Data Processing Agreement (DPA)
Last updated: 2026-02-20
1. Purpose and scope
This Data Processing Agreement ("DPA") defines the respective obligations of BorealHost.ai and its clients ("Data Controller") regarding the processing of personal data in the context of providing web hosting services and artificial intelligence modules.
This DPA supplements the Terms of Use and Privacy Policy of BorealHost.ai and applies to the extent that BorealHost.ai processes personal data on behalf of the client.
2. Role definitions
2.1 Data Controller
The client is the data controller for the personal data of their end users. The client determines the purposes and means of processing data hosted on our servers.
2.2 Data Processor
BorealHost.ai acts as a data processor and processes personal data only according to the client's instructions and in the context of providing hosting services.
2.3 Sub-processors
BorealHost.ai uses sub-processors for certain aspects of service delivery. The complete list is presented in section 4.
3. Obligations of BorealHost.ai
- Process personal data only according to the client's documented instructions
- Ensure the confidentiality of processed personal data
- Implement appropriate technical and organizational security measures
- Assist the client in responding to data subject rights requests
- Notify the client within 72 hours in the event of a data breach
- Delete or return personal data at the end of the contract, at the client's request
- Allow reasonable audits to verify compliance with this DPA
4. List of sub-processors
BorealHost.ai uses the following sub-processors in the delivery of its services:
| Sub-processor | Function | Data processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing | Name, email, billing address | Canada (Montreal) |
| Google LLC (Analytics) | Web traffic analysis | IP address (anonymized), pages visited | United States |
| Meta Platforms, Inc. | Marketing and conversion tracking | Conversion events (anonymized) | United States |
| OpenAI, Inc. | AI processing (chatbot, SEO, content) | Content submitted to AI modules | United States |
| Anthropic, Inc. | AI processing (agents, code) | Content submitted to AI modules | United States |
| Google LLC (AI) | AI processing (Gemini) | Content submitted to AI modules | United States |
| DeepSeek | AI processing | Content submitted to AI modules | China |
| Moonshot AI (Kimi) | AI processing | Content submitted to AI modules | China |
| xAI (Grok) | AI processing | Content submitted to AI modules | United States |
Warning — China-based providers: DeepSeek and Moonshot AI (Kimi) are China-based providers. The use of these models requires separate explicit consent from you. Data transmitted to these providers is subject to Chinese data protection laws. We recommend not submitting sensitive personal data to these models.
5. International data transfers
5.1 Hosting data
All hosting data (files, databases, backups) is stored exclusively in Canada (Montreal, Quebec) on our dedicated servers.
5.2 AI data
When you use the artificial intelligence modules, submitted data (prompts, messages) is transmitted to the AI providers listed in section 4. These transfers are carried out with the following protective measures:
- Encryption in transit (TLS 1.3)
- Data minimization: only the content necessary for processing is transmitted
- Contractual clauses with US-based providers
- Explicit consent required for China-based providers
- No personal data is transmitted to AI providers without explicit user action
6. Breach notification
In the event of a personal data breach, BorealHost.ai commits to:
- Notify the client within a maximum of 72 hours after the discovery of the breach
- Provide available details on the nature of the breach, the categories of data affected and the corrective measures
- Cooperate with the client for notification to the Quebec Commission d'accès à l'information (CAI) and affected individuals, in accordance with Law 25
- Take necessary measures to contain the breach and prevent its recurrence
7. Data deletion
At the end of the contractual relationship or at the client's request:
- Grace period: 7 days after end of subscription to allow reactivation
- Final backups: retained for 30 days after deactivation
- Permanent deletion: all data (files, databases, backups, configurations) is irreversibly deleted after the retention period
- Billing data: retained for 7 years in accordance with legal and tax obligations
8. Security measures
BorealHost.ai implements the following security measures:
- LXC container isolation: each hosted site is isolated in a dedicated container
- Encryption in transit: TLS 1.3 on all connections
- Access control: two-factor authentication (2FA), SSH keys
- Intrusion protection: fail2ban, iptables firewall
- Encrypted backups: automatic daily backups
- Vulnerability management: regular security updates
- Restricted access: principle of least privilege for all staff
9. Audits
The client may request reasonable information to verify BorealHost.ai's compliance with this DPA. Audit requests must be submitted in writing to [email protected] with 30 days' notice.
10. Contact
For any questions regarding this Data Processing Agreement:
- Data Protection Officer: [email protected]
- Address: BorealHost.ai, 165-1494 chemin de Chambly, Longueuil, QC J4J 3X3, Canada