Data Processing Agreement (DPA) — AIOrouter

Template Version: 1.1.1 Date: 2026-06-02 Status: Draft Template — Customize per enterprise customer agreement. Public template uses customer-facing control descriptions; detailed implementation evidence is available under review. Governing Law: Province of Quebec, Canada


1. Parties

This DPA forms part of the AIOrouter Terms of Service and governs the processing of Personal Data by AIOrouter on behalf of the Customer.


2. Purpose and Scope

2.1 Processing Purpose

AIOrouter processes Personal Data solely for:

2.2 Data Categories

The Personal Data processed includes:

2.3 Data Subjects

The data subjects are the Customer's authorized users of the AIOrouter API service.


3. Data Residency

All Personal Data is processed and stored exclusively in Canada:

Storage System Location Encryption
Primary database Montreal, Canada Managed encryption at rest
Cache and session services Montreal, Canada Encrypted private service access where supported
Operational audit logs Montreal, Canada Managed encryption and retention controls
Security and key-management services Canada-oriented cloud controls Managed encryption and least-privilege access

Outbound data: Prompt content is forwarded to the selected AI model provider's API endpoint (located in China or the United States, depending on the model). Before forwarding, AIOrouter applies privacy filtering and data minimization intended to reduce exposure of sensitive Personal Data.


4. Sub-Processors

AIOrouter uses the following sub-processors:

Sub-Processor Service Data Processed Location
Google Cloud Platform (GCP) Cloud hosting, database, cache, storage, logging, secrets, and security services Infrastructure and operational data Montreal, Canada
Stripe, Inc. Payment processing Payment transaction data (CAD) Global (Stripe Canada)
DeepSeek AI model inference Protected prompt content (in-memory only) China / Global
Alibaba Cloud Model Studio AI model inference for Qwen and GLM models Protected prompt content (in-memory only) China / Global
Moonshot AI AI model inference for Kimi models Protected prompt content (in-memory only) China / Global
Google AI AI model inference for Gemini models Protected prompt content (in-memory only) United States / Global

AIOrouter will notify the Customer of any new sub-processors at least 30 days before engagement. The Customer may object to new sub-processors on reasonable data protection grounds.


5. Security Measures

AIOrouter implements the following technical and organizational security measures:

Measure Description Standard
Encrypted Transport Data in transit encrypted using modern HTTPS standards NIST SP 800-52
API Key Authentication All API access requires a 256-bit random API key stored only as a SHA-256 lookup hash OWASP ASVS V2.10
Privacy Filtering Automated controls reduce exposure of sensitive Personal Data before provider routing PIPEDA Schedule 1
Abuse Prevention Request screening and service controls reduce misuse and unsafe behavior OWASP LLM Top 10
Zero Prompt Retention Prompts processed in memory only; never written to disk, DB, or logs Technical enforcement
Audit Trail Operational audit metadata retained in Canadian infrastructure with managed retention and access controls PIPEDA §5
Rate Limiting Per-user, per-model rate limiting prevents abuse and model extraction OWASP API Top 10
Network and Application Controls Layered controls reduce common web and API risks OWASP Top 10
Access Control Least-privilege access, MFA for privileged operations, and periodic access review Cloud security best practice

5.2 Limitation on Security Warranty

The security measures described in Section 5.1 represent AIOrouter's commercially reasonable efforts and are consistent with or exceed industry standards for API proxy services. However, the Controller acknowledges that:

(a) No security system is absolute. AIOrouter does not warrant that its security measures will prevent all unauthorized access, cyberattacks, data breaches, or security incidents.

(b) The threat landscape evolves continuously. Novel attack vectors, zero-day vulnerabilities, and supply chain compromises may defeat any defensive system.

(c) The Controller accepts the residual risk inherent in any cloud-based service and agrees that AIOrouter's liability for security incidents is governed by the Limitation of Liability provisions of the master Terms of Service.

(d) AIOrouter shall notify the Controller of any confirmed security breach affecting the Controller's Personal Data in accordance with Section 6 (Breach Notification). Such notification does not constitute an admission of liability.


6. Breach Notification

6.1 Detection

AIOrouter maintains breach detection procedures monitoring:

6.2 Notification to Controller

In the event of a confirmed Personal Data breach, AIOrouter will notify the Customer:

6.3 Cooperation

AIOrouter will reasonably cooperate with the Customer in:


7. Data Subject Rights

AIOrouter assists the Customer in fulfilling Data Subject Access Requests (DSARs):

AIOrouter will notify the Customer of any DSARs received directly from data subjects within 5 business days.


8. Data Deletion / Return

8.1 Contract Termination

Upon termination of the service agreement:

8.2 Deletion Method

Personal Data is deleted by:


9. Audit Rights

9.1 Compliance Evidence

AIOrouter provides the following compliance evidence upon request:

9.2 Audit

The Customer may audit AIOrouter's compliance with this DPA:

Alternatively, AIOrouter may provide a third-party audit report (e.g., SOC 2 Type II) in lieu of an on-site audit.


10. Governing Law

This DPA is governed by the laws of the Province of Quebec, Canada. Any disputes arising from this DPA shall be resolved through arbitration in Montreal, Quebec.

Applicable privacy laws:


Template Usage: Replace [Enterprise Customer Name] with the legal entity name of the Customer. Both parties must sign and retain executed copies in their records.