Data Processing Agreement
> This document has not been reviewed or approved by counsel. Aletheos is not currently accepting paid subscriptions on these terms. Any account created during this draft window is non-binding under Canadian contract law. Final binding terms will be published after Ontario-licensed legal review.
> This document has been drafted from standard templates. It has NOT been reviewed by legal counsel. DO NOT publish or enforce until a Canadian lawyer (Ontario-licensed) has reviewed, amended, and approved. > Last drafted: 2026-04-19
Data Processing Agreement (DPA)
Company: Aletheos Technologies Inc., an Ontario corporation with its registered office at 4005 Don Mills Road, Toronto, ON M2H 3J9, Canada (hereinafter "Aletheos" or "Processor") Jurisdiction: Province of Ontario, Canada Effective Date: [TO BE SET BY LAWYER UPON APPROVAL] Version: DRAFT-1.0
Preamble
This Data Processing Agreement ("DPA") is entered into between Aletheos ("Processor") and the business customer ("Controller") as part of the Controller's subscription to the Aletheos platform.
This DPA is supplemental to and incorporated into the Terms of Sale and Subscription Agreement. In the event of conflict between this DPA and those documents, this DPA prevails with respect to data protection matters.
This DPA is designed to comply with: (a) GDPR — Regulation (EU) 2016/679 (General Data Protection Regulation), Article 28; (b) PIPEDA — Personal Information Protection and Electronic Documents Act (Canada, S.C. 2000, c. 5); (c) CCPA/CPRA — California Consumer Privacy Act and California Privacy Rights Act, to the extent applicable; (d) Other applicable privacy legislation of the jurisdictions from which the Controller's data subjects reside.
1. Definitions
1.1 "Controller" means the business customer that determines the purposes and means of processing personal data, and that engages Aletheos as a processor.
1.2 "Processor" means Aletheos, which processes personal data on behalf of the Controller.
1.3 "Personal Data" means any information relating to an identified or identifiable natural person ("data subject"), as defined under applicable privacy law, including GDPR Article 4(1) and PIPEDA.
1.4 "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, and destruction.
1.5 "Sub-Processor" means any third-party processor engaged by Aletheos to process Personal Data on behalf of the Controller.
1.6 "Security Incident" means any actual or reasonably suspected breach, unauthorized access, disclosure, loss, or destruction of Personal Data.
1.7 "Services" means the Aletheos platform services as defined in the Subscription Agreement.
2. Scope and Subject Matter of Processing
2.1 Subject Matter. Aletheos processes Personal Data to provide the Services to the Controller, including: AI model PII scanning, data broker erasure request management, dark web monitoring, DLP, and OSINT analysis.
2.2 Duration. Processing continues for the duration of the Controller's subscription and terminates upon termination or expiry of the subscription, subject to section 11 (Data Retention and Deletion).
2.3 Nature and Purpose of Processing. Aletheos processes Personal Data solely for the purpose of delivering the Services contracted by the Controller and for no other purpose, unless required by applicable law.
2.4 Instruction-Based Processing. Aletheos processes Personal Data only on documented instructions from the Controller, as set out in this DPA, the Terms of Sale, and any other written configuration or instruction provided by the Controller through the platform.
3. Categories of Data Subjects and Personal Data
3.1 Data Subjects. The categories of data subjects whose Personal Data may be processed include: (a) The Controller's employees, contractors, and agents (in DLP and internal monitoring use cases); (b) Customers of the Controller (in data broker and AI scanning use cases); (c) Third-party individuals identified in dark web monitoring results; (d) Individuals whose PII appears in AI model outputs scanned on behalf of the Controller.
3.2 Categories of Personal Data. The following categories of Personal Data may be processed under this DPA:
| Category | Examples |
|---|---|
| Contact identifiers | Full name, email address, phone number, postal address |
| Online identifiers | IP addresses, usernames, account IDs |
| Financial data | Partial credit card numbers, transaction references |
| Government-issued identifiers | Social insurance numbers, passport numbers (where surfaced in AI model/data broker scans) |
| Sensitive personal data | Health information, login credentials (where surfaced in dark web monitoring) |
| Professional information | Job titles, employer name |
3.3 Sensitive Data. Aletheos does not intentionally seek to process special categories of data (e.g., biometric, health, racial or ethnic origin) as its primary function. Where such data is surfaced incidentally during AI model or dark web scans, Aletheos will treat it with heightened security controls.
4. Controller Obligations
4.1 The Controller represents and warrants that: (a) It has a lawful basis under applicable privacy law (including GDPR Article 6) for providing Personal Data to Aletheos and for the processing described in this DPA; (b) It has obtained all necessary consents, authorizations, and permissions from data subjects whose Personal Data it submits to the platform; (c) It will comply with its own obligations under GDPR, PIPEDA, CCPA, and other applicable laws as the data controller; (d) Its use of the Services complies with the Acceptable Use Policy.
4.2 The Controller is responsible for the accuracy, quality, and legality of Personal Data it submits to the platform.
5. Processor Obligations
5.1 Aletheos will: (a) Process Personal Data only on the Controller's documented instructions and in accordance with this DPA, unless required to process for other purposes by applicable law; (b) Ensure that all Aletheos personnel authorized to process Personal Data are bound by appropriate confidentiality obligations; (c) Implement and maintain the security measures described in section 8; (d) Notify the Controller of any Security Incident as described in section 9; (e) Assist the Controller, to the extent reasonably practicable, in fulfilling its obligations to respond to data subject rights requests (access, erasure, portability, objection) under applicable law; (f) Not disclose Personal Data to any third party except Sub-Processors listed in Schedule A, unless required by law; (g) Promptly notify the Controller if, in Aletheos's assessment, an instruction from the Controller would violate applicable privacy law.
6. Sub-Processors
6.1 Authorization. The Controller grants Aletheos general authorization to engage Sub-Processors, subject to the conditions in this section.
6.2 Current Sub-Processors. As of the effective date, Aletheos engages the following Sub-Processors to process Personal Data on behalf of Controllers. This list constitutes Schedule A to this DPA.
Schedule A — Sub-Processor List
| Sub-Processor | Country of Processing | Purpose | Privacy/DPA Reference |
|---|---|---|---|
| Supabase, Inc. (hosted on AWS US-East-2) | United States | Primary database storage (PostgreSQL), authentication | [https://supabase.com/privacy] |
| Railway Corp. | United States | Application hosting and runtime | [https://railway.app/legal/privacy] |
| Stripe, Inc. | United States | Payment processing and billing | [https://stripe.com/en-ca/privacy] |
| SendGrid (Twilio) | United States | Transactional and marketing email delivery | [https://www.twilio.com/en-us/legal/privacy] |
| Cloudflare, Inc. | United States | CDN, DDoS protection, DNS | [https://www.cloudflare.com/privacypolicy/] |
| Groq, Inc. | United States | AI inference (LLM processing) | [https://groq.com/privacy-policy/] |
| Anthropic PBC | United States | AI inference (Claude models) | [https://www.anthropic.com/privacy] |
| OpenAI, LLC | United States | AI inference (GPT models) | [https://openai.com/policies/privacy-policy] |
| Together AI, Inc. | United States | AI inference (open-source models) | [https://www.together.ai/privacy] |
| Kaggle (Google LLC) | United States | Dataset access for model analysis | [https://www.kaggle.com/privacy] |
| Hugging Face, Inc. | United States | Model hosting and AI model scanning | [https://huggingface.co/privacy] |
| Hostinger International Ltd. | [Confirm jurisdiction] | Website hosting (VPS) | [https://www.hostinger.com/privacy-policy] |
6.3 New Sub-Processors. Aletheos will notify the Controller at least 30 days before engaging a new Sub-Processor or making a material change to an existing Sub-Processor. Notification will be via email to the Controller's account email address and/or through a changelog at [https://aletheos.tech/legal/sub-processors].
6.4 Controller's Right to Object. Within 15 days of receiving notice of a new Sub-Processor, the Controller may object in writing to legal@aletheos.tech, stating specific reasons related to data protection. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the Services without penalty, with a pro-rata refund.
6.5 Sub-Processor Contracts. Aletheos will impose data protection obligations on Sub-Processors that are equivalent to those in this DPA, in particular regarding instructions, security, confidentiality, and audit rights.
7. Cross-Border Data Transfers
7.1 All Sub-Processors listed in Schedule A are located in the United States. Personal Data processed under this DPA is therefore transferred outside Canada and, where applicable, outside the European Economic Area ("EEA").
7.2 For GDPR purposes: Where Personal Data originates from the EEA and is transferred to Sub-Processors in the United States, Aletheos relies on: (a) EU Standard Contractual Clauses (SCCs) where entered into with Sub-Processors; or (b) any applicable adequacy decision or derogation. [LAWYER NOTE: Confirm current SCCs are in place with each Sub-Processor before publishing. Post-Schrems II, SCCs must be accompanied by a Transfer Impact Assessment.]
7.3 For PIPEDA purposes: By executing this DPA (or by accepting the Terms of Sale where this DPA is incorporated), the Controller acknowledges and consents to the transfer of Personal Data to the United States. Aletheos remains accountable under PIPEDA for Personal Data transferred to Sub-Processors and requires Sub-Processors to provide equivalent protection.
7.4 Transfer Impact Assessment. [LAWYER NOTE: A formal Transfer Impact Assessment may be required before publishing. Insert reference here once completed.]
8. Security Measures
8.1 Aletheos implements and maintains the following technical and organizational security measures to protect Personal Data:
Technical Measures: (a) Encryption at rest: all Personal Data stored in Supabase/PostgreSQL is encrypted at rest using AES-256 (or equivalent); (b) Encryption in transit: all data transmitted between clients and Aletheos systems is encrypted using TLS 1.2 or higher; (c) Access controls: role-based access control (RBAC) limits access to Personal Data to authorized personnel only; (d) Authentication: multi-factor authentication (MFA) is enforced for administrative access to production systems; (e) API security: all API endpoints require authentication tokens; rate limiting and quota controls are implemented; (f) Vulnerability management: regular dependency scanning, patching of known CVEs, and penetration testing [confirm frequency — annually?]; (g) Honey tokens: deceptive credential monitoring to detect unauthorized access.
Organizational Measures: (a) Data minimization: Aletheos processes only the minimum Personal Data necessary for the Services; (b) Staff confidentiality: all personnel with access to Personal Data are bound by confidentiality obligations; (c) Vendor management: Sub-Processors are assessed for security compliance before engagement; (d) Incident response: Aletheos maintains a documented incident response plan.
8.2 Aletheos may update security measures over time. Changes that materially reduce security levels will be communicated to Controllers in advance.
9. Security Incident Notification
9.1 Detection and Assessment. In the event Aletheos becomes aware of a Security Incident affecting Controller Personal Data, it will promptly investigate and assess the scope and nature of the incident.
9.2 Notification to Controller. Aletheos will notify the Controller: (a) Without undue delay, and in any event within 72 hours of becoming aware of a Security Incident (to meet GDPR Article 33 obligations where applicable); (b) Within 30 days for PIPEDA purposes (as required by the Breach of Security Safeguards Regulations under PIPEDA).
9.3 Notification Content. The notification will include, to the extent known at the time: (a) Description of the nature of the Security Incident; (b) Categories and approximate number of data subjects affected; (c) Categories and approximate number of Personal Data records affected; (d) Contact details of Aletheos's Privacy Officer; (e) Likely consequences of the Security Incident; (f) Measures taken or proposed to address the incident and mitigate its effects.
9.4 Notification Does Not Imply Fault. A notification under this section does not constitute an admission of liability by Aletheos.
9.5 Controller's Reporting Obligations. The Controller remains solely responsible for determining whether it is required to notify data subjects, supervisory authorities (including the Office of the Privacy Commissioner of Canada, Information and Privacy Commissioner of Ontario, or EU data protection authorities), or other regulators, and for making any required notifications.
10. Data Subject Rights
10.1 Requests to Aletheos. If a data subject makes a request directly to Aletheos to exercise their rights (access, rectification, erasure, restriction, portability, or objection), Aletheos will: (a) Promptly redirect the request to the Controller if the Controller can be identified; and (b) Not respond substantively to the request except on the Controller's documented instructions.
10.2 Assistance to Controller. Aletheos will reasonably assist the Controller in responding to data subject rights requests by providing the technical capability (e.g., data export tools, deletion functions) within the platform. Additional assistance beyond platform capabilities may be provided at cost.
10.3 Erasure Requests. Where the Services include the capability to submit erasure requests to data brokers or AI model operators on the Controller's behalf, those requests are made in the Controller's name under the Controller's lawful authority.
11. Data Retention and Deletion
11.1 During the Subscription. Personal Data processed under this DPA is retained for the duration of the subscription and for any additional period required by applicable law or as specified in the platform's data retention settings.
11.2 Upon Termination. Within 30 days of termination or expiry of the subscription, Aletheos will, at the Controller's election: (a) Return all Personal Data in a machine-readable format; or (b) Securely delete or destroy all Personal Data, including copies held by Sub-Processors (to the extent technically feasible and subject to Sub-Processor retention policies).
11.3 Aletheos will confirm in writing when deletion or return has been completed. Aletheos may retain Personal Data for longer periods where required by applicable law (e.g., tax records, audit trails), in which case it will notify the Controller of the legal basis and the retention period.
12. Audit Rights
12.1 Aletheos will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA.
12.2 Annual Audit. The Controller (or an independent third-party auditor appointed by the Controller and reasonably acceptable to Aletheos) may conduct an audit of Aletheos's data processing activities relevant to this DPA no more than once per calendar year, upon at least 30 days' written notice.
12.3 Audit Scope. Audits are limited in scope to Aletheos's data processing activities under this DPA. Audits must not unreasonably disrupt Aletheos's operations. Aletheos may restrict audit access to information that is confidential, commercially sensitive, or relates to other customers.
12.4 Audit Cost. Audits are conducted at the Controller's cost.
12.5 Alternative. Aletheos may satisfy audit requests by providing the results of third-party security certifications or penetration test reports (with appropriate redactions), in lieu of an on-site audit, where the Controller agrees.
13. Liability and Indemnification
13.1 Each party is liable for any material breach of its obligations under this DPA in accordance with the liability limitations set out in the Terms of Sale.
13.2 [LAWYER NOTE: GDPR Article 82 liability provisions for joint and several liability between Controller and Processor should be reviewed here. Include appropriate indemnification and limitation of liability caps for data breaches.]
14. Term and Termination
14.1 This DPA takes effect on the date the Controller's subscription commences and remains in effect for the duration of the subscription.
14.2 Termination of the subscription automatically terminates this DPA, subject to the data return and deletion obligations in section 11.
15. Governing Law and Disputes
15.1 Governing Law: This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada applicable therein. Where EU GDPR applies to the Controller's data, the SCCs entered into pursuant to section 7.2 govern cross-border transfer obligations.
15.2 Disputes: Any dispute arising out of or related to this DPA shall be submitted to the courts of the Province of Ontario, Canada, except where EU GDPR law mandates otherwise.
15.3 Regulatory Rights: Nothing in this DPA limits the Controller's data subjects' rights to file complaints with the Office of the Privacy Commissioner of Canada ([https://www.priv.gc.ca]), the Information and Privacy Commissioner of Ontario ([https://www.ipc.on.ca]), or any applicable EU data protection supervisory authority.
16. General
16.1 Order of Precedence. In the event of conflict between this DPA and the Terms of Sale or Subscription Agreement, this DPA prevails with respect to data protection and privacy matters.
16.2 Entire Agreement. This DPA, together with Schedule A and the documents referenced herein, constitutes the entire agreement between the parties with respect to the subject matter of data processing.
16.3 Amendments. Aletheos may amend this DPA by providing 30 days' notice to Controllers. Continued use of the Services constitutes acceptance. Where a change to this DPA is required by applicable law (e.g., new SCCs issued by the European Commission), Aletheos may implement the change with less than 30 days' notice and will notify Controllers promptly.
Contact: legal@aletheos.tech | Privacy Officer: privacy@aletheos.tech Governing Law: Province of Ontario, Canada, and the federal laws of Canada applicable therein. Disputes: Courts of Ontario, Canada.
12. EU Customers — Transfer Impact Assessment & Standard Contractual Clauses
Aletheos serves customers in the European Union and the European Economic Area (EEA). All personal data processed under this DPA is stored outside the EEA (United States, per §5 Sub-Processors). For EU/EEA Data Controllers:
12.1 Standard Contractual Clauses (SCCs). The European Commission's
2021 Standard Contractual Clauses (Module Two — Controller-to-Processor)
are incorporated by reference and form part of this DPA. A counter-signed
set of Module Two SCCs will be provided to any EU-domiciled customer upon
request to legal@aletheos.tech.
12.2 Transfer Impact Assessment (TIA). Aletheos has performed a TIA
for transfers to the United States (Supabase / AWS us-east-2, Stripe,
Railway) consistent with the European Data Protection Board's
Recommendations 01/2020. The TIA is available on request, under NDA, to
any EU Data Controller prior to signing this DPA.
12.3 Supplementary measures. Aletheos applies TLS 1.3 for all data in transit, AES-256 encryption for data at rest, access-log retention of one year, and contractual commitments from each sub-processor to challenge any government data-access request before complying.
Open item for lawyer review: counter-sign the SCCs with a Canadian-licensed lawyer before first EU enterprise customer onboarding; confirm TIA is current.