Terms of Service
Kenvest Consulting Inc.: Data Processing Addendum (DPA)
Effective Date: March 11, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between Kenvest Consulting Inc. (“Kenvest”, “Service Provider/Processor”) and the customer entity (“Customer”, “Controller/Business”) under the Terms of Service, Master Services Agreement, Statement of Work, or other written agreement governing the Services (the “Agreement”). This DPA applies where Kenvest Consulting Inc. processes Personal Information on behalf of Customer in the course of providing the Services.
1. Definitions
Unless otherwise defined in this DPA, capitalized terms have the meaning in the Agreement.
- “Personal Information” includes “personal information” (Canada), “personal data” (if applicable), and “personal information” under U.S. privacy laws, including CCPA/CPRA.
- “Process/Processing” means any operation performed on Personal Information (collection, storage, use, disclosure, deletion, etc.).
- “Customer Personal Information” means Personal Information processed by Kenvest Consulting Inc. on behalf of Customer.
- “Subprocessor” means any third party engaged by Kenvest Consulting Inc. to process Customer Personal Information.
- “Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Information.
2. Roles of the Parties
- Customer is the Controller/Business (as applicable) and determines the purposes and means of processing.
- Kenvest Consulting Inc. acts as Processor/Service Provider (as applicable) and processes Customer Personal Information only:
  - to provide the Services;
  - to comply with documented instructions from Customer;
  - as otherwise permitted by applicable law.
3. Scope of Processing
A. Subject Matter
Provision of the Services described in the Agreement, including consulting, hosted software, analytics, support, and related offerings.
B. Duration
Processing will continue for the term of the Agreement, plus any period required for lawful retention, dispute resolution, or secure deletion.
C. Nature and Purpose
Processing activities may include collecting, storing, transmitting, analyzing, securing, retrieving, and deleting Customer Personal Information to:
- deliver and support the Services;
- maintain and improve security and performance;
- perform contractual obligations.
D. Categories of Personal Information (examples)
Depending on Customer’s use of the Services:
- contact and identity information (name, email, business details);
- technical identifiers (IP address, device ID, logs);
- usage data and account activity;
- customer content and files (as uploaded by Customer users);
- communications and support records.
E. Categories of Data Subjects
Customer’s end users, employees, contractors, or other individuals whose Personal Information Customer provides or makes available.
4. Customer Instructions
- Customer instructs Kenvest Consulting Inc. to process Customer Personal Information to provide the Services.
- Additional instructions must be documented in writing.
- If Kenvest Consulting Inc. believes an instruction violates applicable law, Kenvest Consulting Inc. will notify Customer (unless prohibited by law).
5. Confidentiality
Kenvest Consulting Inc. will ensure that personnel authorized to process Customer Personal Information are bound by confidentiality obligations.
6. Security Measures
Kenvest Consulting Inc. will implement and maintain reasonable administrative, technical, and physical safeguards appropriate to the risk, including as applicable:
- access controls and least privilege;
- encryption in transit and at rest (where appropriate);
- security monitoring and logging;
- vulnerability management and patching;
- incident response procedures;
- secure SDLC (where applicable);
- subcontractor security obligations.
7. Subprocessors
- Customer authorizes Kenvest Consulting Inc. to use Subprocessors to deliver the Services.
- Kenvest Consulting Inc. will require Subprocessors to protect Customer Personal Information with protections no less protective than this DPA.
- Kenvest remains responsible for Subprocessor performance of obligations under this DPA.
Subprocessor List & Updates:
Kenvest Consulting Inc. will provide a current list of Subprocessors upon request.
Customer may object to a new Subprocessor on reasonable privacy/security grounds by providing written notice within a reasonable period, and the parties will work in good faith to address the objection.
8. Cross-Border Transfers
Customer acknowledges Customer Personal Information may be processed or stored outside Customer’s jurisdiction (including Canada and the U.S.). Kenvest Consulting Inc. will implement appropriate safeguards and risk-based controls for cross-border processing.
9. Assistance with Requests and Compliance
To the extent legally required and reasonably feasible, Kenvest Consulting Inc. will assist Customer with:
- responding to access, correction, deletion, portability, and opt-out requests;
- security and breach notifications;
- compliance assessments relevant to the Services.
10. Security Incident Notification
- Kenvest Consulting Inc. will notify Customer without undue delay after becoming aware of a Security Incident involving Customer Personal Information.
- Kenvest Consulting Inc. will provide information reasonably necessary to support Customer’s legal obligations, subject to availability and confidentiality constraints.
- Kenvest Consulting Inc. may delay notice to the extent required to comply with law enforcement requests or legal prohibitions.
11. Deletion and Return
Upon termination or expiration of the Services, Kenvest Consulting Inc. will delete or return Customer Personal Information within a commercially reasonable timeframe, unless retention is required by law or necessary for dispute resolution, security logging, or backup cycles. Where backups exist, Kenvest Consulting Inc. will ensure secure deletion occurs through normal backup retention schedules.
12. Audits and Assessments
- Upon reasonable written request, Kenvest Consulting Inc. will provide Customer with information reasonably necessary to demonstrate compliance (e.g., security policies, summaries, or third-party reports if available).
- On-site audits (if any) will be subject to:
  - reasonable scope and scheduling;
  - confidentiality obligations;
  - restrictions to protect other customers and security integrity;
  - Customer bearing its own costs (unless otherwise agreed).
13. CCPA/CPRA Service Provider Terms (if applicable)
Where CCPA/CPRA applies and Kenvest Consulting Inc. processes “Personal Information” as a Service Provider/Contractor, Kenvest Consulting Inc.:
- will not sell or share Customer Personal Information;
- will not retain, use, or disclose Customer Personal Information outside the direct business relationship with Customer except as permitted by law;
- will not combine Customer Personal Information with other data except as permitted for security, fraud prevention, or improving services (in a way permitted for service providers);
- will provide the same level of privacy protection as required by CCPA/CPRA;
- will notify Customer if Kenvest Consulting Inc. can no longer meet its obligations under CCPA/CPRA.
14. Liability
Liability under this DPA is subject to the liability limitations in the Agreement, unless prohibited by applicable law.
15. Order of Precedence
If there is a conflict between this DPA and the Agreement regarding processing of Customer Personal Information, this DPA controls.
16. Contact
For DPA inquiries and notices:
Kenvest Consulting Inc.
440 Laurier Avenue 200, Ottawa, Ontario K1R 7X6
james@kenvestconsulting.net
613.747.0485
Kenvest Consulting Inc.: AI Governance & Responsible Use Policy
Last Updated: March 11, 2026
This AI Governance & Responsible Use Policy (“AI Policy”) describes Kenvest Consulting Inc.’s standards for designing, deploying, using, and overseeing AI-enabled tools and services in alignment with applicable laws in Canada and the United States, and recognized best practices in responsible AI.
1. Scope
This policy applies to:
- AI-enabled software features and tools offered by Kenvest Consulting Inc.;
- internal use of AI by Kenvest Consulting Inc. personnel in service delivery;
- third-party AI tools used in connection with Kenvest Consulting Inc. services (where authorized).
2. Core Principles
Kenvest Consulting Inc. strives to ensure AI systems are:
- Lawful and fair
- Transparent and explainable (to the degree appropriate and feasible)
- Accountable with human oversight
- Secure and resilient
- Privacy-preserving by design
- Reliable, tested, and monitored
- Purpose-limited (used only for intended business needs)
3. Risk-Based Approach
We use a risk-based governance model that may include:
- intake and classification of AI use cases by risk (low/medium/high);
- higher scrutiny for systems used in hiring, lending, healthcare, legal determinations, or other sensitive domains;
- documented assessments for high-risk systems (including impact, bias, security, and privacy considerations).
4. Data Controls and Privacy
- Kenvest Consulting Inc. will only use data with an appropriate legal basis and contractual authorization.
- We will apply minimization: collect/use the least amount of data needed.
- Where feasible, we use de-identification and access restrictions.
- We do not use Customer confidential data to train generalized AI models unless expressly agreed in writing.
5. Transparency and Disclosures
Where AI is used to generate content or recommendations:
- we may disclose that AI is being used;
- we may provide usage guidance and known limitations;
- for significant automated decisions (where applicable), we support legally required disclosures.
6. Human Oversight
- AI outputs are reviewed by qualified personnel when used in contexts with elevated risk.
- Customers remain responsible for human review of AI outputs before operational, legal, financial, or safety-critical use unless the Agreement expressly states otherwise.
7. Bias, Fairness, and Testing
We take reasonable steps to:
- test for performance issues and harmful bias;
- mitigate bias where identified;
- monitor drift and degrade gracefully.
8. Security Measures for AI Systems
We implement security practices appropriate to AI systems, which may include:
- access controls for prompts, logs, and model outputs;
- protection against prompt injection and data exfiltration patterns;
- monitoring for abuse and anomalous usage;
- secure vendor management for third-party AI services.
9. Prohibited AI Uses
Kenvest Consulting Inc. will not knowingly support AI uses that:
- violate law or regulations;
- enable unlawful surveillance or privacy invasion;
- facilitate discrimination in prohibited ways;
- generate or disseminate illegal content;
- are designed to cause harm, defraud, or mislead.
10. Vendor Management
Where third-party AI tools are used, Kenvest Consulting Inc. will:
- evaluate vendor security and privacy posture;
- apply contractual requirements (confidentiality, security, subprocessing restrictions);
- assess cross-border implications where applicable.
11. Incident Response for AI
AI-related incidents (including data leakage through prompts, model misuse, or security vulnerabilities) are managed through:
- containment and investigation procedures;
- customer notifications where required;
- corrective actions and post-incident review.
12. Training and Acceptable Use
Kenvest Consulting Inc. personnel receive guidance on:
- safe and compliant AI use;
- confidentiality and customer data handling;
- secure prompting and output validation.
13. Policy Updates
This policy may be updated to reflect legal changes, evolving standards, and operational improvements.
14. Contact
AI Governance inquiries:
Kenvest Consulting Inc.
440 Laurier Avenue West, Suite 200, Ottawa, Ontario K1R 7X6
james@kenvestconsulting.net
613.747.0485