Data Processing Agreement

The subscribing business is the controller of the personal information it enters into the platform (its clients, properties, employees and technicians). MainteQC acts as a processor and processes that information only on the controller’s documented instructions, to provide the service.

Processing covers hosting, storage, backup, search, AI assistance and transmission of data, for the duration of the subscription, plus any applicable regulatory retention periods.

MainteQC engages subprocessors, each bound by an agreement with equivalent protection obligations. The current list is published publicly. Subprocessor list.

• Encryption in transit (TLS) and at rest.
• Strict tenant isolation via row-level security (RLS).
• Mandatory two-factor authentication for sensitive roles; role-based access control.
• Audit logging, monitoring and security testing.
• PII redaction before any AI processing; AI routed to Canadian regions.

In the event of a confidentiality incident affecting the controller’s data, MainteQC notifies the controller without undue delay and provides the information reasonably needed for the controller to meet its own reporting obligations under Law 25 (notice to affected individuals and to the Commission d’accès à l’information where a risk of serious injury exists).

Primary data is hosted in Canada (ca-central-1) and primary AI processing occurs in Canada. Transfers to subprocessors outside Canada are subject to contractual safeguards and a privacy impact assessment.

MainteQC assists the controller in honouring data-subject rights and in its compliance assessments. At the end of the relationship, MainteQC makes the data available for export, then deletes it, subject to regulatory retention floors.

Questions: privacy@mainteqc.com.