Data Processing Addendum (DPA) - Partner/Reseller
Last Updated: May 2026
1. Scope, Order of Precedence and Parties
This DATA PROCESSING ADDENDUM (“DPA”) applies to the Processing of Personal Data by Hypori, Inc. on Your behalf as a Partner or Reseller when providing Hypori products (“Products”) and technical support services or consulting services (“Services”), including where You resell, distribute, integrate, or otherwise make the Products available to End Customers.
The Products and Services are described in the relevant partner, reseller, distribution, referral, or similar agreement and the applicable Order for Products and Services (collectively, the “Agreement”).
In the event of a conflict between the terms of this DPA and the EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss Addendum (if applicable), the terms of the EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss Addendum (if applicable) shall control. For the avoidance of doubt, this order of precedence applies solely to data protection and privacy obligations and does not override commercial terms unless required by Applicable Data Protection Laws.
This DPA is between the Partner or Reseller (“You”) and the Hypori contracting entity (“Hypori,” “We,” “Us,” or “Our”) and is incorporated by reference into the Agreement.
2. Definitions
“Affiliate” means any subsidiary of Hypori, Inc. that may assist Hypori in the processing of Your Personal Data under this DPA that is bound by written obligations no less protective than those set out herein.
“Aggregate” means information that relates to a group or category of individuals, from which identities have been removed such that the information is not linked or reasonably linkable to any individual. Aggregate data does not constitute Personal Data for the purposes of this DPA.
“Applicable Data Protection Laws” means (i) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018, the Swiss Federal Act on Data Protection (“FADP”), and any laws or regulations implementing or supplementing the foregoing; and (ii) any other international, federal, state, provincial and local privacy or data protection laws.
“Controller” is a legally defined term that generally refers to the party that determines the purposes and means (the why and how) of the processing of Personal Data.
“Customer Content” means any data uploaded to a Hypori Product for storage or processing by You or by or on behalf of Your End Customers. Customer Content may include Personal Data.
“2021 EU Standard Contractual Clauses” or “2021 EU SCCs” means the contractual clauses annexed to the EU Commission Decision 2021/914/EU or any successor clauses approved by the EU Commission.
“End Customer” means any third-party customer, client, organization, or end user to whom You provide access to the Products, whether directly or indirectly.
“Partner” means the partner or reseller identified as “You” in this DPA, being the entity that has entered into the Agreement with Hypori for the purpose of reselling, distributing, integrating, or otherwise making the Products available to End Customers.
“Personal Data” means any Customer Content Processed in connection with the performance of Products and/or Services that can identify a unique individual, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of individuals, or as otherwise defined under Applicable Data Protection Laws.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed to perform the Products and/or Services that compromises the security of the Personal Data.
“Processor” is a legally defined term that generally refers to the party that processes Personal Data on behalf of the Controller.
“Sub-Processor” means any third party engaged by a Processor or another Sub-Processor to assist with the Processing of Personal Data for the performance of Products and/or Services under the Agreement.
“Swiss SCC Addendum” means the adaptation of the 2021 EU SCCs designed to ensure an adequate level of protection for data transfers from Switzerland to a third country subject to the FADP.
“Usage Data” means technical data collected from Your use of Hypori Products solely for the purposes expressly set out in this DPA and the Agreement, as further described in the relevant Product Documentation.
“UK Data Protection Laws” means the UK GDPR and the Data Protection Act 2018, or any successor UK data protection laws as updated, amended or replaced from time to time.
“UK SCC Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (vB1.0 or any subsequent version) issued by the UK Information Commissioner’s Office.
Terms used but not defined in this DPA (e.g., “Data Subject, Process/Processing, Processor, Controller”) shall have the same meaning as set forth in the Agreement or Applicable Data Protection Laws.
3. Roles as Controller and Processor
For purposes of this DPA, You act either as a Controller or as a Processor of the Personal Data Processed by Hypori under the terms of the Agreement, depending on the applicable data processing context.
You are responsible for complying with Your obligations as a Controller or Processor (as applicable) under Applicable Data Protection Laws governing Your provision of Personal Data to Us for the performance of the Products and/or Services, including without limitation obtaining any required consents, providing required notices, establishing a lawful basis for Processing, and responding promptly to any inquiries from a data protection authority.
Unless specified in the Agreement, You will not provide Us with access to any Personal Data that imposes specific data protection requirements greater than those agreed to in the Agreement and this DPA, and You will limit Our access to Personal Data as necessary for Your use of the Products and Services under the Agreement.
Hypori acts as a Processor where You act as a Controller. Where You act as a Processor of Personal Data on behalf of an End Customer, Hypori acts as a Sub-Processor.
Each party shall comply with their respective obligations as Controllers and Processors under Applicable Data Protection Laws.
4. Hypori’s Purpose of Processing
Hypori and any persons acting under its authority under this DPA, including Sub-Processors and Affiliates as described in Section 6, will process Personal Data only for the purposes of performing the Products and/or Services in accordance with Your documented instructions as specified in the Agreement, this DPA, Your Product configurations, and in accordance with Applicable Data Protection Laws. We may also aggregate and irreversibly anonymize Personal Data as part of the Products and/or Services solely to provide, secure, and operate Hypori Products and Services, and not to develop or improve Hypori’s products or services beyond what is necessary for the performance of the Agreement, unless otherwise agreed in writing, provided that such data cannot be re-identified and does not constitute Personal Data.
We will not disclose Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (a “Demand”) unless required by law, and even in that case, We will only disclose that portion of the Personal Data that is required to be disclosed pursuant to such Demand. We will, without undue delay, notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response to the Demand. We may provide Personal Data to Affiliates in connection with any contemplated or actual merger, acquisition, sale, bankruptcy, or other reorganization of some or all of Our business, subject to the obligation to protect Personal Data consistent with the terms of this DPA.
5. Data Subjects and Categories of Personal Data
You determine the Personal Data to which You provide Hypori access in connection with the use of the Products and/or Services. Hypori does not independently determine the categories of Personal Data processed and processes such data solely in accordance with Your instructions and configuration of the Products.
Categories of Data Subjects
Depending on Your use of the Products and Services, Personal Data may relate to the following categories of Data Subjects:
(a) Authorized users of the Products (including employees, contractors, and other end users designated by You); and
(b) Administrative users managing access to the Products on Your behalf.
Categories of Personal Data
The Personal Data processed by Hypori is limited to the extent necessary to provide secure access to applications, data, and services and may include:
(a) User Identification and Contact Details, such as name, work email address, organizational role, and user ID;
(b) Authentication and Access Information, such as certificates, tokens, or identifiers used to enable secure access (excluding plaintext passwords);
(c) Device and Session Data, including device identifiers, IP address, access logs, timestamps, and security-related telemetry;
(d) Customer-Configured Content, solely to the extent that such content is accessed, displayed, or transmitted through the Products in accordance with Your instructions; and
(e) Hypori Secure Messaging and Hypori Lyte for Secure Messaging Data, where Customer has enabled those services: message content and metadata (including sender identifier, recipient identifier, timestamp, and message length) stored within Customer’s designated security boundary; file attachments shared within the secure messaging environment; and user identifiers and authentication data associated with messaging accounts. This data is processed solely on behalf of Customer for the purpose of delivering the messaging service and supporting Customer’s audit, retention, and compliance requirements.
6. Sub-Processing
Subject to the terms of this DPA, You authorize Hypori to engage Sub-Processors and Affiliates to process Personal Data in connection with the provision of the Products and Services. Hypori shall ensure that any such Sub-Processor or Affiliate is bound by written obligations that provide at least the same level of data protection as required under this DPA and Applicable Data Protection Laws. Hypori remains fully responsible for the performance of its Sub-Processors in accordance with this DPA. Upon reasonable request, Hypori will make available information necessary to demonstrate compliance with this Section, including by providing a list of Sub-Processors upon written request and relevant third-party audit reports or certifications, where available.
Where Hypori is a Processor (and not a Sub-Processor), the following terms apply:
(a) If, based on reasonable grounds related to the inability of such Sub-Processor to protect Personal Data, You object to a new Sub-Processor, the parties shall discuss in good faith a commercially reasonable alternative. Where no such alternative is available, You may terminate the affected Service by providing written notice before the end of the notice period, including an explanation of the grounds for objection.
(b) If the affected Product and/or Service is part of a suite (or similar single purchase of Products and/or Services), termination shall apply only to the specific Product or Service affected by the Sub-Processor change, unless the Sub-Processor change materially affects the entire suite, in which case termination of the suite is permitted. After such termination, You shall remain obligated to make all payments required under any purchase order or other contractual obligation with any Reseller and/or Hypori for the non-terminated Products and Services, and shall not be entitled to any refund or return of payment for Products and Services already delivered.
7. International Transfer of Personal Data
Depending upon the Products and/or Services, You and Hypori may agree upon the location for storage of Personal Data. Notwithstanding the foregoing, subject to any agreed data residency commitments, We may transfer Personal Data to the United States and/or to other third countries where necessary to perform the Products and/or Services. You appoint Hypori to perform any such transfer to process Personal Data as necessary to provide the Services, and You authorize Hypori to carry out such transfers in accordance with Applicable Data Protection Laws and the transfer mechanisms set out in this DPA. We will follow the requirements of this DPA regardless of where such Personal Data is stored or Processed.
Where the Processing involves the international transfer of Personal Data of a resident(s) of a country within the EEA, Switzerland or UK to Hypori, Affiliates or Sub-Processors in a jurisdiction (i) that has not been deemed by the European Commission or the UK Information Commissioner’s Office to provide an adequate level of data protection, and (ii) there is not another legal basis for the international transfer of such Personal Data, such transfers are subject to either the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or Swiss SCC Addendum (as applicable) or other valid transfer mechanisms available under Applicable Data Protection Laws.
Where You are located in the United Kingdom, the transfer of personal data to Hypori, Inc. in the United States is made pursuant to the UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (UK SCC Addendum), issued by the Information Commissioner’s Office under S119A(1) of the Data Protection Act 2018. Hypori Ltd acts as the UK-established entity and data importer for UK-based processing. Hypori’s UK GDPR representative is Prior Analytics Ltd (d/b/a PrivacyAid), 590 Green Lanes, London, N13 5RY, [email protected].
Where You are located in the European Economic Area, Hypori’s EU GDPR Article 27 representative is EU Business Partners, 10 Ashe Street, Clonakilty, Co. Cork P85 E403, Ireland, [email protected].
For international transfers subject to:
(a) the GDPR, the Parties hereby incorporate by reference the 2021 EU SCCs in unmodified form (Module One where You and Hypori are both Controllers, Module Two where You are a Controller and Hypori is a Processor, or Module Three where You and Hypori are both Processors, as applicable);
(b) the UK Data Protection Laws, the Parties hereby incorporate by reference the UK SCC Addendum in unmodified form; and
(c) the FADP, the Parties hereby incorporate by reference the Swiss SCC Addendum.
The 2021 EU SCCs and the UK SCC Addendum shall be between You and Hypori, irrespective of Your location. For such purposes, You will act as the Data Exporter on Your behalf and on behalf of any of Your entities, and Hypori will act as the Data Importer on its own behalf and/or on behalf of its Affiliates. For purposes of Clause 7 of the 2021 EU SCCs, any acceding entity shall enforce its rights through You.
For the purposes of the Swiss SCC Addendum, (i) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the 2021 EU SCCs; (ii) the references to the GDPR should be understood as references to the FADP insofar as the data transfers are subject to the FADP; (iii) the Federal Data Protection and Information Commissioner of Switzerland shall be the competent supervisory authority in Annex I.C under Clause 13 of the 2021 EU SCCs, where the transfer of Personal Data is subject to the FADP.
In the event of any direct conflict between this DPA and the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or the Swiss SCC Addendum, the 2021 EU Standard Contractual Clauses, the UK SCC Addendum and/or the Swiss SCC Addendum (as applicable) shall prevail.
The information required for Annex I and Annex II of the 2021 EU SCCs, and the equivalent provisions of the UK SCC Addendum and Swiss SCC Addendum, is set out in Schedule 2 to this DPA.
8. Requests from Data Subjects
We will make available to You the Personal Data of Your Data Subjects and provide reasonable technical and organizational support to enable You to fulfill requests by Data Subjects to exercise one or more of their rights under Applicable Data Protection Laws, in a manner consistent with Our role as a Processor. We will provide reasonable assistance to help with Your response.
If We receive a request directly from Your Data Subject to exercise one or more of their rights under Applicable Data Protection Laws, We will direct the Data Subject to You, unless prohibited by law.
9. Security
We shall implement and maintain appropriate administrative, technical, and organizational practices designed to protect Personal Data against any misuse or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. Such security practices are consistent with Hypori’s written information security program, which is aligned to recognized industry standards including NIST-based controls appropriate to the applicable deployment model and subject to independent third-party assessment including SOC 2 Type II for commercial deployments and FedRAMP High for Government Cloud deployments, as further described in the applicable Agreement. We seek to continually strengthen and improve security practices and so reserve the right to modify the controls described herein. No modifications will diminish the level of security during the relevant term of Products and/or Services.
Our employees are bound by appropriate confidentiality agreements and required to take regular data protection training as well as comply with Our corporate privacy and security policies and procedures.
10. Personal Data Breach
We shall notify You without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach involving Personal Data in Our possession, custody or control, consistent with the notification obligations set forth in the applicable Agreement. Such notification shall at least: (i) describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Your Data Subjects concerned and the categories and approximate number of Personal Data records concerned; (ii) provide the name and contact details of the data protection officer (DPO) or other contact where more information can be obtained; and (iii) describe the measures taken or proposed to be taken to address the Personal Data Breach including, where appropriate, measures to mitigate its possible adverse effects. You will coordinate with Us on the content of any public statements or required notices to individuals and/or Supervisory Authorities.
Notwithstanding the foregoing, Hypori’s notification obligation may be delayed where required by applicable law or at the instruction of a law enforcement or government authority, for so long as such delay is required, after which Hypori will notify You as soon as legally permissible.
11. Your Instructions and Providing Information & Assistance
You may provide additional instructions to Us related to the Processing of Personal Data that are necessary for You and Hypori to comply with our respective obligations under Applicable Data Protection Laws as Controller and Processor. We will comply with Your instructions, provided that if Your instructions impose costs on Us beyond those included in the scope of Products and/or Services under the Agreement, the parties agree to negotiate in good faith to determine the additional costs. We will promptly inform You if We believe that Your instructions are not consistent with Applicable Data Protection Laws, provided that We will not be obligated to independently inspect or verify Your Processing of Personal Data.
We will provide You with information reasonably necessary to assist You in enabling Your compliance with Your obligations under Applicable Data Protection Laws, including without limitation Our obligations as a Processor under such laws to implement appropriate data security measures, assist with data protection impact assessments and consult competent supervisory or regulatory authorities (taking into account the nature of the Processing and the information available to Us), and as further specified in this DPA.
12. Return and Deletion of Personal Data
Upon termination or expiry of the Agreement, Hypori shall, on Your instruction, delete Personal Data Processed on Your behalf or make such Personal Data available for retrieval, except where retention is required by applicable law or where such Personal Data is contained in backup systems subject to automated deletion in accordance with Hypori’s standard backup retention schedule.
Where applicable, You may request access to retrieve Personal Data from technical support for a period of up to 30 calendar days following termination of the Agreement, after which Hypori shall delete or render permanently inaccessible Personal Data, except where retention is required by applicable law.
Hypori shall continue to protect any Personal Data retained pursuant to applicable law in accordance with the security and confidentiality obligations set out in this DPA and, upon reasonable request, shall provide written confirmation of deletion.
13. Audit
Hypori shall make available to You, upon reasonable request, information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws, including relevant policies, procedures, and independent third-party audit reports or certifications, where available.
Hypori will cooperate with reasonable and proportionate audits conducted by You or a third party mandated by You, subject to mutually agreed scope, timing, and confidentiality obligations, and conducted in a manner that minimizes disruption to Hypori’s business. Hypori may satisfy audit obligations through the provision of independent third-party audit reports or certifications where available and where such reports adequately address the subject matter of the requested audit. Where, and solely to the extent, required by Applicable Data Protection Laws, and where the information made available by Hypori is insufficient to demonstrate compliance, Hypori will cooperate with a reasonable and proportionate audit, subject to mutually agreed scope, timing, and confidentiality obligations, and conducted in a manner that minimizes disruption to Hypori’s business.
Any audit findings shall be treated as confidential information and used solely for the purpose of assessing compliance with this DPA and Applicable Data Protection Laws.
14. Privacy Contact
You may contact Our global Chief Privacy Officer and privacy team c/o Hypori, Inc., 1801 Robert Fulton Drive, Suite 340, Reston VA 20191, USA, [email protected]. If you have appointed a Data Protection Officer, you may include their contact information in your order for Products and Services.
15. Term
This DPA becomes effective upon Your purchase of the Products and Services. Termination of the Agreement does not relieve either party of its obligations under this DPA with respect to Personal Data processed prior to termination. The obligations of this DPA shall survive termination of the Agreement until all Personal Data has been deleted or returned in accordance with the Return and Deletion section of this DPA.
SCHEDULE 1 – END CUSTOMER FLOW-DOWN OBLIGATIONS
Where You provide access to the Products to an End Customer and You act as a Processor on behalf of that End Customer, You shall:
1. Contractual Flow-Down. Enter into a legally binding written agreement with the End Customer that imposes data protection obligations no less protective than those set out in this DPA, including obligations equivalent to Articles 28(3) and 32 of the GDPR (where applicable).
2. Sub-Processing Authorization. Ensure that such agreement expressly authorizes You to appoint Hypori as a Sub-Processor (where You act as a Processor) or as a Processor (where You act as a Controller) for the purposes of providing the Products and Services.
3. Transparency to End Customers. Ensure that End Customers are informed that Hypori Processes Personal Data as a Sub-Processor and that international transfers may occur in accordance with the International Transfer of Personal Data section of this DPA.
4. Allocation of Responsibility. Remain fully responsible for compliance with Applicable Data Protection Laws in respect of End Customer Personal Data, including handling Data Subject requests and communications with supervisory authorities.
5. No Direct Obligations on Hypori. Ensure that no End Customer agreement purports to impose obligations directly on Hypori unless expressly agreed in writing by Hypori.
Where an End Customer is a U.S. Government agency or government contractor subject to federal data protection requirements including FISMA, DFARS 252.204-7012, or FedRAMP, You are responsible for ensuring that the applicable agreement with such End Customer addresses those requirements. The obligations in this Schedule are in addition to, and do not limit, any applicable federal data protection requirements.
SCHEDULE 2 — ANNEX INFORMATION FOR STANDARD CONTRACTUAL CLAUSES
This Schedule satisfies the requirements of Annex I and Annex II of the 2021 EU SCCs, the UK SCC Addendum, and the Swiss SCC Addendum.
A. LIST OF PARTIES
Data Exporter: Partner or Reseller, as identified in the applicable Agreement. Contact details: as specified in the applicable Agreement or Order.
Data Importer: Hypori, Inc., 1801 Robert Fulton Drive, Suite 340, Reston VA 20191, USA. Contact: [email protected].
Where Processing is Carried Out by or Through Hypori’s UK Operations: Hypori Ltd (UK entity), acts as an Affiliate of Hypori, Inc. assisting in the performance of the Products and Services, and is bound by data protection obligations no less protective than those set out in this DPA.
UK GDPR Representative: Prior Analytics Ltd (d/b/a PrivacyAid), 590 Green Lanes, London, N13 5RY, [email protected].
EU GDPR Article 27 Representative: EU Business Partners, 10 Ashe Street, Clonakilty, Co. Cork P85 E403, IRELAND, [email protected].
B. DESCRIPTION OF TRANSFER
Categories of Data Subjects and Personal Data: As described in the Data Subjects and Categories of Personal Data section of this DPA and Hypori’s Privacy Statement in Connection with the Use of Hypori Products, available at hypori.com/privacy. Where You act as a Processor on behalf of an End Customer, the categories of data subjects and personal data are determined by the relevant End Customer and may extend beyond those described in this DPA.
Sensitive Data: None, unless You or an End Customer configures the Products to process sensitive data, in which case You are responsible for ensuring an appropriate legal basis for such processing.
Frequency of Transfer: Continuous, for the duration of the Agreement.
Nature and Purpose of Processing: Provision of the Products and Services as described in the Agreement, including secure access, authentication, security monitoring, and technical support, and — where Partner or an End Customer has enabled Hypori Secure Messaging or Hypori Lyte for Secure Messaging — storage and delivery of encrypted messages, attachments, and metadata within Customer’s designated security boundary for the purpose of secure enterprise communication, audit, and compliance.
Retention Period: As described in the Return and Deletion section of this DPA.
Supervisory Authority: The supervisory authority of the EU member state in which the Data Exporter is established. Where the Data Exporter is not established in any EU member state but processes personal data of individuals located in the EU, the competent supervisory authority shall be determined by reference to the location of the data subjects or, where no other supervisory authority has jurisdiction, the Irish Data Protection Commission (Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland, [email protected]).
For UK transfers, the applicable supervisory authority is the Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom, [email protected], https://ico.org.uk.
For Swiss transfers, the applicable supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC), Feldeggweg 1, CH-3003 Berne, Switzerland, [email protected].
C. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Hypori implements and maintains technical and organizational measures consistent with its written information security program as described in the Security section of this DPA and the applicable Agreement, including access controls, encryption in transit and at rest, security monitoring, vulnerability management, incident response procedures, and personnel training. Current third-party assessment reports including SOC 2 Type II for commercial deployments and FedRAMP High for Government Cloud deployments are available upon request subject to applicable confidentiality obligations.
