
Data Processing Addendum

Last updated: June 2026

Template / illustrative — not legal advice; final language pending counsel.

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer") and HiveKey, Inc. ("HiveKey") and governs the processing of personal data in connection with the Service.

1. Roles & definitions

For personal data processed through the Service, Customer is the controller (or processor acting on behalf of its own controllers) and HiveKey is the processor (or subprocessor). Terms such as "controller", "processor", "personal data", and "processing" have the meanings given in applicable data protection law, including the GDPR and CCPA.

2. Scope & duration

HiveKey will process personal data only on documented instructions from Customer — including those set out in the agreement and this DPA — for the duration of the agreement and any subsequent deletion window. HiveKey will inform Customer if an instruction infringes applicable law.

3. Processing details

The subject matter, nature, purpose, data categories, and data subjects are described in the Annex below. HiveKey ensures that personnel authorized to process personal data are bound by confidentiality.

4. Subprocessors

Customer authorizes HiveKey to engage subprocessors to provide the Service. A current list is maintained at /legal/subprocessors. HiveKey imposes data protection obligations on each subprocessor no less protective than this DPA and remains responsible for their performance. HiveKey will give notice of new subprocessors and a reasonable window to object.

5. Security measures

HiveKey maintains appropriate technical and organizational measures, including:

  • Encryption of personal data in transit and at rest.
  • Role-based access control and least-privilege provisioning.
  • Network segmentation, logging, and continuous monitoring.
  • Secure software development and regular vulnerability testing.
  • Business continuity, backup, and incident response procedures.

6. Data subject requests

Taking into account the nature of the processing, HiveKey will assist Customer by appropriate measures to respond to requests from data subjects to exercise their rights. If HiveKey receives such a request directly, it will redirect the data subject to Customer unless legally required to respond.

7. Breach notification

HiveKey will notify Customer without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting Customer data, and will provide information reasonably required for Customer to meet its own notification obligations.

8. Audits

HiveKey will make available information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits. Independent third-party reports may be provided to satisfy audit requests where appropriate.

9. International transfers

Where processing involves a transfer of personal data outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree the EU Standard Contractual Clauses (SCCs) and the UK Addendum are incorporated by reference and apply to that transfer, with HiveKey as data importer.

10. Return & deletion

Upon termination, HiveKey will, at Customer's choice, return or delete personal data within a defined window, unless retention is required by law. Backups are purged on their ordinary cycle.

Annex: processing details

Subject matter: Provision of the HiveKey control plane for AI agents.
Duration: Term of the underlying agreement plus deletion window.
Nature & purpose: Routing, evaluating, and auditing agent actions per customer policy.
Categories of data: Account identifiers, action requests, policy decisions, audit metadata.
Data subjects: Customer personnel, end users, and individuals referenced in agent actions.
Special categories: Not intended; customer must not submit special-category data without agreement.

Questions about this DPA? Email privacy@hivekey.ai.