Data Processing Addendum

INNOVASIUM INC.

Version 2026-2.0 · Effective: January 1, 2026 · innovasium.com/dpa

This Data Processing Addendum ("DPA") is incorporated into and forms part of the Innovasium Standard Terms (or, where applicable, the Innovasium Master Services Agreement) between Innovasium and Client. Capitalized terms not defined here have the meanings given in the Standard Terms or MSA.

1. Definitions

"Personal Information" means information about an identifiable individual, including "personal information" under the Personal Information Protection and Electronic Documents Act (Canada) and applicable provincial privacy legislation. "Processing"(and "Process") means any operation performed on Personal Information. "Sub-Processor" means any third party engaged by Innovasium to Process Personal Information in connection with the Services.

2. Roles

With respect to Personal Information Processed in the course of the Services, Client is the controller (or, under applicable Canadian legislation, the accountable organization) and Innovasium is the processor (or third-party service provider acting on Client's behalf). Innovasium Processes Personal Information solely on Client's behalf for the purposes specified in the applicable estimate or statement of work.

3. Compliance

Each party will comply with its obligations under applicable Canadian privacy legislation, including PIPEDA and applicable provincial privacy legislation. Client represents that it has obtained all consents, provided all notices, and has all legal bases necessary for the collection, use, and disclosure of Personal Information to Innovasium for Processing in accordance with the Standard Terms and this DPA.

4. Sub-Processors

Client authorizes Innovasium to engage Sub-Processors (including AI service providers, hosting providers such as AWS, and other third-party service providers) to assist in providing the Services. Innovasium will:

  1. maintain a list of material Sub-Processors and make it available on request,
  2. impose contractual obligations on Sub-Processors substantially equivalent to those in this DPA, and
  3. provide prior notice of any material new Sub-Processor before that Sub-Processor begins Processing Personal Information.

5. Security

Innovasium implements appropriate technical and organizational measures to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such measures are appropriate to the risks presented and the nature of the Personal Information, and include access controls, encryption in transit and at rest where appropriate, regular security testing, and personnel confidentiality obligations.

6. Breach Notification

Innovasium will notify Client without undue delay, and in any event within 72 hours, after becoming aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information Processed by Innovasium. The notice will include reasonably available information about the nature of the breach, affected categories of data, likely consequences, and measures taken or proposed.

7. Data Residency and Cross-Border Transfer

7.1 Default Region

Unless otherwise specified in the applicable estimate, Personal Information is Processed and stored within the AWS US-East-1 region. The applicable estimate may specify alternative regions (including AWS Canada (Central) or other regions) where required for data sovereignty, regulatory compliance, or other legitimate purposes.

7.2 Cross-Border Acknowledgements

Client acknowledges:

  1. Personal Information Processed in the United States is subject to access requests from US governments, courts, and law enforcement under applicable US law, including the CLOUD Act;
  2. AI Services involve a distinction between persistent data(application data, knowledge bases, vector indices, conversation history, session state, logs) and transient Foundation Model inference processing. While persistent data is stored in the primary data region specified in the applicable estimate, Foundation Model inference may transit other AWS regions via Amazon Bedrock's Cross-Region Inference (CRIS) capability where the selected Foundation Models are not natively hosted in the primary data region (for example, Anthropic's Claude models are not hosted in the AWS Canada (Central) region and are accessed via Cross-Region Inference to a US region). AWS does not persist inference inputs or outputs in the destination region after the inference call completes, subject to AWS's standard service operation, abuse-prevention, and logging practices;
  3. Client is responsible for providing notice to its end users of cross-border transfer where required by applicable Canadian or other privacy law, including under PIPEDA and applicable provincial legislation;
  4. Innovasium uses contractual measures (including AWS's Data Processing Addendum and Foundation Model Provider commitments) to provide a comparable level of protection wherever Personal Information is Processed.

8. Cooperation

Innovasium will provide reasonable assistance to Client in responding to (a) requests from individuals to access, correct, or delete Personal Information, (b) requests from regulators, and (c) data protection impact assessments where required. Innovasium may charge for assistance at its then-current time-and-materials rates beyond routine handling.

9. Return or Deletion

On termination of an engagement, Innovasium will, at Client's option, return or delete Personal Information in its possession, subject to (a) retention required by applicable law, (b) retention in backup systems pending routine deletion, and (c) retention of de-identified data.

10. Survival and Conflict

This DPA survives termination of the underlying agreement for so long as Innovasium retains any Personal Information of Client. In the event of conflict between this DPA and the Standard Terms or MSA with respect to Personal Information, this DPA controls.

Questions about this DPA: [email protected]
Innovasium Inc., Toronto, Ontario, Canada