Data Processing Agreement (DPA) — AIOrouter
Template Version: 1.1.1 Date: 2026-06-02 Status: Draft Template — Customize per enterprise customer agreement. Public template uses customer-facing control descriptions; detailed implementation evidence is available under review. Governing Law: Province of Quebec, Canada
1. Parties
- Data Processor: AIOCANA Inc. (operating as "AIOrouter"), Montreal, Quebec, Canada — privacy@aiorouter.ca
- Data Controller: [Enterprise Customer Name] ("Customer")
This DPA forms part of the AIOrouter Terms of Service and governs the processing of Personal Data by AIOrouter on behalf of the Customer.
2. Purpose and Scope
2.1 Processing Purpose
AIOrouter processes Personal Data solely for:
- Routing AI API requests from the Customer's authorized users to selected AI model providers
- Billing and usage tracking per the Customer's subscription tier
- Security monitoring, including abuse-prevention and privacy-filtering controls
- Compliance audit logging as required by Canadian privacy law (PIPEDA)
2.2 Data Categories
The Personal Data processed includes:
- Customer user email addresses (for account identification)
- API request metadata (model, token count, timestamp, cost)
- API request content (prompts) — processed in memory only, never stored
- IP addresses (for security and geo-anomaly detection)
2.3 Data Subjects
The data subjects are the Customer's authorized users of the AIOrouter API service.
3. Data Residency
All Personal Data is processed and stored exclusively in Canada:
| Storage System | Location | Encryption |
|---|---|---|
| Primary database | Montreal, Canada | Managed encryption at rest |
| Cache and session services | Montreal, Canada | Encrypted private service access where supported |
| Operational audit logs | Montreal, Canada | Managed encryption and retention controls |
| Security and key-management services | Canada-oriented cloud controls | Managed encryption and least-privilege access |
Outbound data: Prompt content is forwarded to the selected AI model provider's API endpoint (located in China or the United States, depending on the model). Before forwarding, AIOrouter applies privacy filtering and data minimization intended to reduce exposure of sensitive Personal Data.
4. Sub-Processors
AIOrouter uses the following sub-processors:
| Sub-Processor | Service | Data Processed | Location |
|---|---|---|---|
| Google Cloud Platform (GCP) | Cloud hosting, database, cache, storage, logging, secrets, and security services | Infrastructure and operational data | Montreal, Canada |
| Stripe, Inc. | Payment processing | Payment transaction data (CAD) | Global (Stripe Canada) |
| DeepSeek | AI model inference | Protected prompt content (in-memory only) | China / Global |
| Alibaba Cloud Model Studio | AI model inference for Qwen and GLM models | Protected prompt content (in-memory only) | China / Global |
| Moonshot AI | AI model inference for Kimi models | Protected prompt content (in-memory only) | China / Global |
| Google AI | AI model inference for Gemini models | Protected prompt content (in-memory only) | United States / Global |
AIOrouter will notify the Customer of any new sub-processors at least 30 days before engagement. The Customer may object to new sub-processors on reasonable data protection grounds.
5. Security Measures
AIOrouter implements the following technical and organizational security measures:
| Measure | Description | Standard |
|---|---|---|
| Encrypted Transport | Data in transit encrypted using modern HTTPS standards | NIST SP 800-52 |
| API Key Authentication | All API access requires a 256-bit random API key stored only as a SHA-256 lookup hash | OWASP ASVS V2.10 |
| Privacy Filtering | Automated controls reduce exposure of sensitive Personal Data before provider routing | PIPEDA Schedule 1 |
| Abuse Prevention | Request screening and service controls reduce misuse and unsafe behavior | OWASP LLM Top 10 |
| Zero Prompt Retention | Prompts processed in memory only; never written to disk, DB, or logs | Technical enforcement |
| Audit Trail | Operational audit metadata retained in Canadian infrastructure with managed retention and access controls | PIPEDA §5 |
| Rate Limiting | Per-user, per-model rate limiting prevents abuse and model extraction | OWASP API Top 10 |
| Network and Application Controls | Layered controls reduce common web and API risks | OWASP Top 10 |
| Access Control | Least-privilege access, MFA for privileged operations, and periodic access review | Cloud security best practice |
5.2 Limitation on Security Warranty
The security measures described in Section 5.1 represent AIOrouter's commercially reasonable efforts and are consistent with or exceed industry standards for API proxy services. However, the Controller acknowledges that:
(a) No security system is absolute. AIOrouter does not warrant that its security measures will prevent all unauthorized access, cyberattacks, data breaches, or security incidents.
(b) The threat landscape evolves continuously. Novel attack vectors, zero-day vulnerabilities, and supply chain compromises may defeat any defensive system.
(c) The Controller accepts the residual risk inherent in any cloud-based service and agrees that AIOrouter's liability for security incidents is governed by the Limitation of Liability provisions of the master Terms of Service.
(d) AIOrouter shall notify the Controller of any confirmed security breach affecting the Controller's Personal Data in accordance with Section 6 (Breach Notification). Such notification does not constitute an admission of liability.
6. Breach Notification
6.1 Detection
AIOrouter maintains breach detection procedures monitoring:
- Abuse-prevention anomaly signals
- Privacy-filter anomaly signals
- Outbound data volume anomalies
6.2 Notification to Controller
In the event of a confirmed Personal Data breach, AIOrouter will notify the Customer:
- Within 72 hours of confirmation (per PIPEDA requirements)
- Via email to the Customer's designated privacy contact
- Including: description of breach, categories of data affected, estimated number of data subjects, likely consequences, measures taken
6.3 Cooperation
AIOrouter will reasonably cooperate with the Customer in:
- Investigating the breach
- Notifying affected data subjects
- Notifying relevant supervisory authorities (e.g., OPC, CAI Quebec)
7. Data Subject Rights
AIOrouter assists the Customer in fulfilling Data Subject Access Requests (DSARs):
- Export: Self-service data export via GET /privacy/my-data
- Deletion: Account deletion with 30-day grace period via DELETE /privacy/my-data
- Portability: Machine-readable JSON export of all user data
- Response SLA: 30 days from request (per PIPEDA Principle 9)
AIOrouter will notify the Customer of any DSARs received directly from data subjects within 5 business days.
8. Data Deletion / Return
8.1 Contract Termination
Upon termination of the service agreement:
- Customer may export all user data via the DSAR export API (within 30 days of termination)
- AIOrouter will delete all Personal Data within 30 days of contract termination
- Billing records retained for 7 years as required by Canada Revenue Agency (CRA)
8.2 Deletion Method
Personal Data is deleted by:
- Anonymizing user email addresses (
deleted_{userId}@deleted.aiorouter.ca) - Revoking all API keys
- Deleting consent records
- Retaining only billing records (for CRA compliance, 7 years)
9. Audit Rights
9.1 Compliance Evidence
AIOrouter provides the following compliance evidence upon request:
- Privacy and security evidence package under NDA
- Breach history summary (anonymized)
- Sub-processor list (current)
9.2 Audit
The Customer may audit AIOrouter's compliance with this DPA:
- No more than once per 12-month period
- With 30 days' advance written notice
- During normal business hours
- At Customer's expense
Alternatively, AIOrouter may provide a third-party audit report (e.g., SOC 2 Type II) in lieu of an on-site audit.
10. Governing Law
This DPA is governed by the laws of the Province of Quebec, Canada. Any disputes arising from this DPA shall be resolved through arbitration in Montreal, Quebec.
Applicable privacy laws:
- Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada
- Act Respecting the Protection of Personal Information in the Private Sector (Law 25) — Quebec
Template Usage: Replace
[Enterprise Customer Name]with the legal entity name of the Customer. Both parties must sign and retain executed copies in their records.