Data Processing Agreement
Latinum IT Partners · Last updated April 3, 2026
1. Scope
This DPA applies to personal data ("Personal Data") that Latinum IT Partners ("Processor") processes on behalf of the subscriber ("Controller") in the course of providing the Latinum AI agent service.
Personal Data subject to this DPA includes data accessed through connected integrations — such as email contacts, calendar event participants, and CRM records — as well as subscriber account data and agent conversation history.
This DPA does not apply to data that Latinum processes as a data controller in its own right (e.g., billing data, marketing communications), which is governed by our Privacy Policy.
2. Roles: Controller and Processor
You (the subscriber) are the data controller. You determine the purposes and means of processing — i.e., you decide what the agent does, what integrations it connects to, and what actions it takes on your behalf.
Latinum IT Partners is the data processor. We process Personal Data only according to your instructions, as expressed through your use of the Service and your agent configuration. We do not process Personal Data for our own purposes beyond what is necessary to provide the Service.
3. Processing Instructions
Latinum processes Personal Data solely in accordance with your documented instructions. Your use of the Service — including the actions you direct your agent to take — constitutes your processing instructions.
If we believe an instruction would violate applicable law, we will notify you promptly and decline to carry out the instruction until the issue is resolved.
4. Sub-Processors
To provide the Service, Latinum uses the following sub-processors. Each is engaged under a contract that imposes data protection obligations consistent with this DPA:
- Dedicated server infrastructure hosting your agent and all associated data. Data centre located in Beauharnois, Quebec, Canada. No data leaves Canada through this sub-processor.
- Payment processing for subscription fees. Stripe receives your name, email address, and billing address to process payments. Payment card data is handled entirely by Stripe and never touches Latinum infrastructure. Stripe is PCI-DSS Level 1 certified.
- Claude API is used for AI inference on the Personal tier only. Anthropic's API policy states that API inputs and outputs are not used to train their models. Sovereign and Corporate tier clients run AI inference locally in Canada via Ollama and do not send data to Anthropic. Clients who require complete data sovereignty should select the Sovereign or Corporate tier.
We will notify you of any changes to this sub-processor list by email at least 14 days before a new sub-processor begins processing your data, giving you the opportunity to object.
5. Security Measures
Latinum implements the following technical and organizational measures to protect Personal Data:
- Encryption of Personal Data at rest using AES-256
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Application-level encryption for OAuth tokens and credentials
- SSH key-only access to server infrastructure; no password authentication
- Hardened operating system configuration with automatic security patching
- Least-privilege access controls: services and personnel access only what they need
- Audit logging of agent actions and administrative access events
- Regular security assessments conducted by our certified cybersecurity team
6. Data Subject Rights and PIPEDA Obligations
As the data controller, you are responsible for responding to data subject requests (access, correction, deletion) from individuals whose Personal Data you process through the Service.
Latinum will assist you in fulfilling these obligations by:
- Providing you with access to export your data and agent history on request
- Deleting your data and all associated Personal Data within 30 days of a written deletion request
- Notifying you within 72 hours if we receive a data subject request directly related to your account
- Providing information about our data processing practices to support your PIPEDA compliance obligations
7. Data Transfers
Personal Data processed under this DPA does not leave Canada, except as follows:
- Stripe: Billing data is processed by Stripe, which may operate infrastructure outside Canada. Only the minimum data necessary for payment processing is transferred (name, email, billing address).
- Anthropic (Personal tier): AI inference requests on the Personal tier are sent to Anthropic's API. Anthropic's infrastructure may be located outside Canada. If this is a concern, we recommend the Sovereign tier.
8. Breach Notification
In the event of a Personal Data breach, Latinum will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of individuals and records affected
- A description of the likely consequences of the breach
- The measures taken or proposed to address the breach
You remain responsible for notifying affected individuals and the Office of the Privacy Commissioner of Canada as required under PIPEDA and the Breach of Security Safeguards Regulations.
9. Retention and Deletion
Latinum retains Personal Data for as long as your subscription is active, plus 90 days after termination. At the end of the retention period, all Personal Data is permanently deleted from active systems and backups.
You may request deletion at any time by emailing kevin@latinum.ca. Deletion will be completed within 30 days of the request.
10. Audit Rights
Upon written request, Latinum will provide you with information necessary to demonstrate compliance with this DPA. For Corporate tier clients, we will facilitate third-party security audits with reasonable notice (minimum 30 days) and subject to a confidentiality agreement.
11. Contact
Data processing inquiries: kevin@latinum.ca
Latinum IT Partners · Ontario, Canada