GDPR Data Processing Addendum (DPA)

Last updated: November 30, 2025

This Data Processing Addendum ("DPA") forms part of the HackHunters Terms of Service ("Agreement") between:

  • HackHunters ("Processor")
  • The customer using HackHunters Services ("Controller")

This DPA applies where the Controller is subject to the EU General Data Protection Regulation (GDPR) or the UK GDPR.

This DPA governs HackHunters' processing of Personal Data on behalf of the Controller.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined in GDPR Art. 4(1).
  • "Processing" means any operation performed on Personal Data as defined in Art. 4(2).
  • "Controller" means the customer that determines the purpose and means of processing.
  • "Processor" means HackHunters, acting on behalf of the Controller.
  • "Subprocessors" are third parties engaged by HackHunters to process Personal Data.
  • "Services" means digital account security analysis, cleanup automation, scanning, reporting, and related services offered by HackHunters.

2. Scope and Roles

The parties acknowledge that:

  • Controller determines the purposes and means of processing
  • Processor processes Personal Data solely to provide the Services
  • No joint-controller relationship exists
  • HackHunters does not sell or share Personal Data for advertising or profiling

3. Processor Obligations

HackHunters agrees to:

3.1 Process only on documented instructions

Processor will process Personal Data only:

  • to provide and improve the Services
  • as documented by the Controller
  • as required by law

Processor will never:

  • use Personal Data for advertising
  • combine Personal Data with third-party data
  • use Google, Microsoft, or social media data to train AI or ML models
  • transfer data to third parties except as permitted in this DPA

3.2 Maintain confidentiality

All personnel with access to Personal Data are bound by confidentiality obligations.

3.3 Implement appropriate security measures

Processor maintains security measures appropriate for the risk, including:

  • encryption in transit and at rest
  • restricted token access
  • network and platform isolation
  • role-based access controls
  • audit logging
  • secure OAuth token storage
  • incident response procedures

3.4 Assist with data subject rights

Processor will assist Controller in fulfilling requests under GDPR, including:

  • access
  • correction
  • deletion
  • portability
  • restriction of processing
  • objection

3.5 Notification of data breaches

Processor will notify Controller without undue delay of any Personal Data breach.

4. Subprocessors

Processor uses trusted third-party Subprocessors necessary to provide the Services. Current Subprocessors include:

  • Supabase (database + authentication)
  • Vercel (hosting)
  • Stripe (payments + invoices)
  • Resend (email delivery)
  • Google LLC (OAuth identity verification)
  • Microsoft Corporation (OAuth identity verification)
  • Meta Platforms (OAuth identity verification)
  • Cloudflare (network security)

Processor will:

  • maintain an updated list of Subprocessors
  • provide notice of significant changes
  • ensure Subprocessors are bound by equivalent obligations

5. Cross-Border Data Transfers

Personal Data may be processed in the United States or other jurisdictions. Processor ensures lawful transfers under GDPR Chapter V, including use of:

  • Standard Contractual Clauses (SCCs), or
  • An adequacy decision, or
  • Other appropriate safeguards

By using the Services, Controller authorizes such transfers.

6. Data Retention and Deletion

Processor stores Personal Data only as long as necessary to provide the Services, unless otherwise required by law.

Upon termination:

  • Processor will delete or return all Personal Data upon Controller's request
  • Processor will delete all OAuth tokens, scan results, findings, contact identities, and identity mapping data
  • Processor may retain anonymized analytics and financial records that do not identify a natural person
  • Backups are deleted on a rolling schedule within 30 days

Processor's deletion operations are documented at: https://www.hackhunters.ai/data-deletion

7. Data Subject Requests

If Processor receives a direct request from an individual, it will:

  • Redirect the request to the Controller
  • Assist with fulfilling the request as required
  • Not respond independently unless required by law

8. Audit and Compliance

Processor will make available appropriate documentation to demonstrate compliance and will reasonably support:

  • compliance audits
  • data protection assessments
  • security reviews
  • GDPR Article 28 obligations

Audits must:

  • be performed with reasonable notice
  • not disrupt Processor operations
  • not require access to confidential system infrastructure

9. Liability

Processor's liability under this DPA is governed by the liability limitations in the Agreement.

10. Termination

This DPA terminates with the Agreement.

Controller's deletion instructions survive termination.

11. Governing Law

This DPA is governed by Delaware law, unless GDPR requires otherwise.

12. Entire Agreement

This DPA supersedes any conflicting terms in the Agreement with respect to GDPR-required processing.

Contact Us

For questions about this DPA or data protection matters, contact:

HackHunters Support
Email: support@email.hackhunters.ai
Website: https://www.hackhunters.ai