Data Processing Agreement (DPA)
Last updated: April 13, 2026
1. Parties
This Data Processing Agreement (DPA) is entered into between:
- Data Controller: The organization that subscribes to the Boréal MT service ("Client")
- Data Processor: Boréal MT, operated by Manuel Fresnais, Montréal (Québec) Canada
2. Purpose of Processing
Boréal MT processes personal data on behalf of the Client for the sole purpose of providing the automatic translation service into Canadian French (fr-CA), including:
- Translation of documents submitted by the Client
- Construction and maintenance of the organizational translation memory
- Management of terminology glossaries
3. Nature of Personal Data Processed
- User information: name, email address, professional role
- Document content submitted for translation (may contain personal data)
- Usage data: translation history, quality scores, word counts
4. Processor Obligations
Boréal MT undertakes to:
- Process data only on documented instructions from the Controller
- Ensure that persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Not use data for purposes other than providing the service
- Delete or return all personal data at the end of the contract
- Provide all information necessary to demonstrate compliance
- Notify the Controller of any data breach within 72 hours
5. Sub-processors
The Client authorizes Boréal MT to use the following sub-processors:
- Anthropic (USA) — AI translation via Claude API
- Microsoft Azure (Canada Central) — Hosting and databases
- Stripe (USA) — Payment processing
- Microsoft 365 (Exchange Online) (Canada Central) — Transactional emails via Graph sendMail
Boréal MT will notify the Client at least 30 days before adding a new sub-processor.
6. Security Measures
- Encryption in transit: TLS 1.2+
- Encryption at rest: AES-256
- Password hashing: bcrypt (12 rounds)
- Two-factor authentication (2FA) available
- Session management with JWT + blacklist
- Rate limiting and CSRF protection
7. Data Subject Rights
Boréal MT will assist the Controller in fulfilling its obligations to respond to data subject rights requests (access, correction, deletion, portability) within a maximum of 30 days.
8. Data Retention and Deletion
- Active account data: retained for the duration of the contract
- After termination: 90-day retention, then permanent deletion
- Secure deletion confirmed upon request
9. Audits
The Client may conduct, or commission, audits of Boréal MT's data processing activities with 30 days' written notice, at the Client's expense and without disrupting operations.
10. Governing Law
This DPA is governed by the laws of the Province of Québec and the federal laws of Canada (PIPEDA, Law 25).
11. Contact
Data Protection: privacy@borealmt.com