This DPA forms part of the Enterprise Terms of Service.
1. Roles
- Client acts as Data Controller.
- Company acts as Data Processor.
2. Processing Scope
The Company processes personal data solely to provide the Services.
Types of data may include:
- Chat messages
- Uploaded documents
- Contact information voluntarily submitted
- Technical metadata
3. Data Residency
Primary infrastructure is hosted in Canada. Certain AI inference services may involve cross-border processing.
4. Subprocessors
The Company may engage subprocessors for:
- Cloud infrastructure
- AI model inference
- Monitoring and logging
All subprocessors are contractually bound to confidentiality and data protection obligations.
5. Security Measures
- TLS encryption in transit
- Logical tenant isolation
- Access control enforcement
- Rate limiting and abuse detection
- Regular system monitoring
6. Breach Notification
The Company shall notify Client without undue delay upon becoming aware of a confirmed security incident involving Client Data.
7. Data Subject Rights
The Company shall assist Client in responding to data access or deletion requests where technically feasible.
8. Data Deletion
Upon termination, Client Data shall be deleted within a reasonable timeframe unless legally required to retain it.
9. PIPEDA Alignment
The Company designs its controls to align with the principles of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), but does not claim formal certification.