
Data Processing Schedule (Annex to Data Processing Addendum)

This Schedule forms Annex 1 to the Data Processing Addendum and must be read together with it.

This Schedule describes the categories of data, purposes, retention, and safeguards relating to ATC TechBridge’s processing of Client data.

| Category of Data | Examples | Purpose of Processing | Retention Period | Safeguards | Lawful Basis (GDPR) |
|---|---|---|---|---|---|
| Identity & Access Data | Usernames, email addresses, role assignments, MFA status, admin activity logs | To administer Microsoft 365 and other identity platforms, enforce security policies, and provide access reviews | Generally retained for 30 days after service ends | MFA enforced; encrypted in transit and at rest | Contract, Legitimate Interests |
| Device & Endpoint Data | Device name, OS version, patch status, endpoint health, AV/EDR telemetry | To monitor, secure, and support client endpoints under RMM/AV/EDR tooling | Generally retained for 90 days after service ends | ATC-owned RMM/AV/EDR stack; least-privilege admin | Contract, Legitimate Interests |
| Backup & Recovery Data | Backup job logs, restore reports, backup metadata (not client file content) | To validate and evidence backup/restore success | Generally retained for 90 days after service ends | Encrypted storage; segregated client tenants | Contract, Legitimate Interests |
| Ticketing & Support Data | Ticket subject, description, attachments, resolution notes | To provide IT support and track issues | Retained for up to 1 year after service ends | Ticket system access-controlled; data encrypted at rest | Contract, Legitimate Interests |
| Policy & Compliance Artifacts | Runbooks, SOPs, configuration baselines, evidence packages | To provide compliance readiness, audit evidence, and reporting | Retained for up to 1 year after service ends | Stored in secured ATC document repository; client-specific segregation | Contract, Legal Obligation |
| Contact Data (business) | Business contact name, role, phone/email | For account management, communication, invoicing | Retained for up to 6 years after service ends | CRM access-controlled; no personal email duplication | Contract, Legitimate Interests |
| Personal Health Information (if applicable) | Patient identifiers, health info (only if scoped in SOW for health care clients) | To deliver agreed services under Ontario’s Personal Health Information Protection Act (PHIPA) compliance context as an agent of the health information custodian. ATC TechBridge does not access or process patient data in the ordinary course of business; any access is incidental and solely to perform system support and maintenance. | As required by PHIPA and other applicable laws; generally retained for 30 days unless otherwise specified | PHIPA-compliant safeguards; access restricted to ATC personnel on need-to-know basis | Contract, Legal Obligation, Consent (where required) |

  • GDPR:
  • ATC TechBridge does not intentionally process sensitive personal information beyond what is necessary to perform contracted services. Special categories of data (such as health information, biometrics, or precise geolocation) are only processed if explicitly scoped in a Statement of Work (SOW) or as required by law.
  • Data subject rights (access, correction, erasure, restriction, portability, objection) are supported under the Data Processing Addendum. Processing is carried out with data protection by design and by default, and records of processing are maintained.
  • Where applicable, data is provided in a structured, commonly used, machine-readable format to support portability. Data subjects also have the right to lodge complaints with supervisory authorities.
  • Controllers remain responsible for managing data subject rights requests, with Processor assisting as described in the Data Processing Addendum.
  • Special categories of personal data (sensitive data) are processed only with explicit consent under GDPR Article 9 or where otherwise required by law.
  • ATC TechBridge does not knowingly process children’s data under age 16 in the EEA without parental consent, consistent with GDPR Article 8.
  • See Section 8 of the Data Processing Addendum for the full list of GDPR rights and obligations.

  • PIPEDA:

  • ATC TechBridge does not intentionally process children’s data under the age of 13 (COPPA compliance).
  • Processing is limited to what is necessary (minimization), with safeguards appropriate to the sensitivity of the information, and data is kept accurate and up-to-date in line with the Personal Information Protection and Electronic Documents Act (PIPEDA) principles.
    • Individuals may request access to personal information through the Controller.
    • ATC TechBridge makes privacy policies available on request, consistent with PIPEDA’s openness principle.
  • Client remains responsible for ensuring lawful collection of personal data before providing it to ATC TechBridge.

  • PHIPA:

  • When supporting health care clients, ATC TechBridge acts as an 'agent' under PHIPA, bound by the custodian’s instructions. We support SaaS environments where PHI may be processed but do not ourselves process patient data except incidentally as required to perform services.
  • As PHIPA agents, ATC TechBridge staff are trained on PHIPA obligations, access is logged, and sub-processors are contractually required to comply with PHIPA. Processor acts only on custodian instructions.

    • Breach notifications specific to PHIPA contexts are provided within 72 hours.
    • ATC TechBridge supports custodians in responding to audits or investigations by the Information and Privacy Commissioner of Ontario.
  • APPI:

  • For Japan’s Act on the Protection of Personal Information (APPI), sensitive information is only processed with consent, records of third-party provisions are maintained for 1–3 years, and necessary and appropriate measures are taken to prevent leakage, loss, or damage of personal data.
    • Records of third-party provisions include recipient, date, and purpose, as required by APPI.
    • Data subjects may request disclosure of third-party provision records via Controller.
  • Data subjects may request correction or deletion of inaccurate personal information via Controller, in accordance with APPI.

  • U.S.:

  • Where U.S. state privacy laws apply (e.g., California Consumer Privacy Act/California Privacy Rights Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA)), ATC TechBridge will assist the Client in fulfilling consumer rights requests, including access, deletion, correction, opt-out of sale/sharing, limiting the use of sensitive personal information, and supporting appeals (including regulator escalation where applicable).
  • ATC TechBridge shall not sell or share personal data, shall not process personal data for cross-context behavioral advertising, and shall not process the personal information of minors aged 13–16 without documented opt-in consent.
  • Consumer rights requests are fulfilled within statutory timelines (generally 45 days, extendable to 90).
  • ATC TechBridge will not discriminate against consumers for exercising their privacy rights.
  • Consumers also have a right to data portability under applicable U.S. state laws.
  • Consumers may limit the use and disclosure of sensitive personal information to purposes permitted by law.

  • General:

  • Sub-processor list is available upon request; breach notifications follow a 72-hour SLA; SOC 2 and ISO 27001 summaries are available upon request under the Data Processing Addendum.
  • Audit rights, business continuity and disaster recovery measures, and continuous breach updates are described in the Data Processing Addendum and apply equally to this Schedule.
  • ATC TechBridge will notify Controller of any regulatory investigation or enforcement action relating to data under this Schedule. Sub-processors that materially breach obligations will be terminated.
  • Retention and deletion obligations apply consistently with the Data Processing Addendum.

U.S. State Privacy Law Compliance

Where U.S. state privacy laws apply (e.g., CCPA/CPRA in California, VCDPA in Virginia, CPA in Colorado, CTDPA in Connecticut, UCPA in Utah), ATC TechBridge will assist the Client in fulfilling consumer rights requests, including access, deletion, correction, opt-out of sale/sharing, limiting the use of sensitive personal information, and supporting appeals (including regulator escalation where applicable). ATC TechBridge shall not sell or share personal data, shall not process personal data for cross-context behavioral advertising, and shall not process the personal information of minors aged 13–16 without documented opt-in consent. Consumer rights requests are fulfilled within statutory timelines (generally 45 days, extendable to 90). ATC TechBridge will not discriminate against consumers for exercising their privacy rights.

Plain Language Summary (Client-Friendly)

ATC TechBridge only collects and uses the minimum data needed to deliver our services. Here’s what that means in practice:

  • User & Access Info: ATC TechBridge sees your usernames and login activity so we can keep accounts secure.
  • Device Info: ATC TechBridge tracks whether computers are updated and protected, but not what you do on them.
  • Backups: ATC TechBridge monitors that your backups are running and can be restored, but does not read your files.
  • Support Tickets: ATC TechBridge retains records of support requests to resolve issues and improve service delivery.
  • Compliance Docs: ATC TechBridge may retain policies or setup documentation created for you, only as long as required to deliver contracted services.
  • Contact Info: ATC TechBridge keeps your business contact details (like email and phone) so we can talk to you and send invoices.
  • Health Data (if applicable): If you’re in health care, ATC TechBridge supports the systems you use to handle patient data. ATC TechBridge does not look at or use patient data ourselves, except incidentally if required to keep your systems running. In those cases, ATC TechBridge follows PHIPA rules as your agent.

How long we keep data: Most technical logs are kept for 30–90 days. Support tickets and compliance records may be kept up to 1 year. Business contact info can be kept up to 6 years after service ends. Health care data is handled under PHIPA, usually no longer than 30 days unless the law requires otherwise.

How we protect it: Everything is encrypted in transit and at rest, accounts use multi-factor authentication, and access is limited to only those who need it.

ATC TechBridge shall not sell or share personal data. Our only use is to deliver and support the services you’ve asked for.