processing posture in updates to this Policy or through other communications. You may request additional information regarding cross-border processing by contacting us as described in Section 21 of this Policy.

9.5 Users Outside Canada

If you are located outside of Canada, you acknowledge that your personal information may be processed in Canada and other jurisdictions depending on configuration. You also acknowledge that certain privacy rights and regulatory frameworks may differ by jurisdiction.

10. RETENTION OF PERSONAL INFORMATION

10.1 Retention Principles

Under PIPEDA, personal information shall be retained only as long as necessary for the fulfilment of the purposes for which it was collected. We have designed our retention practices to balance our legitimate operational needs with the principle of limiting retention.

10.2 Operational Rationale for Retention

Our transfer analysis services provide outputs and reports based on the transcript and academic information you provide. To support our Services effectively, we may need to retain personal information for extended periods for the following reasons:

(a) To allow you to retrieve, review, and use your transfer analysis outputs over time as you progress through your academic planning;

(b) To investigate and respond to inquiries, complaints, or disputes regarding the accuracy of outputs or the processing of your transcript, which may arise months or years after initial processing;

(c) To provide continuity of service if you return to use the Services after a period of inactivity;

(d) To maintain records necessary to defend against legal claims or demonstrate compliance with legal or contractual obligations, which may have limitation periods extending several years.

10.3 Retention Approach

We have adopted the following retention approach to balance operational needs with PIPEDA's retention principles:

(a) Active Account Retention. While your Account remains active, we retain your personal information, including uploaded transcripts, extracted academic data, and generated outputs, to provide you with ongoing access to the Services and your historical analyses. An Account is considered active if you have logged in or engaged with the Services within the preceding thirty-six (36) months.

(b) Inactive Account Retention. If your Account becomes inactive (no login or engagement for thirty-six (36) consecutive months), we will notify you at the email address associated with your Account and provide you with an opportunity to reactivate your Account or request deletion of your personal information. If we receive no response within sixty (60) days of such notice, we may proceed to delete or de-identify your personal information, subject to paragraphs (d) and (e) below.

(c) User-Requested Deletion. You may request deletion of your personal information at any time by contacting us as described in Section 21 of this Policy. Upon receiving a verified deletion request, we will delete your personal information in accordance with Section 12.6 of this Policy, subject to paragraphs (d) and (e) below.

(d) Retention for Legal and Compliance Purposes. Notwithstanding the foregoing, we may retain personal information for longer periods where necessary to comply with legal obligations, resolve disputes, enforce our agreements, establish or defend legal claims, or fulfil other legitimate purposes permitted by Applicable Privacy Laws. In Ontario, the basic limitation period for commencing most civil proceedings is two (2) years from the date a claim is discovered, with an ultimate limitation period of fifteen (15) years. Accordingly, we may retain certain personal information for up to seven (7) years following your last interaction with the Services, or longer where specific legal proceedings, regulatory investigations, or disputes are ongoing or reasonably anticipated. Such retained information will be restricted from ordinary processing and used only for the purpose for which it was retained.

(e) Retention of De-identified or Aggregated Data. We may retain de-identified or aggregated data derived from your personal information indefinitely for research, analytics, service improvement, and statistical purposes, provided such data does not reasonably identify you.

10.4 Secure Destruction

When personal information is no longer required for the purposes for which it was collected and no legal basis exists for continued retention, we will destroy, erase, or render the information anonymous using secure methods appropriate to the sensitivity of the information.

10.5 Retention of Transcripts and Source Documents

Uploaded transcript files present particular retention considerations. We retain transcript files to enable us to investigate and respond to disputes regarding the accuracy of our extraction and analysis processes. If you request deletion of your personal information, we will delete your transcript files, subject to our right to retain information necessary for legal compliance or dispute resolution as described in Section 10.3(d).

11. SECURITY SAFEGUARDS

11.1 Commitment to Security

We are committed to protecting personal information against unauthorised access, disclosure, copying, use, modification, or destruction. We have implemented administrative, technical, and physical safeguards proportionate to the sensitivity of the personal information we hold.

11.2 Administrative Safeguards

Our administrative safeguards include:

(a) Personnel Training. Personnel with access to personal information receive training on privacy and security responsibilities and are required to acknowledge confidentiality obligations.

(b) Access Controls and Least Privilege. Access to personal information is restricted to personnel who require such access to perform their job functions, consistent with the principle of least privilege.

(c) Confidentiality Agreements. Employees, contractors, and service providers with access to personal information are bound by confidentiality obligations.

(d) Policies and Procedures. We maintain written policies and procedures governing the handling of personal information, including access management, incident response, and data retention.

11.3 Technical Safeguards

Our technical safeguards include:

(a) Encryption. We use encryption to protect personal information in transit between your device and our servers using industry-standard protocols (such as TLS). We also employ encryption at rest for stored personal information where appropriate and supported by our infrastructure.

(b) Authentication. We require authentication to access user Accounts and implement measures such as password requirements and session management to protect Account security.

(c) Logging and Monitoring. We maintain logs of access to systems containing personal information and monitor for suspicious or unauthorised activity.

(d) Secure Development Practices. We incorporate security considerations into our software development processes and conduct periodic reviews of our systems.

(e) Vulnerability Management. We monitor for security vulnerabilities and apply patches and updates in a timely manner.

11.4 Physical Safeguards

Our physical safeguards include reliance on the physical security measures implemented by our cloud infrastructure provider, Microsoft, which maintains data centres with industry-standard physical access controls, environmental protections, and monitoring.

11.5 No Guarantee of Absolute Security

While we implement safeguards designed to protect personal information, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of personal information, and you use the Services at your own risk. We will notify you of any breach of security affecting your personal information in accordance with Section 15 of this Policy.

11.6 Your Role in Security

You play an important role in protecting your personal information. You are responsible for maintaining the confidentiality of your Account credentials and for any activity that occurs under your Account. Please notify us immediately at connect-edu.ca@outlook.com if you become aware of any unauthorised access to or use of your Account.

11.4 Security Program Governance and Continuous Improvement

We maintain a security program that is designed to protect the confidentiality, integrity, and availability of the Services and personal information. Our security program includes governance measures such as defined security roles and responsibilities, access management and least-privilege practices, security awareness and training, risk assessment and risk treatment processes, secure development practices, vendor risk considerations, and incident response procedures. Because CONNECT is a developing service and we continue to enhance features and operational controls, security controls may evolve over time as the product matures.

11.5 Alignment with Recognized Frameworks; SOC 2 and ISO/IEC 27001

Many enterprise and educational institutions evaluate service providers using recognized assurance frameworks such as SOC 2 and ISO/IEC 27001. We design our security controls to align with widely recognized industry expectations, including the AICPA Trust Services Criteria (commonly assessed through SOC 2 examinations) and the domains and requirements associated with ISO/IEC 27001 information security management systems, to the extent appropriate for our size, risk profile, and operational maturity. Where we obtain relevant third-party assurance reports or certifications in the future, we may make them available to institutional customers under appropriate confidentiality terms.

As part of our security maturity roadmap, we intend to pursue a SOC 2 Type I examination within approximately the next eighteen (18) months. The timing, scope, and availability of any assurance materials can depend on operational readiness, the defined audit scope, and third-party auditor availability, and therefore should not be interpreted as a guarantee of certification by a particular date.

11.6 Cloud Security and Shared Responsibility

We rely on reputable cloud platform vendors, including Microsoft cloud services, for key infrastructure capabilities. Cloud services operate under a shared responsibility model in which the cloud provider is responsible for the security of the underlying cloud infrastructure, while we are responsible for configuring, operating, and securing our applications, identities, and data handling practices within that infrastructure. We implement configuration controls and operational procedures intended to support secure deployment and reduce misconfiguration risk.

11.7 Logging, Monitoring, and Audit Trails

We use logging and monitoring designed to support service reliability, security investigation, incident response, troubleshooting, and fraud prevention. We continue to enhance audit logging and reporting capabilities as the Services mature. In CONNECTed (institutional) contexts, audit trails may be used to support institutional governance, to help trace configuration changes, and to support integrity and accountability in workflows, subject to privacy, security, and contractual constraints.

11.8 Security Information Requests and Procurement Due Diligence

Institutional procurement processes may require security questionnaires, policy summaries, and documentation regarding controls. Where appropriate and subject to confidentiality and security restrictions, we may provide reasonable information to institutional partners to support their due diligence processes. We do not provide information that would compromise the security of the Services or disclose sensitive implementation details.

12. YOUR RIGHTS AND HOW TO EXERCISE THEM

12.1 Overview of Rights

Under PIPEDA and our commitment to privacy principles, you have certain rights with respect to your personal information. This Section 12 describes those rights and how to exercise them.

12.2 Right of Access

You have the right to request access to the personal information we hold about you. Upon receiving a verified access request, we will provide you with information about the existence, use, and disclosure of your personal information and, where reasonably possible, access to the information itself. We may provide access in the form of a summary of the information rather than the actual documents, where appropriate.

12.3 Right to Correction

You have the right to request correction of personal information we hold about you that is inaccurate or incomplete. Upon receiving a verified correction request with supporting information, we will correct the information or annotate our records with your position if we disagree that a correction is warranted. Where we have disclosed inaccurate information to third parties, we will notify them of the correction where feasible and appropriate.

12.4 Right to Withdraw Consent

As described in Section 6.4, you have the right to withdraw your consent to the collection, use, or disclosure of your personal information at any time, subject to legal or contractual restrictions and reasonable notice. We will inform you of the implications of withdrawing consent.

12.5 Right to Request Deletion

You have the right to request deletion (also referred to as erasure) of your personal information. Upon receiving a verified deletion request, we will delete personal information that is no longer necessary for the purposes for which it was collected and for which we have no other legal basis to retain. See Section 12.6 for details on the deletion process.

12.6 Deletion Process and Exceptions

When you request deletion of your personal information:

(a) We will delete your Account and associated profile information;

(b) We will delete uploaded transcript files;

(c) We will delete extracted academic data and generated outputs associated with your Account;

(d) We will delete or de-identify communications and support records, unless retention is necessary for legal purposes.

Exceptions to Deletion: We may retain certain personal information after a deletion request in the following circumstances:

(i) Where retention is required by Applicable Privacy Laws or other legal obligations;

(ii) Where retention is necessary for the establishment, exercise, or defence of legal claims or disputes;

(iii) Where retention is necessary to investigate, prevent, or address fraud, security incidents, or violations of our Terms of Use;

(iv) Where retention is necessary to complete a transaction or provide a service you requested;

(v) Where the information has been de-identified and no longer constitutes personal information.

We will inform you if any exceptions apply to your deletion request.

12.7 Identity Verification

To protect your personal information, we may require you to verify your identity before we process access, correction, or deletion requests. Verification methods may include confirmation of Account credentials, verification of information associated with your Account, or, where appropriate, submission of identity documentation. We will not collect more personal information than necessary to verify your identity.

12.8 Response Timeline

We will respond to your requests within a reasonable time, and in any event within thirty (30) days of receiving your request, unless an extension is necessary due to the complexity of the request or the volume of requests received. If an extension is required, we will notify you of the extension and the reasons for it within the initial thirty (30) day period. If we are unable to respond within thirty (30) days, we will respond as soon as reasonably practicable, and in any event within such timeline as is consistent with Applicable Privacy Laws.

12.9 How to Submit a Request

To exercise any of your rights under this Policy, please contact us at:

Email: connect-edu.ca@outlook.com

Please include sufficient information to identify yourself and to enable us to locate your personal information, as well as a description of the right you wish to exercise and any supporting information relevant to your request.

12.10 No Fee for Ordinary Requests

We do not charge a fee for responding to ordinary access, correction, or deletion requests. If your request is manifestly unfounded, excessive, or repetitive, we may charge a reasonable fee reflective of the administrative costs of responding or may decline the request, in accordance with Applicable Privacy Laws.

12.11 Right to Complain

If you are dissatisfied with our response to your request or have concerns about our privacy practices, you have the right to file a complaint with us and, if not resolved to your satisfaction, with the Office of the Privacy Commissioner of Canada. See Section 12.12 for information on filing a complaint.

12.12 Filing a Complaint

Internal Complaint: You may file a privacy complaint with us by contacting us at connect-edu.ca@outlook.com. We will investigate your complaint and respond within a reasonable time.

Complaint to the Office of the Privacy Commissioner of Canada: If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca

13. COOKIES AND TRACKING TECHNOLOGIES

13.1 Overview of Cookies and Tracking Technologies

This Section 13 describes our use of cookies and similar tracking technologies on the Services. A "cookie" is a small text file that is placed on your device (computer, smartphone, tablet, or other internet-enabled device) when you visit a website or use an online service. Cookies enable the website or service to recognise your device, remember your preferences, and collect information about your browsing behaviour. In addition to cookies, we may use other tracking technologies such as web beacons (also known as pixel tags or clear GIFs), local storage objects, and similar technologies that serve comparable functions.

13.2 Legal Basis for Use of Cookies

Under PIPEDA and Canadian privacy principles, the use of cookies and similar technologies that collect personal information requires either consent or reliance on an exception to the consent requirement. For cookies that are strictly necessary for the operation of the Services, we rely on implied consent arising from your use of the Services. For cookies that are not strictly necessary, including analytics and marketing cookies, we obtain your consent through a cookie consent mechanism presented when you first access the Services, which allows you to accept or decline non-essential cookies.

13.3 Categories of Cookies We Use

We use, or may use, the following categories of cookies on the Services:

(a) Strictly Necessary Cookies.

Strictly necessary cookies are essential for the operation of the Services and enable core functionality such as security, network management, account authentication, and accessibility. These cookies are necessary to provide the Services you have requested and cannot be disabled without impairing the basic functionality of the Services. Strictly necessary cookies do not require your consent under Canadian privacy law, as they are essential for the performance of a service you have requested.

Examples of strictly necessary cookies include:

  • Session cookies that maintain your logged-in state as you navigate the Services;
  • Security cookies that detect authentication abuses and protect user data from unauthorised parties;
  • Load-balancing cookies that distribute traffic to the Services across multiple servers to ensure availability;
  • Cookies that remember your cookie consent preferences.

(b) Performance and Analytics Cookies.

Performance and analytics cookies collect information about how visitors use the Services, including which pages are visited most frequently, how long visitors spend on each page, how visitors navigate through the Services, and whether visitors encounter error messages. The information collected by these cookies is aggregated and used to improve the functioning, usability, and performance of the Services. Performance and analytics cookies may be set by us or by third-party analytics providers we engage.

We use Google Analytics, a web analytics service provided by Google LLC ("Google"), to collect and analyse information about use of the Services. Google Analytics uses cookies to collect information such as how often users visit the Services, what pages they visit, how long they spend on each page, and what other sites they visited prior to accessing the Services. We use this information to improve the Services and to understand user behaviour and preferences.

Information collected by Google Analytics cookies includes:

  • Pages visited and actions taken within the Services;
  • Time spent on pages and duration of sessions;
  • Referring URLs and how you arrived at the Services;
  • General geographic location (city or region level, derived from IP address);
  • Browser type, operating system, device type, and screen resolution;
  • Anonymised or pseudonymised user identifiers.

Google Analytics operates using first-party cookies set by the Services, which transmit information to Google servers. Google may use this information in accordance with Google's Privacy Policy, available at https://policies.google.com/privacy. Google may also transfer this information to third parties where required by law or where such third parties process information on Google's behalf. Google Analytics data may be processed on servers located outside of Canada, including in the United States.

We have implemented the following measures to enhance privacy protections in connection with our use of Google Analytics:

  • IP Anonymisation: We have enabled IP anonymisation (also known as IP masking) in Google Analytics, which truncates the last portion of users' IP addresses before storage, reducing the identifiability of individual users.
  • Data Retention Settings: We have configured Google Analytics to retain user-level and event-level data for the minimum period necessary for our analytics purposes.
  • Advertising Features Disabled: We do not use Google Analytics advertising features, remarketing, or demographic and interest reporting.
  • Data Processing Agreement: We have entered into a data processing agreement with Google governing the processing of personal information through Google Analytics.

(c) Functionality Cookies.

Functionality cookies allow the Services to remember choices you make and provide enhanced, more personalised features. These cookies may remember your preferences, such as language settings, display preferences, or region selection, and tailor the Services accordingly. Functionality cookies may be set by us or by third-party providers whose services we have integrated into the Services.

Examples of functionality cookies include:

  • Cookies that remember your language or regional preferences;
  • Cookies that remember display settings or accessibility preferences;
  • Cookies that remember your username (but not your password) for convenience at login.

(d) Marketing and Advertising Cookies.

As of the effective date of this Policy, we do not use marketing or advertising cookies on the Services. We do not serve targeted advertisements, engage in behavioural advertising, or use cookies to track users across third-party websites for advertising purposes.

If we introduce marketing or advertising cookies in the future, we will update this Policy and our Cookie Policy, if separately posted through the Services, to describe such cookies, the purposes for which they are used, and the choices available to you. We will obtain your consent before placing any marketing or advertising cookies on your device.

13.4 Third-Party Cookies

Some cookies on the Services are set by third parties rather than by us. These third-party cookies are placed by service providers we engage to perform functions on our behalf or to provide services integrated into the Services. Third-party cookies are governed by the privacy policies of the respective third parties.

The primary third-party cookies used on the Services are:

(a) Google Analytics Cookies. As described in Section 13.3(b), we use Google Analytics for performance and analytics purposes. Google Analytics sets the following cookies:

  • _ga: Used to distinguish users. Expires after twenty-four (24) months.
  • _ga_[property-id]: Used to persist session state. Expires after twenty-four (24) months.
  • _gid: Used to distinguish users. Expires after twenty-four (24) hours.
  • _gat: Used to throttle request rate. Expires after one (1) minute.

The specific cookies set by Google Analytics may change over time as Google updates its services. For the most current information about Google Analytics cookies, please refer to Google's documentation.

13.5 Your Cookie Choices and Controls

You have several options for managing cookies and controlling how cookies are used on your device:

(a) Cookie Consent Mechanism.

When you first access the Services, you may be presented with a cookie consent banner or similar mechanism that allows you to accept or decline non-essential cookies. You can change your cookie preferences at any time by accessing the cookie settings link in the footer of the Services or by contacting us at connect-edu.ca@outlook.com.

(b) Browser Settings.

Most web browsers allow you to control cookies through their settings. You can typically configure your browser to:

  • Accept all cookies;
  • Reject all cookies;
  • Accept only certain cookies (such as first-party cookies but not third-party cookies);
  • Alert you when a cookie is being placed so you can decide whether to accept it;
  • Delete cookies that have already been placed on your device.

The method for accessing cookie settings varies by browser. Common browsers include:

  • Google Chrome: Settings > Privacy and Security > Cookies and other site data
  • Mozilla Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Apple Safari: Preferences > Privacy > Manage Website Data
  • Microsoft Edge: Settings > Cookies and site permissions > Manage and delete cookies and site data

Please note that if you choose to block or delete cookies, some features of the Services may not function properly, and your user experience may be impaired.

(c) Google Analytics Opt-Out.

You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, available at https://tools.google.com/dlpage/gaoptout. This add-on prevents the Google Analytics JavaScript from sharing information with Google Analytics about visit activity. Alternatively, you may opt out by declining analytics cookies through our cookie consent mechanism.

(d) Do Not Track Signals.

Some browsers include a "Do Not Track" (DNT) feature that sends a signal to websites indicating that you do not wish to be tracked. There is currently no universally accepted standard for how websites should respond to DNT signals. As of the effective date of this Policy, the Services do not respond to DNT signals. If a standard for responding to DNT signals is adopted that we are required to follow, we will update this Policy accordingly.

13.6 Web Beacons and Similar Technologies

In addition to cookies, we may use web beacons (also known as pixel tags, clear GIFs, or tracking pixels) on the Services and in emails we send. A web beacon is a small, transparent image file that is embedded in a web page or email and is used to track whether a page has been viewed or an email has been opened. Web beacons may be used in conjunction with cookies to collect information about your interactions with the Services and our email communications.

Web beacons may collect information such as:

  • Whether an email was opened and when;
  • Whether links in an email were clicked;
  • The IP address of the device used to view the email;
  • The type of browser, email client, and operating system used.

You can disable web beacons in emails by configuring your email client to not automatically load images in emails, although this may affect the display of images and formatting in legitimate emails.

13.7 Local Storage and Session Storage

We may use local storage (including HTML5 local storage) and session storage technologies to store information locally on your device. Local storage is similar to cookies but can store larger amounts of data and persists until explicitly deleted. Session storage is similar but is cleared when you close your browser. We use local storage and session storage for purposes such as:

  • Storing user preferences and settings;
  • Caching data to improve performance;
  • Maintaining session state during your use of the Services.

You can clear local storage and session storage through your browser settings, typically in the same area where you manage cookies.

13.8 Updates to Cookie Practices

Our use of cookies and tracking technologies may change over time as we introduce new features, engage new service providers, or respond to changes in technology or legal requirements. We will update this Section 13 and our Cookie Policy, if separately posted through the Services, to reflect any material changes to our cookie practices. We encourage you to review this Section 13 and our Cookie Policy periodically.

13.9 Cookie Policy

For more detailed information about the specific cookies we use, their purposes, durations, and providers, please refer to our Cookie Policy, if separately posted through the Services. The Cookie Policy provides a comprehensive list of cookies used on the Services and is updated as our cookie practices evolve.

13.10 Contact Us Regarding Cookies

If you have questions about our use of cookies or tracking technologies, or if you wish to change your cookie preferences, please contact us at connect-edu.ca@outlook.com.

14. MINORS AND CAPACITY TO CONSENT

14.1 Minimum Age Requirement

The Services are designed for post-secondary contexts and are not intended for children. Consistent with our Terms of Use, you must be at least sixteen (16) years of age and possess the legal capacity to enter into a binding contract under the laws of your jurisdiction of residence in order to use the Services. By creating an Account or using the Services, you represent and warrant that you meet these requirements.

14.2 Users Under the Age of Majority

If you are under the age of majority in your province or territory of residence but meet the minimum age threshold described above, you acknowledge that post-secondary students may lawfully use educational services. However, we strongly encourage you to discuss your use of the Services with a parent, guardian, or trusted adult, particularly before making any academic or financial decisions based on Outputs.

14.3 Prohibition on Use by Individuals Under 16

If you are under sixteen (16) years of age, you are prohibited from accessing or using the Services. We do not knowingly collect Personal Information from individuals under 16. If we learn that we have collected Personal Information from an individual under 16, we will take steps to delete that information promptly, unless we are required or permitted by law to retain it.

14.4 Proof of Age and Capacity; Account Enforcement

We may request proof of age or capacity at any time and may suspend or terminate Accounts that fail to comply with this Section 14 or the Terms of Use. In institutional deployments, an Institution may also impose additional eligibility requirements or onboarding steps consistent with its own policies and applicable law.

15. BREACH NOTIFICATION

15.1 Breach of Security Safeguards

Under PIPEDA, a "breach of security safeguards" means the loss of, unauthorised access to, or unauthorised disclosure of personal information resulting from a breach of an organisation's security safeguards or from a failure to establish those safeguards.

15.2 Notification to Individuals

If we experience a breach of security safeguards involving personal information under our control and it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual, we will notify the affected individual(s) of the breach as soon as feasible. Notification will include information about the breach, the types of personal information involved, and steps the individual can take to reduce the risk of harm or mitigate that harm.

15.3 Report to the Office of the Privacy Commissioner of Canada

Where notification to individuals is required under Section 15.2, we will also report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible. The report will contain information about the circumstances of the breach and the steps we have taken in response.

15.4 Breach Records

We maintain records of all breaches of security safeguards involving personal information under our control, regardless of whether notification is required. Such records are maintained for a period of at least twenty-four (24) months and are available to the Office of the Privacy Commissioner of Canada upon request.

15.5 Assessment of Risk

In determining whether a breach creates a real risk of significant harm, we consider the sensitivity of the personal information involved, the probability that the information has been or will be misused, and any other relevant factor.

15.5 Notification Timing and Enterprise Context

We will notify affected individuals and, where applicable, institutional partners without undue delay where notification is required by Applicable Privacy Laws or where we determine that notification is appropriate in light of the circumstances. Because the scope and complexity of an incident may vary, initial notifications may provide limited information and may be followed by updated communications as investigations proceed. As part of our security program maturity roadmap, we intend to implement processes designed to support notification to institutional partners within a forty-eight (48) hour target after confirmation of a Security Incident involving institutional data, recognizing that this target is aspirational and may be adjusted in specific circumstances or by contract.

15.6 Institutional Deployments

Where personal information is processed on behalf of an institutional customer under an Institutional Agreement, additional contractual incident notification provisions may apply. In the event of a Security Incident affecting information processed under an Institutional Deployment, we will cooperate with the institution to support its legal obligations, subject to legal constraints and confidentiality requirements.

16. ACCURACY OF INFORMATION AND LIMITATIONS OF AUTOMATED PROCESSING

16.1 Decision-Support Nature of Outputs

The Services may generate outputs, recommendations, equivalency suggestions, pathway information, or other materials (“Outputs”) based on information you provide (including transcript data and course information), Institution Data, and logic implemented within the Services. Unless expressly stated in an Institutional Agreement, Outputs are informational and decision-support in nature. Outputs do not constitute official transfer credit decisions, admission decisions, academic standing decisions, or other official determinations by an institution.

16.2 Sources of Variability and Limitations

The quality of Outputs can be affected by factors such as transcript formats, document quality, institutional policy changes, incomplete or outdated information, differences in institutional conventions, and the availability and accuracy of course descriptions or program requirements. We take reasonable steps to improve extraction quality and mapping reliability, but we cannot guarantee that Outputs will be accurate, complete, or current for all institutions, programs, or time periods.

16.3 Automated Processing and AI/ML Techniques

Certain features of the Services may involve automated processing, including extraction of structured information from documents, normalization of course attributes, matching logic that compares coursework to institutional rules, and ranking or presentation of candidate pathways or equivalencies. Some components may incorporate machine learning techniques or algorithmic methods intended to improve document parsing and the reliability of suggestions. We design these features to support user understanding and to reduce administrative burden, but they remain subject to limitations and should be reviewed in context.

16.4 Human Oversight and Review

Where Outputs are used in contexts with academic or financial consequences, appropriate human review is important. Users should exercise judgment and verify critical information. Institutional customers should implement governance and review practices consistent with their academic policies and regulatory obligations. The Company does not require, and does not support, a deployment model in which institutional decisions are made solely by automated processing without appropriate human oversight.

16.5 Transparency, Explanations, and Protection of Proprietary Information

We aim to provide transparency about the categories of data we use, the purposes of processing, and the nature of automated features. At the same time, the specific technical design of our internal models, scoring logic, and implementation details are proprietary to the Company and may also be security-sensitive. Accordingly, we may limit the level of technical detail we disclose where disclosure would compromise intellectual property, reveal security controls, or create misuse risk. Where feasible and appropriate, we may provide user-facing explanations or contextual indicators to help interpret Outputs without exposing sensitive implementation details.

16.6 Use of Data to Improve the Services

We may use de-identified and aggregated information, usage telemetry, and error reports to improve service reliability, document extraction quality, and product performance. We do not use identifiable institutional personal information to train third-party general-purpose models for unrelated products without permission. Where an institutional customer requires additional restrictions on improvement use, those restrictions may be documented in an Institutional Agreement or data processing addendum.

16.7 Evolving AI Regulations and Governance Practices

Regulatory expectations for automated decision-making and AI systems are evolving in Canada and internationally. We monitor relevant legal developments and, where required or appropriate, implement proportionate governance practices such as documentation of intended use, testing and validation, monitoring for reliability and bias risks, and mechanisms to correct errors. The scope and form of such governance practices may evolve over time as the Services mature and as regulatory guidance becomes more specific.

17. LINKS TO THIRD-PARTY SERVICES

17.1 Third-Party Websites and Services

The Services may contain links to third-party websites, applications, or services that are not owned or controlled by CONNECTed Academia Inc. This Policy does not apply to such third-party services. We encourage you to review the privacy policies of any third-party services you access.

17.2 No Responsibility for Third Parties

We are not responsible for the privacy practices, content, or security of third-party websites or services. Access to third-party services is at your own risk.

18. CHANGES TO THIS PRIVACY POLICY

18.1 Right to Modify

We may modify this Policy from time to time to reflect changes in our privacy practices, the Services, or Applicable Privacy Laws. We reserve the right to update, revise, or replace this Policy at our discretion.

18.2 Notice of Material Changes

If we make material changes to this Policy, we will provide notice through reasonable means, such as posting a prominent notice within the Services, sending an email to the address associated with your Account, or other means appropriate under the circumstances. Material changes include changes that significantly affect the collection, use, or disclosure of personal information, changes to your rights under the Policy, or changes required by Applicable Privacy Laws.

18.3 Effective Date of Changes

The effective date of any changes will be indicated at the top of the revised Policy. Your continued use of the Services after the effective date of a revised Policy constitutes your acceptance of the revised terms. If you do not agree to the revised Policy, you should discontinue use of the Services and, if desired, request deletion of your personal information.

18.4 Review of Policy

We encourage you to review this Policy periodically to stay informed about our privacy practices.

19. DISPUTE RESOLUTION AND GOVERNING LAW

19.1 Relationship to Terms of Use and Institutional Agreements

This Policy describes our Personal Information practices. Disputes relating to your access to or use of the Services (including disputes relating to the Services’ features, Outputs, fees, or service availability) are governed by the dispute resolution provisions in our Terms of Use and, where applicable, any Institutional Agreement. Those provisions may include arbitration requirements and a class action waiver to the extent permitted by law.

19.2 Governing Law

Unless otherwise provided in an Institutional Agreement or required by applicable law, our privacy practices and this Policy are generally governed by the laws of Ontario, Canada, and the federal laws of Canada applicable therein. Nothing in this Policy limits any rights you may have under applicable privacy law, including the right to file a complaint with a privacy regulator.

20. INSTITUTIONAL DEPLOYMENTS, DATA PROCESSING ADDENDUMS, AND ENTERPRISE TERMS

20.1 Institutional Deployments and Roles

The Company offers student-facing Services (“CONNECT”) and may offer institution-facing services (“CONNECTed”) to post-secondary institutions or similar entities under an Institutional Agreement. In an Institutional Deployment, an institution typically determines the purposes and means of processing for institutional workflows and configurations. In such cases, the institution may act as the controller (or equivalent responsible organization) and the Company may act as a service provider or processor processing institutional personal information on the institution’s behalf.

20.2 Data Processing Addendum and Procurement Requirements

Institutional partners may require a data processing addendum, privacy schedule, security exhibit, or similar contract terms. Where applicable, the Company may provide an institutional data processing addendum (“DPA”) that describes processing roles, permitted processing purposes, security safeguards, sub-processor governance, incident response cooperation, and deletion or return of institutional data. For Institutional Deployments, the DPA and the Institutional Agreement govern the Company’s processing of institutional personal information to the extent they apply.

20.3 Institutional Data Inputs, Bulk Files, and Integrations

Institutional Deployments may involve the processing of data provided by an institution in bulk (for example, rosters, equivalency tables, policy documents, program requirements, course catalogs, articulation agreements, and historical mapping information), as well as student-provided documents and communications within institutional workflows. Such data may be provided in a variety of formats, including CSV, Excel, PDF, DOCX, JSON, image files, or other structured or unstructured formats. The Company processes such information for the purposes described in the Institutional Agreement and to provide the institutional features of the Services.

20.4 Student Accounts in Institutional Contexts

A Student may interact with CONNECT independently, or through an institution’s sponsored access or Institutional Deployment. In institutional contexts, certain information may be made available to the institution to support institutional workflows, subject to the student’s choices, institutional policies, and the applicable contract terms. Institutions may have their own privacy notices and student-facing policies governing institutional processing. Where an institution requests deletion or return of institutional data, such requests are addressed through institutional contract terms and applicable law.

20.5 Deployment Model

The Company provides the Services as a cloud-hosted service. The Company does not offer an institution-hosted deployment model as a default offering. Integrations may be supported where agreed, but the Company does not require deep embedding into an institution’s internal infrastructure as a condition of providing the Services.

20.6 Security Information and Assurance Materials for Institutions

Institutions may request security documentation, risk assessment responses, or assurance materials as part of procurement. Subject to confidentiality and security constraints, the Company may provide reasonable information to support due diligence, including summaries of security controls, descriptions of technical and organizational measures, and, where available, third-party assurance artifacts. The Company may decline to provide information that would compromise security or disclose proprietary implementation details.

21. CONTACT US

21.1 Privacy Inquiries and Requests

If you have questions about this Policy, wish to exercise your rights under this Policy, or have concerns about our privacy practices, please contact us at:

CONNECTed Academia Inc.

Privacy Inquiries

Email: connect-edu.ca@outlook.com

21.2 Response Commitment

We are committed to addressing your privacy inquiries and requests in a timely and respectful manner. We will acknowledge receipt of your inquiry and respond substantively within the timelines described in Section 12.8 of this Policy.

21.3 Accountability

CONNECTed Academia Inc. is responsible for personal information under its control. We have designated an individual to be accountable for our compliance with this Policy and Applicable Privacy Laws. Inquiries regarding our privacy practices may be directed to the contact information above.

21.4 How to Route Requests Efficiently

To help us route requests efficiently, please email our Data Protection Officer at connect-edu.ca@outlook.com and include a clear subject line. Examples include: “PRIVACY REQUEST – ACCESS,” “PRIVACY REQUEST – CORRECTION,” “PRIVACY REQUEST – DELETION,” “PRIVACY REQUEST – WITHDRAW CONSENT,” or “PRIVACY REQUEST – QUESTION.” We may request additional information to verify your identity and to confirm the scope of your request before responding.

22. DISCLAIMER

22.1 Informational Purpose

This Privacy Policy is provided for informational purposes to describe the privacy practices of CONNECTed Academia Inc. in connection with the Services. This Policy is not a contract and does not create any legal rights or obligations beyond those imposed by Applicable Privacy Laws.

22.2 Not Legal Advice

This Policy does not constitute legal advice. Privacy law is complex and subject to change. The information in this Policy may not reflect the most current legal developments or may not apply to your specific circumstances.

22.3 Review by Counsel

CONNECTed Academia Inc. recommends that users with questions or concerns about privacy and data protection consult with qualified legal counsel in their jurisdiction. This Policy should be reviewed by legal counsel to ensure compliance with all Applicable Privacy Laws before publication and use.

22.4 No Warranty

This Policy is provided "as is" without warranty of any kind, express or implied. CONNECTed Academia Inc. disclaims all warranties with respect to the completeness, accuracy, or legal sufficiency of this Policy.

END OF PRIVACY POLICY

A. APPENDIX A: INSTITUTIONAL DATA PROCESSING ADDENDUM (DPA) (INSTITUTIONAL PARTNERS)

1. INCORPORATION, PURPOSE, AND ORDER OF PRECEDENCE

This Institutional Data Processing Addendum (this “DPA”) forms part of each written agreement between CONNECTed Academia Inc. (the “Company”) and a post-secondary educational institution, college, university, consortium, or similar organization (the “Institution”) that governs the Institution’s access to and use of the institution-facing CONNECTed services and related features (the “Services”), including any order form, pilot agreement, trial agreement, subscription agreement, or master services agreement (each, an “Institutional Agreement”).

This DPA is designed to address common institutional procurement and compliance requirements by describing the parties’ respective privacy roles, documenting permitted processing purposes, establishing baseline confidentiality and security requirements, and setting out cooperation mechanisms for incident response and data subject requests.

If there is a conflict between this DPA and the Institutional Agreement, this DPA governs with respect to the processing, confidentiality, and security obligations applicable to Institutional Personal Information, unless the Institutional Agreement expressly states that a specific provision overrides this DPA. Any additional negotiated data protection or security terms in the Institutional Agreement supplement this DPA for the relevant scope.

2. DEFINITIONS

For purposes of this DPA, the following definitions apply.

"Applicable Privacy Laws" means all privacy, data protection, cybersecurity, and related laws and regulations applicable to the processing of Personal Information under the Institutional Agreement. Depending on context, this may include Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial private-sector privacy laws, and provincial public-sector or education-sector laws applicable to the Institution. If the Institution operates or serves individuals in other jurisdictions, Applicable Privacy Laws may also include other legal frameworks that apply based on the Institution’s obligations and the location of individuals whose information is processed.

"Institutional Deployment" means a deployment, pilot, trial, implementation, or institutional use of the Services pursuant to an Institutional Agreement, including any institution-configured instances, institution-branded experiences, institutional workflows, and integrations enabled for institutional purposes.

"Institution Data" means course catalogs, academic calendars, policy documents, articulation agreements, equivalency tables, program requirements, and other institutional data made available to the Company for configuration or operation of the Services, whether provided directly, via integration, or through other authorized means.

"Institutional Personal Information" means Personal Information that the Institution provides to or makes available for processing by the Company, or that is otherwise processed by the Company on behalf of the Institution, in connection with an Institutional Deployment. Institutional Personal Information may include student academic records and related metadata (including transcripts, course histories, grades, credits, and supporting documentation), institutional identifiers, roster information, communications within institutional workflows, and audit and workflow metadata associated with institutional functions.

"Personal Information" means information about an identifiable individual, or equivalent term under Applicable Privacy Laws (including “personal data”).

"Process" or "Processing" means any operation performed on Personal Information, whether by automated means or otherwise, including collection, use, storage, organization, structuring, adaptation, retrieval, consultation, disclosure, transmission, combination, de-identification, analysis, or deletion.

"Security Incident" means a confirmed incident involving unauthorized access to, or acquisition, disclosure, alteration, loss, or destruction of Institutional Personal Information within the Company’s systems, or any event that materially compromises the confidentiality, integrity, or availability of Institutional Personal Information within the Company’s systems.

"Sub-processor" means a third-party service provider engaged by the Company to process Institutional Personal Information on the Company’s behalf, subject to written confidentiality and security obligations.

"Student" means an individual whose information is processed in connection with the Services, including prospective or current post-secondary students and transfer students.

3. ROLES OF THE PARTIES AND SCOPE

3.1 Institution as Controller; Company as Processor

For Institutional Deployments, the Institution typically determines the purposes and means of processing Institutional Personal Information within its institutional workflows and configurations. Accordingly, for the processing activities described in Annex 1, the Institution acts as the controller (or the organization with analogous responsibility under Applicable Privacy Laws) and the Company acts as a processor or service provider processing Institutional Personal Information on the Institution’s behalf.

3.2 Company as Independent Controller for Certain Data

The Company may process certain information as an independent controller where necessary to operate its business and maintain security, such as business contact information of Institutional Users, billing or procurement contact information, and security logs and fraud-prevention records. Such processing is governed by the Company’s public Privacy Policy and is not subject to this DPA to the extent it falls outside the scope of processing on the Institution’s behalf.

3.3 Purpose Limitation

The Company will not materially expand the purposes for processing Institutional Personal Information beyond those described in Annex 1 except with the Institution’s documented instructions, a written amendment, or another lawful basis under Applicable Privacy Laws.

3.4 No Sale of Institutional Personal Information

The Company does not sell Institutional Personal Information and does not process Institutional Personal Information for advertising profiling purposes unrelated to the Services.

3.5 Deployment Model; No Institution-Hosted Offering

The Services are provided as a cloud-hosted service operated by the Company using third-party cloud infrastructure. The Company does not offer an institution-hosted deployment model as a default offering. Integrations may be supported where agreed, but the Company does not require deep embedding into an institution’s internal infrastructure as a condition of providing the Services.

4. COMPANY OBLIGATIONS WHEN PROCESSING ON BEHALF OF THE INSTITUTION

4.1 Documented Instructions

The Company will process Institutional Personal Information only on documented instructions from the Institution, including instructions set out in the Institutional Agreement, this DPA, and configuration choices made by authorized Institutional Users within the Services. If the Company reasonably believes that an instruction violates Applicable Privacy Laws, the Company will promptly notify the Institution and will not implement the instruction unless the parties agree on a compliant alternative.

4.2 Confidentiality

The Company will ensure that personnel who have access to Institutional Personal Information are subject to confidentiality obligations consistent with this DPA, whether through contractual obligations, statutory obligations, or professional duties, and that access is limited to personnel with a need-to-know to provide and secure the Services.

4.3 Security Measures

The Company will implement and maintain appropriate technical and organizational measures designed to protect Institutional Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Institutional Personal Information. The Company’s security measures are summarized in Annex 2 and may evolve as threats, technologies, and the Services mature.

4.4 Assistance and Compliance Support

Taking into account the nature of the processing and information available to the Company, the Company will provide reasonable assistance to the Institution in meeting its compliance obligations in relation to processing under this DPA, including assistance with privacy impact assessments or threat risk assessments where required by the Institution’s policies or Applicable Privacy Laws, subject to confidentiality and security restrictions and commercially reasonable limits.

4.5 Data Quality and Institutional Responsibilities

The Institution is responsible for ensuring that it has authority and a lawful basis to provide Institutional Personal Information to the Company, and for ensuring the accuracy, completeness, and currency of the information it provides. The Company does not control the underlying accuracy of institutional records.

4.6 Records of Processing

To the extent required under Applicable Privacy Laws for processors or service providers, the Company will maintain appropriate internal records of categories of processing activities performed on behalf of Institutions consistent with this DPA.

5. SUB-PROCESSORS

5.1 Authorization and Flow-Down Obligations

The Institution authorizes the Company to engage Sub-processors to process Institutional Personal Information on the Company’s behalf, provided the Company enters into a written agreement with each Sub-processor that imposes confidentiality and security obligations no less protective than those in this DPA for the relevant processing.

5.2 Sub-processor Categories and Current Platform Vendors

As of the publication date of this DPA, the Company uses Microsoft cloud services (including Microsoft Azure and related Microsoft services) for core hosting, operations, identity and access support, and productivity tooling, and may use certain Google services (such as Google Analytics) for measurement and service improvement. Where the Company provides paid services to Students directly, the Company uses Stripe as a payment processor; Stripe may process payment and billing information in its own systems to provide payment processing services. The Company may use additional vendors for security tooling, support systems, and other operational functions. The Company will implement contractual protections and security expectations for Sub-processors consistent with this DPA.

5.3 Notice and Objection

Where commercially reasonable, the Company will provide the Institution with advance notice of material changes to Sub-processors used to process Institutional Personal Information. If the Institution has a reasonable and documented objection based on Applicable Privacy Laws or a demonstrated security risk, the parties will work in good faith to address the objection, which may include providing additional information, implementing additional safeguards, or, where feasible, offering an alternative approach for the impacted processing.

6. SECURITY ASSURANCE, FRAMEWORK ALIGNMENT, AND ROADMAP

6.1 Security Program

The Company maintains a security program designed to protect the confidentiality, integrity, and availability of the Services and Institutional Personal Information. The security program includes governance measures such as defined security roles and responsibilities, access management, security awareness training, secure development practices, vulnerability management, logging and monitoring, and security incident response procedures. The Company’s security controls may evolve as the Services mature.

6.2 Alignment with SOC 2 and ISO/IEC 27001

Institutions commonly rely on independent assurance frameworks such as SOC 2 and ISO/IEC 27001 to evaluate service providers’ security practices. The Company designs its security program to align with widely recognized industry expectations, including the AICPA Trust Services Criteria used in SOC 2 examinations and the domains and requirements associated with ISO/IEC 27001 information security management systems, to the extent appropriate for the Company’s size, risk profile, and operational maturity. Where the Company obtains relevant third-party assurance reports or certifications in the future, it may make them available to institutional customers under appropriate confidentiality terms.

6.3 Planned SOC 2 Type I

As part of its security maturity roadmap, the Company intends to pursue a SOC 2 Type I examination within approximately the next eighteen (18) months. The timing and scope of any such examination may vary based on operational readiness and auditor availability, and should not be interpreted as a guaranteed certification date.

6.4 Shared Responsibility

The Company relies on reputable cloud platform vendors, including Microsoft cloud services, for underlying infrastructure. Such platforms operate under a shared responsibility model in which the cloud provider is responsible for security of the underlying infrastructure, while the Company is responsible for securing its application configuration, identities, and data handling practices.

6.5 Audit Trails and Logging Maturity

The Company maintains logging and monitoring designed to support security investigations, incident response, and reliability. The Company is actively developing enhanced audit logging and reporting capabilities for institutional workflows as part of its product maturity roadmap.

7. SECURITY INCIDENTS AND NOTIFICATION

7.1 Incident Response

The Company maintains incident response procedures designed to identify, investigate, contain, and remediate Security Incidents. The Company will take reasonable steps to mitigate the effects of a Security Incident and reduce the risk of recurrence.

7.2 Notification Standard

The Company will notify the Institution without undue delay after becoming aware of a confirmed Security Incident involving Institutional Personal Information. Because incident scope and complexity may vary, initial notifications may include limited information and will be supplemented as additional information becomes available.

7.3 Target Timing (Roadmap)

As part of its security maturity roadmap, the Company intends to implement processes designed to support notification within a forty-eight (48) hour target after confirmation of a Security Incident, recognizing that this target is aspirational and may be adjusted in specific circumstances or by contract.

7.4 Content and Cooperation

To the extent information is available and permitted by law, the Company’s notification will describe the nature of the Security Incident, the categories of Institutional Personal Information affected, and the measures taken or proposed to address it. The Company will cooperate with the Institution’s reasonable requests for information needed for the Institution to meet its legal obligations, including regulatory notifications and communications to affected individuals.

7.5 Institution Responsibilities

The Institution is responsible for determining whether notices to regulators, affected individuals, or other third parties are required under Applicable Privacy Laws for Institutional Personal Information, and for issuing such notices unless the parties agree otherwise in writing.

8. DATA SUBJECT REQUESTS AND REGULATORY INQUIRIES

8.1 Assistance with Requests

To the extent required by Applicable Privacy Laws, the Company will provide reasonable assistance to the Institution in responding to requests from Students or other individuals to access, correct, delete, or otherwise exercise rights regarding Institutional Personal Information processed under this DPA. If the Company receives such a request directly, the Company will direct the requester to the Institution where appropriate unless otherwise required by law.

8.2 Regulatory Inquiries

If the Company receives a complaint or inquiry from a privacy regulator relating to processing under this DPA, the Company will notify the Institution to the extent legally permitted and will reasonably cooperate with the Institution’s efforts to respond.

9. DATA RESIDENCY AND CROSS-BORDER PROCESSING

9.1 General Approach

The Company operates from Canada and primarily serves Canadian institutions, with the Services hosted using Microsoft cloud services and other vendors. Institutional Personal Information may be stored and processed in Canada and, depending on configuration, redundancy, vendor operations, and the services used, may also be stored or processed in other jurisdictions, including the United States.

9.2 Safeguards and Transparency

The Company implements safeguards designed to protect Institutional Personal Information when using vendors and cross-border processing, including contractual protections and minimization where feasible. The Institution acknowledges that cross-border processing may subject data to foreign laws and lawful access by public authorities.

9.3 Government Requests

If the Company receives a legally binding request from a public authority for disclosure of Institutional Personal Information, the Company will, to the extent legally permitted, notify the Institution and provide an opportunity to seek protective measures. The Company will disclose only the minimum amount required by law.

9.4 International Transfer Mechanisms (Where Applicable)

If Applicable Privacy Laws require additional contractual mechanisms for cross-border transfers (for example, in respect of data originating in the European Economic Area or the United Kingdom), the parties will cooperate in good faith to implement appropriate transfer mechanisms in the Institutional Agreement or an addendum, taking into account the nature of the processing and the jurisdictions involved.

10. RETURN, DELETION, AND END OF SERVICES

10.1 Return or Deletion

Upon termination or expiration of the Institutional Agreement, the Company will, at the Institution’s written option, return Institutional Personal Information to the Institution or delete it within a commercially reasonable period, except to the extent retention is required by law or is necessary for legitimate purposes such as security logging, dispute resolution, or backup integrity.

10.2 Backups and Residual Copies

Deletion may occur from active systems first, with removal from backups occurring on backup rotation schedules. The Company may retain residual copies to the extent technically necessary, provided such copies remain protected and are not used for other purposes.

10.3 Student Accounts

Where Students maintain independent CONNECT accounts outside an Institutional Deployment, those accounts are governed by the Company’s public Terms of Use and Privacy Policy. Where institutional access is provided under an Institutional Deployment, the parties may document how student accounts, entitlements, and institutional records will be handled upon termination in the Institutional Agreement.

11. AUDIT, DUE DILIGENCE, AND INFORMATION RIGHTS

11.1 Security Documentation

Subject to confidentiality and security restrictions, the Company may make available information reasonably necessary for the Institution to assess the Company’s compliance with this DPA, such as security questionnaires, summaries of controls, or available third-party audit reports or certifications where any exist.

11.2 Audit Approach

Unless otherwise agreed in writing, audit rights under this DPA are satisfied through review of documentation, reasonable written responses to questionnaires, and, where appropriate, a mutually agreed remote meeting to address follow-up questions. On-site audits, penetration testing requests, or source code reviews are not permitted unless expressly agreed in writing and subject to strict controls to protect confidentiality, operational stability, and security.

12. AUTOMATED PROCESSING, AI/ML FEATURES, AND RESPONSIBLE USE

12.1 Automated Processing Activities

The Services may use automated processing to parse transcripts and other documents, extract and normalize course information, ingest and structure institutional policies and rules, and generate Outputs that support transfer planning and institutional workflows. Some components may incorporate machine learning techniques or algorithmic methods intended to improve extraction quality or ranking of candidate pathways or equivalencies.

12.2 Decision Support; Institutional Authority

The Institution retains authority for official academic and administrative determinations. Unless the Institutional Agreement expressly provides otherwise, Outputs are informational and do not constitute official transfer credit determinations. The Institution is responsible for configuring CONNECTed to reflect its policies and for applying appropriate human oversight within its processes.

12.3 Improvement Use and Protection of Proprietary Information

The Company may use de-identified and aggregated data, usage telemetry, and error reports to improve reliability and accuracy of automated processing. The Company will not use identifiable Institutional Personal Information to train third-party general-purpose models for unrelated products without the Institution’s permission. The Company may limit the level of technical detail disclosed about internal models where disclosure would compromise intellectual property or create security risk; however, the Company will provide sufficient functional transparency to support appropriate governance and responsible use.

12.4 Evolving AI Regulations

The Company monitors legal and regulatory developments relating to automated decision-making and AI. Where features are subject to additional requirements, the Company may implement additional documentation, transparency, and oversight controls proportionate to risk.

13. U.S. EDUCATION RECORDS (WHERE APPLICABLE)

Where an Institution is subject to the U.S. Family Educational Rights and Privacy Act (FERPA), the parties intend the Company to be treated as a “school official” or service provider with a legitimate educational interest to the extent permitted by FERPA and consistent with the Institutional Agreement. The Company will use education records only for the purposes of providing the Services and as otherwise permitted by Applicable Privacy Laws and the Institutional Agreement.

14. GENERAL TERMS

14.1 Confidentiality

Institutional Personal Information is confidential information of the Institution. The Company will protect Institutional Personal Information as confidential and will not disclose it except as permitted by this DPA, the Institutional Agreement, or applicable law.

14.2 No Third-Party Beneficiaries

This DPA does not create rights for any third party.

14.3 Severability

If any provision of this DPA is held unenforceable, the remaining provisions remain in effect.

14.4 Governing Law

Unless the Institutional Agreement provides otherwise, this DPA is governed by the laws of Ontario, Canada and the federal laws of Canada applicable therein, without regard to conflict of laws principles.

14.5 Updates

The Company may publish updated versions of this DPA to reflect changes in law, technology, or Services. For an existing Institutional Agreement, an updated DPA applies only if incorporated by reference through renewal, amendment, or other written agreement, unless otherwise provided in the Institutional Agreement.

ANNEX 1: DETAILS OF PROCESSING

Subject Matter. Provision and operation of the Services in support of institutional transfer and mobility workflows, including transcript intake and parsing, equivalency mapping, transfer pathway presentation, institutional dashboards, authorized communications, and reporting.

Duration. Processing occurs for the term of the Institutional Agreement and any reasonable post-termination period necessary for return or deletion, backups, dispute resolution, or lawful retention.

Nature of Processing. Collection, storage, structuring, extraction and normalization from documents, analysis, matching and mapping logic, generation of Outputs, display to authorized users, transmission at the direction of the Institution, logging for security and troubleshooting, and deletion.

Purpose of Processing. Providing the Services, supporting transfer evaluation workflows, enabling student planning tools and institutional advising where configured, maintaining security and integrity, providing customer support, producing operational metrics, and producing de-identified insights as permitted.

Categories of Data Subjects. Students, applicants, prospective transfer students, Institutional Users, academic advisers, registrars, faculty or staff involved in transfer evaluation, and institutional contacts.

Categories of Personal Information. Names, contact details, institutional identifiers, program or department information, course histories, grades and credits, transcripts and course documents, uploaded syllabi or outlines, communications and messages within the Services, usage logs, and workflow metadata. Bulk datasets may be provided in formats such as CSV, Excel, PDF, DOCX, JSON, image files, or other structured or unstructured formats.

Sensitive Context. Academic records and transcripts may be sensitive in context. The Services are intended to function without unnecessary sensitive identifiers, and the parties should avoid inclusion of government-issued identifiers unless specifically required for an agreed workflow and documented in the Institutional Agreement.

ANNEX 2: SECURITY MEASURES

The Company implements and maintains measures designed to protect Institutional Personal Information. Such measures may include access controls and authentication practices, least privilege principles, encryption in transit and, where feasible, encryption at rest for Company-managed environments, logging and monitoring, secure development and change management practices, vulnerability management and patching processes, backups and recovery planning, and incident response procedures. Specific measures may evolve over time as the Services mature and as threats and technologies change.

ANNEX 3: SUB-PROCESSOR CATEGORIES

As of the publication date of this DPA, common sub-processor categories include: Microsoft cloud services (hosting, infrastructure, and productivity tooling), Google services for analytics or measurement (where enabled), and Stripe for payment processing for student-paid services (where applicable). The Company will maintain contractual protections with Sub-processors and will provide notice of material changes where commercially reasonable.

B. APPENDIX B: SECURITY & TRUST SUMMARY (INSTITUTIONAL PROCUREMENT REVIEW)

1. PURPOSE AND AUDIENCE

This Security & Trust Summary is intended to support institutional procurement and risk review processes for CONNECT and CONNECTed. It provides a high-level description of security governance and technical measures. This document is not a representation that any specific certification has been obtained unless explicitly stated in a signed agreement, and it does not disclose proprietary or security-sensitive implementation details.

2. DEPLOYMENT MODEL AND SHARED RESPONSIBILITY

The Services are provided as a cloud-hosted service operated by CONNECTed Academia Inc. using third-party cloud infrastructure, including Microsoft cloud services. Cloud services operate under a shared responsibility model in which the cloud provider is responsible for the security of the underlying cloud infrastructure, while the Company is responsible for securing its application configuration, identities, and data handling practices.

3. SECURITY GOVERNANCE

The Company maintains security governance practices that can include defined security roles and responsibilities, documented policies and standards, security awareness practices, access management, risk assessment and treatment processes, and incident response procedures. Controls evolve as the Services mature and as threats and technologies change.

4. ACCESS CONTROL AND IDENTITY MANAGEMENT

The Company applies access controls designed to limit access to systems and data based on role and need-to-know. Administrative access is restricted and monitored. Authentication controls are used to reduce the risk of unauthorized access. For CONNECTed institutional use, audit trails may be used to support governance and integrity of institutional workflows.

5. ENCRYPTION AND SECURE TRANSMISSION

The Company encrypts data in transit using industry-standard protocols. Where feasible, encryption at rest is used for stored data within Company-managed environments. Key management practices may leverage cloud provider capabilities and access controls.

6. SECURE DEVELOPMENT AND CHANGE MANAGEMENT

The Company employs development practices intended to reduce vulnerabilities, which may include code review practices, dependency awareness, testing approaches appropriate for the service, and controlled deployment processes. The Company maintains a vulnerability management process to track and remediate identified issues based on severity and operational risk.

7. LOGGING, MONITORING, AND INCIDENT RESPONSE

The Company maintains logging and monitoring designed to support security investigations, incident response, troubleshooting, and reliability. Incident response procedures are designed to identify, investigate, contain, and remediate security incidents. Notification obligations for institutional deployments are addressed contractually, and the Company intends to mature processes designed to support a forty-eight (48) hour notification target after confirmation of a security incident involving institutional data, recognizing that timing can depend on incident complexity and contractual requirements.

8. FRAMEWORK ALIGNMENT AND ROADMAP

Many enterprise customers evaluate service providers using frameworks such as SOC 2 and ISO/IEC 27001. The Company designs its security program to align with recognized industry expectations, including the AICPA Trust Services Criteria and the domains and requirements associated with ISO/IEC 27001, to the extent appropriate for the Company’s size and risk profile. As part of its security maturity roadmap, the Company intends to pursue a SOC 2 Type I examination within approximately the next eighteen (18) months.

9. DATA RESIDENCY AND CROSS-BORDER PROCESSING

The Company operates from Canada and primarily serves Canadian institutions, with an objective focus on Ontario. Data may be stored and processed in Canada and, depending on configuration and vendor operations, may also be stored or processed in other jurisdictions, including the United States. The Company implements contractual and technical safeguards appropriate to the risk profile of the processing.

10. PROCUREMENT MATERIALS

Subject to confidentiality and security constraints, the Company may provide additional information to institutional partners to support due diligence processes, including security questionnaires, summaries of controls, and descriptions of technical and organizational measures.

Contact Information

If you have questions about this Policy, wish to exercise your rights under this Policy, or have concerns about our privacy practices, please contact us at:

Data Protection Officer (Privacy Inquiries): connect-edu.ca@outlook.com
Official Domain: https://connectedu.ca