Data Processing Addendum
How PeakSpire handles, secures, and processes client data during service delivery.
Last Updated: March 2026
This Data Processing Addendum (“DPA”) supplements the Master Services Agreement between PeakSpire Inc. (“PeakSpire,” “Processor”) and the Client (“Controller”). It applies when PeakSpire processes personal data on behalf of the Client during service delivery.
1. When This DPA Applies
This DPA applies when PeakSpire has access to or processes personal data belonging to the Client’s customers, users, or contacts. Common scenarios include:
- Building or maintaining a website with contact forms that collect visitor data
- Accessing the Client’s Google Analytics or other analytics platforms
- Configuring CRM integrations on the Client’s website
- Managing email list integrations
- Accessing the Client’s WordPress admin where customer data (orders, inquiries) may be visible
2. Definitions
- Personal Data: Any information relating to an identified or identifiable individual, as defined by PIPEDA.
- Processing: Any operation performed on personal data, including collection, storage, access, modification, transmission, or deletion.
- Controller: The Client, who determines the purposes and means of processing personal data.
- Processor: PeakSpire, which processes personal data on behalf of the Controller.
3. PeakSpire’s Obligations
When processing personal data on behalf of the Client, PeakSpire will:
- Process personal data only as necessary to deliver the services described in the SOW
- Not use the Client’s personal data for PeakSpire’s own purposes (marketing, analytics, profiling)
- Implement reasonable technical and organizational security measures to protect personal data
- Not share the Client’s personal data with third parties without the Client’s written consent, except as required by law
- Promptly notify the Client if PeakSpire receives a request from a data subject (the Client’s customer) regarding their personal data
- Assist the Client in responding to data subject requests (access, correction, deletion) to the extent commercially reasonable
- Return or delete all Client personal data upon termination of the service engagement, at the Client’s direction
4. Security Measures
PeakSpire maintains the following security measures when handling Client data:
- Encrypted connections (SSL/TLS) for all remote access
- SSH key-based authentication for server access (no password-based login)
- Credentials stored in encrypted, gitignored configuration files, never in source code
- Access limited to PeakSpire’s founder (sole operator) on a need-to-know basis
- Two-factor authentication on all service provider accounts (hosting, CRM, email)
- Client credentials deleted from PeakSpire’s systems within 30 days of project completion
5. Sub-Processors
PeakSpire may use the following sub-processors when delivering services that involve Client data:
| Sub-Processor | Purpose | Location |
|---|---|---|
| SiteGround | Website hosting (if PeakSpire provisions hosting) | Various (Client chooses data centre location) |
| Google (Analytics, PageSpeed) | Analytics and performance monitoring | United States |
| Brevo | Email delivery (if configured for Client forms) | European Union |
PeakSpire will notify the Client before engaging a new sub-processor that would have access to the Client’s personal data. The Client may object within 14 days of notification.
6. Breach Notification
In the event of a personal data breach involving Client data:
- PeakSpire will notify the Client within 72 hours of becoming aware of the breach.
- The notification will include: the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
- PeakSpire will cooperate with the Client’s investigation and any required notifications to affected individuals or the Privacy Commissioner.
7. Data Retention
- PeakSpire does not retain Client personal data beyond what is necessary to deliver the contracted services.
- Upon project completion or service termination, PeakSpire will delete Client personal data from its systems within 30 days, unless the Client requests earlier deletion or data return.
- Backups containing Client data are rotated and overwritten within 90 days.
8. Audit Rights
The Client may request, no more than once per year, a summary of PeakSpire’s data processing activities and security measures related to the Client’s data. PeakSpire will respond within 30 days.
9. Term
This DPA remains in effect for the duration of the service relationship and for 30 days after termination (to allow for data deletion).
10. Contact
- Email: info@peakspire.ca
- Phone: (343) 842-4444
Address: 110 Didsbury Rd Suite M110, Kanata, ON K2T 0C2