Standard SAZ Data Processing Agreement.
The DPA we sign with every client handling personal data. PIPEDA, Quebec Law 25, GDPR, and SOC-equivalent controls.
This is the standard SAZ DPA. We will sign your DPA if you have your own template, or use this template if you prefer. We typically execute DPAs within 5 business days. Custom amendments negotiable for enterprise engagements.
1. Scope and roles
This DPA governs the processing of personal data by SAZ Consulting Group ("Processor") on behalf of the Client ("Controller") under the engagement agreement. SAZ acts as a data processor; the Client remains the data controller responsible for lawful basis, consent, and data subject rights.
2. Applicable frameworks
SAZ commits to processing personal data in accordance with PIPEDA (Canada), Quebec Law 25 (PL 25), GDPR (EU/UK), CCPA/CPRA (California), and HIPAA / PHIPA where applicable. The Client warrants their own compliance with applicable frameworks before sharing personal data.
3. Permitted processing
SAZ processes personal data only on the Client's documented instructions and only for the purposes specified in the engagement agreement — including consulting delivery, AI system development, analytics, and reporting. SAZ will not process personal data for any other purpose without the Client's prior written consent.
4. Confidentiality
SAZ ensures that all personnel authorized to process personal data are bound by confidentiality obligations (employment agreements, contractor agreements, or NDAs) and have received privacy and security training.
5. Security measures
SAZ implements appropriate technical and organizational measures, including encryption at rest (AES-256) and in transit (TLS 1.3), access controls with MFA, audit logging, role-based access, network segmentation, and security incident response procedures. Full security controls available in the Trust Center.
6. Subprocessors
SAZ may engage subprocessors (cloud providers, AI model providers, communication tools) as listed on the Trust Center page. The Client consents to current subprocessors. SAZ provides 30 days' notice of new subprocessors and gives the Client the right to object.
7. Data subject rights
SAZ assists the Client in responding to data subject rights requests (access, correction, deletion, portability, restriction, objection) within timelines required by applicable law. Requests should be directed to info@Sedighi.ca.
8. Personal data breach notification
In the event of a personal data breach, SAZ will notify the Client without undue delay and in any case within 48 hours of becoming aware, providing relevant details to support the Client's notification obligations.
9. International transfers
Where personal data is transferred outside Canada (e.g., to AI model providers, cloud infrastructure), SAZ ensures appropriate safeguards — including Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms.
10. Audit and inspection
SAZ provides the Client with documentation reasonably required to demonstrate compliance with this DPA, and supports audits or inspections at the Client's reasonable request and cost.
11. Return or deletion
Upon termination of the engagement, SAZ will return or delete all personal data within 90 days, except as required by applicable law to retain. Certificates of destruction available on request.
12. Liability and indemnification
Liability under this DPA is governed by the engagement agreement's limitation of liability provisions, subject to applicable law's minimum requirements for data protection liability.
Need a signed copy?
Email us at info@Sedighi.ca and we'll send a fully-executed DPA tailored to your engagement scope. We can also sign your DPA template — most are reviewed and signed within 5 business days.
Anything else procurement needs?
SOC questionnaires, CAIQ, SIG, security attestations, certificates of insurance — request directly at info@Sedighi.ca.