Covers data handling, subprocessors, security controls, and compliance commitments.
Last updated October 10, 2025
This Data Processing Agreement ("DPA") forms an integral part of the Modus Terms of Service("Terms") between the party named as "Customer" in the Terms ("Customer" or "Controller")and Nostrade Inc, operating as Fermion AI Group ("Company" or "Processor") and sets out the parties' respective obligations when Customer personal data is processed by Company in relation to the Services performed by Company on Customer's behalf pursuant to the Terms.The purpose of the DPA is to ensure such processing is conducted in accordance with applicable laws and with due respect for the rights and freedoms of individuals whose personal data is processed. This DPA will be effective from the date on which the authorized signatories of the parties sign the Order Form.
This Data Processing Agreement ("Agreement") forms part of the Contract for Services
("Principal Agreement") between the Customer and
Nostrade Inc
Operating as: Fermion AI Group
101 Jevlan Dr
Woodbridge, ON L4L 8C2
Canada
(the "Data Processor")
(together as the "Parties")
WHEREAS
(A) The Company acts as a Data Controller and wishes to engage Service Provider for AI- powered meeting assistance services, including real-time coaching, fact-checking, explanations, transcription, and the Modus: Proactive Listener platform.
(B)The Company wishes to subcontract certain Services, which may involve the processing of personal data and confidential business information, to the Service Provider.
(C)The Parties seek to implement comprehensive data protection, confidentiality, and intellectual property provisions that comply with applicable laws including GDPR, U.S. state privacy laws, Canadian privacy laws (PIPEDA), and other relevant data protection regulations.
(D)The Parties wish to establish clear ownership rights regarding deliverables created during service provision.
IT IS AGREED AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
1.1 Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing and Services Agreement and all Schedules;
1.1.2 "Company Personal Data" means any Personal Data Processed by Service Provider on behalf of Company pursuant to or in connection with the Principal Agreement;
1.1.3 "Company Confidential Information" means all non-public, proprietary, or confidential information disclosed by Company to Service Provider, including but not limited to business processes, customer data, financial information, technical specifications, and strategic plans;
1.1.4 "Data Protection Laws" means EU Data Protection Laws, U.S. Privacy Laws, Canadian Privacy Laws, and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 "U.S. Privacy Laws" means applicable U.S. federal and state privacy laws including but not limited to the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and any other applicable state privacy laws;
1.1.6 "Canadian Privacy Laws" means applicable Canadian federal and provincial privacy laws including but not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable provincial privacy legislation;
1.1.7 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.8 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.9 "Data Transfer" means:
1.1.10 "Services" means the AI-powered meeting assistance services provided through Modus: Proactive Listener, including real-time coaching, fact-checking, explanations, real-time suggestions, meeting transcription, and analysis;
1.1.11 "Deliverables" means all work products, documents, designs, configurations, customizations, prompt designs, knowledge bases, and other materials created by Service Provider specifically for Company during the performance of Services;
1.1.12 "Subprocessor" means any person appointed by or on behalf of Service Provider to process Personal Data on behalf of the Company in connection with the Agreement.
1.2 GDPR Terms
The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data","Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. CONFIDENTIALITY AND DATA PROTECTION
2.1 Comprehensive Confidentiality
2.1.1 Service Provider acknowledges that it may receive Company Confidential Information and Company Personal Data in connection with the Services.
2.1.2 Service Provider shall:
2.1.3 The confidentiality obligations shall survive termination of this Agreement for a period of five (5) years.
2.2 Processing Obligations Service Provider shall:
2.2.1 comply with all applicable Data Protection Laws in the Processing of Company Personal Data;
2.2.2 not Process Company Personal Data other than on the Company's documented instructions;
2.2.3 ensure all employees handling Personal Data or Confidential Information are bound by legally enforceable confidentiality agreements;
2.2.4 provide adequate training to all employees handling Personal Data on data protection requirements and procedures;
2.2.5 be held liable for any processing activities conducted outside the scope of documented instructions.
2.3 Processing Instructions
The Company instructs Service Provider to process Company Personal Data for the following purposes:
3. PROCESSOR PERSONNEL
Service Provider shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual's duties, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. ENTERPRISE SECURITY MEASURES
4.1 Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Service Provider shall implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
4.2 Specific Security Measures
Service Provider implements and maintains the following security measures:
4.2.1 Encryption:
All meeting transcripts and client data are encrypted using industry-standard encryption protocols;
4.2.2 Data Storage:
Service Provider stores only meeting transcripts and user account information necessary for authentication. Audio and video recordings are processed in real-time and are not stored on Service Provider systems;
4.2.3 Access Controls:
Role-based access control limiting data access to authorized personnel only;
4.2.4 Data Minimization:
Meeting transcripts are retained according to configured retention
policies; audio recordings are processed in real-time without storage;
4.2.5 Infrastructure Security:
Regular security assessments, automated security updates, and
comprehensive incident response procedures.
4.3 Risk Assessment
In assessing the appropriate level of security, Service Provider shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. U.S. AND CANADIAN PRIVACY LAW COMPLIANCE
5.1 Consumer Privacy Rights
Service Provider shall assist Company in fulfilling consumer rights requests under applicable U.S. Privacy Laws and Canadian Privacy Laws, including:
5.2 CCPA/CPRA and PIPEDA Compliance
5.2.1 Service Provider warrants that it will not:
5.2.2 Service Provider shall provide the same level of privacy protection as required by applicable U.S. Privacy Laws and Canadian Privacy Laws.
5.3 Cross-Border Data Transfers
For transfers of personal data across borders, Service Provider shall implement appropriate safeguards including standard contractual clauses or other legally recognized transfer mechanisms as required by applicable Data Protection Laws.
6. INTELLECTUAL PROPERTY AND DELIVERABLES OWNERSHIP
6.1 Deliverables Ownership
6.1.1 All Deliverables created specifically for Company, including but not limited to custom configurations, knowledge bases, and customized workflows, shall be owned by Company upon full payment of applicable fees.
6.1.2 Service Provider hereby assigns to Company all right, title, and interest in and to such Deliverables, including all intellectual property rights therein.
6.2 Service Provider Retained Rights
6.2.1 Service Provider retains ownership of:
6.2.2 Service Provider may use general knowledge, skills, and experience gained from providing Services, provided such use does not violate confidentiality obligations or disclose Company Confidential Information.
6.3 License Grant
6.3.1 Company grants Service Provider a limited, non-exclusive license to use Company Confidential Information solely for the purpose of providing the Services during the term of this Agreement.
6.3.2 Service Provider grants Company a perpetual, irrevocable, royalty-free license to use Deliverables for Company's business purposes, including the right to modify and create derivative works.
7. SUBPROCESSING
7.1 Authorized Subprocessors
Service Provider is authorized to engage the following Subprocessors:
7.2 Subprocessor Requirements
Service Provider shall ensure that all Subprocessors:
7.3 Subprocessor Changes
Service Provider shall inform Company of any intended changes to Subprocessors with at least 30 days' prior written notice. Company may object to such changes within 14 days if the changes do not meet required data protection standards.
8. DATA SUBJECT RIGHTS
8.1 Assistance to Company
Service Provider shall assist Company in fulfilling its obligations to respond to requests to exercise Data Subject rights under applicable Data Protection Laws, including both GDPR, U.S. Privacy Laws, and Canadian Privacy Laws.
8.2 Data Subject Request Handling Service Provider shall:
8.2.1 promptly notify Company within 5 business days if it receives a request from a Data Subject;
8.2.2 not respond to that request except on the documented instructions of Company or as required by applicable laws.
9. DATA PROTECTION IMPACT ASSESSMENT
Service Provider shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by Service Provider, taking into account the nature of the Processing and information available to Service Provider.
10. PERSONAL DATA BREACH
10.1 Breach Notification Service Provider shall notify Company at privacy@[CUSTOMER-DOMAIN] without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data or Confidential Information, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
10.2 Breach Response
Service Provider shall cooperate with Company and take reasonable commercial steps as directed by Company to assist in the investigation, mitigation and remediation of each such
Personal Data Breach.
11. DATA RETENTION AND DELETION
11.1 Data Retention Policy Service Provider maintains the following data retention policies:
11.2 Data Deletion Upon Account Termination
11.2.1 Upon user account deletion, Service Provider shall delete all Company Personal Data within 30 days, except for:
11.3 Certification
Service Provider shall provide written certification to Company that it has fully complied with this section within 30 days of account deletion.
12. AUDIT RIGHTS
12.1 Audit Access
Subject to this section 12, Service Provider shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of Company Personal Data.
12.2 Annual Audit Rights Company may conduct at least one audit per year of Service Provider's data processing activities upon reasonable notice.
12.3 Compliance Documentation
Service Provider shall maintain and provide documentation demonstrating compliance with this Agreement and applicable Data Protection Laws.
13. DATA TRANSFER AND CROSS-BORDER PROCESSING
13.1 International Transfers
Personal data processed under this Agreement may be transferred from Company's jurisdiction to Canada, the United States, and other jurisdictions where Service Provider or its Subprocessors operate.
13.2 Transfer Safeguards
For transfers from the EU/EEA, the Parties shall rely on EU approved standard contractual clauses as set forth in Schedule A (when applicable).
13.3 Government Access Requests
Service Provider shall immediately notify Company of any legally binding request for disclosure of Personal Data by a government authority, unless prohibited by law.
14. NO-TRAINING AND AI ETHICS
14.1 No-Training Rights
Service Provider shall not use Company Personal Data or Confidential Information for the purpose of training or developing its artificial intelligence models, machine learning algorithms, or similar technologies, except where explicitly authorized by Company in writing.
14.2 AI Ethics
Service Provider warrants that its AI systems are designed and operated in accordance with responsible AI principles, including fairness, transparency, and accountability.
15. LIABILITY AND INDEMNIFICATION
15.1 Data Protection Liability
Service Provider shall be liable for damages caused by:
15.2 Confidentiality Breach
Service Provider shall indemnify Company for damages resulting from unauthorized disclosure of Company Confidential Information.
15.3 Commercial Liability
All other liability matters, including commercial liability, limitation of damages, and general indemnification, shall be governed by the Principal Agreement between the parties.
16. TERM AND TERMINATION
16.1 Term
This Agreement shall remain in effect for the duration of the Principal Agreement.
16.2 Survival
The following provisions shall survive termination:
17. GOVERNING LAW AND DISPUTE RESOLUTION
17.1 Governing Law
This Agreement shall be governed by the laws of the Province of Ontario, Canada, or by the laws of the jurisdiction where Company is headquartered, as applicable.
17.2 Dispute Resolution
Any disputes shall be resolved in accordance with the dispute resolution mechanism set forth in the Principal Agreement.
18. GENERAL PROVISIONS
18.1 Entire Agreement
This Agreement, together with the Principal Agreement, constitutes the entire agreement between the parties regarding data processing and confidentiality.
18.2 Amendments
This Agreement may only be amended in writing signed by both parties.
18.3 Notices
All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address set out in the heading of this Agreement or at such other address as notified from time to time by the Parties.
18.4 Severability
If any provision is found unenforceable, the remainder of the Agreement shall remain in full force and effect.
SCHEDULE A - STANDARD CONTRACTUAL CLAUSES
(For EU/EEA Data Transfers - When Applicable)
This Schedule A incorporates the EU Standard Contractual Clauses for Controller to Processor transfers as approved by the European Commission. These clauses apply only when a Company is transferring personal data from the EU/EEA to Service Provider.
ANNEX I - PARTIES AND TRANSFER
A. LIST OF PARTIES
Data exporter:
Data importer:
B. DESCRIPTION OF TRANSFER
Categories of data subjects:
Meeting participants (employees, contractors, clients, and other individuals participating in meetings where Modus is active).
Categories of personal data transferred:
Sensitive data transferred:
Potentially sensitive data may include business confidential information, personal conversations, or other sensitive content discussed in meetings. Applied safeguards include:
Frequency of transfer:
Continuous during active meeting sessions when service is engaged
Nature of processing:
Real-time AI processing of audio data to generate meeting transcripts, insights, fact-checking, explanations, and suggestions
Purpose of transfer:
To provide real-time AI-powered meeting assistance and intelligence to users during meetings
Retention period:
Meeting transcripts retained for the lifespan of the user account. All data deleted within 30 days of account deletion unless required by law.
Subprocessors:
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses, based on the data exporter's establishment or the location of affected data subjects.
Service Provider Contact:
Pavel Halko, Head of Engineering pavel@fermionaigroup.com
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES
Service Provider implements the following technical and organizational measures to ensure an appropriate level of security:
Encryption:
Access Controls:
Data Minimization:
Data Retention and Deletion:
Infrastructure Security:
Personnel Security:
ANNEX III - LIST OF SUBPROCESSORS
The following subprocessors are authorized to process Company Personal Data:
.svg)
.svg){kind=small}
.svg){kind=small}
.png)
.png)