Data Processing Agreement
Parties & scope
This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms of Service (the "Agreement") between you, the customer ("Controller"), and {{COMPANY_NAME}}, org.nr {{ORG_NR}}, {{COMPANY_ADDRESS}} ("Processor" or "Hauly") regarding the Processor's processing of Personal Data on behalf of the Controller in connection with the Service.
This DPA reflects the parties' agreement on the terms governing such processing in compliance with Article 28 of Regulation (EU) 2016/679 (the "GDPR").
Definitions
"Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data submitted to the Service by or on behalf of the Controller. "Subprocessor" means a third party engaged by Hauly to process Customer Personal Data.
Roles & responsibilities
With respect to Customer Personal Data submitted through the Service, the Controller is the data controller and Hauly is the data processor. The Controller is responsible for (a) the lawfulness of its instructions and the Personal Data it submits and (b) ensuring it has a legal basis under the GDPR for processing.
Processor's processing of Personal Data
Hauly will process Customer Personal Data only on documented instructions from the Controller, including with regard to transfers, unless required to do so by EU or Member State law. The Agreement and this DPA, together with the Controller's use of the Service, constitute the Controller's complete and final instructions to Hauly.
If Hauly believes an instruction infringes the GDPR or other Union or Member State data protection law, it will inform the Controller before carrying out the instruction, unless prohibited by law.
Personnel confidentiality
Hauly ensures that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations and have received appropriate training in their data protection responsibilities.
Security of processing
Taking into account the state of the art, costs, nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to natural persons, Hauly implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These measures are described in Annex II and may be updated by Hauly from time to time, provided the level of security is not materially reduced.
Subprocessors
The Controller grants Hauly general written authorisation to engage Subprocessors. Hauly will:
- Maintain an up-to-date list of Subprocessors, available at the bottom of this DPA;
- Notify the Controller of any intended changes (addition or replacement) at least 30 days in advance, giving the Controller the opportunity to object on reasonable, data-protection-related grounds;
- Impose data protection obligations on each Subprocessor that are no less protective than this DPA;
- Remain liable to the Controller for the performance of its Subprocessors' obligations.
Current Subprocessors
| Subprocessor | Purpose | Location of processing |
|---|---|---|
| Vercel Inc. | Hosting, edge delivery, access logging | EU (Frankfurt) + US |
| Supabase Inc. | Authentication, primary database | EU (Frankfurt) |
| Anthropic PBC | AI model inference for chat features | US |
| Upstash Inc. | Short-TTL rate-limit counters (IP) | EU (Frankfurt) |
Data-subject rights
Hauly will, to the extent legally permitted, promptly notify the Controller of any request received directly from a Data Subject. Taking into account the nature of the processing, Hauly will assist the Controller with appropriate technical and organisational measures, insofar as possible, to fulfil the Controller's obligation to respond to such requests.
Personal data breaches
Hauly will notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification will, to the extent then known, include:
- The nature of the breach, including categories and approximate number of Data Subjects and records;
- The likely consequences;
- The measures taken or proposed to mitigate possible adverse effects.
Hauly will reasonably cooperate with the Controller in any required notifications to Supervisory Authorities or Data Subjects.
Audits
Hauly will make available to the Controller all information necessary to demonstrate compliance with this DPA and the GDPR. Upon reasonable prior written request and no more than once per year (except where required by a Supervisory Authority or following a Personal Data Breach), Hauly will allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller. Audits are conducted at the Controller's expense and subject to reasonable confidentiality obligations.
Independent third-party audit reports (e.g. SOC 2, ISO 27001) of Hauly's Subprocessors may be made available to satisfy this obligation in part.
International transfers
To the extent that Hauly transfers Customer Personal Data outside the European Economic Area, it will do so only on the basis of an adequacy decision or, in its absence, the European Commission's Standard Contractual Clauses (Module 2 or 3, as applicable), supplemented by appropriate technical and contractual measures.
Return & deletion
Upon termination of the Service, and at the Controller's choice, Hauly will return all Customer Personal Data or delete it, including all copies, within 30 days, unless EU or Member State law requires storage of the Personal Data. Backups containing Customer Personal Data will be deleted in accordance with Hauly's standard backup retention schedule, not exceeding 90 days.
Term
This DPA will remain in effect for the term of the Agreement and any period thereafter during which Hauly processes Customer Personal Data on behalf of the Controller.
Annex I — Description of processing
A. Categories of Data Subjects
- Authorised users of the Controller's Hauly workspace (employees, contractors, agents);
- Any third-party individuals whose Personal Data the Controller submits through the Service (to be specified by the Controller in writing).
B. Categories of Personal Data
- Identifiers (name, email address, role);
- Account & authentication data;
- Content submitted to the Service (prompts, files, configuration);
- Usage and technical metadata (IP address, User-Agent, timestamps).
C. Special categories
The Service is not intended for the processing of special categories of Personal Data (GDPR Art. 9). The Controller must not submit such data unless agreed in writing.
D. Nature & purpose of processing
Hosting, storing, securing, and displaying Customer Content; performing AI-assisted operations requested by the Controller; providing customer support; and complying with legal obligations.
E. Duration
For the duration of the Agreement plus any deletion/return period set out in Section 12.
Annex II — Technical & organisational measures
- Encryption — TLS 1.3 in transit; encryption at rest provided by Subprocessors (AES-256 or equivalent).
- Access control — Role-based access; principle of least privilege; mandatory MFA for all administrative access.
- Database isolation — Row Level Security on all customer-scoped tables; tenant boundaries enforced at the database layer.
- Network controls — Strict Content Security Policy, HSTS, frame-ancestors restrictions, origin allow-listing on API endpoints.
- Logging & monitoring — Structured request logs with no message-content retention; rate limiting per IP; alerting on anomalous access patterns.
- Personnel — Background checks, confidentiality undertakings, and regular security training.
- Vendor management — Written DPAs and SCCs with each Subprocessor; periodic review of certifications.
- Incident response — Documented runbook; 72-hour notification target; post-incident review.
- Backups & resilience — Encrypted, geographically distributed backups managed by Subprocessors; defined RPO/RTO targets.
- Data minimisation — Collect only what is necessary; configurable retention; secure deletion on termination.