Data Processing Agreement
Terms governing the processing of client data
Last updated: March 26, 2025
Introduction
By subscribing to ATEK's monitoring services and platform, you (the "Client") acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement ("DPA"). This DPA forms part of your agreement with ATEK and governs how ATEK processes personal data on your behalf. It supplements and is incorporated into ATEK's Privacy Policy, Terms & Conditions, and Confidentiality & Non-Disclosure Agreement.
This DPA should be read in conjunction with the ATEK End User License Agreement, Terms & Conditions, Service Level Agreement, Confidentiality & Non-Disclosure Agreement, Privacy Policy, and Cookie Policy.
1. Definitions
1.1. "ATEK" refers to 10007668 CANADA INC., doing business as ATEK, with its head office at 5490 Boulevard Thimens, Office 240, St-Laurent, Quebec, H4R 2K9, Canada.
1.2. "Client" means the natural or legal person who has subscribed to ATEK's services and acts as the data controller in relation to the personal data processed under this DPA.
1.3. "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable privacy legislation including PIPEDA, Quebec Law 25, and the GDPR where applicable.
1.4. "Client Data" means all data, including Personal Data, uploaded to or generated within the ATEK Platform by or on behalf of the Client.
1.5. "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, transfer, or deletion.
1.6. "Controller" means the entity that determines the purposes and means of Processing Personal Data. The Client is the Controller of Client Data processed under this DPA.
1.7. "Processor" means the entity that processes Personal Data on behalf of the Controller. ATEK acts as the Processor under this DPA.
1.8. "Sub-processor" means any third party engaged by ATEK to process Personal Data in connection with the services, as listed in Annex A.
1.9. "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
2. Scope and Nature of Processing
2.1 Scope
This DPA applies to all Personal Data processed by ATEK as a Processor on behalf of the Client in connection with the ATEK environmental monitoring services and platform ("Services").
2.2 Nature and Purpose
ATEK processes Personal Data solely for the purpose of providing the Services, which includes:
- Hosting and operating the ATEK monitoring platform and dashboard
- Delivering real-time environmental monitoring alerts and notifications
- Generating monitoring reports and compliance documentation
- Providing technical support and platform maintenance
- Performing platform improvements and analytics (on aggregated, anonymized data only)
2.3 Types of Personal Data
Depending on how the Client configures and uses the Services, ATEK may process the following categories of Personal Data:
- User Account Data: Names, email addresses, phone numbers, job titles, and login credentials of Client personnel with platform access
- Contact and Notification Data: Phone numbers and email addresses used to receive monitoring alerts and system notifications
- Operational Logs: User activity logs including login timestamps, configuration changes, and acknowledged alerts, linked to named users
- Client-Provided Data: Any additional personal data the Client voluntarily enters into the platform (e.g., contact names in location notes or support tickets)
2.4 No Patient Data
ATEK's platform is not designed or intended to store, process, or transmit patient health information, medical records, or any data subject to HIPAA, PHIPA, or equivalent health privacy legislation. The Client is solely responsible for ensuring that no such data is entered into the ATEK platform. The environmental sensor data processed by ATEK (temperature, humidity, CO2, etc.) relates to environmental conditions, not to individuals.
2.5 Categories of Data Subjects
The Personal Data processed under this DPA relates to the following categories of data subjects:
- Employees and contractors of the Client who use the ATEK platform
- Individuals designated by the Client to receive monitoring alerts or notifications
- Any other individuals whose personal data the Client chooses to enter into the platform
3. Obligations of ATEK as Processor
3.1 Processing Instructions
ATEK shall process Personal Data only on documented instructions from the Client, including as set out in this DPA and the applicable service agreements. If ATEK is required by applicable law to process Personal Data beyond the Client's instructions, ATEK shall notify the Client before such processing, unless prohibited by law.
3.2 Confidentiality
ATEK shall ensure that all personnel authorized to process Client Data are subject to confidentiality obligations, whether by contract or professional duty, consistent with those in the Confidentiality & Non-Disclosure Agreement.
3.3 Security Measures
ATEK shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration. These measures include:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls and least-privilege principles
- Multi-factor authentication for administrative access
- Regular security assessments and vulnerability scanning
- Incident detection and response procedures
- Employee security training
3.4 Assistance to the Client
Taking into account the nature of the processing, ATEK shall assist the Client in fulfilling its obligations to respond to requests from data subjects and to comply with applicable privacy legislation. This assistance includes:
- Providing tools and mechanisms within the platform to export Client Data
- Deleting or anonymizing Client Data upon documented request
- Providing records necessary for the Client to demonstrate compliance
- Supporting data subject access, correction, and deletion requests forwarded by the Client
3.5 Audit Rights
ATEK shall make available to the Client all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Client or its authorized auditor. These rights are subject to:
- Reasonable advance notice of at least 30 days (except in the case of a Security Incident)
- Execution of a confidentiality agreement prior to the audit
- The audit being conducted during normal business hours and without disrupting ATEK's operations
- The Client bearing all costs of the audit unless a material breach by ATEK is identified
4. Sub-processing
4.1 Authorized Sub-processors
The Client provides general written authorization for ATEK to engage Sub-processors to assist in delivering the Services. The current list of authorized Sub-processors is set out in Annex A of this DPA.
4.2 Obligations on Sub-processors
ATEK shall impose data protection obligations on each Sub-processor that are no less restrictive than those set out in this DPA, including:
- Processing Personal Data only for the purposes for which they were engaged
- Implementing appropriate technical and organizational security measures
- Assisting ATEK in fulfilling its obligations to the Client under this DPA
- Promptly notifying ATEK of any Security Incidents involving Client Data
4.3 Changes to Sub-processors
ATEK shall notify the Client of any intended changes to the list of Sub-processors in Annex A by updating this DPA and providing at least 30 days' advance notice by email to the Client's registered address or through an in-platform notification.
If the Client objects to a new Sub-processor on reasonable grounds related to data protection, the Client shall notify ATEK in writing within 15 days of receiving notice. The parties shall work in good faith to resolve the objection. If no resolution is reached, the Client may terminate the affected Services without penalty, subject to the terms of the applicable service agreement.
4.4 Emergency Sub-processor Changes
In the event of an emergency requiring an immediate change of Sub-processor (e.g., a Sub-processor experiencing a critical security incident), ATEK may engage a replacement Sub-processor without advance notice, provided ATEK notifies the Client as soon as practicable and the replacement Sub-processor meets equivalent data protection standards.
5. Data Hosting and Transfers
5.1 Data Location
ATEK primarily hosts Client Data in Canada. The default deployment region for the ATEK platform is Canada (Google Cloud Platform, Montreal region). Specific data locations for each Sub-processor are identified in Annex A.
5.2 International Transfers
Where Client Data is transferred outside of Canada, ATEK shall ensure that such transfers are made in accordance with applicable privacy legislation and subject to appropriate safeguards, which may include:
- Transfers to countries with an adequacy determination from the relevant regulatory authority
- Standard contractual clauses or equivalent mechanisms as required under applicable law
- Binding corporate rules or other approved transfer mechanisms
5.3 Client Notification
ATEK shall notify the Client of any material change to data hosting locations that may affect the Client's compliance obligations, providing at least 30 days' advance notice where reasonably practicable.
6. Data Breach Notification
6.1 Notification Timeline
In the event of a confirmed Security Incident involving Client Data, ATEK shall notify the Client without undue delay and, where feasible, no later than 72 hours after becoming aware of the incident. The notification shall include, to the extent known at the time:
- The nature of the Security Incident, including the categories and approximate number of data subjects and records affected
- The name and contact details of ATEK's data protection contact
- A description of the likely consequences of the Security Incident
- A description of the measures taken or proposed to address the incident
6.2 Breach Notification Content
Where ATEK cannot provide all required information within the initial 72-hour notification, it may provide information in phases, with subsequent communications as additional information becomes available. Each communication shall include:
- Updated details on the scope, cause, and impact of the incident
- Remediation steps taken and timeline for resolution
- Recommendations for actions the Client may wish to take
6.3 Cooperation
ATEK shall cooperate with the Client and provide all reasonable assistance required for the Client to fulfill its own notification obligations to data subjects and regulatory authorities under applicable law.
6.4 Record Keeping
ATEK shall maintain records of all Security Incidents, including those not rising to the threshold requiring notification, and shall make such records available to the Client upon request.
7. Data Retention and Deletion
7.1 During the Service Term
During the term of the Services, ATEK retains Client Data in accordance with the retention schedules set out in the Terms & Conditions and Service Level Agreement. The Client may access, export, and manage its data at any time through the ATEK platform.
7.2 Upon Termination
Upon termination or expiry of the Services, ATEK shall, at the Client's written election:
- Return all Client Data to the Client in a standard machine-readable format within 30 days; or
- Securely delete all Client Data within 30 days, using industry-standard deletion methods
7.3 Certification of Deletion
Upon the Client's written request, ATEK shall provide a written certification confirming the secure deletion of Client Data within 45 days of termination.
7.4 Backup Retention
Notwithstanding the above, ATEK may retain Client Data in encrypted backups for up to 90 days following termination, solely for disaster recovery purposes. Such backup data is subject to the same confidentiality and security obligations as active Client Data and will be deleted at the end of the backup retention period.
8. Data Subject Rights
8.1 Client Responsibility
As the data Controller, the Client is responsible for receiving and responding to requests from data subjects exercising their rights under applicable privacy legislation (including rights of access, correction, deletion, portability, and objection to processing).
8.2 ATEK Assistance
ATEK shall provide reasonable technical assistance to the Client in responding to data subject rights requests, including:
- Providing data export tools within the platform for the Client's own use
- Executing documented deletion requests for specific data subjects upon written instruction from the Client
- Providing metadata and processing records to support the Client's response
- Correcting inaccurate Personal Data upon documented instruction from the Client
8.3 Response Time
ATEK shall respond to reasonable data subject rights assistance requests from the Client within 10 business days. Complex requests may require up to 30 calendar days, with notice to the Client of the extended timeline.
9. Data Protection Impact Assessments
Where required by applicable privacy legislation, ATEK shall provide the Client with reasonable assistance in conducting a data protection impact assessment (DPIA) in relation to the processing of Personal Data under this DPA. ATEK shall make available documentation of its technical and organizational measures, sub-processor relationships, and data flows to support the Client's DPIA process.
10. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms & Conditions. Nothing in this DPA shall exclude or limit either party's liability for breach of applicable data protection legislation, fraud, or wilful misconduct. Where both parties are responsible for a breach of applicable data protection law, each party shall be liable for the portion of the damage attributable to their respective actions or omissions.
11. Term and Termination
11.1 Term
This DPA is effective as of the date the Client first accesses or uses the Services and remains in force for the duration of the Client's subscription to the Services.
11.2 Survival
The obligations relating to confidentiality (Section 3.2), data breach notification (Section 6), data retention and deletion (Section 7), and liability (Section 10) shall survive termination or expiry of this DPA for the periods specified in each section.
12. Governing Law
This DPA is governed by the laws of the Province of Quebec and the federal laws of Canada applicable therein, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). To the extent the Client is subject to the GDPR, this DPA is also intended to satisfy the requirements of Article 28 of the GDPR.
Annex A - Authorized Sub-processors
The following Sub-processors are authorized by the Client as of the effective date of this DPA. ATEK will update this Annex in accordance with Section 4.3 when Sub-processors change.
| Sub-processor | Purpose | Type | Data Processed | Data Location |
|---|---|---|---|---|
| GCP (Google Cloud Platform) | Cloud infrastructure, compute, and application hosting | Storage | All Client Data (user accounts, audit logs, reports, configurations, platform application data) | Canada and United States (region varies by deployment) |
| MongoDB Atlas | Database hosting for sensor data, monitoring records, and platform state | Storage | Environmental sensor data (temperature, humidity, pressure, CO2), alert history, calibration records, user configurations | Canada |
| AWS (Amazon Web Services) | Data transfer infrastructure for LoRaWAN sensor network provisioning and installation | Transit only | Sensor telemetry data during transmission from LoRaWAN gateways to the ATEK Platform | Canada (no persistent storage of Client Data) |
| Twilio | SMS and voice call delivery for monitoring alerts and notifications | Transit only | Phone numbers, alert message content | USA and Canada (no persistent storage of Client Data) |
| SendGrid (Twilio) | Email delivery for alerts, notifications, and platform communications | Transit only | Email addresses, alert/notification content | USA (no persistent storage of Client Data) |
Notes on Sub-processor Data Handling
GCP and MongoDB Atlas
These are ATEK's primary data storage Sub-processors. All data stored with GCP and MongoDB Atlas is encrypted at rest and in transit. ATEK configures these services to store data in Canada by default. GCP may replicate certain platform components to US regions for redundancy; in such cases, data transfers are governed by Google's standard contractual clauses and ATEK's data processing addendum with Google.
AWS
AWS is used solely for LoRaWAN network provisioning through AWS IoT Core. Sensor telemetry passes through AWS only during the network join and provisioning phase. No Client Data is persistently stored in AWS; data is forwarded to the ATEK Platform hosted on GCP and is not retained in AWS after transmission.
Twilio and SendGrid
Twilio and SendGrid are transit-only Sub-processors used to deliver real-time alerts. Personal Data (phone numbers, email addresses, and alert content) is transmitted to these services only at the time of alert delivery and is not persistently stored by these Sub-processors for ATEK's purposes. Both Twilio and SendGrid maintain their own data retention policies as independent data processors for their own compliance purposes.
Contact Information
10007668 CANADA INC. (ATEK)
5490 Boulevard Thimens, Office 240
St-Laurent, Quebec H4R 2K9, Canada
Phone: 1-855-982-2835
Email: privacy@atek.io