Data Processing Agreement

Folio AI offers a standard Data Processing Agreement (DPA) for every customer who handles personal information through the platform. Custom DPAs are available on Business and Enterprise plans.

1. Roles & scope

For personal information processed through the Folio AI platform, the customer (your firm) is the data controller and Folio AI Inc. is the data processor. The DPA covers all processing activities incidental to providing the document automation, extraction, review, and integration services.

2. Categories of data

3. Sub-processors

Folio AI uses a defined list of sub-processors to deliver the service. The current list and notice procedure for additions are published at folioai.ca/legal/sub-processors.

4. Security measures

Technical and organizational measures are described at folioai.ca/security and include encryption at rest and in transit, RLS isolation, PII redaction before AI inference, RBAC, audit logging, and breach response.

5. Data subject rights

Folio AI provides export, correction, and deletion APIs and dashboard actions to support customer responses to data subject requests under PIPEDA, Quebec Law 25, and applicable provincial privacy legislation.

6. Breach notification

Folio AI will notify the customer of any confirmed personal information breach within 72 hours of detection, with a description of the affected data, scope, mitigation steps, and ongoing remediation plan.

7. Data residency & transfer

All customer data is processed and stored within Canada (AWS ca-central-1 primary, ca-west-1 backup). In strict_canada mode, AI inference is also restricted to Canadian regions.

8. Term & deletion

Upon termination, customer data is retained per the agreed retention period (default: CRA 6 years), then permanently deleted with 30-day advance notice and a certified deletion log.

Request the executable DPA

We will email a counter-signature-ready PDF, plus answers to common security questionnaires.
