Data Processing Agreement

Last updated: February 13, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between HAIEC Inc. (“Processor”) and the customer (“Controller”) for the provision of HAIEC's AI governance and compliance platform services (“Services”).

Applicability

This DPA applies when HAIEC processes personal data on behalf of a customer as defined under GDPR (EU) 2016/679, UK GDPR, or other applicable data protection legislation. This DPA supplements and is incorporated into HAIEC's Terms of Service.

1. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • “Processing” means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • “Controller” means the customer who determines the purposes and means of Processing.
  • “Processor” means HAIEC Inc., which processes Personal Data on behalf of the Controller.
  • “Sub-processor” means a third party engaged by HAIEC to process Personal Data.
  • “Data Subject” means the individual to whom Personal Data relates.

2. Scope of Processing

Categories of Data Subjects

  • Customer employees and authorized users
  • Individuals whose data is included in customer-uploaded compliance documents
  • Job candidates (NYC LL144 bias audit services only)

Types of Personal Data

  • Account information: name, email address, organization name
  • Authentication data: OAuth tokens (not stored; used transiently)
  • Usage data: IP addresses, browser information, feature usage
  • Compliance data: document contents uploaded by customer for assessment
  • NYC LL144 data: candidate demographic categories (hashed; raw PII not retained)

Purpose of Processing

  • Providing the HAIEC compliance platform services
  • Generating compliance assessments and reports
  • Maintaining audit trails and evidence records
  • Sending transactional communications (email notifications)
  • Processing payments (via Stripe; HAIEC does not store payment card data)

Duration of Processing

Personal Data is processed for the duration of the service agreement. Upon termination, data is deleted within 30 days unless retention is required by law.

3. Obligations of the Processor

HAIEC shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
  • Ensure that persons authorized to process Personal Data have committed to confidentiality.
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Security Practices).
  • Not engage another processor without prior written authorization of the Controller. Current sub-processors are listed at /subprocessors.
  • Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability).
  • Assist the Controller in ensuring compliance with obligations related to security, breach notification, and data protection impact assessments.
  • Delete or return all Personal Data upon termination of services, at the Controller's choice.
  • Make available all information necessary to demonstrate compliance and allow for audits.

4. Sub-processors

The Controller authorizes HAIEC to engage the sub-processors listed on our Subprocessor List.

HAIEC will notify the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object. If the Controller objects, HAIEC will make reasonable efforts to provide an alternative or the Controller may terminate the affected services.

HAIEC imposes data protection obligations on each sub-processor no less protective than those in this DPA.

5. International Data Transfers

HAIEC is based in the United States. Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland may be transferred to the United States.

For transfers subject to GDPR, HAIEC relies on:

  • Standard Contractual Clauses (SCCs): EU Commission Decision 2021/914 (Module Two: Controller to Processor).
  • UK Addendum: International Data Transfer Addendum to the EU SCCs, as issued by the UK ICO.

Copies of the applicable SCCs are available upon request.

6. Technical & Organizational Measures

HAIEC implements the security measures described in our Security Practices page, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Authentication via OAuth 2.0 with secure session management
  • Tenant isolation at the database query level
  • Rate limiting and abuse prevention
  • Audit logging of data access and modifications
  • Input validation and injection prevention
  • Error monitoring and incident detection

7. Data Breach Notification

HAIEC will notify the Controller without undue delay after becoming aware of a Personal Data breach. Notification will include:

  • Nature of the breach, including categories and approximate number of Data Subjects affected
  • Contact details for further information
  • Description of likely consequences
  • Description of measures taken or proposed to address the breach

For full details, see our Incident Response Plan.

8. Data Subject Rights

HAIEC will assist the Controller in fulfilling Data Subject requests, including:

  • Right of access (Article 15 GDPR)
  • Right to rectification (Article 16 GDPR)
  • Right to erasure (Article 17 GDPR)
  • Right to restriction of processing (Article 18 GDPR)
  • Right to data portability (Article 20 GDPR)
  • Right to object (Article 21 GDPR)

Data Subject requests should be directed to the Controller. If HAIEC receives a request directly, we will redirect the Data Subject to the Controller unless legally required to respond.

9. Termination & Data Deletion

Upon termination of the service agreement, HAIEC will:

  • Delete all Personal Data within 30 days, unless retention is required by applicable law
  • Provide data export upon request before deletion
  • Certify deletion upon Controller's request

Execute This DPA

To execute this DPA or request a signed copy, contact: