Case Studies Free Playbook About Contact Terms of Service Apply for a Proof of Concept →

Perceptrus helps businesses validate AI projects before they invest by running evidence-based proof of concepts that deliver clarity in 21 days.

Legal

Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement or Statement of Work (the "Principal Agreement") between Perceptrus.com (the "Service Provider" or "Processor") and [Client Business Name] (the "Client" or "Controller").

1

Definitions

"Personal Information" means any information about an identifiable individual as defined by the Personal Information Protection and Electronic Documents Act (PIPEDA).

"Client Data" means any data, including Personal Information, provided by the Client to the Service Provider for the purpose of the Proof of Concept (PoC).

"Proof of Concept (PoC)" means the temporary, localized project designed to test the feasibility of Artificial Intelligence (AI) solutions for the Client.

"Sub-processor" means any third party (such as cloud hosting or AI API providers) engaged by the Service Provider to process Client Data.

2

Scope and Purpose of Processing

  • Role of the Parties: The Client is the owner and Controller of the Client Data. The Service Provider is the Processor acting solely on behalf of the Client.
  • Purpose: The Service Provider will process Client Data exclusively for the purpose of executing the AI Proof of Concept as outlined in the Principal Agreement.
  • No Alternative Use: The Service Provider will not use, sell, rent, or disclose Client Data for any other purpose, including for the Service Provider's own marketing or internal development, outside the scope of the PoC.

3

Artificial Intelligence Specific Commitments

Because the nature of the Services involves Artificial Intelligence technologies, the Service Provider expressly agrees to the following:

  • No Public Model Training: The Service Provider guarantees that Client Data will not be used to train, retrain, or improve public or foundational AI models (e.g., public versions of OpenAI's ChatGPT, Google Gemini, or Anthropic Claude).
  • API Privacy: If utilizing third-party AI models, the Service Provider will strictly use Enterprise API endpoints that have zero-data-retention policies regarding model training.
  • Data Minimization & De-identification: The Service Provider strongly advises the Client to provide synthetic (fake), anonymized, or de-identified data for the PoC whenever possible.

4

Obligations of the Client

  • The Client warrants that it has all necessary rights, consents, and lawful authority to provide the Client Data to the Service Provider.
  • The Client is solely responsible for the accuracy, quality, and legality of the Client Data.

5

Sub-processing

  • The Client grants general authorization for the Service Provider to use Sub-processors (such as Microsoft Azure, Amazon Web Services, or OpenAI Enterprise API) to deliver the PoC.
  • The Service Provider maintains a list of current Sub-processors and will notify the Client of any changes.
  • The Service Provider ensures that any Sub-processor is bound by written obligations providing the same or greater level of data protection as this DPA.

6

Security of Client Data

The Service Provider will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Client Data in transit (e.g., TLS) and at rest.
  • Strict access controls, ensuring only authorized personnel working directly on the PoC have access to the data.
  • Secure data isolation (e.g., using isolated cloud environments or tenant isolation).

7

Incident and Breach Management

  • In the event of a suspected or actual security breach involving Client Data, the Service Provider will notify the Client without undue delay, and in no event later than forty-eight (48) hours after becoming aware of the breach.
  • The Service Provider will provide reasonable assistance to the Client to investigate and mitigate the breach, and to fulfill any legal obligations the Client has to report the breach to the Office of the Privacy Commissioner of Canada (OPC) or affected individuals.

8

Return and Deletion of Data (The "PoC Sunset Clause")

Because a Proof of Concept is a temporary project, data retention is strictly limited.

  • Upon completion, termination, or expiration of the PoC, the Service Provider will securely delete and destroy all Client Data from its systems and the systems of its Sub-processors within [e.g., fourteen (14) days], unless required by law to retain it.
  • The Service Provider will provide written certification of this deletion upon the Client’s request.

9

Governing Law & Execution

This DPA shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein.

IN WITNESS WHEREOF, the parties have executed this Data Processing Agreement as of the Effective Date.

Perceptrus.com (Processor)
Signature: __________________________
Name: ______________________________
Title: _______________________________
Date: _______________________________

[Client Business Name] (Controller)
Signature: __________________________
Name: ______________________________
Title: _______________________________
Date: _______________________________