Enterprise Data Processing Addendum
Last updated: March 19, 2026
1. Purpose and Scope
This Enterprise Data Processing Addendum ("DPA") forms part of the agreement between AITWIRE and Customer (the "Agreement") where AITWIRE processes personal information on behalf of Customer in connection with the Service.
This DPA is intended for enterprise or regulated customers that require processor-style contractual commitments. It should be attached to or incorporated into an order form, master services agreement, or terms of service for the relevant customer account.
This DPA is intended to support compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial privacy legislation, and, where applicable to Customer's operations, the General Data Protection Regulation (GDPR) and other international privacy frameworks.
2. Definitions
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Agreement.
- "Covered Personal Information" means personal information that: (a) is submitted to or connected with the Service by or on behalf of Customer; (b) is processed by AITWIRE on Customer's behalf in connection with the Service; and (c) identifies or could reasonably be used to identify a natural person.
- "Data Subject" means an identifiable natural person whose Covered Personal Information is processed under this DPA.
- "Security Incident" means a confirmed unauthorized access to, disclosure of, acquisition of, or loss of Covered Personal Information in AITWIRE's custody or control.
- "Subprocessor" means a third party engaged by AITWIRE to process Covered Personal Information on Customer's behalf in connection with the Service.
3. Roles of the Parties
Customer determines the purposes and means of processing Covered Personal Information submitted to or connected with the Service. AITWIRE processes Covered Personal Information on Customer's documented instructions, subject to applicable law and this DPA.
For clarity, Account Data (as defined in the Agreement) that AITWIRE processes for its own administrative, billing, and security purposes is not Covered Personal Information under this DPA.
4. Customer Instructions
AITWIRE will process Covered Personal Information only on Customer's documented instructions, including as necessary to provide, secure, support, and improve the Service, unless otherwise required by applicable law.
If AITWIRE is legally required to process Covered Personal Information for another purpose, it will notify Customer before doing so unless prohibited by law.
The Agreement and this DPA, together with Customer's configuration of the Service, constitute Customer's initial documented instructions.
5. Confidentiality
AITWIRE will ensure that personnel authorized to process Covered Personal Information:
- (a) are subject to appropriate confidentiality obligations (contractual or statutory);
- (b) receive access to Covered Personal Information only on a need-to-know basis; and
- (c) are informed of the confidential nature of the data and the obligations under this DPA.
6. Security Measures
AITWIRE will maintain reasonable administrative, technical, and organizational safeguards appropriate to the nature of the Covered Personal Information and the risks presented by the processing. Security measures include, as applicable:
- Encryption: Encryption of data in transit (TLS 1.2 or higher) and encryption at rest where supported by the hosting platform.
- Access controls: Role-based access controls, multi-factor authentication for administrative access, and least-privilege principles.
- Authentication: Secure authentication mechanisms for user and service-to-service access.
- Logging and monitoring: Audit logging of access to Covered Personal Information, security event monitoring, and anomaly detection.
- Vulnerability management: Regular vulnerability scanning, dependency updates, and timely patching of known vulnerabilities.
- Incident response: Documented incident response procedures, including identification, containment, investigation, and notification steps.
- Backup and recovery: Regular backups with tested recovery procedures.
- Personnel security: Background checks where legally permitted and appropriate, security awareness training, and access revocation upon personnel departure.
AITWIRE may update security measures from time to time to reflect changes in technology, risk landscape, and best practices, provided that such updates do not materially reduce the overall level of protection.
7. Subprocessors
AITWIRE may use Subprocessors to assist in providing the Service. AITWIRE will:
- (a) maintain a list of current Subprocessors, available upon Customer request or published at a URL communicated to Customer;
- (b) provide Customer with at least thirty (30) days' advance notice before adding or replacing a Subprocessor that processes Covered Personal Information, by email or through a mechanism agreed with Customer;
- (c) impose written obligations on each Subprocessor that are no less protective in all material respects than the obligations set out in this DPA insofar as they apply to the relevant processing activities; and
- (d) remain responsible for the acts and omissions of its Subprocessors to the same extent as if AITWIRE had performed those acts itself.
If Customer reasonably objects to a new Subprocessor within fifteen (15) days of receiving notice, the parties will discuss the objection in good faith. If the objection cannot be resolved, Customer may terminate the affected portion of the Service without penalty by providing written notice within thirty (30) days of the Subprocessor change.
8. Assistance
Taking into account the nature of the processing and the information available to AITWIRE, AITWIRE will provide reasonable assistance to Customer in:
- (a) responding to Data Subject access, correction, deletion, portability, and objection requests, to the extent AITWIRE's systems permit;
- (b) conducting privacy impact assessments or data protection impact assessments where required by applicable law;
- (c) responding to security inquiries from regulators or auditors; and
- (d) fulfilling Customer's obligations under applicable privacy law.
Assistance beyond what is routine may be subject to reasonable cost recovery at AITWIRE's then-current professional services rates, agreed in advance.
9. Security Incidents and Breach Handling
AITWIRE will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a confirmed Security Incident involving Covered Personal Information in AITWIRE's custody or control.
The notification will include, to the extent reasonably available at the time:
- (a) a description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected;
- (b) the likely consequences of the Security Incident;
- (c) the measures taken or proposed to address the Security Incident, including mitigation measures; and
- (d) a contact point for further information.
AITWIRE will provide supplementary information as it becomes available during the investigation. AITWIRE will cooperate with Customer's assessment, notification, and remediation obligations to the extent reasonably practicable.
10. Return or Deletion
Upon termination of the applicable services, AITWIRE will, at Customer's written election and subject to legal retention obligations:
- (a) make Covered Personal Information available for export in a commonly used, machine-readable format for a period of thirty (30) days following termination; and
- (b) after the export period, delete or destroy Covered Personal Information within AITWIRE's systems, except where retention is required by law, necessary for dispute resolution or enforcement, or reasonably required for secure backup rotation for a limited period not to exceed ninety (90) days.
AITWIRE will provide written confirmation of deletion upon Customer's request.
11. Audit and Records
AITWIRE will:
- (a) maintain records reasonably sufficient to demonstrate compliance with this DPA;
- (b) make available information reasonably necessary to confirm compliance, subject to confidentiality, security, and proportionality safeguards; and
- (c) permit and contribute to audits conducted by Customer or an independent auditor appointed by Customer, subject to the following conditions:
  - Audits are limited to no more than once annually unless a Security Incident or material non-compliance justifies an additional review.
  - Customer provides at least thirty (30) days' advance written notice.
  - Audits are conducted during normal business hours with minimal disruption.
  - The auditor is bound by confidentiality obligations acceptable to AITWIRE.
  - Audit scope is limited to AITWIRE's processing of Covered Personal Information under this DPA.
Where AITWIRE has obtained a relevant third-party audit report or certification (such as SOC 2 Type II), AITWIRE may provide such report in satisfaction of an audit request, provided it addresses the matters of concern.
12. Cross-Border Processing
Customer acknowledges that AITWIRE and its Subprocessors may process Covered Personal Information in Canada and other jurisdictions where they operate, including through Cloudflare's global edge network.
Where required by applicable law, the parties will cooperate in adopting supplementary contractual or transfer mechanisms that are reasonably appropriate to the circumstances, including:
- (a) Standard Contractual Clauses approved by the European Commission, if applicable to GDPR-regulated transfers;
- (b) adequacy determinations recognized by the relevant authority; or
- (c) other lawful transfer mechanisms as agreed by the parties.
Canada is recognized as providing an adequate level of data protection by the European Commission for transfers from the EEA.
13. PIPEDA-Specific Provisions
To the extent PIPEDA applies to the processing of Covered Personal Information:
- (a) AITWIRE acknowledges its obligations as a processor under PIPEDA's accountability principle and will process Covered Personal Information in a manner consistent with Customer's purposes;
- (b) AITWIRE will cooperate with Customer in responding to complaints filed with the Office of the Privacy Commissioner of Canada;
- (c) AITWIRE will support Customer's obligation to be transparent about the use of service providers in its own privacy policies and notices; and
- (d) AITWIRE will take reasonable steps to ensure that Covered Personal Information transferred to a Subprocessor is protected by contractual or other means.
14. Precedence
If there is a conflict between this DPA and the Agreement, this DPA governs to the extent of the conflict with respect to the processing of Covered Personal Information.
15. Term and Survival
This DPA takes effect on the date it is incorporated into the Agreement and remains in effect for the duration of AITWIRE's processing of Covered Personal Information on Customer's behalf.
Sections 5 (Confidentiality), 9 (Security Incidents), 10 (Return or Deletion), 11 (Audit and Records), and 14 (Precedence) survive termination of this DPA for as long as AITWIRE retains any Covered Personal Information.
Schedule A — Processing Details
Categories of Data Subjects
Customer's employees and authorized users; Customer's business contacts; individuals whose personal information Customer includes in Authority Declarations or entity records (e.g., individual contact names, employee names).
Categories of Personal Information
Names, email addresses, job titles, phone numbers, IP addresses, authentication data; business contact information included in Customer Entity records; any personal information Customer chooses to include in Authority Declarations.
Processing Activities
Hosting and storing Customer Data; publishing Authority Declarations and Authority Files; processing Connector-sourced data; generating analytics, scores, and reports; providing customer support; performing drift detection and AI monitoring.
Duration of Processing
For the term of the Agreement plus the data export and deletion periods described in Section 10.
Location of Processing
Canada (primary); additional jurisdictions where AITWIRE's Subprocessors operate, including Cloudflare's global edge network.
Contact
For questions about this Data Processing Addendum, please contact us at legal@aitwire.com or visit our contact page.