Data Processing Agreement

Last Updated: January 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Client," "Data Controller") and Hutton Tech Solutions ("Processor," "we," "us") and governs the processing of personal information in connection with AI and automation services.

This DPA complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable Canadian privacy laws.

2. Definitions

Personal Information

Information about an identifiable individual as defined by PIPEDA

Processing

Any operation performed on personal information, including collection, use, disclosure, storage, or destruction

Data Controller

The Client who determines the purposes and means of processing personal information

Data Processor

Hutton Tech Solutions, who processes personal information on behalf of the Data Controller

3. Scope and Purpose of Processing

Subject Matter

Processing of personal information for AI model training, automation services, and business intelligence.

Duration

For the term of the service agreement and retention period specified in Section 9.

Nature and Purpose

  • AI model training and fine-tuning
  • Automated customer service and lead response
  • Business process automation
  • Data analysis and reporting
  • System hosting and maintenance

Types of Personal Information

  • Contact information (names, emails, phone numbers)
  • Business information (company names, job titles)
  • Communication records (emails, chat logs, call transcripts)
  • Usage data (interaction patterns, preferences)
  • Technical data (IP addresses, device information)

Categories of Data Subjects

  • Client's customers and prospects
  • Client's employees and contractors
  • Website visitors and users

4. Processor Obligations

Hutton Tech Solutions agrees to:

  • Process personal information only on documented instructions from the Client
  • Ensure personnel processing data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with prior written consent
  • Assist the Client in responding to data subject requests
  • Assist the Client with security breach notifications
  • Delete or return personal information upon termination
  • Make available information necessary to demonstrate compliance

5. Security Measures

Technical Measures

  • Encryption: AES-256 for data at rest, TLS 1.2+ for data in transit
  • Access Control: Role-based access control (RBAC) and multi-factor authentication
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Monitoring: 24/7 security monitoring and logging
  • Backup: Daily encrypted backups with geographic redundancy

Organizational Measures

  • Training: Regular security and privacy training for all personnel
  • Policies: Documented security policies and procedures
  • Audits: Annual security audits and vulnerability assessments
  • Incident Response: Documented breach response procedures
  • Vendor Management: Security requirements for all sub-processors

6. Sub-Processors

We may engage the following sub-processors:

Current Sub-Processors

Amazon Web Services (AWS)

Cloud infrastructure hosting (Canada region)

Purpose: Server hosting and data storage

Stripe, Inc.

Payment processing

Purpose: Billing and payment transactions

Google Cloud Platform

Authentication services (optional)

Purpose: Single sign-on and calendar integration

We will notify you of any changes to sub-processors and provide an opportunity to object within 30 days.

7. Data Subject Rights

We will assist you in fulfilling data subject requests, including:

  • Access: Providing copies of personal information
  • Correction: Updating inaccurate or incomplete data
  • Deletion: Erasing personal information upon request
  • Portability: Exporting data in machine-readable format
  • Objection: Stopping certain processing activities
  • Restriction: Limiting processing in specific circumstances

Response Timeline

We will respond to data subject requests within 30 days as required by PIPEDA, or inform you if additional time is needed.

8. Security Breach Notification

In the event of a security breach involving personal information:

  • We will notify you without undue delay (within 72 hours of discovery)
  • Notification will include the nature of the breach, the affected data, and mitigation steps
  • We will cooperate with your breach response and regulatory notifications
  • We will document all breaches and remediation actions

Breach Contact

security@huttontech.solutions

Available 24/7 for security incidents

9. Data Retention and Deletion

Retention Period

  • Active services: Data retained for duration of service agreement
  • After termination: 30 days for data export and transition
  • Backups: Retained for 90 days for disaster recovery
  • Legal holds: Retained as required by law or legal proceedings

Deletion Process

Upon termination or deletion request:

  • Production data deleted within 30 days
  • Backup data deleted within 90 days
  • Secure deletion using industry-standard methods
  • Certification of deletion provided upon request

10. International Data Transfers

Our primary infrastructure is located in Canada. If data must be transferred outside Canada:

  • We will obtain your prior written consent
  • We will implement appropriate safeguards (standard contractual clauses)
  • We will ensure the receiving jurisdiction provides adequate protection
  • We will document all international transfers

Data Residency

By default, all data is stored in Canadian data centers (AWS Canada region) to comply with Canadian data sovereignty requirements.

11. Audits and Compliance

You have the right to:

  • Request information about our processing activities
  • Conduct audits with reasonable notice (30 days)
  • Review our security certifications and audit reports
  • Inspect our facilities and systems (subject to confidentiality)

Audits must not disrupt our operations or compromise security. We may provide third-party audit reports in lieu of direct audits.

12. Liability and Indemnification

Each party is liable for its own breaches of this DPA. We will indemnify you against claims arising from our failure to comply with this DPA, subject to the limitations in our Terms of Service.

You will indemnify us against claims arising from your instructions to process data in violation of applicable laws.

13. Contact Information

Privacy Officer

privacy@huttontech.solutions

For data subject requests and privacy inquiries

Data Protection Officer

dpo@huttontech.solutions

For DPA compliance and processing questions