Data Processing Agreement
Version 1.0 · Effective date: April 15, 2026 · Last updated: March 30, 2026
This Data Processing Agreement ("DPA") forms part of the VimyHQ Terms of Service between BluePeak Systems Inc. ("Processor," "BluePeak," "we," or "us") and the Customer ("Controller," "you," or "your"). This DPA sets out the terms governing BluePeak's processing of Personal Data on behalf of the Customer in connection with the VimyHQ service.
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail to the extent of the conflict with respect to data processing matters.
1. Definitions
- "Personal Data" means any information about an identifiable individual, as defined under PIPEDA and applicable provincial privacy legislation, that is processed by BluePeak in connection with the Service.
- "Processing" means any operation performed on Personal Data, including collection, use, storage, disclosure, modification, transmission, retrieval, and deletion.
- "Security Incident" means any confirmed unauthorized access to, acquisition of, use of, or disclosure of Personal Data in BluePeak's custody or control.
- "Subprocessor" means any third party engaged by BluePeak to process Personal Data on behalf of the Customer.
- "Applicable Privacy Law" means PIPEDA, Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25), the Personal Information Protection Act (British Columbia), the Personal Information Protection Act (Alberta), and any other applicable Canadian federal or provincial privacy legislation.
- "PIPEDA" means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, as amended.
2. Scope and Roles
2.1 Roles: For the purposes of this DPA, the Customer is the Controller of Personal Data, and BluePeak is the Processor. BluePeak processes Personal Data solely on behalf of and under the documented instructions of the Customer.
2.2 Scope of Processing: BluePeak processes Personal Data only to the extent necessary to provide the VimyHQ Service as described in the Agreement. The details of processing are set out in Annex A of this DPA.
2.3 Customer Obligations: The Customer represents and warrants that: (a) it has all necessary rights, consents, and legal authority to provide Personal Data to BluePeak for processing; (b) its instructions to BluePeak comply with Applicable Privacy Law; and (c) it has provided any required notices and obtained any required consents from individuals whose Personal Data is processed through the Service.
3. Processing Instructions
BluePeak will process Personal Data only in accordance with the Customer's documented instructions. The Agreement, including this DPA, constitutes the Customer's initial instructions. Additional instructions must be provided in writing and mutually agreed upon.
BluePeak will inform the Customer if, in BluePeak's opinion, an instruction infringes Applicable Privacy Law. BluePeak is not obligated to independently determine whether the Customer's instructions comply with law.
BluePeak will not process Personal Data for any purpose other than providing the Service, unless required by law. If BluePeak is required by law to process Personal Data for another purpose, BluePeak will inform the Customer of that legal requirement before processing, unless prohibited by law from doing so.
4. Data Location and Sovereignty
All Personal Data processed by BluePeak in connection with the Service is stored and processed exclusively within Canada. BluePeak does not transfer Personal Data outside of Canada for processing, storage, or any other purpose.
BluePeak's infrastructure, including compute, storage, AI inference, and backup systems, is located entirely in Canadian data centers. No Personal Data is sent to any infrastructure located outside Canada.
If a Subprocessor requires access to Personal Data, such Subprocessor must process the data within Canada, as set out in Section 7 of this DPA.
5. Security Measures
BluePeak implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, at minimum:
- Encryption: AES-256 at rest, TLS 1.3 in transit
- Tenant isolation: database-per-tenant architecture ensuring Personal Data is never commingled between customers
- Access controls: role-based access, principle of least privilege, and multi-factor authentication for all BluePeak personnel accessing infrastructure
- Audit logging: comprehensive logging of all access to Personal Data by BluePeak personnel, retained for a minimum of 2 years
- Vulnerability management: regular vulnerability scanning and annual third-party penetration testing
- Employee security: background checks, security training, and binding confidentiality agreements for all personnel with access to Personal Data
- Physical security: data center physical access controls including biometric and badge access, 24/7 surveillance, and environmental controls
5.2 Review and Updates: BluePeak will periodically review and update its security measures to address evolving threats and industry best practices. Security measures will not be materially reduced during the term of the Agreement.
6. Security Incidents and Breach Notification
6.1 Notification Timeline: BluePeak will notify the Customer of a Security Incident without undue delay and in any event within seventy-two (72) hours of confirming the Security Incident.
6.2 Notification Content: The notification will include, to the extent reasonably available:
- A description of the nature of the Security Incident, including the categories of Personal Data affected and the approximate number of records
- The likely consequences of the Security Incident
- A description of the measures taken or proposed by BluePeak to address the Security Incident and mitigate its effects
- The name and contact information of BluePeak's designated point of contact
6.3 Cooperation: BluePeak will cooperate with the Customer in investigating the Security Incident, provide ongoing updates as additional information becomes available, and assist the Customer in fulfilling its own breach notification obligations under Applicable Privacy Law.
6.4 Customer's Regulatory Obligations: The Customer is solely responsible for determining its notification obligations under PIPEDA, provincial privacy legislation, and any other applicable law, including reporting to the Office of the Privacy Commissioner of Canada, provincial privacy commissioners, and affected individuals as required.
6.5 Record of Incidents: BluePeak maintains a record of all Security Incidents, including the facts, effects, and remedial actions taken. This record will be made available to the Customer upon request.
7. Subprocessors
7.1 Authorization: The Customer grants BluePeak general authorization to engage Subprocessors to process Personal Data in connection with the Service. The current list of Subprocessors is available at vimyhq.com/subprocessors.
7.2 Obligations: Before engaging a new Subprocessor, BluePeak will: (a) conduct appropriate due diligence on the Subprocessor's data protection practices; (b) enter into a written agreement imposing data protection obligations no less protective than those in this DPA; and (c) ensure the Subprocessor processes Personal Data exclusively within Canada.
7.3 Notice of Changes: BluePeak will provide at least 30 days' advance notice before engaging a new Subprocessor. The notice will identify the Subprocessor, its location, and the nature of processing.
7.4 Objection Right: If the Customer objects to a new Subprocessor on reasonable data protection grounds, the Customer must notify BluePeak in writing within 15 days. If the objection cannot be resolved, the Customer may terminate the affected Service with a pro-rata refund of prepaid fees.
7.5 Liability: BluePeak remains fully liable to the Customer for the performance of its Subprocessors' obligations under this DPA.
8. Data Subject Rights
BluePeak will assist the Customer in responding to requests from individuals exercising their rights under Applicable Privacy Law, including access, correction, and deletion requests. BluePeak will promptly notify the Customer if it receives a request directly from an individual, and will not respond to such requests without the Customer's prior written instruction, unless required by law.
If BluePeak is legally required to respond to an individual request, BluePeak will notify the Customer and provide the minimum disclosure necessary to comply with the legal requirement, unless prohibited by law from doing so.
9. Data Retention and Deletion
BluePeak will process and retain Personal Data only for the duration of the Agreement and in accordance with the data retention periods specified in the Agreement.
Upon termination of the Agreement, BluePeak will:
- Provide the Customer with a 30-day window to export Personal Data using the platform's built-in export tools
- Securely delete all Personal Data in BluePeak's possession within 90 days after the export window closes, using industry-standard deletion methods
- Provide written confirmation of deletion upon the Customer's request
BluePeak may retain Personal Data beyond the deletion timeline only where required by Applicable Privacy Law or legitimate legal obligation (such as litigation hold). In such cases, BluePeak will isolate the retained data, limit processing to the purpose required by law, and delete it as soon as the legal obligation expires.
10. Audits and Compliance
10.1 Information Requests: BluePeak will make available to the Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Privacy Law, including summaries of security assessments, penetration test reports (with sensitive findings redacted), and audit logs relevant to the Customer's data.
10.2 Audit Rights: The Customer may conduct or commission an audit of BluePeak's processing activities, subject to:
- At least 30 days' advance written notice
- Audits being conducted during regular business hours with minimal disruption to BluePeak's operations
- The Customer (or its appointed auditor) executing a confidentiality agreement
- Audits being limited to one per 12-month period, unless a Security Incident has occurred or a regulatory authority requires an audit
- The Customer bearing the costs of the audit, unless the audit reveals a material breach of this DPA by BluePeak
10.3 Regulatory Cooperation: BluePeak will cooperate with the Office of the Privacy Commissioner of Canada and any applicable provincial privacy commissioner in connection with any investigation or inquiry relating to BluePeak's processing of Personal Data under this DPA.
11. AI Processing
To the extent that BluePeak uses artificial intelligence to process Personal Data in connection with the Service:
- AI inference is performed on infrastructure located exclusively in Canada
- Personal Data is processed in stateless, isolated sessions; no Personal Data is retained in AI model weights or training data
- Personal Data is not used to train, fine-tune, or improve AI models served to other customers
- BluePeak treats all AI outputs with the same confidentiality and security controls as Personal Data
- The Customer acknowledges that AI processing may produce errors, false positives, or false negatives, and the Customer is responsible for human review of AI outputs before taking action that may affect individuals
12. Term and Termination
This DPA takes effect on the date the Customer accepts the Agreement and remains in effect for the duration of the Agreement. Provisions that by their nature should survive termination will survive, including obligations related to data deletion, confidentiality, and Security Incident notification for incidents discovered within 90 days after termination.
13. Limitation of Liability
The liability of each party under this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not create additional or independent liability beyond what is provided in the Agreement.
14. Governing Law
This DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein, consistent with the Agreement.
Annex A: Details of Processing
Subject Matter
Processing of Personal Data to provide cloud-based cybersecurity detection, investigation, response, and compliance evidence generation services.
Duration
For the term of the Agreement, plus the data export and deletion period.
Nature and Purpose
Collection, storage, analysis, and display of security telemetry, log data, and user identity information for threat detection, automated response, AI-driven investigation, and compliance evidence generation.
Data Subjects
Customer's employees, contractors, and authorized users; individuals whose data appears in security logs, network telemetry, or authentication records processed by the Service.
Types of Personal Data
Names, email addresses, usernames, IP addresses, device identifiers, authentication logs, network connection metadata, session data, and any other personal data contained in security logs or telemetry submitted by the Customer.
Special Categories
BluePeak does not intentionally process sensitive personal data (health, biometric, financial account data). If such data appears in security logs, it is processed incidentally and subject to the same protections.
Data Location
Canada (all processing, storage, and AI inference)