Data Processing Agreement
Effective Date: February 28, 2026
This Data Processing Agreement ("DPA") is entered into by and between the customer using the AdvisorIQ service ("Advisor," "Controller," or "You") and Astrabyte Technologies Inc., a corporation incorporated under the laws of Ontario, Canada ("Astrabyte," "Processor," or "We"). This DPA governs the processing of personal data in connection with the provision of the AdvisorIQ service (the "Service").
This DPA is incorporated into and forms part of the Terms of Service. By executing the Terms of Service or by accessing or using the Service to process Client Data, you enter into this DPA on behalf of yourself and, to the extent required under applicable Data Protection Laws, on behalf of your authorized affiliates.
1. Definitions
- "Client Data" means any Personal Data pertaining to the Advisor's end-clients that is provided to Astrabyte through the Service, including but not limited to client names, portfolio holdings, investment profiles, uploaded documents, and associated financial information.
- "Data Protection Laws" means all applicable laws and regulations relating to the processing, privacy, and protection of Personal Data, including: (a) the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable Canadian provincial privacy legislation; (b) the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR; (c) the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act ("CPRA"); and (d) any other applicable data protection or privacy legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Astrabyte on behalf of the Advisor in connection with the Service.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
- "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.
2. Roles, Scope, and Purpose
The parties acknowledge and agree that, with regard to the Processing of Client Data, the Advisor is the Controller and Astrabyte is the Processor. Astrabyte will Process Client Data exclusively in accordance with the Advisor's documented instructions as embodied in the Terms of Service and the Advisor's use of the Service.
The purpose of Processing is limited to: (a) providing the Service, including retrieval-augmented generation of research responses, pre-meeting briefs, and document indexing; (b) maintaining immutable compliance audit logs; and (c) providing account administration and technical support.
Astrabyte will not sell, rent, lease, or trade Client Data. Astrabyte will not use Client Data for any purpose other than as specified in this DPA and the Terms of Service. Astrabyte will not use Client Data to train, fine-tune, or improve any artificial intelligence or machine learning models.
3. Categories of Data Processed
The following categories of Personal Data may be processed under this DPA:
| Category | Data Elements | Retention |
|---|---|---|
| Advisor account data | Name, email, firm name, role | Duration of subscription + 30 days |
| Client profile data | Client name, investment objectives, risk tolerance, account types, meeting notes | Duration of subscription + 30 days |
| Portfolio data | Ticker symbols, asset names, allocation weights, asset classes | Duration of subscription + 30 days |
| Uploaded documents | File contents (PDF, DOCX, TXT, CSV, XLSX), indexed text segments | Duration of subscription + 30 days |
| Audit trail records | Query text, AI-generated responses, citations, confidence scores, timestamps | 7 years (immutable, regulatory requirement) |
4. Confidentiality
Astrabyte shall ensure that all personnel authorized to Process Client Data: (a) have committed themselves to confidentiality obligations or are under an appropriate statutory obligation of confidentiality; (b) have received appropriate training on data protection responsibilities; and (c) process Client Data only on documented instructions from the Advisor, unless required to do so by applicable law, in which case Astrabyte shall inform the Advisor of that legal requirement before Processing (unless prohibited from doing so by law).
5. Security Measures
Astrabyte shall implement and maintain appropriate technical and organizational measures to protect Client Data against Security Incidents, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. These measures include:
- Encryption: AES-256 encryption of data at rest; TLS 1.3 encryption of data in transit.
- Access controls: Role-based access control (RBAC) with the principle of least privilege. Multi-factor authentication for administrative access to production systems.
- Multi-tenant isolation: Logical separation of each firm's data at the application level, enforced through firm-scoped database queries.
- Immutable logging: Compliance audit records are append-only and cannot be modified or deleted.
- Monitoring: Continuous security monitoring of production infrastructure.
- Personnel security: Background checks and confidentiality agreements for all personnel with access to production systems.
6. Security Incident Notification
In the event of a Security Incident affecting Client Data, Astrabyte shall:
- Notify the Advisor without undue delay, and in any event within seventy-two (72) hours of becoming aware of the Security Incident;
- Provide the Advisor with sufficient information to enable the Advisor to meet any obligations to report or inform affected individuals or data protection authorities, including: the nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the incident;
- Take all reasonable steps to contain, investigate, and mitigate the effects of the Security Incident;
- Cooperate with the Advisor and provide such information and assistance as the Advisor may reasonably require in connection with any investigation, notification, or remediation.
7. Sub-processing
Astrabyte does not share, sell, or disclose Client Data to third parties for their own purposes. All data Processing is performed within Astrabyte's controlled technical environment on secure cloud infrastructure.
In the event that Astrabyte needs to engage a Sub-processor in the future, Astrabyte will: (a) provide the Advisor with at least thirty (30) days' prior written notice identifying the Sub-processor and describing the Processing to be performed; (b) ensure the Sub-processor is bound by data protection obligations no less protective than those set out in this DPA; and (c) remain fully liable to the Advisor for the performance of the Sub-processor's obligations. If the Advisor objects to a proposed Sub-processor, the Advisor may terminate the affected Service by providing written notice within the thirty-day notice period.
8. International Data Transfers
Client Data may be processed in Canada and the United States, where our cloud infrastructure is hosted. Where Client Data originating from the European Economic Area ("EEA"), the United Kingdom, or Switzerland is transferred to a jurisdiction that has not received an adequacy determination, Astrabyte shall ensure that appropriate safeguards are in place in accordance with applicable Data Protection Laws, including the execution of Standard Contractual Clauses ("SCCs") as approved by the European Commission, or reliance on other lawful transfer mechanisms. Advisors may request a copy of the applicable transfer mechanism by contacting research@advisoriq.dev.
9. Data Subject Rights
Astrabyte shall, taking into account the nature of the Processing, provide reasonable assistance to the Advisor in responding to requests from data subjects exercising their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection). Where Astrabyte receives a request directly from a data subject, Astrabyte shall promptly redirect the individual to the Advisor unless legally prohibited from doing so. Astrabyte shall not independently respond to data subject requests except as required by applicable law.
10. Audit Rights
Astrabyte shall make available to the Advisor, upon reasonable written request and no more than once per twelve-month period, information necessary to demonstrate compliance with the obligations set out in this DPA. This may include: (a) completion of a written security questionnaire; (b) provision of relevant third-party audit reports or certifications (such as SOC 2 Type II reports, when available); or (c) subject to mutual agreement on scope, timing, and confidentiality, a reasonable on-site or remote audit conducted by the Advisor or an independent third-party auditor at the Advisor's expense.
11. Deletion and Return of Data
Upon termination or expiration of the Terms of Service, and at the Advisor's written election, Astrabyte shall either: (a) return all Client Data to the Advisor in a structured, commonly used, machine-readable format (CSV or JSON); or (b) securely delete all Client Data in its possession or control, and provide written certification of such deletion.
The following exceptions apply:
- Audit trail records: Compliance audit logs (queries, responses, citations) are retained for a minimum of seven (7) years from creation regardless of account termination, as these records are maintained for regulatory compliance purposes. These records are immutable and cannot be modified or deleted during the retention period.
- Legal holds: Data subject to a legal hold, litigation, regulatory investigation, or other legal obligation will be retained for the duration of such obligation.
- Backup systems: Data residing on backup systems will be overwritten in accordance with Astrabyte's standard backup rotation schedule and will not be actively processed during the backup retention period.
12. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA shall limit either party's liability for: (a) breaches of confidentiality obligations; (b) either party's indemnification obligations; or (c) liability that cannot be limited by applicable law.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, consistent with the governing law provisions of the Terms of Service.
14. Contact
For inquiries regarding data processing, to exercise audit rights, or to report a Security Incident, please contact:
Astrabyte Technologies Inc.
Data Protection Officer
Toronto, Ontario, Canada
research@advisoriq.dev