DIYTel Data Processing Addendum (DPA)
Last Updated: June 17, 2025
Effective Date: June 17, 2025
1. INTRODUCTION AND SCOPE
This Data Processing Addendum ("DPA") forms part of the DIYTel Master Terms of Service and governs the processing of personal data by DIYTel on behalf of its customers ("Data Controllers"). This DPA ensures compliance with applicable privacy laws including PIPEDA, GDPR (where applicable), and provincial privacy legislation.
Parties:
- Data Controller: DIYTel customer who determines purposes and means of processing
- Data Processor: DIYTel, processing personal data on behalf of the customer
- Data Subjects: Individuals whose personal data is processed
2. DEFINITIONS
2.1 Key Terms
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, etc.)
- Data Breach: Unauthorized access, disclosure, alteration, or destruction of personal data
- Sub-processor: Third party engaged by DIYTel to process personal data
2.2 Categories of Data Subjects
- Customer employees and representatives
- End users of customer telecommunications services
- Website visitors and contacts
- Billing and payment contacts
2.3 Categories of Personal Data
Contact Information:
- Names, email addresses, phone numbers
- Business addresses and contact details
- Job titles and company affiliations
Technical Data:
- Call detail records (CDRs)
- IP addresses and device information
- Usage logs and analytics data
- System performance metrics
Financial Data:
- Billing and payment information
- Credit card and banking details
- Transaction records and invoices
3. DATA PROCESSING OBLIGATIONS
3.1 Processing Instructions
- DIYTel processes personal data only on documented instructions from the customer
- Processing limited to purposes specified in the service agreement
- No processing for DIYTel's own purposes without customer consent
- Customer instructions must comply with applicable privacy laws
3.2 Lawful Basis for Processing
Customer Responsibilities:
- Ensure lawful basis exists for all processing activities
- Obtain necessary consents from data subjects
- Provide required privacy notices
- Maintain records of processing activities
DIYTel Responsibilities:
- Process data only as instructed by customer
- Maintain records of processing activities on behalf of customer
- Assist customer in meeting legal obligations
- Implement appropriate technical and organizational measures
3.3 Data Minimization
- Collect only personal data necessary for service provision
- Retain data only as long as required for specified purposes
- Regularly review and delete unnecessary data
- Implement data retention schedules
4. SECURITY MEASURES
4.1 Technical Safeguards
Encryption:
- End-to-end AES encryption for voice communications
- Encryption of data at rest and in transit
- Secure key management procedures
- Regular encryption key rotation
Access Controls:
- Multi-factor authentication for system access
- Role-based access controls
- Regular access reviews and updates
- Secure authentication protocols
Network Security:
- Firewalls and intrusion detection systems
- Network segmentation and isolation
- Regular security monitoring and logging
- Vulnerability assessments and penetration testing
4.2 Organizational Measures
Staff Training:
- Regular privacy and security training
- Confidentiality agreements for all personnel
- Background checks for sensitive positions
- Incident response training
Policies and Procedures:
- Documented security policies and procedures
- Regular policy reviews and updates
- Compliance monitoring and auditing
- Vendor management and oversight
4.3 Physical Security
Data Center Security:
- 24/7 physical security monitoring
- Biometric access controls
- Environmental controls and monitoring
- Secure disposal of hardware and media
5. SUB-PROCESSING AND THIRD PARTIES
5.1 Sub-processor Authorization
General Authorization:
- Customer provides general authorization for sub-processors
- DIYTel maintains list of authorized sub-processors
- 30-day notice for new sub-processors
- Customer right to object to new sub-processors
Current Sub-processors:
- Cloud infrastructure providers (AWS, Microsoft Azure)
- Payment processing services
- Backup and disaster recovery providers
- Technical support and monitoring services
5.2 Sub-processor Requirements
Contractual Obligations:
- Written agreements with all sub-processors
- Same data protection obligations as in this DPA
- Regular compliance monitoring and auditing
- Right to audit sub-processor compliance
Due Diligence:
- Security and privacy assessments
- Financial stability and reputation checks
- Ongoing performance monitoring
- Incident response capabilities
6. DATA SUBJECT RIGHTS
6.1 Rights Support
Customer Obligations:
- Handle data subject requests directly where possible
- Forward requests to DIYTel when necessary
- Provide clear instructions for request handling
- Maintain records of requests and responses
DIYTel Assistance:
- Provide technical assistance for data subject requests
- Implement measures to facilitate rights exercise
- Respond to requests within required timeframes
- Maintain audit trails of all actions taken
6.2 Specific Rights Support
Access Rights:
- Provide copies of personal data held
- Explain processing purposes and legal basis
- Identify data recipients and retention periods
- Assist with data portability requests
Correction and Deletion:
- Implement data corrections as instructed
- Delete personal data when requested and legally permissible
- Notify sub-processors of correction or deletion requirements
- Maintain records of all changes made
7. DATA TRANSFERS
7.1 International Transfers
Transfer Restrictions:
- Personal data primarily processed in Canada
- International transfers only with appropriate safeguards
- Adequacy decisions or standard contractual clauses
- Customer notification of transfer locations
Safeguards for Transfers:
- Standard contractual clauses (SCCs)
- Binding corporate rules where applicable
- Certification schemes and codes of conduct
- Specific authorization from customer
7.2 Government Access Requests
Legal Process Response:
- Notify customer of government data requests (where legally permitted)
- Challenge overly broad or inappropriate requests
- Provide only minimum data required by law
- Maintain records of all government requests
8. DATA BREACH RESPONSE
8.1 Breach Notification
DIYTel Obligations:
- Notify customer within 24 hours of breach discovery
- Provide detailed breach information and impact assessment
- Assist customer in regulatory notification requirements
- Implement immediate containment measures
Notification Content:
- Nature and scope of the breach
- Categories and approximate number of affected data subjects
- Likely consequences of the breach
- Measures taken to address the breach
8.2 Breach Response Procedures
Immediate Response:
- Contain and investigate the breach
- Assess risk to data subjects
- Document all response actions
- Coordinate with customer on communications
Follow-up Actions:
- Implement additional security measures
- Conduct post-incident review
- Update policies and procedures as needed
- Provide regular status updates to customer
9. DATA RETENTION AND DELETION
9.1 Retention Periods
Standard Retention:
- Call detail records: 7 years (regulatory requirement)
- Billing records: 7 years (tax and accounting requirements)
- Support communications: 3 years
- Technical logs: 1 year unless longer retention required
Customer-Specified Retention:
- Customer may specify different retention periods
- Retention periods must comply with applicable laws
- Regular review of retention requirements
- Automated deletion where technically feasible
9.2 Data Deletion Procedures
End of Service:
- Secure deletion of all customer data within 30 days
- Certificate of destruction provided upon request
- Backup data deletion according to retention schedule
- Sub-processor notification of deletion requirements
Ongoing Deletion:
- Regular deletion of expired data
- Secure deletion methods and verification
- Documentation of all deletion activities
- Customer notification of completed deletions
10. AUDITING AND COMPLIANCE
10.1 Audit Rights
Customer Audit Rights:
- Annual compliance audits or reviews
- Access to relevant compliance documentation
- Interviews with key personnel involved in data processing
- Review of sub-processor compliance
Audit Procedures:
- Reasonable advance notice required
- Scope and timing to be mutually agreed
- Confidentiality obligations for audit findings
- Remediation plans for any identified issues
10.2 Compliance Monitoring
Regular Assessments:
- Quarterly compliance reviews
- Annual third-party security assessments
- Continuous monitoring of security controls
- Regular policy and procedure updates
Compliance Reporting:
- Annual compliance reports to customers
- Incident reports and breach notifications
- Certification and attestation documents
- Regulatory compliance status updates
11. LIABILITY AND INDEMNIFICATION
11.1 Liability Allocation
Customer Liability:
- Ensuring lawful basis for processing
- Providing accurate processing instructions
- Compliance with data subject rights
- Regulatory notifications and reporting
DIYTel Liability:
- Following customer processing instructions
- Implementing appropriate security measures
- Breach notification and response
- Sub-processor management and oversight
11.2 Indemnification
Mutual Indemnification:
- Each party indemnifies the other for breaches of its obligations
- Defense of claims arising from that party's actions
- Cooperation in defense of third-party claims
- Limitation of liability as specified in main agreement
12. TERM AND TERMINATION
12.1 DPA Term
- Effective for duration of main service agreement
- Survives termination for the duration of the data retention period
- Automatic renewal with service agreement
- Termination upon completion of all processing
12.2 Post-Termination Obligations
Data Return or Deletion:
- Customer choice of data return or deletion
- Secure deletion of all copies and backups
- Certificate of destruction provided
- Sub-processor data deletion coordination
13. CONTACT INFORMATION
Data Protection Officer:
- Email: privacy@diytel.ca
- Phone: +1 604-635-0700
- Address: A-33771 George Ferguson Way, #329, Abbotsford, BC V2S 2M5
Legal and Compliance:
- Email: legal@diytel.ca
- Emergency: emergency@diytel.ca
This DPA sets out DIYTel's commitment to protecting personal data and to maintaining compliance with applicable privacy laws while providing telecommunications services to our business customers.