Data Processing Addendum

Draft — please review with counsel before offering to enterprise customers.

Status: Scaffolding. This page is a placeholder outline of the sections a DPA should cover — it is not a finished legal document. Before any enterprise contract references this URL, the content below must be replaced with terms reviewed and approved by your counsel (typical drafters: Cooley, Fenwick, Gunderson, or a privacy-specialist firm). A good starting point is the SCC-aligned templates published by the EDPB and the IAPP model DPA.

1. Parties and scope

This Data Processing Addendum ("DPA") forms part of the Terms of Service between Hiperlinks Inc. ("Hiperlinks", the processor) and the Customer identified in the applicable order form or sign-up flow (the controller), and applies whenever Hiperlinks processes Customer Personal Data on Customer's behalf.

2. Definitions

Terms such as "Personal Data", "Data Subject", "Processing", "Controller", "Processor", "Sub-processor", and "Supervisory Authority" have the meanings given in applicable Data Protection Law (GDPR, UK GDPR, CCPA/CPRA, and analogous frameworks).

3. Subject matter, duration, nature and purpose of processing

Hiperlinks processes Personal Data to provide the governance platform: ingesting Customer communications and documents, running AI-powered clause extraction and rule matching, coordinating signatory voting, producing memos, and maintaining an audit trail. Processing continues for the duration of the agreement and any post-termination retention window required by law.

Types of Personal Data typically processed: names, email addresses, organisational roles, voting records, message content from connected sources (Gmail, Slack, Calendar), and any Personal Data contained in uploaded governance documents.

4. Controller and processor obligations

Customer (controller) determines the purposes and means of processing, provides lawful instructions, and warrants a valid legal basis for transfers to Hiperlinks. Hiperlinks (processor) processes only on documented Customer instructions, ensures confidentiality of processing personnel, and implements appropriate technical and organisational measures (see Annex II).

5. Sub-processors

Customer authorises Hiperlinks to engage the sub-processors listed in Annex III (currently: AWS, Resend, Stripe, Anthropic, OpenAI, Vercel, Railway, Google). Hiperlinks will give at least 30 days' notice of new sub-processors and allow Customer to object on reasonable grounds.

6. International transfers

Where Personal Data is transferred outside the EEA/UK, Hiperlinks relies on the Standard Contractual Clauses (Module Two: Controller-to-Processor) and the UK IDTA as appropriate. Customer hereby enters into the SCCs with Hiperlinks and any downstream sub-processor as required.

7. Data subject rights

Hiperlinks will assist Customer in responding to Data Subject access, rectification, erasure, restriction, portability, and objection requests, taking into account the nature of the processing and information available to Hiperlinks.

8. Security incidents

Hiperlinks will notify Customer without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data breach, providing the information reasonably required for Customer's own notification obligations.

9. Audit rights

Hiperlinks will make available to Customer all information necessary to demonstrate compliance with this DPA and allow for audits, conducted by Customer or its auditor, once per year on reasonable notice during business hours, subject to confidentiality obligations and at Customer's expense.

10. Return or deletion of data

On termination, Hiperlinks will, at Customer's option, return or delete all Customer Personal Data within 30 days, subject to limited retention required by law or for legitimate business purposes (e.g., anti-fraud, tax records).

11. Liability and order of precedence

Liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict between this DPA and the Terms solely with respect to Personal Data processing, this DPA prevails.

Annex I — Details of processing

[To be completed in the order form: categories of data subjects, categories of personal data, nature and purpose of processing, duration, and recipients.]

Annex II — Technical and organisational measures

[Describe: encryption at rest + in transit, access controls, logging and monitoring, secure development lifecycle, incident response, vulnerability management, personnel security, physical security, business continuity. Hiperlinks currently relies on: TLS for transit, managed-database encryption at rest, role-based access, Sentry for error tracking, and webhook signature verification for all inbound provider events.]

Annex III — Authorised sub-processors

  • Amazon Web Services (S3 document storage; US)
  • Railway / Neon (application + database hosting; US)
  • Vercel (web hosting; US)
  • Stripe (payments; US)
  • Resend (transactional email; US)
  • Anthropic (LLM for extraction + chat; US)
  • OpenAI (embeddings; US)
  • Google (OAuth + Gmail/Calendar connector; US)

Contact

DPA-related questions, including sub-processor objections and audit requests: legal@hiperlinks.io.

This DPA is a drafting scaffold for the Hiperlinks beta. Enterprise contracts should replace this template with counsel-reviewed terms, aligned with the applicable SCCs and any customer-specific addenda.