Data Processing Agreement
Effective: March 15, 2026 · Questions: [email protected]
1. Introduction
This Data Processing Agreement ("DPA") supplements the Master Services Agreement and Terms of Service between Northcast ("Processor," "we") and the Client ("Controller," "you"). This DPA applies when Northcast processes personal data on behalf of Client in the course of providing services, including the Northcast Inbox (AI receptionist), voice agents, website hosting, CRM integrations, and audit services.
This DPA is designed to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the European Union General Data Protection Regulation (GDPR) and other international data protection laws.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that Northcast processes on Client's behalf.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, transmission, and deletion.
- "Data Subject" means the individual whose Personal Data is processed (e.g., Client's customers, leads, contacts).
- "Sub-processor" means any third party engaged by Northcast to process Personal Data on behalf of Client.
- "Data Breach" means any unauthorized access, disclosure, or loss of Personal Data.
3. Roles and Responsibilities
3.1 Controller (Client)
Client determines the purposes and means of processing Personal Data. Client is responsible for: (a) ensuring a lawful basis for processing under applicable law; (b) informing Data Subjects about the use of AI-powered communication tools; (c) responding to Data Subject access, correction, and deletion requests; (d) ensuring all data provided to Northcast is collected in compliance with applicable privacy laws.
3.2 Processor (Northcast)
Northcast processes Personal Data only on Client's documented instructions. Northcast shall: (a) process data solely to provide the contracted services; (b) implement appropriate technical and organizational security measures; (c) assist Client in responding to Data Subject requests; (d) delete or return all Personal Data upon termination of services, as directed by Client.
4. Data Processed
The categories of Personal Data processed depend on the services engaged:
| Service | Data Categories | Data Subjects |
|---|---|---|
| Inbox (AI Receptionist) | Name, phone number, email, message content, channel identifiers | Client's customers |
| Voice Agents | Name, phone number, call recordings, transcripts | Client's leads/customers |
| Website / Lead Capture | Name, email, phone, form submissions, IP address | Website visitors |
| Audit Reports | Business owner name, email, business data | Client (business owner) |
| CRM Integrations | Contact details, job details, communication history | Client's customers |
5. Sub-processors
Client authorizes Northcast to engage the following sub-processors. Northcast will provide thirty (30) days' notice before adding new sub-processors.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | Canada |
| Vercel | Application hosting and CDN | Global |
| Stripe | Payment processing | USA |
| OpenAI | AI model processing | USA |
| Google (Gemini) | AI model processing | USA |
| Anthropic | AI model processing | USA |
| Twilio | SMS and voice communications | USA |
| Meta (WhatsApp/IG/FB) | Messaging channels | USA |
| Retell AI | Voice agent infrastructure | USA |
| Resend | Transactional email | USA |
6. Security Measures
Northcast implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Authentication and access controls (OAuth 2.0, session management)
- Regular security audits and vulnerability assessments
- Webhook signature verification (HMAC-SHA256) for all inbound integrations
- API route authentication enforcement (session-based access control)
- Principle of least privilege for database and infrastructure access
- Logging and monitoring of access to Personal Data
7. Data Breach Notification
In the event of a Data Breach involving Personal Data processed on Client's behalf, Northcast shall:
- Notify Client without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach
- Provide details of: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach
- Cooperate with Client's investigation and notification obligations under applicable law
- Take immediate steps to contain the breach and prevent further unauthorized access
Client is responsible for determining whether and how to notify affected Data Subjects and regulatory authorities under applicable law (e.g., the Office of the Privacy Commissioner of Canada).
8. Data Subject Rights
Northcast shall assist Client in fulfilling Data Subject requests under applicable law, including requests for: access, rectification, erasure, restriction of processing, data portability, and objection to processing.
If Northcast receives a request directly from a Data Subject, Northcast will promptly redirect the request to Client unless legally prohibited from doing so.
9. International Transfers
Personal Data may be processed by sub-processors located outside of Canada. Where Personal Data is transferred to jurisdictions that may not provide equivalent data protection, Northcast ensures that appropriate safeguards are in place through: (a) contractual obligations with sub-processors requiring equivalent data protection standards; (b) sub-processors' compliance with applicable data protection certifications and frameworks.
10. Data Retention and Deletion
Northcast retains Personal Data for the duration of the service engagement plus ninety (90) days for transition purposes. Upon termination or upon Client's written request:
- Client may request a data export in a standard machine-readable format (JSON or CSV)
- Northcast will delete all Personal Data within thirty (30) days of receiving a deletion request, except where retention is required by law
- Deletion includes removal from active databases and, within ninety (90) days, from backup systems
11. Audit Rights
Client may request, no more than once per calendar year and with thirty (30) days advance notice, reasonable documentation demonstrating Northcast's compliance with this DPA. Northcast may satisfy this obligation by providing: security certifications, audit reports, or written responses to Client's reasonable compliance questionnaire.
12. Term
This DPA remains in effect for the duration of Northcast's processing of Personal Data on Client's behalf. Obligations regarding data deletion and confidentiality survive termination.
13. Contact
For data protection inquiries:
Northcast — Privacy
Email: [email protected]
Canada