Data Processing Agreement.
When we build and run systems that handle personal information for your business, you are the controller of that data and we act as your processor. This page summarizes the terms that govern that relationship. A full DPA is available to execute for any engagement — just ask.
Current version · we update this page as our practices evolve
Roles
You (the client) are the data controller— you decide what data is collected and why. AltaPro AI is the data processor — we process that data only to deliver the system we were hired to build and run, and only on your documented instructions.
Scope & Purpose
We process the categories of data, for the purposes, and for the duration set out in your service agreement. We don't process it for our own unrelated purposes. Where your agreement permits us to use data to improve and expand our services and AI capabilities, that is stated in the agreement.
Security
We apply appropriate technical and organizational measures — encryption in transit and at rest, role-based access and least privilege, and vetted infrastructure providers. See our Security & Compliance page.
Subprocessors
We use the subprocessors listed on our compliance page to help deliver the service. Each is bound to protect data. We keep client data confidential and never expose one client's data to another, and we notify you before adding a subprocessor that would process your data.
Data Subject Rights
If someone whose data you control asks to access, correct, or delete their information, we'll help you respond within the timelines the law requires under PIPEDA and Alberta's PIPA.
Breach Notification
If we become aware of a security breach affecting your data, we'll notify you without undue delay and share what we know so you can meet your own reporting obligations.
Return & Deletion
When an engagement ends, we return or delete the personal data we hold for you, except where we're required to keep it by law. Your data belongs to you.
International Transfers
Some of our infrastructure and AI providers operate in the United States and elsewhere. Where data crosses borders, we rely on those providers' own safeguards and only use reputable vendors.
Requesting the Full DPA
Need a signed DPA for your procurement or compliance file? Email haruun@unconventionalgroup.ca and we'll send our current DPA to review and execute. This summary is for information and doesn't replace the signed agreement.