Data Processing Addendum (DPA)

Effective date:

This DPA forms part of the Terms & Conditions or other agreement for services between Protection Ordinateur AS (the Processor) and the client identified in the applicable order or statement of work (the Controller). It reflects the parties’ obligations under applicable data protection laws (including Quebec Law 25, Canada’s PIPEDA, and, where applicable, the GDPR).

1. Scope & Roles

Processor will Process Personal Data on behalf of Controller solely to provide the contracted services (e.g., managed IT, endpoint security, backup & DR, Microsoft 365, networking, helpdesk). Controller determines the purposes and means of Processing; Processor acts on Controller’s documented instructions.

2. Definitions

  • Personal Data: any information relating to an identified or identifiable natural person.
  • Processing: any operation performed on Personal Data (e.g., collection, storage, use, disclosure, deletion).
  • Controller: the entity that determines the purposes and means of Processing.
  • Processor: the entity that Processes Personal Data on behalf of the Controller.
  • Sub‑Processor: a third party engaged by Processor to Process Personal Data.
  • Applicable Law: data protection laws applicable to the parties, including Quebec Law 25, PIPEDA, and, where applicable, the GDPR.

3. Details of Processing

Nature, purpose, categories of Data Subjects and Personal Data, and retention are described in Annex I. Processing continues for the term of the services plus applicable retention periods.

4. Processor Obligations

  • Documented Instructions. Processor will Process Personal Data only on Controller’s written instructions, including with respect to transfers to a third country, unless required by law (in which case Processor will inform Controller unless prohibited).
  • Confidentiality. Processor ensures personnel are bound by confidentiality and receive privacy/security training appropriate to their roles.
  • Assistance. Processor assists Controller with security, breach notifications, DPIAs, and consultations with authorities, taking into account the nature of Processing and information available to Processor.
  • Records. Processor maintains records of Processing as required by Applicable Law.
  • Prohibited Uses. Processor will not sell Personal Data or use it for advertising/marketing unrelated to the services.

5. Security Measures

Processor implements appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as outlined in Annex II.

6. Sub‑Processors

  • Controller authorizes Processor to use Sub‑Processors for service delivery, subject to written agreements imposing protections no less protective than this DPA.
  • Processor will provide Controller with a current list of core Sub‑Processors on request and notify Controller in advance of material changes. Controller may reasonably object to a new Sub‑Processor on privacy/security grounds; the parties will work in good faith to resolve objections.
  • Processor remains responsible for Sub‑Processor obligations.

7. Data Subject Requests

Where legally required, Processor will notify Controller without undue delay of requests received directly from Data Subjects (e.g., access, correction, deletion) and will not respond except per Controller’s documented instructions. Processor will provide reasonable assistance so Controller can respond within statutory timelines.

8. Breach Notification

Upon becoming aware of a Personal Data Breach in Processor’s environment impacting Controller’s Personal Data, Processor will notify Controller without undue delay and in any event no later than 72 hours after confirmation. The notice will include known details about the nature of the breach, categories/approximate number of Data Subjects and records concerned, likely consequences, measures taken, and a contact point. Processor will promptly take appropriate remedial actions and cooperate with Controller’s reasonable requests.

9. Audits & Reports

  • On request, Processor will make available information necessary to demonstrate compliance (e.g., security summaries, policy extracts, third‑party certifications or test results where available).
  • Controller may conduct an audit no more than once in any 12‑month period (unless required by a supervisory authority or following a material incident), upon 30 days’ notice, during business hours, under confidentiality, and without unreasonable disruption. Each party bears its own costs; Processor may charge reasonable fees for support beyond standard assistance.
  • Processor will remediate material findings within reasonable timeframes.

10. International Transfers

Personal Data may be processed outside the province or country where it was collected. Where required, transfers will rely on appropriate safeguards (e.g., Standard Contractual Clauses (EU 2021/914), contractual protections, or other mechanisms recognized by Applicable Law). On request, Processor will identify the transfer mechanism used for relevant Processing.

11. Return & Deletion

  • Upon service termination or on written request, Processor will return Personal Data to Controller in a commonly used format and/or delete it, unless retention is required by law.
  • Routine backups containing Personal Data will be overwritten per retention schedules; Processor will complete associated deletions within up to 90 days unless a longer period is required by system constraints or law.
  • On request, Processor will provide a deletion confirmation.

12. Precedence, Liability & Miscellaneous

  • Precedence. If there is a conflict between this DPA and the underlying agreement regarding data protection, this DPA controls.
  • Liability. The liability provisions of the underlying agreement apply; however, nothing in this DPA limits liability for willful misconduct or intentional violation of Applicable Law.
  • Governing Law & Venue. As set out in the underlying agreement (typically the laws of Québec and applicable federal laws of Canada).
  • Updates. Processor may update this DPA to reflect legal changes or improved safeguards; material changes will be communicated to Controller.

Annex I – Description of Processing

Controller Your organization as identified in the order/SOW.
Processor Protection Ordinateur AS, Québec City, QC.
Purpose Delivery of managed IT, endpoint security (EDR), backup & disaster recovery, Microsoft 365 administration, networking, monitoring, and helpdesk support.
Categories of Data Subjects Controller’s employees, contractors, administrators; in limited cases, Controller’s customers/suppliers as present in systems under management.
Categories of Personal Data Identification data (name, email, phone), account identifiers, device identifiers, ticket content, telemetry/logs, configuration data, limited business contact details. Special categories are not intended to be processed.
Nature of Processing Collection, storage, access, transmission, backup, monitoring, incident response, restoration, deletion.
Retention For the service term plus operational/legal retention (e.g., tickets/logs per policy; backups per retention schedules agreed in the Order).
Location of Processing Canada and other jurisdictions where authorized Sub‑Processors operate, subject to transfer safeguards.

Annex II – Technical & Organizational Measures

  • Access Control: role‑based access, least privilege, MFA for admin access, unique accounts, session timeouts.
  • Asset & Patch Management: inventory of managed devices; regular patching of OS/apps/firmware; vulnerability remediation.
  • Encryption: TLS for data in transit; encryption at rest for supported platforms and storage targets.
  • Network Security: firewalls/IDS/IPS where applicable; segmentation; secure remote access; logging.
  • Backup & DR: scheduled backups with retention; immutable/off‑site copies where contracted; periodic restore testing.
  • Monitoring & Logging: endpoint/agent health, alerting, audit logs for privileged actions; time sync.
  • Change & Configuration: documented changes, standard baselines, secure configurations, review of access.
  • Personnel Security: confidentiality agreements; background screening per role; security & privacy training.
  • Incident Response: runbooks, escalation procedures, post‑incident reviews and corrective actions.
  • Physical Security: data center controls via vendors; office controls for Processor premises.
  • Supplier Management: due diligence of Sub‑Processors; contractual DPAs; periodic review.

Annex III – Authorized Sub‑Processors (Core)

Vendor Service / Role Primary Region(s)
Microsoft (M365/Azure) Email, identity, collaboration, cloud infrastructure Canada/East; U.S.; EU (as configured)
Remote support tool provider Secure remote assistance (e.g., QuickSupport) Canada/U.S./EU (per vendor)
Backup storage provider Immutable/off‑site object storage and repositories Canada/East; other regions as contracted
Security/EDR platform Endpoint threat detection & response Canada/U.S./EU (per vendor)

Note: The specific vendor list may vary by Controller’s stack. A current list can be provided upon request and updated with notice per Section 6.

Privacy Policy Submit a Privacy Request

Disclaimer: This DPA template is provided for operational clarity and does not constitute legal advice. Controllers should review with their legal counsel.