Data Processing Agreement
Last updated June 24, 2026
When you use AccessMonk to support your clients' devices, we process some personal information on your behalf. This page describes how, covering our roles, safeguards, sub-processors, and obligations.
Roles & scope
This Data Processing Agreement (“DPA”) forms part of the agreement between [Legal Entity Name] (“AccessMonk”) and the customer (“Customer”) for use of the Service, and applies where AccessMonk processes personal information on the Customer’s behalf.
With respect to that personal information, the Customer is the organization responsible for it (the controlling party) and AccessMonk acts as the Customer’s service provider (processor), processing personal information only to provide the Service and on the Customer’s documented instructions, including as set out in this DPA. AccessMonk handles personal information in accordance with PIPEDA.
Details of the processing
Subject matter & purpose. Providing remote support and unattended-access software to the Customer.
Duration. The term of the Customer’s subscription, plus the deletion periods in this DPA.
Categories of individuals. The Customer’s technicians and administrators, and the end users of the devices the Customer supports.
Types of personal information. Account details (name, work email, company, role); device information (hostname, operating system, status, agent version, public IP); and session metadata (times, technician, session type, audit events). The Service does not record session screen content, keystrokes, or transferred files.
Customer instructions
AccessMonk processes personal information only to provide the Service and on the Customer’s documented instructions (including configuration in the console), unless required to do otherwise by law — in which case AccessMonk will inform the Customer where legally permitted. The Customer is responsible for the lawfulness of the personal information it processes and for having any authority and consent required to access the relevant devices and individuals.
Confidentiality
AccessMonk ensures that personnel authorized to process personal information are bound by appropriate confidentiality obligations and access it only as needed to provide and support the Service.
Security measures
AccessMonk maintains technical and organizational measures appropriate to the risk, including:
- encryption in transit (TLS for web/console/API; DTLS-SRTP for live session media);
- mandatory multi-factor authentication and role-based access control;
- per-tenant data isolation, brute-force lockout, and rate limiting;
- hashed passwords (Argon2) and encrypted, access-controlled database backups;
- audit logging of security-relevant actions; and
- ongoing monitoring and patching of the production environment.
Session screen content, keystrokes, and transferred files are exchanged between the participants and are not recorded or stored by AccessMonk.
Sub-processors
The Customer authorizes AccessMonk to engage the following sub-processors, each bound by data-protection obligations no less protective than this DPA:
- Stripe — payment processing.
- Mailgun — transactional email delivery.
- [Hosting provider — confirm, e.g. OVHcloud] — cloud hosting in Canada.
AccessMonk remains responsible for its sub-processors’ performance and will give the Customer notice before adding or replacing a sub-processor, so the Customer may object on reasonable data-protection grounds.
Assisting with individual requests
Taking into account the nature of the processing, AccessMonk will provide reasonable assistance — including through console functionality — to help the Customer respond to requests from individuals to access, correct, or delete their personal information. If AccessMonk receives such a request directly, it will refer the individual to the Customer where appropriate.
Breach notification
AccessMonk will notify the Customer without undue delay after becoming aware of a breach of security safeguards affecting the Customer’s personal information, and will provide information reasonably available to help the Customer meet its own notification and record-keeping obligations.
Return & deletion
On termination of the Service, or on the Customer’s request, AccessMonk will delete or de-identify the Customer’s personal information within [90] days, except where retention is required by law. Encrypted backups rotate out on their normal cycle (within 14 days).
Audits & compliance
On reasonable written request and subject to confidentiality, AccessMonk will make available information necessary to demonstrate compliance with this DPA. Any on-site review will be at a mutually agreed time, no more than once per year absent a security incident, and conducted so as not to disrupt the Service or compromise other customers’ data.
Location of processing
Personal information processed by AccessMonk is hosted in Canada. Certain sub-processors may process limited personal information in other countries; where they do, that processing remains subject to contractual safeguards consistent with this DPA.
Order of precedence
This DPA forms part of, and is subject to, the Terms of Service. In the event of a conflict regarding the processing of personal information, this DPA prevails over the Terms of Service.
Contact
For questions about this DPA, or to exercise rights under it, contact our Privacy Officer at privacy@accessmonk.com.