Hex Data Processing Addendum

Last Modified: May 1, 2026

This Data Processing Addendum (this "DPA"), forms part of the agreement(s) between Customer and Hex Technologies Inc. ("Hex"), covering Customer's use of the Services to which this Addendum is incorporated (the "Agreement") and is effective upon its incorporation into the Agreement, as specified in the Agreement itself or in any Order ("Effective Date"). Hex and Customer may be referred to herein collectively as the "Parties" or individually as a "Party."

Customer enters into this DPA on behalf of itself and its Authorized Affiliates to the extent Hex Processes Customer Personal Data in performance of the Services for such Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise in this DPA, the term "Customer" will include Customer and its Authorized Affiliates.

HOW THIS DPA APPLIES

This DPA is binding on the Parties only to the extent applicable Data Protection Laws govern the Processing of Customer Personal Data in performance of the Services. This DPA is fully incorporated into and made a part of the Agreement. This DPA replaces any existing terms, exhibits, schedules, appendices, addendums, or other attachments related to the Processing of Customer Personal Data unless otherwise expressly stated in this DPA. In the event of any inconsistency between the terms of this DPA and any terms of the Agreement with respect to Customer Personal Data, the terms of this DPA will govern and control.

DATA PROCESSING TERMS

The Parties agree that the terms of this DPA govern the Processing of Customer Personal Data in performance of the Services. Each Party, acting reasonably and in good faith, will comply with the terms of this DPA. Any other Processing of Personal Data with respect to Customer and Customer's users conducted by Hex as a Data Controller, including business relationship administration and system security, will be carried out in accordance with Hex's then-current privacy policy located at the following hyperlink: https://learn.hex.tech/docs/legal/privacy (or any successor hyperlink).

1. Definitions and Interpretation

Capitalized terms used in this DPA shall have the meanings set forth in this Section 1 and elsewhere in this DPA. All other capitalized terms not defined in this DPA will have the meanings set forth in the Agreement. For purposes of this DPA: (i) the words "include," "includes," and "including" are deemed to be followed by the words "without limitation;" (ii) the word "or" is not exclusive; (iii) words denoting the singular have a comparable meaning when used in the plural, and vice-versa; and (iv) words denoting any gender include all genders.

1.1 "Affiliate" of a Party means any other entity that directly or indirectly, through one or more intermediaries, controls, is controlled by, or is under common control with, such Party. The term "control" (including the terms "controlled by" and "under common control with") means the direct or indirect power to direct or cause the direction of the management and policies of an entity, whether through the ownership of voting securities, by contract, or otherwise. An "Authorized Affiliate" is any Affiliate of Customer which is authorized by Customer to use the Services pursuant to the Agreement between Customer and Hex, but has not directly engaged with Hex to provide the Services and is not a "Customer" as defined under the Agreement.

1.2 "Authorized User" means an employee or contractor of Customer who is authorized by Customer to access and use the Services on behalf of and for the benefit of Customer.

1.3 "Customer Personal Data" means Personal Data Processed by Hex (or any Subprocessor) as a Data Processor on behalf of and at the direction of Customer in performance of the Services.

1.4 "Data Controller" (or equivalent term under applicable Data Protection Laws) means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

1.5 "Data Privacy Framework" or "DPF" means the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.

1.6 "Data Processor" (or equivalent term under applicable Data Protection Laws) means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of the Data Controller.

1.7 "Data Protection Laws" means any applicable laws or regulations governing the Processing of Customer Personal Data in performance of the Services, including, to the extent applicable, the European General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), the GDPR as it forms part of the UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (the "UK GDPR"), the Swiss Federal Act on Data Protection in its revised version of 25 September 2020 ("FADP"), the Singapore Personal Data Protection Act 2012 ("PDPA"), the Australian Privacy Act of 1988 (Cth) ("APA"), the Brazilian Personal Data Protection Law ("LGPD"), the Saudi Arabia Personal Data Protection Law implemented by Royal Decree M/19 of 9/2/1443H (16 September 2021) and amended by Royal Decree No. M147 of 5/9/1444H (27 March 2023) (the "KSA PDPL"), the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection ("UAE PDPL"), and the US State Privacy Laws.

1.8 "Data Subject" means an identified or identifiable natural person to whom Customer Personal Data relates. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

1.9 "Data Transfer Mechanism" means a mechanism that enables the lawful transfer of Personal Data to a third country in accordance with Data Protection Laws, including with respect to transfers of Personal Data from the EU, the UK, or Switzerland to the United States, the Data Privacy Framework, the Standard Contractual Clauses, and the UK International Data Transfer Addendum, as applicable in accordance with Section 11.

1.10 "HIPAA" means the Health Insurance Portability and Accountability Act ("HIPAA") of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009.

1.11 "Personal Data" means any information relating to a Data Subject that is subject to protection under applicable Data Protection Laws.

1.12 "Personal Data Breach" means a breach of Hex's security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data in Hex's possession, custody, or control. For the avoidance of doubt, a Personal Data Breach does not include any incident arising from Customer's acts or omissions, including misconfiguration of Customer Systems, unauthorized sharing of access credentials by Authorized Users, or actions taken by third-party integrations authorized by Customer. Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data (such as unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems).

1.13 "Processing" means any operation or set of operations that is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, retention, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.14 "Restricted Transfer" means: (a) a transfer or disclosure of Customer Personal Data from Customer to Hex; or (b) an onward transfer or disclosure of Customer Personal Data from Hex to a Subprocessor; in each case, where such transfer or disclosure would be prohibited by applicable Data Protection Laws in the absence of a Data Transfer Mechanism (as applicable).

1.15 "Services" means the services provided by Hex to Customer (or Customer's Authorized Affiliates, as the case may be) under the Agreement.

1.16 "Service Data" means any data relating to the use, support, and/or operation of the Services that is collected by Hex from and/or about Authorized Users of the Services and/or Customer's use of the Service for use for Hex's own purposes (certain of which may constitute Personal Data). Service Data includes Personal Data of Customer's business representatives.

1.17 "Special Data Categories" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, protected health information as defined under HIPAA, other data concerning a person's physical or mental health condition, diagnosis, history, treatment or other health data, health insurance information, pregnancy, data concerning a natural person's sex life or sexual orientation, status as transgender or non-binary, citizenship, citizenship or immigration status, union membership, status as a victim of crime, genetic, biometric, neural or biological data, personal information of children or teens, precise location information, Social Security number, driver's license number, state identification card number, passport number, other government-issued identification numbers, account login information, financial information or account number, tax return data, contents of a communication to which you were not a party, or any bulk U.S. sensitive personal data or U.S. government-related data, in each case as defined in the U.S. Department of Justice's Final Rule on Prohibition on Bulk Data Transfers to Foreign Adversaries (28 C.F.R. Part 202), as amended, or any successor or similar rule, law, or regulation, or such other types of information designated for heightened protection under applicable Data Protection Laws.

1.18 "Standard Contractual Clauses" or "SCCs" means the Commission Implementing Decision (EU) 2021/914 establishing Standard Contractual Clauses for data transfers to third countries (as amended, modified, or replaced from time to time). Specifically, the applicable modules within the Standard Contractual Clauses are MODULE TWO (Transfer Controller to Processor) and MODULE THREE (Transfer Processor to Processor). For the avoidance of doubt, MODULE ONE (Transfer Controller to Controller) and MODULE FOUR (Transfer Processor to Controller) do not apply to this DPA.

1.19 "Subprocessor" means a Data Processor engaged by Hex for the purpose of Processing Customer Personal Data in performance of the Services.

1.20 "Supervisory Authority" means the relevant governmental body or bodies having jurisdiction over the Processing of Customer Personal Data under this DPA.

1.21 "UK International Data Transfer Addendum" means the template Addendum B.1.0 issued by the UK Information Commissioner's Office (ICO) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the UK Mandatory Clauses included in Part 2 thereof.

1.22 "US State Privacy Laws" means, collectively, the comprehensive state-specific data privacy laws and their regulations currently in effect and applicable to Hex's Processing of Personal Data under the Agreement.

2. Processing of Customer Personal Data

2.1 Roles of the Parties. To the extent Hex Processes Customer Personal Data in performance of the Services, the Parties agree that Customer is the Data Controller and Hex is the Data Processor, with the exception of Service Data, as to which Hex is the Data Controller.

2.2 Hex as Data Processor. Hex, when acting as a Data Processor, will Process Customer Personal Data only on the documented instructions of Customer as provided in Section 2.5 and Section 2.6 of this DPA. Hex will not Process Customer Personal Data for any other purpose, except to the extent Processing of Customer Personal Data is required by applicable laws.

2.3 US State Privacy Law-Specific Terms. If Hex is Processing Customer Personal Data as a Data Processor within the scope of the US State Privacy Laws in performance of the Services, such Processing shall be subject to Annex 3 (US State Privacy Laws Annex) to this DPA.

2.4 Customer as Data Controller. Customer, as Data Controller, agrees that Customer:

a) is solely responsible for the accuracy, quality, and legality of Customer Personal Data, including the means by which Customer acquires Customer Personal Data;

b) is solely responsible for any registration, notice, or other authorization under applicable laws to engage Hex to perform the Services;

c) has the authority to transmit or disclose Customer Personal Data to Hex (or permit Hex to access Customer Personal Data); and

d) will provide Hex with lawful instructions with respect to the Processing of Customer Personal Data.

2.5 Customer's Instructions. Customer instructs Hex (and authorizes Hex to instruct each Subprocessor) to Process Customer Personal Data in performance of the Services, including any necessary Restricted Transfers. The Parties agree that the scope of Customer's instructions for the Processing of Customer Personal Data is defined by: (i) the Agreement; (ii) any applicable ordering documents, including service orders, order forms, statements of work, and product or service descriptions; (iii) this DPA; and (iv) any Modified Instructions (as defined in Section 2.6).

2.6 Modified Instructions. Customer may request amendments to Customer's instructions, where such amendments are required to ensure that Customer complies with applicable Data Protection Laws and Customer cannot achieve Customer's compliance with applicable Data Protection Laws unless Hex implements such instructions ("Modified Instructions"), by submitting a written request to Hex in accordance with the change control or amendment procedures set forth in the Agreement. Customer and Hex may mutually agree in writing to amend the Agreement to effect such Modified Instructions. If Hex notifies Customer that it is infeasible or impracticable to implement any Modified Instructions, Customer may terminate the applicable Service by providing Hex with written notice within thirty (30) days of Hex's notification and receive a prorated refund of prepaid fees applicable to the terminated Service for the period after termination. This Section 2.6 states Customer's sole and exclusive remedy, and Hex's sole liability, with regard to Modified Instructions.

2.7 Duty to Inform. To the extent required by applicable Data Protection Laws, Hex will inform Customer if, in Hex's opinion, any Customer instruction violates such applicable Data Protection Laws.

2.8 Details of the Processing of Customer Personal Data. The details of the Processing of Customer Personal Data are set forth in Annex 1 (Processing Details) to this DPA.

2.9 Processing of Special Data Categories/At-Risk Data. Any Processing of Special Data Categories/At-Risk Data is subject to mutual agreement of the Parties.

2.10 Protected Health Information. Customer shall not, and agrees to ensure its Authorized Users do not, provide or otherwise make available to Hex, through or while using the Services, any Customer Personal Data that contains any protected health information ("PHI") subject to HIPAA, unless specifically covered by an executed Business Associate Agreement ("BAA") between Customer and Hex. If Customer and Hex have entered into a BAA regarding the Processing of PHI subject to HIPAA, then in the event of any conflict between this DPA and the BAA regarding obligations for Customer Personal Data that is also PHI, the terms of the BAA shall apply to the Customer Personal Data that is also PHI. For the avoidance of doubt, this DPA does not apply to PHI that is processed subject to a BAA.

3. Confidentiality Obligations of Hex Personnel

3.1 Confidentiality Obligations of Hex Personnel. Hex will ensure that any person it authorizes to Process Customer Personal Data is: (a) subject to confidentiality and restricted use obligations that are no less protective than the confidentiality and restricted use obligations set forth in the Agreement; or (b) under an appropriate statutory obligation of confidentiality.

4. Information Security Program

4.1 Information Security Program. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Hex will in relation to Customer Personal Data implement a written information security program that includes technical and organizational measures designed to protect such Customer Personal Data against unauthorized access, use, disclosure, alteration, or destruction, including the measures set forth in Article 32(1) of the GDPR (and corresponding provisions of the UK GDPR) to the extent such measures are applicable to Hex's Processing of Customer Personal Data in performance of the Services ("Information Security Program"). As of the Effective Date of this DPA, a summary of such Information Security Program is set forth in the Hex Security Addendum available at https://learn.hex.tech/docs/legal/security-addendum ("Security Measures"). Hex may update the Information Security Program from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.

5. Subprocessing

5.1 Use of Subprocessors; Liability. Customer generally authorizes Hex to use Subprocessors, including Hex Affiliates, for the purpose of providing the Services. Hex will enter into a written agreement with each Subprocessor containing data protection obligations not less protective than those set forth in this DPA with respect to the Processing of Customer Personal Data. Hex will remain responsible for any Processing of Customer Personal Data by Subprocessors.

5.2 Initial Subprocessor List. Customer expressly authorizes the use of the Subprocessors listed on https://learn.hex.tech/docs/legal/subprocessors (the "Subprocessor List Site"). Hex may engage new Subprocessors in accordance with Section 5.3 (Notification) of this DPA.

5.3 Notification. Except in exigent circumstances such as if the Services will be severely disrupted if Hex does not engage a new Subprocessor in fewer than ten (10) days, Hex shall provide notification of a new Subprocessor(s) before authorizing any new Subprocessor(s) to Process Personal Data in connection with the provision of the applicable Services and post the name of the new Subprocessor(s) on the Subprocessor List Site. Customer is obliged to observe the Subprocessor List Site on an on-going basis and may, in connection with executing the Agreement or other documents that this DPA is appended to, register for updates of the Subprocessor List Site.

5.4 Customer's Right to Object to New Subprocessors. Customer will have ten (10) days from the date of an update to the Subprocessor List Site or any notice thereof to reasonably object to the engagement of any new Subprocessor by providing written notice to Hex. If Customer objects to the engagement of a new Subprocessor and the Parties cannot reach an agreement as to the use of the new Subprocessor, which shall not exceed thirty (30) days, Customer may terminate the portion of the Service for which the new Subprocessor is engaged and receive a prorated refund of prepaid fees applicable to the terminated portion of the Service for the period after termination as its sole and exclusive remedies. If Customer has not notified Hex of its objection within the time period set forth in this Section 5.4, Customer will be deemed to have approved the use of the new Subprocessor.

5.5 Automated Notification Mechanism. For purposes of providing notice in accordance with Sections 5.3 and 5.4 of this DPA, Hex may implement mechanisms by which Customer can receive automated notifications of new Subprocessor engagements (each, an "Automated Notification Mechanism") at no additional cost to Customer. If Hex implements an Automated Notification Mechanism, Hex will notify Customer and provide detailed instructions on the use of such Automated Notification Mechanism. Customer agrees to register for and use any Automated Notification Mechanism if it is made available by Hex.

5.6 Restricted Transfers to Subprocessors. To the extent Hex makes a Restricted Transfer to a Subprocessor, Hex will establish appropriate safeguards (e.g., use of a Data Transfer Mechanism) for such Restricted Transfer as required by applicable Data Protection Laws.

6.1 Data Subject Request Notification. Hex will promptly notify Customer if Hex receives a request from a Data Subject to exercise their rights under applicable Data Protection Laws with respect to Customer Personal Data.

6.2 Customer's Responsibility with respect to Data Subject Requests. Customer will be solely responsible for responding to requests, complaints, and all other communications from Data Subjects; provided, however, Hex may confirm to the Data Subject that Hex received their communication. To the extent that Customer can respond to such requests by using its access to Customer Personal Data or any "self-service" functionality of the Services, Customer will do so.

6.3 Assistance in Responding to Data Subject Requests. Upon Customer's written instruction and to the extent required by applicable Data Protection Laws, Hex will provide Customer with assistance to fulfill Customer's obligations to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws by implementing appropriate technical and organizational measures, insofar as it is possible, taking into account the nature of the Processing.

7. Assistance with Customer's Other Data Protection Rights and Obligations

7.1 Assistance Related to Customer's Other Data Protection Rights and Obligations. Taking into account the nature of the Processing and the information available to Hex, Hex will provide assistance required to be provided by Data Processors to Data Controllers under applicable Data Protection Laws, including the assistance required under Article 28(3) of the GDPR (and the corresponding provisions of the UK GDPR) to the extent such assistance is applicable to Hex's Processing of Customer Personal Data in performance of the Services.

7.2 Information Security Materials. Upon Customer's written request, Hex will make available to Customer the relevant information security materials for the applicable Service (the "Information Security Materials") through an access-restricted website in read-only format available at https://trust.hex.tech. The Information Security Materials are the Confidential Information of Hex. Hex may modify, amend, or replace the Information Security Materials without notice to Customer. To the extent available for the applicable Service, the Information Security Materials may contain the following:

a) A summary of any third-party audits or certifications relating to the security controls of the applicable Service, including any Service Organization Control (SOC) Type 2 reports and HIPAA attestations;

b) Hex's information security policies and standards; and

c) Any other published materials made available by Hex, which further describe Hex's principles, programs, and practices regarding information security and privacy, including those elements available at https://hex.tech/security/.

8. Customer Audit Rights

8.1 Customer Audit Rights. In order to satisfy any audit or inspection request by Customer under applicable Data Protection Laws or the Standard Contractual Clauses and/or UK International Data Transfer Addendum (if applicable), Hex will provide Customer with Information Security Materials set forth in Section 7 of this DPA and provide responses to Customer's reasonable requests for information in order to verify Hex's compliance with its obligations under this DPA.

9. Return or Deletion of Customer Personal Data

9.1 Return or Deletion of Customer Personal Data. Upon termination of the Agreement, Hex will delete, return, or provide Customer with a mechanism to allow Customer to obtain a copy of or delete all Customer Personal Data, except to the extent Hex or its Affiliates are required to retain such Customer Personal Data under applicable laws or document retention policies adopted in accordance with such laws; provided, however, the confidentiality and restricted use obligations set forth in the Agreement will continue to apply to such Customer Personal Data for the duration of such retention.

10. Personal Data Breach of Customer Personal Data

10.1 Personal Data Breach Notification. If Hex becomes aware of a Personal Data Breach of the Services involving Customer Personal Data, Hex will notify Customer of such Personal Data Breach without undue delay (no later than 48 hours) unless prohibited by law or as otherwise requested by a governmental authority.

10.2 Personal Data Breach Assistance. If Hex notifies Customer of a Personal Data Breach in accordance with Section 10.1 of this DPA, Hex will provide Customer with assistance in relation to handling a Supervisory Authority's request for information with respect to such Personal Data Breach as required by applicable Data Protection Laws.

11. Restricted Transfers

11.1 Restricted European Transfers. To the extent that Customer makes a Restricted Transfer of Personal Data originating from the EU, UK or Switzerland to Hex, the Parties agree that such transfer will be made in reliance on the Data Privacy Framework, to which Hex is certified. If Hex's DPF certification lapses or the DPF is no longer deemed a valid Data Transfer Mechanism for the applicable jurisdiction pursuant to any binding decree, law, or court order or because it is no longer deemed adequate by the applicable authority, then the Standard Contractual Clauses will apply to the transfer in accordance with Section 11.2.

11.2 Standard Contractual Clauses. To the extent that Customer makes a Restricted Transfer to Hex, including a Restricted Transfer of Personal Data originating from the EU, UK, or Switzerland for which the Data Privacy Framework is no longer deemed a valid Data Transfer Mechanism because Hex's DPF certification has lapsed or the DPF is no longer deemed a valid Data Transfer Mechanism for the applicable jurisdiction pursuant to any binding decree, law or court order or because it is no longer deemed adequate by the applicable authority, the Parties agree that the Standard Contractual Clauses will apply to such Restricted Transfer as described in Annex 2 (Restricted Transfer Annex).

12. LIMITATIONS OF LIABILITY

12.1. EACH PARTY'S AND ALL OF ITS AFFILIATES' LIABILITY, TAKEN TOGETHER IN THE AGGREGATE, ARISING OUT OF OR RELATED TO THIS DPA, AND ALL DPAS BETWEEN AUTHORIZED AFFILIATES AND HEX, WHETHER IN CONTRACT OR TORT UNDER ANY OTHER THEORY OF LIABILITY, IS SUBJECT TO THE 'LIMITATION OF LIABILITY' SECTION OF THE AGREEMENT, AND ANY REFERENCE IN SUCH SECTION TO THE LIABILITY OF A PARTY MEANS THE AGGREGATE LIABILITY OF THAT PARTY AND ALL OF ITS AFFILIATES UNDER THE AGREEMENT AND ALL DPAS TOGETHER.

12.2. FOR THE AVOIDANCE OF DOUBT, HEX'S AND ITS AFFILIATES' TOTAL LIABILITY FOR ALL CLAIMS FROM CUSTOMER AND ALL OF ITS AUTHORIZED AFFILIATES ARISING OUT OF OR RELATED TO THE AGREEMENT AND ALL DPAS SHALL APPLY IN THE AGGREGATE FOR ALL CLAIMS UNDER BOTH THE AGREEMENT AND ALL DPAS ESTABLISHED UNDER THIS AGREEMENT, INCLUDING BY CUSTOMER AND ALL AUTHORIZED AFFILIATES, AND, IN PARTICULAR, SHALL NOT BE UNDERSTOOD TO APPLY INDIVIDUALLY AND SEVERALLY TO CUSTOMER AND/OR TO ANY AUTHORIZED AFFILIATE THAT IS A CONTRACTUAL PARTY TO ANY SUCH DPA.

13. Service Data

13.1 Permitted Uses. Customer acknowledges that Hex may collect, use and disclose Service Data for its own business purposes: (i) for accounting, tax, billing, audit, and compliance purposes; (ii) to provide, improve, develop, optimise, market, and maintain the Services; (iii) to investigate fraud, spam, wrongful, or unlawful use of the Services; (iv) to combine Service Data with other data; (v) to de-identify Personal Data so the de-identified data can be used and disclosed by Hex for lawful business purposes; and/or (vi) as otherwise permitted or required by applicable law.

13.2 Processing of Service Data. In respect of any such Processing described in Section 13.1, Hex: (i) independently determines the purposes and means of such Processing; (ii) shall comply with Data Protection Laws (if and as applicable in the context); (iii) shall process requests from Data Subjects that are forwarded to Hex by Customer to the extent required by Data Protection Laws and upon request provide documentation to Customer that it has done so; (iv) shall Process such Service Data as described in Hex's relevant privacy notices/policies, as updated from time to time; and (v) where possible, shall apply technical and organizational safeguards to any relevant Personal Data that are no less protective than those described in the Security Measures.

14. Miscellaneous

14.1 Assistance Costs. To the extent legally permitted, Customer is responsible for the reasonable costs and fees associated with Hex's provision of assistance under this DPA and implementation of any Modified Instructions.

14.2 Expansion or Modification of Customer Audit Rights. For the avoidance of doubt, no provision in this DPA will be deemed to expand or modify the audit rights of Customer under the Agreement.

14.3 Choice of Law. Except with respect to the Standard Contractual Clauses, this DPA is governed by the laws that govern the Agreement, and any dispute between the Parties will be handled as set forth in the Agreement.

14.4 Entire Agreement; Amendments and Modifications. This DPA, together with all exhibits, schedules, addenda, and appendices attached to this DPA and any other documents incorporated into this DPA by reference, constitutes the sole and entire agreement of the Parties with respect to the subject matter of this DPA and supersedes all prior and contemporaneous understandings, agreements, and representations and warranties, both written and oral, with respect to such subject matter. Except as expressly provided in this DPA, the terms of the Agreement are and will remain in full force and effect. This DPA may only be amended by a written amendment that specifically references this DPA and the intent of the Parties to modify this DPA.

Annex 1: Data Processing Details

HEX / 'DATA IMPORTER' DETAILS

Name: Hex Technologies Inc., a U.S. corporation

Address: 2261 Market St #4233, San Francisco, CA 94114

Contact Details for Data Protection: [email protected]

Hex Activities: Processing to carry out the Services pursuant to the Agreement entered into between Customer and Hex.

Role: Processor (and Controller of Service Data)

CUSTOMER / 'DATA EXPORTER' DETAILS

Name: The entity or other person who is a counterparty to the Agreement.

Address: As specified on the applicable order form or subscription when Customer accepts the Agreement.

Contact Details for Data Protection: As specified on the applicable order form or subscription when Customer accepts the Agreement.

Customer Activities: Customer's activities relevant to this DPA are the use and receipt of the Services under and in accordance with, and for the purposes anticipated and permitted in, the Agreement as part of its ongoing business operations.

Role: Controller

Categories of Data Subjects: Relevant Data Subjects include any Data Subjects of Personal Data that Customer causes Hex to process as part of the provisions of the Service, including Authorized Users, as well as any other data subjects whose personal data may be included in Customer Personal Data to which the Customer provides Hex access in order to provide the Services.

Categories of Personal Data: Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  • Contacts – Such as name and email address from Customer's users and customers.

  • Interaction Information – On how users and customers of Customer use its services.

  • Database information – Personal Data stored in databases connected to Hex.

  • Input information – Personal Data contained in file uploads and customer inputs.

  • Device Information – E.g., IP address, user agent, browser settings from Customer's users and customers.

  • Third-Party Information – Additional information collected from public sources and third parties based on the information Customer's users and Customer have provided.

  • Additional Information – Other information, when and to the extent submitted to Customer by Customer's users and customers. For example, participation in a focus group, contest, request support, leave reviews, or otherwise communicate with Customer.

  • Cookie Information – Metadata from cookies.

Sensitive Categories of Data, and associated additional restrictions/safeguards:

  • Categories of sensitive data: None – as noted in Section 2.9 of the DPA, Customer agrees that Special Data Categories, which includes "sensitive data" (as defined in Clause 8.7 of the SCCs), must not be submitted to the Services unless as otherwise provided in writing.

  • Additional safeguards for sensitive data: N/A

Frequency of transfer: Ongoing – as initiated by Customer in and through its use, or use on its behalf, of the Services.

Nature of the Processing: Processing operations required in order to provide the Services in accordance with the Agreement.

Purpose of the Processing: as necessary to provide the Services as initiated by Customer in its use thereof, and to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA, specifically for the purposes of collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.

Duration of Processing / Retention Period: For the period determined in accordance with the Agreement and DPA, including Section 9 of the DPA.

Transfers to (sub)processors: As set out in Section 5 of the DPA.

Annex 2: Restricted Transfer Annex

  1. RESTRICTED TRANSFERS

    1.1. EU Restricted Transfers

    To the extent that any Processing of Personal Data under this DPA involves the disclosure, grant of access, or other transfer of Personal Data when transferred from the EEA, to any person located in any country or territory outside the EEA that does not benefit from an adequacy decision from the European Commission (an "EU Restricted Transfer") or is not otherwise transferred in reliance on the DPF from Customer to Hex, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

    a. populated in accordance with Part 1 of Attachment 1 to Annex 2 (Restricted Transfer Annex); and

    b. entered into by the Parties and incorporated by reference into this DPA.

    1.2. UK Restricted Transfers

    To the extent that any Processing of Personal Data under this DPA involves the disclosure, grant of access, or other transfer of Personal Data when transferred from the UK, to any person located in any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a "UK Restricted Transfer") or is not otherwise transferred in reliance on the DPF from Customer to Hex, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

    a. varied to address the requirements of the UK GDPR in accordance with the UK International Data Transfer Addendum and populated in accordance with Part 2 of Attachment 1 to Annex 2 (Restricted Transfer Annex); and

    b. entered into by the Parties and incorporated by reference into this DPA.

    1.3. Swiss Restricted Transfers

    To the extent that any Processing of Personal Data under the DPA involves the disclosure, grant of access, or other transfer of Personal Data, when transferred from Switzerland, to any person located in a country or territory outside of Switzerland which does not benefit from an adequacy decision from the Swiss authorities (a "Swiss Restricted Transfer") or is not otherwise transferred in reliance on the DPF from Customer to Hex, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

    a. varied to address the requirements of the FADP and populated in accordance with Part 3 of Attachment 1; and

    b. entered into by the Parties and incorporated by reference in the DPA.

    Nothing in any applicable SCCs (as deemed amended pursuant to this Section 1.3) should be interpreted or construed in such a way as would limit or exclude the rights of Data Subjects under Clause 18(c) of those SCCs (as deemed amended pursuant to this Section 1.3) to bring legal proceedings before the courts in Switzerland where Switzerland is that Data Subject's place of habitual residence.

    1.4. Other Restricted Transfers

    To the extent that any Processing of Personal Data under this DPA involves a Restricted Transfer from Customer to Hex other than as described in Section 1.1, 1.2, or 1.3 above, the Parties shall comply with their respective obligations set out in the SCCs, which are hereby deemed to be:

    a. varied to address the requirements of applicable Data Protection Laws and populated in accordance with Part 4 of Attachment 1 to Annex 2 (Restricted Transfer Annex); and

    b. entered into by the Parties and incorporated by reference into this DPA.

    1.5. Adoption of new transfer mechanism

    Hex may on notice vary this DPA and replace the relevant SCCs with:

    a. any new form of the relevant SCCs or any replacement therefor prepared and populated accordingly (e.g., standard data protection clauses adopted by the European Commission for use specifically in respect of transfers to data importers subject to Article 3(2) of the EU GDPR); or

    b. another transfer mechanism, other than the SCCs, that enables the lawful transfer of Personal Data to Hex under this DPA in compliance with applicable Data Protection Laws.

    1.6. Provision of full-form SCCs

    In respect of any given Restricted Transfer, if requested of Customer by a Supervisory Authority, Data Subject or further Controller (where applicable) – on specific written request (made to the contact details set out in Annex 1 (Data Processing Details); accompanied by suitable supporting evidence of the relevant request), Hex shall provide Customer with an executed version of the relevant set(s) of SCCs responsive to the request made of Customer (amended and populated in accordance with Attachment 1 to Annex 2 (Restricted Transfer Annex) in respect of the relevant Restricted Transfer) for countersignature by Customer, onward provision to the relevant requestor and/or storage to evidence Customer's compliance with applicable Data Protection Laws.

    1.7. Operational clarifications

    a. When complying with its transparency obligations under Clause 8.3 of the SCCs, Customer agrees that it shall not provide or otherwise make available, and shall take all appropriate steps to protect, Hex's and its licensors' trade secrets, business secrets, confidential information, and/or other commercially sensitive information.

    b. Where applicable, for the purposes of Clause 10(a) of Module Three of the SCCs, Customer acknowledges and agrees that there are no circumstances in which it would be appropriate for Hex to notify any third-party controller of any Data Subject Request and that any such notification shall be the sole responsibility of Customer.

    c. For the purposes of Clause 15.1(a) of the SCCs, except to the extent prohibited by applicable law and/or the relevant public authority, as between the Parties, Customer agrees that it shall be solely responsible for making any notifications to relevant Data Subject(s) if and as required.

    d. The terms and conditions of Section 5 of the DPA apply in relation to Hex's appointment and use of Subprocessors under the SCCs. Any approval by Customer of Hex's appointment of a Subprocessor that is given expressly or deemed given pursuant to that Section 5 constitutes Customer's documented instructions to effect disclosures and onward transfers to any relevant Subprocessors if and as required under Clause 8.8 of the SCCs.

    e. The audits described in Clauses 8.9(c) and 8.9(d) of the SCCs shall be subject to any relevant terms and conditions detailed in Section 8 of the DPA.

    f. Certification of deletion of Personal Data as described in Clauses 8.5 and 16(d) of the SCCs shall be provided only upon Customer's written request.

Attachment 1: To Annex 2 (Restricted Transfer Annex)

POPULATION OF SCCs

Note

  • In the context of any EU Restricted Transfer, the SCCs populated in accordance with Part 1 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Section 1.1 of Annex 2 (Restricted Transfer Annex) to the DPA).

  • In the context of any UK Restricted Transfer, the SCCs as varied by the UK International Data Transfer Addendum and populated in accordance with Part 2 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Section 1.2 of Annex 2 (Restricted Transfer Annex) to the DPA).

  • In the context of any Swiss Restricted Transfer, the SCCs as varied and populated by Part 3 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Section 1.3 of Annex 2 (Restricted Transfer Annex) to the DPA).

  • In the context of any other Restricted Transfer, the SCCs as varied and populated by Part 4 of this Attachment 1 are incorporated by reference into and form an effective part of the DPA (if and where applicable in accordance with Section 1.4 of Annex 2 (Restricted Transfer Annex) to the DPA).

PART 1: POPULATION OF THE SCCs

  1. SIGNATURE OF THE SCCs:

    1.1. Where the SCCs apply in accordance with Section 1.1 of Annex 2 (Restricted Transfer Annex) to the DPA, each of the Parties is hereby deemed to have signed the SCCs at the relevant signature block in Annex I to the Appendix to the SCCs.

  2. MODULES

    2.1. The following modules of the SCCs apply in the manner set out below (having regard to the role(s) of Customer set out in Annex 1 (Data Processing Details) to the DPA):

    1. Module Two of the SCCs applies to any Restricted Transfer involving Processing of Personal Data in respect of which Customer is a Controller in its own right; and/or

    2. Module Three of the SCCs applies to any Restricted Transfer involving Processing of Personal Data in respect of which Customer is itself acting as a Processor on behalf of any other person.

  3. POPULATION OF THE BODY OF THE SCCs

    3.1. For each Module of the SCCs, the following applies as and where applicable to that Module and the Clauses thereof:

    a. The optional 'Docking Clause' in Clause 7 is not used and the body of that Clause 7 is left intentionally blank.

    b. In Clause 9:

    i. OPTION 2: GENERAL WRITTEN AUTHORISATION applies, and the minimum time period for advance notice of the addition or replacement of Subprocessors shall be the advance notice period set out in Section 5 of the DPA; and

    ii. OPTION 1: SPECIFIC PRIOR AUTHORISATION is not used and that optional language is deleted; as is, therefore, Annex III to the Appendix to the SCCs.

    c. In Clause 11, the optional language is not used and is deleted.

    d. For Clause 13 (Supervision), the Supervisory Authority with responsibility for ensuring compliance by the data exporter with the GDPR with regard to Restricted Transfers, namely, the lead Supervisory Authority of the data exporter, shall act as the competent Supervisory Authority.

    e. In Clause 17:

    i. OPTION 1 applies, and the Parties agree that the SCCs shall be governed by the law of Ireland in relation to any EU Restricted Transfer; and

    ii. OPTION 2 is not used and that optional language is deleted.

    f. For the purposes of Clause 18, the Parties agree that any dispute arising from the SCCs in relation to any EU Restricted Transfer shall be resolved by the courts of Ireland, and Clause 18(b) is populated accordingly.

    3.2. In this Paragraph 3, references to "Clauses" are references to the Clauses of the SCCs.

  4. POPULATION OF ANNEXES TO THE APPENDIX TO THE SCCs

    4.1. Annex I to the Appendix to the SCCs is populated with the corresponding information detailed in Annex 1 (Data Processing Details) to the DPA, with:

    a. Customer being 'data exporter'; and

    b. Hex being 'data importer'.

    4.2. Part C of Annex I to the Appendix to the SCCs is populated as below:

    4.3. The competent supervisory authority for any EU Restricted Transfer shall be determined as follows:

    • Where Customer is established in an EU Member State: the competent supervisory authority shall be the supervisory authority of that EU Member State in which Customer is established.

    • Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies and Customer has appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State in which Customer's EU representative relevant to the processing hereunder is based (from time-to-time).

    • Where Customer is not established in an EU Member State, Article 3(2) of the GDPR applies, but Customer has not appointed an EU representative under Article 27 of the GDPR: the competent supervisory authority shall be the supervisory authority of the EU Member State notified in writing to Hex's contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA, which must be an EU Member State in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behavior is monitored, are located.

4.4. Annex II to the Appendix to the SCCs is populated as below:

General:

  • Please refer to Section 7 of the DPA and the Security Measures.

  • In the event that Customer receives a Data Subject Request under the EU GDPR and requires assistance from Hex, Customer should email Hex's contact point for data protection identified in Annex 1 (Data Processing Details) to the DPA.

Subprocessors: When Hex engages a Subprocessor under these Clauses, Hex shall enter into a binding contractual arrangement with such Subprocessor that imposes upon them data protection obligations which, in substance, meet or exceed the relevant standards required under these Clauses and the DPA – including in respect of:

  • applicable information security measures;

  • notification of information security incidents (meaning any event that may compromise the confidentiality, integrity, or availability of information systems or data, including Personal Data Breaches) to Hex;

  • return or deletion of Personal Data as and where required; and

  • engagement of further Subprocessors.

PART 2: UK RESTRICTED TRANSFERS

  1. UK INTERNATIONAL DATA TRANSFER ADDENDUM

    1.1. Where relevant in accordance with Paragraph 1.2 of Annex 2 (Restricted Transfer Annex) to the DPA, the SCCs also apply in the context of UK Restricted Transfers as varied by the UK International Data Transfer Addendum in the manner described below:

    a. Part 1 to the UK International Data Transfer Addendum. As permitted by Section 17 of the UK International Data Transfer Addendum, the Parties agree:

    i. Tables 1, 2, and 3 to the UK International Data Transfer Addendum are deemed populated with the corresponding details set out in Annex 1 (Data Processing Details) and the foregoing provisions of this Attachment 1 (subject to the variations effected by the Mandatory Clauses described in (b) below); and

    ii. Table 4 to the UK International Data Transfer Addendum is completed by the box labelled 'Data Importer' being deemed to have been ticked.

    b. Part 2 to the UK International Data Transfer Addendum. The Parties agree to be bound by the Mandatory Clauses of the UK International Data Transfer Addendum.

    1.2. In relation to any UK Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Section 1.1 of this Part 2.

PART 3: SWISS RESTRICTED TRANSFERS

  1. VARIATIONS FOR SWISS RESTRICTED TRANSFERS

    1.1. Where applicable in accordance with Section 1.3 of Annex 2 (Restricted Transfer Annex), the SCCs also apply in the context of Swiss Restricted Transfers with the following terms deemed to have the following substituted meanings:

    a. "GDPR" means the FADP;

    b. "European Union", "Union", and "Member State(s)" each mean Switzerland; and

    c. "supervisory authority" means the Swiss Federal Data Protection and Information Commissioner ("FDPIC").

    1.2. In relation to any Swiss Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Section 1.1 of this Part 3.

PART 4: OTHER RESTRICTED TRANSFERS

  1. VARIATIONS FOR OTHER RESTRICTED TRANSFERS

    1.1. Where applicable in accordance with Section 1.4 of Annex 2 (Restricted Transfer Annex), the SCCs also apply in the context of other Restricted Transfers with the following terms deemed to have the following substituted meanings:

    a. "GDPR" means the applicable Data Protection Laws of the jurisdiction of the data exporter;

    b. "European Union", "Union", and "Member State(s)" each mean the jurisdiction of the data exporter; and

    c. "supervisory authority" means the Supervisory Authority of the jurisdiction of the data exporter.

    1.2. In relation to any other Restricted Transfer to which they apply, where the context permits and requires, any reference in the DPA to the SCCs, shall be read as a reference to those SCCs as varied in the manner set out in Section 1.1 of this Part 4.

Annex 3: US State Privacy Laws Annex

  1. For purposes of this Annex 3, the terms "business," "commercial purpose," "Consumer," "sell," "share," "targeted advertising," and "service provider" shall have the respective meanings given thereto in the US State Privacy Laws, and "personal information" shall mean Personal Data that constitutes personal information governed by the US State Privacy Laws.

  2. It is the parties' intent that with respect to any personal information, Hex is a service provider. Hex (a) acknowledges that personal information is disclosed by Customer only for limited and specified purposes described in the Agreement; (b) shall comply with applicable obligations under the US State Privacy Laws and shall provide the same level of privacy protection to personal information as is required by the US State Privacy Laws; (c) agrees that Customer has the right to take reasonable and appropriate steps to help to ensure that Hex's use of personal information is consistent with Customer's obligations under the US State Privacy Laws; (d) shall notify Customer in writing of any determination made by Hex that it can no longer meet its obligations under the US State Privacy Laws; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.

  3. Hex shall not (a) sell or share any personal information or use it for targeted advertising; (b) retain, use, or disclose any personal information for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing the personal information for a commercial purpose other than the provision of the Services; (c) retain, use, or disclose the personal information outside of the direct business relationship between Hex and Customer; or (d) combine personal information received pursuant to the Agreement with personal information (i) received from or on behalf of another person, or (ii) collected from Hex's own interaction with any Consumer to whom such personal information pertains, except in each case (a) through (d) as and to the extent necessary as a part of Hex's provision of the Services or as otherwise permitted by a service provider or processor under the US State Privacy Laws. Hex hereby certifies that it understands its obligations under this Annex 3 and will comply with them.

  4. Giving Customer notice of Subprocessor engagements in accordance with Section 5 of the DPA shall satisfy Hex's obligation under the US State Privacy Laws to give notice of and an opportunity to object to such engagements.

  5. Hex agrees that Customer may conduct audits, in accordance with Section 8 of the DPA, to help ensure that Hex's use of personal information is consistent with Hex's obligations under the US State Privacy Laws.

  6. The parties acknowledge that Hex's retention, use, and disclosure of personal information authorized by Customer's instructions documented in the DPA are integral to Hex's provision of the Services and the business relationship between the parties.