1 Introduction & Purpose

1.1 Purpose

This Data Processing Agreement ("DPA") supplements and forms part of the Principal Agreement between the Controller and the Processor. It establishes the responsibilities of each party with respect to the processing of personal information by the Processor on behalf of the Controller in connection with the Services provided under the Principal Agreement.

1.2 Legal Framework

This DPA is designed to ensure compliance with:

• Personal Information Protection Act (PIPA), S.A. 2003, c. P-6.5 — governing private-sector organizations in Alberta
• Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5 — governing federally regulated organizations and inter-provincial data transfers
• Any applicable sector-specific regulations (e.g., occupational health and safety reporting requirements)

1.3 Prevalence

In the event of conflict between this DPA and the Principal Agreement, this DPA shall prevail with respect to the processing of personal information.

2 Definitions

In addition to terms defined in the Principal Agreement:

• "Personal Information" has the meaning set out in PIPA, Section 1(1)(k): information about an identifiable individual.
• "Processing" means any operation performed on Personal Information, including collection, use, disclosure, storage, modification, retrieval, destruction, and de-identification.
• "Controller" means the party that determines the purposes and means of Processing Personal Information.
• "Processor" means the party that Processes Personal Information on behalf of and under the instructions of the Controller.
• "Sub-Processor" means any third party engaged by the Processor to assist in Processing Personal Information.
• "Privacy Breach" has the meaning set out in PIPA, Section 34.1: the loss of, or unauthorized access to or disclosure of, Personal Information.
• "Data Subject" means an identifiable individual to whom the Personal Information relates.

3 Scope of Processing

3.1 Processing Details

The following details of Processing are agreed:

Subject Matter

Processing of Personal Information as necessary to provide the Services under the Principal Agreement

Duration

The term of the Principal Agreement plus the data retention period in Section 9

Nature and Purpose

AI-powered analysis, prediction, reporting, storage, and retrieval of industrial operational data

Types of Personal Information

[e.g., employee names, job titles, safety records, equipment assignments, procurement contacts, training records]

Categories of Data Subjects

[e.g., Controller's employees, contractors, clients, suppliers]

3.2 Controller Instructions

The Processor shall Process Personal Information only in accordance with the Controller's documented instructions, as set out in the Principal Agreement, any applicable SOW, and this DPA. If the Processor believes that a Controller instruction infringes applicable privacy legislation, it shall promptly notify the Controller.

4 Processor Obligations

4.1 Lawfulness

The Processor shall Process Personal Information in compliance with all applicable privacy legislation, including PIPA and PIPEDA, and shall not Process Personal Information for any purpose other than as instructed by the Controller or as required by law.

4.2 Personnel

The Processor shall ensure that all personnel authorized to Process Personal Information:

1. Are subject to confidentiality obligations (contractual or statutory)
2. Have received appropriate privacy and security training
3. Access Personal Information only on a need-to-know basis

4.3 Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures to protect Personal Information, as required by PIPA Section 34. These measures include, at a minimum:

• Encryption: AES-256 at rest, TLS 1.2+ in transit
• Access controls: Role-based access with principle of least privilege
• Authentication: Multi-factor authentication for administrative access
• Network security: Firewalls, intrusion detection, and network segmentation
• Monitoring: Continuous security monitoring and logging with 90-day log retention
• Vulnerability management: Regular security assessments and patching
• Backup: Encrypted backups with tested restoration procedures
• Physical security: Secure data center facilities with access controls

Security measures shall be reviewed and updated at least annually, or more frequently as required by changes in the threat landscape or applicable regulations.

4.4 AI-Specific Obligations

Where Personal Information is processed by the Company's AI/ML systems:

1. Personal Information shall not be used to train, fine-tune, or benchmark the Processor's AI models without the Controller's prior explicit written consent
2. AI Processing shall be logged and auditable
3. The Processor shall maintain human oversight for any automated decision-making that produces significant effects on Data Subjects
4. AI model inputs and outputs containing Personal Information shall be subject to the same security and retention controls as other Personal Information

5 Controller Obligations

The Controller represents, warrants, and undertakes that:

1. It has lawful authority and all necessary consents to collect and disclose Personal Information to the Processor for the purposes described in this DPA
2. It has provided appropriate notice to Data Subjects regarding the use of AI-powered processing services
3. Its instructions for Processing comply with all applicable privacy legislation
4. It shall respond to Data Subject access and correction requests (PIPA Sections 24–25) and shall promptly notify the Processor of any such requests that require the Processor's assistance
5. The Personal Information provided is accurate, complete, and up-to-date

6 Sub-Processors

6.1 Prior Authorization

The Processor shall not engage any Sub-Processor without the Controller's prior written consent. The Controller hereby approves the Sub-Processors listed in Schedule A.

6.2 New Sub-Processors

The Processor shall notify the Controller at least 30 days prior to engaging any new Sub-Processor, providing: the Sub-Processor's name, location, and a description of the processing activities. The Controller may object in writing within the 30-day period. If the Controller objects, the parties shall negotiate in good faith to resolve the concern.

6.3 Sub-Processor Obligations

The Processor shall ensure that each Sub-Processor is bound by data protection obligations no less restrictive than those in this DPA, through a written agreement. The Processor remains fully liable for the acts and omissions of its Sub-Processors.

6.4 Current Sub-Processors

The Processor's current Sub-Processors are listed in Schedule A. This list shall be kept current and provided to the Controller upon request.

7 Data Location & Transfers

7.1 Data Location

Personal Information shall be stored and processed within Canada unless otherwise agreed in writing. The primary data center locations are: [e.g., Montreal, Toronto].

7.2 International Transfers

The Processor shall not transfer Personal Information outside of Canada without the Controller's prior written consent. Where transfers are approved, the Processor shall ensure comparable levels of protection through contractual safeguards and shall comply with PIPEDA requirements for international transfers (PIPEDA Principle 4.1.3).

7.3 Government Requests

If the Processor receives a request or demand from a government authority or law enforcement agency for access to Personal Information, the Processor shall: (a) promptly notify the Controller (unless legally prohibited); (b) challenge the request if there are reasonable grounds; and (c) disclose only the minimum Personal Information required by law.

8 Privacy Breach Management

8.1 Notification

The Processor shall notify the Controller of any confirmed or suspected Privacy Breach without unreasonable delay and no later than 72 hours after becoming aware. The notification shall include:

1. Description of the nature of the Privacy Breach, including the categories and approximate number of Data Subjects affected
2. Categories and approximate volume of Personal Information affected
3. Name and contact details of the Processor's privacy contact
4. Description of likely consequences of the Privacy Breach
5. Description of measures taken or proposed to address the Privacy Breach and mitigate its effects

8.2 Cooperation

The Processor shall cooperate fully with the Controller in investigating and responding to any Privacy Breach, including: (a) preserving evidence; (b) providing additional information as it becomes available; (c) assisting with notification to affected individuals and regulators as required by PIPA Section 34.1; and (d) implementing remedial measures.

8.3 Controller Notification Obligations

The Controller retains responsibility for determining whether notification to: (a) affected individuals; and (b) the Office of the Information and Privacy Commissioner of Alberta (OIPC), is required under PIPA Section 34.1. The Processor shall assist with but not independently make breach notifications unless instructed by the Controller.

9 Data Retention & Deletion

9.1 Retention

The Processor shall retain Personal Information only for as long as necessary to provide the Services or as required by law. The retention period shall not exceed the term of the Principal Agreement plus 30 days, unless otherwise agreed.

9.2 Return or Deletion

Upon termination of the Principal Agreement or expiry of the retention period:

1. The Processor shall make all Personal Information available for export by the Controller in a standard, machine-readable format (CSV, JSON, or equivalent) for a period of 30 days
2. After the export period, the Processor shall securely delete or de-identify all Personal Information, using cryptographic erasure or equivalent methods
3. The Processor shall provide written certification of deletion within 10 business days of completion

9.3 Exceptions

The Processor may retain Personal Information beyond the retention period only to the extent required by applicable law (e.g., tax, audit, or regulatory requirements). Such retained data shall continue to be protected in accordance with this DPA.

10 Audit Rights

10.1 Controller Audit

The Controller (or its appointed auditor, subject to confidentiality obligations) shall have the right to audit the Processor's compliance with this DPA, upon 30 days' written notice and no more than once per year (unless a Privacy Breach or material non-compliance is suspected). Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.

10.2 Processor Cooperation

The Processor shall cooperate with audits and provide reasonable access to: relevant records, systems, personnel, and facilities. The Processor may require the auditor to sign a confidentiality agreement.

10.3 Audit Costs

Each party bears its own costs of any audit. If an audit reveals material non-compliance by the Processor, the Processor shall bear the costs of the audit and promptly remediate the non-compliance at its own expense.

10.4 Certifications

In lieu of an audit, the Processor may provide: (a) SOC 2 Type II reports; (b) ISO 27001 certification; or (c) other recognized security certifications, provided these certifications are current (within 12 months) and cover the Services.

11 Data Subject Requests

11.1 Notification

If the Processor receives a request from a Data Subject to exercise their rights under PIPA (access, correction, or complaint), the Processor shall promptly forward the request to the Controller and shall not respond directly without the Controller's prior written authorization.

11.2 Assistance

The Processor shall provide reasonable technical and organizational assistance to the Controller to fulfil Data Subject requests, including: extracting, correcting, or deleting Personal Information within the Services.

12 Term & Termination

12.1 Term

This DPA commences on the Effective Date and continues for the duration of the Principal Agreement.

12.2 Termination

This DPA automatically terminates upon termination of the Principal Agreement, subject to the Processor's obligations regarding data retention and deletion (Section 9), which survive termination.

12.3 Survival

Sections 4.3 (Security), 5 (Controller Obligations), 8 (Breach Management), 9 (Retention & Deletion), 10 (Audit), and 13 (Governing Law) survive termination of this DPA.

13 General Provisions

13.1 Governing Law

This DPA shall be governed by the laws of the Province of Alberta and the federal laws of Canada applicable therein.

13.2 Liability

The Processor's total aggregate liability under this DPA is subject to the limitation of liability in the Principal Agreement. The Processor's liability for Privacy Breaches caused by its negligence or failure to comply with this DPA shall not be subject to such limitation.

13.3 Entire Agreement

This DPA, together with its Schedules and the Principal Agreement, constitutes the entire agreement between the parties regarding data processing.

13.4 Amendment

This DPA may only be amended in writing signed by authorized representatives of both parties.

13.5 Complaints

Either party may file a complaint regarding privacy matters with the Office of the Information and Privacy Commissioner of Alberta (OIPC) at 780-422-6860.

A Schedule A — Approved Sub-Processors