Data Processing Agreement

This DPA applies to personal data that Latinum IT Partners processes on behalf of the subscriber in the course of providing the Latinum AI agent service. This includes data accessed through connected integrations, subscriber account data, and agent conversation history.

You are the data controller: you determine the purposes and means of processing, including connected integrations and agent actions. Latinum IT Partners acts as processor and handles personal data only according to your documented instructions and as necessary to provide the Service.

Your use of the Service — including the actions you direct your agent to take — constitutes your processing instructions. If we believe an instruction would violate applicable law, we will notify you and decline to carry it out until the issue is resolved.

To provide the Service, we use OVH Canada for infrastructure, Stripe for billing, and Anthropic for AI inference on the Personal tier only. Each sub-processor is engaged under contractual obligations consistent with this DPA.

• OVH Canada: hosting of the agent and associated data in Beauharnois, Quebec.
• Stripe: payment processing and the billing information required to process payments.
• Anthropic: AI inference for the Personal tier only; Sovereign and Corporate tiers run inference locally in Canada.

We implement appropriate technical and organizational measures, including:

• Encryption of personal data at rest and in transit
• Application-level encryption for OAuth tokens and credentials
• SSH key-only access to server infrastructure
• Hardened operating system configuration with automatic security patching
• Least-privilege access controls
• Audit logging of agent actions and administrative access events

As controller, you remain responsible for data subject requests. Latinum assists by providing exports, deleting data within 30 days of a written request, and notifying you promptly if we receive a request directly related to your account.

Personal data processed under this DPA does not leave Canada, except for billing data handled by Stripe and, on the Personal tier, inference requests sent to Anthropic. If complete sovereignty is required, we recommend the Sovereign or Corporate tiers.

In the event of a personal data breach, Latinum will notify you without undue delay and within 72 hours of becoming aware of the incident. The notice will describe the nature of the breach, affected categories, likely consequences, and the measures taken.

Personal data is retained for the duration of your subscription, plus 90 days after termination. At the end of that period, it is deleted from active systems and backups in accordance with our retention procedures.

You may request deletion at kevin@latinum.ca.

Upon written request, Latinum will provide information reasonably necessary to demonstrate compliance with this DPA. For Corporate tier clients, we can facilitate third-party audits with reasonable notice and appropriate confidentiality protections.

Data processing inquiries: kevin@latinum.ca

Latinum IT Partners · Ontario, Canada