Data Processing Addendum (DPA)

1. Scope, Order of Precedence and Parties
This DATA PROCESSING ADDENDUM (“DPA”) applies to the Processing of Personal Data by Hypori, Inc. on Your behalf when providing Hypori products (“Products”) and technical support services or consulting services (“Services”). The Products and Services are described in the relevant license and/or services agreement and the applicable order for Products and Services (collectively, the “Agreement”). In the event of a conflict between the terms of this DPA and the EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss Addendum (if applicable), the terms of the EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss Addendum (if applicable) shall control. For the avoidance of doubt, this order of precedence applies solely to data protection and privacy obligations and does not override commercial terms unless required by Applicable Data Protection Laws.
This DPA is between the end-user customer (“You”) and the Hypori contracting entity (“Hypori,” “We,” “Us,” or “Our”) and is incorporated by reference into the Agreement.
2. Definitions
“Affiliate” means any subsidiary of Hypori, Inc. that may assist Hypori in the processing of Your Personal Data under this DPA that is bound by written obligations no less protective than those set out herein.
“Aggregate” means information that relates to a group or category of individuals, from which identities have been removed such that the information is not linked or reasonably linkable to any individual subject to Applicable Data Protection Laws. Aggregate data does not constitute Personal Data for the purposes of this DPA.
“Applicable Data Protection Laws” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (“FADP”), and any laws or regulations implementing or supplementing the foregoing; and (ii) any other international, federal, state, provincial and local privacy or data protection laws.
“Controller” is a legally defined term that generally refers to the party that determines the purposes and means (the why and how) of the processing of Personal Data.
“Customer Content” means any data uploaded to a Hypori Product for storage or processing. Customer Content may include Personal Data.
“2021 EU Standard Contractual Clauses” or “2021 EU SCCs” means the contractual clauses annexed to the EU Commission Decision 2021/914/EU or any successor clauses approved by the EU Commission.
“Personal Data” means any Customer Content Processed in connection with the performance of Products and/or Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of individuals, or as otherwise defined under Applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed to perform the Products and/or Services that compromises the security of the Personal Data.
“Processor” is a legally defined term that generally refers to the party that processes Personal Data on behalf of the Controller.
“Sub-Processor” means any third party engaged by a Processor or another Sub-Processor to assist with the Processing of Personal Data for the performance of Products and/or Services under the Agreement.
“Swiss SCC Addendum” means the adaptation of the 2021 EU SCCs designed to ensure an adequate level of protection for data transfers from Switzerland to a third country subject to the FADP.
“Usage Data” means technical data collected from Your use of Hypori Products solely for the purposes expressly set out in this DPA and the Agreement, as further described in the relevant Product Documentation.
“UK Data Protection Laws” means the UK GDPR and the Data Protection Act 2018, or any successor UK data protection laws as updated, amended or replaced from time to time.
“UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (vB1.0 or any subsequent version) issued by the UK Information Commissioner’s Office.
Terms used but not defined in this DPA (e.g., “Business Purpose, Consumer, Controller, Data Subject, Process/Processing, Processor”) shall have the same meaning as set forth in the Agreement or Applicable Data Protection Laws.
3. Roles as Controller and Processor
For purposes of this DPA, You are the Controller of the Personal Data Processed by Hypori under the terms of the Agreement. You are responsible for complying with Your obligations as a Controller under Applicable Data Protection Laws governing Your provision of Personal Data to Us for the performance of the Products and/or Services, including without limitation obtaining any consents, providing any notices, otherwise establishing the required legal basis, and responding promptly to any inquiries from a data protection authority. Unless specified in the Agreement, You will not provide Us with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA, and You will limit Our access to Personal Data as necessary for Your use of the Products and Services under the Agreement.
Hypori is the Processor and service provider with respect to such Personal Data, except when You act as a Processor of Personal Data, in which case We are a Sub-Processor.
Hypori acts as an independent Controller with respect to Usage Data and is responsible for the Processing of such Usage Data solely for its legitimate business interests, such as measuring Customer’s use of Hypori Products in accordance with the Agreement and this DPA.
Each party shall comply with their respective obligations as Controllers and Processors under Applicable Data Protection Laws.
4. Hypori’s Purpose of Processing
Hypori and any persons acting under its authority under this DPA, including Sub-Processors and Affiliates as described in Section 6, will process Personal Data only for the purposes of performing the Products and/or Services in accordance with Your documented instructions as specified in the Agreement, this DPA, Your Product configurations, and in accordance with Applicable Data Protection Laws. We may also aggregate and irreversibly anonymize Personal Data as part of the Products and/or Services to provide, secure, and enhance Hypori Products and Services, provided that such data cannot be re-identified and does not constitute Personal Data.
We will not disclose Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (a “Demand”) unless required by law, and even in that case, We will only disclose that portion of the Personal Data that is required to be disclosed pursuant to such Demand. We will, without undue delay, notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response to the Demand. We may provide Personal Data to Affiliates in connection with any contemplated or actual merger, acquisition, sale, bankruptcy, or other reorganization of some or all of its business, subject to the obligation to protect Personal Data consistent with the terms of this DPA.
5. Data Subjects and Categories of Personal Data
You determine the Personal Data to which You provide Hypori access in connection with the use of the Products and/or Services. Hypori does not independently determine the categories of Personal Data processed and processes such data solely in accordance with Your instructions and configuration of the Products.
- Categories of Data Subjects
Depending on Your use of the Products and Services, Personal Data may relate to the following categories of Data Subjects:
- Authorised users of the Products (including employees, contractors, and other end users designated by You); and
- Administrative users managing access to the Products on Your behalf.
- Categories of Personal Data
The Personal Data processed by Hypori is limited to the extent necessary to provide secure access to applications, data, and services and may include:
- User identification and contact details, such as name, work email address, organisational role, and user ID;
- Authentication and access information, such as certificates, tokens, or identifiers used to enable secure access (excluding plaintext passwords);
- Device and session data, including device identifiers, IP address, access logs, timestamps, and security-related telemetry; and
- Customer-configured content, solely to the extent that such content is accessed, displayed, or transmitted through the Products in accordance with Your instructions.
6. Sub-Processing
Subject to the terms of this DPA, You authorize Hypori to engage Sub-Processors and Affiliates to process Personal Data in connection with the provision of the Products and Services. Hypori shall ensure that any such Sub-Processor or Affiliate is bound by written obligations that provide at least the same level of data protection as required under this DPA and Applicable Data Protection Laws. Hypori remains fully responsible for the performance of its Sub-Processors in accordance with this DPA. Upon reasonable request, Hypori will make available information necessary to demonstrate compliance with this Section, including by providing a list of Sub-Processors and relevant third-party audit reports or certifications, where available.
Where Hypori is a Processor (and not a Sub-Processor), the following terms apply:
- If, based on reasonable grounds related to the inability of such Sub-Processor to protect Personal Data, You object to a new Sub-Processor, the parties shall discuss in good faith a commercially reasonable alternative. Where no such alternative is available, You may terminate the affected Service by providing written notice before the end of the notice period, including an explanation of the grounds for objection.
- If the affected Product and/or Service is part of a suite (or similar single purchase of Products and/or Services), then any such termination will apply to the entire suite. After such termination, You shall remain obligated to make all payments required under any purchase order or other contractual obligation with any Reseller and/or Hypori and shall not be entitled to any refund or return of payment from the Reseller and/or Hypori.
7. International Transfer of Personal Data
Depending upon the Products and/or Services, You and Hypori may agree upon the location for storage of Personal Data. Notwithstanding the foregoing, subject to any agreed data residency commitments, We may transfer Personal Data to the United States and/or to other third countries where necessary to perform the Products and/or Services. You appoint Hypori to perform any such transfer to process Personal Data as necessary to provide the Services, and You authorize Hypori to carry out such transfers in accordance with Applicable Data Protection Laws and the transfer mechanisms set out in this DPA. We will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.
Where the Processing involves the international transfer of Personal Data of a resident(s) of a country within the EEA, Switzerland or UK to Hypori, Affiliates or Sub-Processors in a jurisdiction (i) that has not been deemed by the European Commission or the UK Information Commissioner’s Office to provide an adequate level of data protection, and (ii) there is not another legal basis for the international transfer of such Personal Data, such transfers are subject to either the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss SCC Addendum (as applicable) or other valid transfer mechanisms available under Applicable Data Protection Laws.
For international transfers subject to:
- the GDPR, the Parties hereby incorporate by reference the 2021 EU SCCs in unmodified form (Module One where You and Hypori are both Controllers, Module Two where You are a Controller and Hypori is a Processor, or Module Three where You and Hypori are both Processors, as applicable);
- the UK Data Protection Laws, the Parties hereby incorporate by reference the UK SCC Addendum in unmodified form; and
- the FADP, the Parties hereby incorporate by reference the Swiss SCC Addendum.
The 2021 EU SCCs and the UK SCC Addendum shall be between You and Hypori, irrespective of Your location. For such purposes, You will act as the Data Exporter on Your behalf and on behalf of any of Your entities, and Hypori will act as the Data Importer on its own behalf and/or on behalf of its Affiliates. For purposes of Clause 7 of the 2021 EU SCCs, any acceding entity shall enforce its rights through You.
For the purposes of the Swiss SCC Addendum, (i) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 EU SCCs; (ii) the references to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP; (iii) the Federal Data Protection and Information Commissioner of Switzerland shall be the competent supervisory authority in Annex I.C under Clause 13 of the 2021 EU SCCs, where the transfer of Personal Data is subject to the FADP.
In the event of any direct conflict between this DPA and the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or the Swiss SCC Addendum, the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or the Swiss SCC Addendum (as applicable) shall prevail.
8. Requests from Data Subjects
We will make available to You the Personal Data of Your Data Subjects and provide reasonable technical and organisational support to enable You to fulfill requests by Data Subjects to exercise one or more of their rights under Applicable Data Protection Laws, in a manner consistent with Our role as a Processor. We will provide reasonable assistance to help with Your response.
If We receive a request directly from Your Data Subject to exercise one or more of their rights under Applicable Data Protection Laws, We will direct the Data Subject to You, unless prohibited by law.
9. Security
We shall implement and maintain appropriate administrative, technical, and organizational practices designed to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such security practices are set forth in the Hypori Security Exhibit, which is available at Exhibit A to Our End User License Agreement. We seek to continually strengthen and improve security practices and so reserve the right to modify the controls described herein. No modifications will diminish the level of security during the relevant term of Products and/or Services.
Our employees are bound by appropriate confidentiality agreements and required to take regular data protection training as well as comply with Our corporate privacy and security policies and procedures.
10. Personal Data Breach
We shall notify You without undue delay after becoming aware of a Personal Data Breach involving Personal Data in Our possession, custody or control. Such notification shall at least: (i) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Your Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) provide the name and contact details of the data protection officer (DPO) or other contact where more information can be obtained; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. You will coordinate with Us on the content of any public statements or required notices to individuals and/or Supervisory Authorities.
11. Your Instructions and Providing Information & Assistance
You may provide additional instructions to Us related to the Processing of Personal Data that are necessary for You and Hypori to comply with our respective obligations under Applicable Data Protection Laws as Controller and Processor. We will comply with Your instructions, provided that if Your instructions impose costs on Us beyond those included in the scope of Products and/or Services under the Agreement, the parties agree to negotiate in good faith to determine the additional costs. We will promptly inform You if We believe that Your instructions are not consistent with Applicable Data Protection Laws, provided that We will not be obligated to independently inspect or verify Your Processing of Personal Data.
We will provide You with information reasonably necessary to assist You in enabling Your compliance with Your obligations under Applicable Data Protection Laws, including without limitation Our obligations as a Processor under such laws to implement appropriate data security measures, assist with data protection impact assessments and consult competent supervisory or regulatory authorities (taking into account the nature of the Processing and the information available to Us), and as further specified in this DPA.
12. Return and Deletion of Personal Data
Upon termination or expiry of the Agreement, Hypori shall, on Your instruction, delete Personal Data Processed on Your behalf or make such Personal Data available for retrieval, to the extent technically feasible and consistent with the nature of the Products and Services.
Where applicable, You may request access to retrieve Personal Data from technical support for a period of up to 30 calendar days following termination of the Agreement, after which Hypori shall delete or render permanently inaccessible Personal Data, except where retention is required by applicable law.
Hypori shall continue to protect any Personal Data retained pursuant to applicable law in accordance with the security and confidentiality obligations set out in this DPA and, upon reasonable request, shall provide written confirmation of deletion.
13. Audit
Hypori shall make available to You, upon reasonable request, information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws, including relevant policies, procedures, and independent third-party audit reports or certifications, where available.
Hypori does not permit routine customer audits. Where, and solely to the extent, required by Applicable Data Protection Laws, and where the information made available by Hypori is insufficient to demonstrate compliance, Hypori will cooperate with a reasonable and proportionate audit, subject to mutually agreed scope, timing, and confidentiality obligations, and conducted in a manner that minimizes disruption to Hypori’s business.
Any audit findings shall be treated as confidential information and used solely for the purpose of assessing compliance with this DPA and Applicable Data Protection Laws.
14. Data Protection Officer
You may contact Our global Chief Privacy Officer and privacy team c/o Hypori, Inc., 1801 Robert Fulton Drive, Suite 340, Reston VA 20191, USA, [email protected]. If You have appointed a Data Protection Officer, You may include their contact information in Your order for Products and Services.
15. Term
This DPA becomes effective upon Your purchase of the Products and Services. Termination of the Agreement does not relieve either party of its obligations under this DPA.
