Data Processing Addendum (DPA)
This Data Processing Addendum ("Addendum") forms part of the agreement between [Client Name] ("Controller") and [Service Provider Name] ("Processor") (collectively, the "Parties") and is effective as of [Effective Date].
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
- Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means.
- Controller: The entity that determines the purposes and means of the Processing of Personal Data.
- Processor: The entity that Processes Personal Data on behalf of the Controller.
- Sub-processor: Any Processor engaged by the Processor who agrees to receive from the Processor Personal Data exclusively intended for Processing activities to be carried out on behalf of the Controller.
2. Subject Matter and Duration of Processing
The subject matter of the Processing is the Personal Data provided by the Controller to the Processor for the purpose of [describe purpose, e.g., provision of services].
The duration of the Processing shall be for the term of the underlying agreement between the Parties unless otherwise agreed.
The details of the categories of Personal Data, Data Subjects, and purposes of Processing are further described in the Data Processing Schedule (Annex 1), which forms an integral part of this Addendum.
Retention of Personal Data shall follow the categories and durations set forth in the Data Processing Schedule (Annex 1).
Retention and deletion obligations shall be interpreted consistently with the Data Processing Schedule (Annex 1).
3. Nature and Purpose of Processing
The Processor shall Process Personal Data solely for the purpose of delivering the contracted services described in the Master Services Agreement and related Statements of Work, including IT support, managed services, security monitoring, compliance assistance, and other consulting services as agreed, and in accordance with the Controller’s documented instructions.
For Japan (APPI), the Processor specifies purposes of use in detail (e.g., endpoint monitoring, support tickets, backup metadata, compliance reporting) and obtains consent before processing sensitive personal information.
Where sensitive personal information is processed, the Controller is responsible for obtaining consent, and the Processor shall maintain records of disclosures in accordance with APPI.
Processor shall implement necessary and appropriate measures to prevent leakage, loss, or damage of personal data under APPI.
Processor shall retain records of third-party provisions in accordance with APPI statutory requirements, including after termination of processing where applicable.
Processor shall disclose records of third-party provisions without delay when instructed by Controller, in accordance with APPI Article 33.
4. Types of Personal Data and Categories of Data Subjects
- Types of Personal Data: identity and access data (usernames, email addresses, role assignments), device and endpoint data (device name, OS version, patch status, endpoint telemetry), backup and recovery data (metadata, logs), ticketing and support data (ticket content, attachments, resolution notes), policy and compliance artifacts (runbooks, SOPs, evidence), business contact data (names, roles, phone/email), and personal health information where explicitly scoped in a Health care Statement of Work.
- Categories of Data Subjects: client employees and contractors, end users supported under managed services, client business contacts, and patients (only where Health care services under PHIPA are in scope).
4A. Canadian Health Data (PHIPA)
Where the Controller is a health information custodian under Ontario’s Personal Health Information Protection Act (PHIPA), ATC TechBridge acknowledges it acts as an “agent” of the custodian. ATC TechBridge provides IT and managed services for environments where personal health information (PHI) is processed, but does not access or process patient data in the ordinary course of business. Any access is incidental and solely to perform system support and maintenance. As an agent, ATC TechBridge shall collect, use, disclose, retain, and dispose of PHI only on the instructions of the custodian and in compliance with PHIPA.
Processor staff are trained on PHIPA obligations, and any sub-processors are contractually required to comply with PHIPA. Processor will not respond to patient access requests directly but will direct such requests to the custodian.
Processor shall maintain logs of PHI access events and make them available to the Controller upon request. Processor shall support the Controller in responding to investigations, audits, or information requests by the Information and Privacy Commissioner of Ontario.
Processor shall act only on documented instructions of the custodian and not from any third party.
5. Obligations of the Processor
The Processor agrees to:
- Process Personal Data only on documented instructions from the Controller.
- Ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality.
- Processor shall inform Controller without undue delay if it believes an instruction infringes applicable data protection law.
- Processor shall ensure all authorized persons are subject to confidentiality agreements or statutory duties of confidentiality.
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
- Assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws.
- Processor shall assist the Controller in meeting statutory timeframes for data subject rights responses.
- Notify the Controller without undue delay after becoming aware of a Personal Data breach.
- Delete or return all Personal Data to the Controller at the end of the provision of services relating to Processing.
- Processor shall provide certification of destruction or return of Personal Data upon request.
- Make available to the Controller all information necessary to demonstrate compliance with this Addendum and allow for audits and inspections.
- Processor shall cooperate with supervisory authorities in audits or inspections relating to Processing.
- Processor shall assist Controller in demonstrating compliance with GDPR Article 5(2) (accountability principle).
- Processor shall notify Controller without undue delay of any regulatory investigation or enforcement action relating to Processing under this Addendum.
- Processor shall notify Controller without undue delay if it receives any legally binding request (e.g., subpoena, court order, government demand) for disclosure of Personal Data, unless legally prohibited.
- Maintain records of processing activities and support the Controller in responding to inquiries from supervisory authorities.
- Processor shall also assist the Controller in maintaining and demonstrating its Records of Processing Activities under GDPR Article 30.
- Upon termination, Processor shall make available to Controller all records of processing related to the services.
- Only collect personal data necessary for identified purposes as set out in this Addendum and Annex.
- Processor shall only process special categories of Personal Data as defined under GDPR Article 9 with the Controller’s documented instructions and where explicit consent or another lawful basis applies.
- Upon request, provide the Controller with policies and practices supporting compliance with PIPEDA.
- Processor shall support Controller in addressing challenges to compliance under PIPEDA.
- Processor shall not knowingly process Personal Data of children under age 16 in the EEA without verifiable parental consent, consistent with GDPR Article 8.
- Processor shall support Controller in addressing individual challenges to compliance under PIPEDA.
- Processor shall notify Controller of any incident impacting compliance with PIPEDA.
- Upon request, provide the Controller with the most recent certifications or summaries of audits (e.g., SOC 2, ISO 27001) and information about policies and practices to support compliance with applicable data protection laws, including PIPEDA.
- Audits may be conducted once annually on reasonable notice, or more frequently if required by law, regulator, or in the event of a security incident.
- Processor shall assist Controller in carrying out Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities.
- Processor shall, upon request, support Controller’s participation in approved certification or Code of Conduct schemes under GDPR Article 42.
- Processor shall respond to Controller requests under this Addendum without undue delay and within 10 business days unless otherwise required by law.
- Processor shall maintain and test business continuity and disaster recovery plans appropriate to the services.
- Processor shall implement data protection by design and by default as appropriate under GDPR Article 25.
- Processor shall provide annual certification of compliance with this Addendum upon Controller’s request.
Controller remains accountable for Personal Data handled by Processor, consistent with PIPEDA Principle 4.1.
6. Use of Sub-processors
The Processor shall not engage any Sub-processor without prior specific or general written authorization of the Controller. Where general authorization is given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors.
The Processor shall ensure that Sub-processors are bound by data protection obligations equivalent to those set out in this Addendum.
Processor shall ensure that Sub-processor contracts impose the same data protection obligations as this Addendum, and shall terminate the engagement of any Sub-processor that materially breaches its obligations.
The Processor will provide the Controller with an up-to-date list of Sub-processors upon request and will notify the Controller of material changes as required by law or contract.
Processor shall provide the sub-processor list within 5 business days of Controller’s request.
Where Sub-processors are engaged in environments involving PHI, the Processor will notify the Controller of any intended changes.
Processor shall ensure a comparable level of protection is maintained when using Sub-processors outside Canada.
Processor shall support Controller in meeting any obligations to notify individuals of cross-border transfers of their personal data.
Where Sub-processors are engaged in Japan, Processor shall ensure they comply with APPI requirements.
7. International Data Transfers
The Processor shall not transfer Personal Data outside of Canada or the European Economic Area (EEA) unless the Controller has given prior written consent and appropriate safeguards are in place. Transfers to Canada rely on the European Commission's adequacy decision. For transfers outside Canada or the EEA, the Processor shall ensure appropriate safeguards such as Standard Contractual Clauses (SCCs), executed using the applicable module (Controller→Processor or Processor→Processor), Binding Corporate Rules (BCRs), or other lawful mechanisms are in place in accordance with applicable data protection laws.
Processor shall also assist the Controller in maintaining documentation necessary to demonstrate compliance with international transfer requirements.
Processor shall not provide personal data to third parties without Controller’s prior written instruction.
8. Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable data protection laws, including but not limited to access, correction, deletion, restriction, portability, and objection. Data Subjects may also lodge a complaint with a supervisory authority, and Processor shall support the Controller in facilitating this right.
9. Security Measures
The Processor shall implement and maintain appropriate technical and organizational security measures, including but not limited to:
- Pseudonymization and encryption of Personal Data.
- Ensuring confidentiality, integrity, availability, and resilience of processing systems.
- Regular testing and evaluation of the effectiveness of security measures.
Processor’s safeguards will be appropriate to the sensitivity of the personal information processed.
Processor’s safeguards are implemented in accordance with PIPEDA Schedule 1, Principle 7 – Safeguards.
10. Data Breach Notification
The Processor shall notify the Controller without undue delay and, where feasible, no later than 72 hours upon becoming aware of a Personal Data breach affecting the Personal Data processed under this Addendum.
The notification shall include, where known: the nature of the incident, categories of data and data subjects affected, likely consequences, and measures taken or proposed to mitigate adverse effects.
Personal Data shall be deleted or returned within 30 days of contract termination, unless otherwise required by law.
Processor shall provide continuous updates to the Controller regarding the breach investigation and mitigation efforts without undue delay until resolution.
11. Liability
Each Party shall be liable for any damages arising from its breach of this Addendum in accordance with applicable laws and the terms of the underlying agreement.
Liability under this Addendum shall also be subject to the limitations and exclusions set forth in the underlying agreement between the Parties, except where restricted by applicable law.
11A. Compliance with U.S. State Laws
The Processor shall assist the Controller in fulfilling its obligations under applicable U.S. state privacy laws, including but not limited to the CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), and UCPA (Utah). This includes supporting data portability requests up to twice in a 12‑month period at no charge, limiting use of sensitive personal information to disclosed purposes, and supporting appeals and regulator escalation as required by applicable law.
Processor shall assist Controller in honoring consumer deletion requests within statutory timeframes under applicable U.S. state privacy laws. Processor shall not process the personal information of minors (ages 13–16) for sale or sharing without documented opt-in consent from the Controller.
Processor shall support Controller in fulfilling consumer rights requests (access, deletion, correction) within statutory deadlines, generally 45 days unless otherwise extended by law.
Processor shall not discriminate against individuals for exercising their privacy rights. Processor shall not combine personal information it receives as a service provider with information from other sources, except as permitted by applicable law.
Processor shall assist Controller in documenting reasons for denial of consumer requests, where applicable under U.S. state privacy laws.
Processor shall not sell or share personal information as defined under the CPRA and similar U.S. state privacy laws.
Processor shall not use Personal Data for cross-context behavioral advertising as defined under applicable U.S. state privacy laws.
12. Governing Law and Jurisdiction
This Addendum shall be governed by and construed in accordance with the laws of Ontario, Canada. Any disputes arising out of or in connection with this Addendum shall be subject to the exclusive jurisdiction of the courts of Ontario, Canada.
IN WITNESS WHEREOF, the Parties have executed this Data Processing Addendum as of the Effective Date.
[Client Name]                        ATC TechBridge

By: ______________________           By: ______________________
Name: ____________________           Name: ____________________
Title: ___________________           Title: ___________________
Date: ____________________           Date: ____________________