Effective Date: April 6, 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between Netxafe (“Processor”) and the client organisation (the “Client” or “Controller”) and governs the processing of personal data by Netxafe on behalf of the Client in connection with the delivery of cybersecurity services. This DPA is intended to satisfy the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian privacy law.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person provided by the Client to Netxafe for the purpose of service delivery
- “Processing” means any operation performed on Personal Data, including collection, storage, use, analysis, and deletion
- “Controller” means the Client organisation that determines the purposes and means of processing Personal Data
- “Processor” means Netxafe, which processes Personal Data on behalf of and under the instruction of the Controller
2. Scope of Processing
Netxafe processes the following categories of Client data in the course of service delivery:
- Domain names and associated technical infrastructure data
- Staff email addresses submitted for breach database verification
- Contact information of the Client’s authorised representative
- Security findings and vulnerability data specific to the Client’s organisation
Netxafe processes this data solely for the purpose of delivering contracted cybersecurity services and for no other purpose.
3. Netxafe’s Obligations as Processor
Netxafe agrees to:
- Process Client Personal Data only on the documented instructions of the Client
- Ensure that all personnel with access to Client data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures to protect Client data
- Not engage any sub-processor to process Client data without prior written notification to the Client
- Assist the Client in responding to requests from individuals exercising their rights under PIPEDA
- Notify the Client without undue delay upon becoming aware of a personal data breach affecting Client data
- Delete or return all Client Personal Data upon termination of the service agreement
- Make available all information reasonably necessary to demonstrate compliance with this DPA
4. Technical and Organisational Security Measures
Netxafe implements the following measures to protect Client data:
- Encryption of all Client data in transit using TLS 1.2 or higher
- Encrypted storage of all Client data at rest
- Access controls ensuring only authorised personnel can access Client data
- Secure deletion protocols applied upon data retention expiry or Client request
- Regular internal review of security practices applicable to data processing activities
5. Data Retention and Deletion
Netxafe retains Client Personal Data for the following periods:
- Scan results and report data: 24 months from date of delivery
- Retainer client data: Duration of service agreement plus 24 months
- Contact and billing records: 7 years as required by Canadian tax law
Upon expiry of the applicable retention period, Netxafe will securely delete all Client Personal Data using industry-standard deletion methods. The Client may request earlier deletion at any time by contacting legal@netxafe.ca.
6. Data Breach Notification
In the event of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Personal Data, Netxafe will notify the Client within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to address the breach.
7. Sub-processors
Netxafe currently uses the following sub-processors in the delivery of services:
- Anthropic (Claude API): AI processing for report generation. Data processed: anonymised scan results only. Location: United States (data minimisation applied)
- Bluehost: Website hosting. Data processed: website visitor data only. Location: United States
Netxafe will notify the Client of any intended changes to the above sub-processor list at least 30 days in advance, providing the Client an opportunity to object.
8. Governing Law
This DPA is governed by the laws of the Province of Ontario and the federal laws of Canada. Any dispute arising from this DPA shall be resolved in the courts of Ontario, Canada.
9. Contact
Data processing enquiries: legal@netxafe.ca