Data Processing Agreement

Last updated: June 11, 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms of Service between you ("Customer") and 7G TechLabs Inc., doing business as "Harnyss AI" ("Company," "we," "us") (the "Agreement"). It governs our processing of Personal Data on your behalf in connection with the Service. Where there is a conflict between this DPA and the rest of the Agreement with respect to the processing of Personal Data, this DPA controls. Capitalized terms not defined here have the meaning given in the Agreement.

1. Definitions

"Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 ("EU GDPR"), the UK GDPR and the UK Data Protection Act 2018 ("UK GDPR"), and applicable U.S. state privacy laws.

"Controller," "Processor," "Data Subject," "Personal Data," "Processing," and "Supervisory Authority" have the meanings given in the Data Protection Laws.

"Sub-processor" means any third party engaged by us to process Personal Data in connection with the Service.

"Standard Contractual Clauses" ("SCCs") means the clauses annexed to Commission Implementing Decision (EU) 2021/914 for the transfer of personal data to third countries. "UK IDTA" means the UK International Data Transfer Agreement or the UK Addendum to the SCCs issued by the UK Information Commissioner.

2. Roles and Scope

As between the parties, Customer is the Controller and we are the Processor of the Personal Data processed in connection with the Service. Where Customer is itself a processor acting on behalf of a third-party controller, we act as a sub-processor and Customer warrants it has the controller's authority to engage us on these terms. We process Personal Data only as a Processor and not for our own independent purposes. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1.

3. Processor Obligations

We will:

  • Instructions. Process Personal Data only on Customer's documented instructions, including the Agreement, this DPA, and Customer's configuration and use of the Service, unless required to act by law (in which case we will inform Customer unless legally prohibited). We will notify Customer if, in our opinion, an instruction infringes the Data Protection Laws.
  • Confidentiality. Ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.
  • Security. Implement and maintain the technical and organizational measures set out in Annex 2 to ensure a level of security appropriate to the risk (Art. 32).
  • Sub-processors. Engage Sub-processors only in accordance with Section 5.
  • Data Subject requests. Taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests by Data Subjects to exercise their rights. Where a Data Subject contacts us directly, we will refer them to Customer.
  • Assistance. Assist Customer in ensuring compliance with its obligations regarding security, Personal Data breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and the information available to us.
  • Deletion or return. At Customer's choice, delete or return all Personal Data at the end of the provision of the Service, and delete existing copies unless retention is required by law. Standard deletion timelines are described in the Agreement and our Privacy Policy.
  • Audits. Make available the information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, subject to reasonable confidentiality, scheduling, and frequency conditions. We may satisfy audit requests by providing relevant certifications, reports, or summaries of our security program.

4. Personal Data Breach

We will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer's Personal Data, and will provide information reasonably available to us to assist Customer in meeting its breach-notification obligations. Notification will be sent to the contact on file for the account. Our incident response process governs detection, containment, assessment, and remediation.

5. Sub-processors

Customer provides general authorization for us to engage the Sub-processors listed in Annex 3, and to engage additional Sub-processors to provide the Service. We impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for each Sub-processor's performance. We will inform Customer of any intended addition or replacement of a Sub-processor with a reasonable opportunity to object on reasonable data-protection grounds; if the parties cannot resolve the objection, Customer may terminate the affected Service.

6. International Transfers

We and our Sub-processors may process Personal Data in the United States and other countries. Where we transfer Personal Data originating in the European Economic Area to a country that has not received an adequacy decision, the SCCs (Module Two, controller-to-processor) are incorporated into this DPA by reference and completed by Annex 1 (details of processing) and Annex 2 (technical and organizational measures). For Personal Data originating in the United Kingdom, the UK IDTA (or the UK Addendum to the SCCs) applies on the same basis. Where we onward-transfer to a Sub-processor, equivalent transfer safeguards are imposed.

7. Liability and Precedence

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not increase the aggregate liability cap in the Agreement. Nothing in this DPA limits any liability that cannot be limited under the Data Protection Laws.

8. Term

This DPA takes effect when Customer accepts the Agreement (or begins using the Service) and continues until all processing of Personal Data on Customer's behalf has ceased and Personal Data has been deleted or returned in accordance with Section 3.

9. Contact and Representatives

Data protection enquiries and Data Subject requests should be sent to privacy@harnyss.ai.

UK Representative (UK GDPR Art. 27): to be appointed where required for UK or EEA Data Subjects; in the interim, please direct enquiries to privacy@harnyss.ai. EU Representative (EU GDPR Art. 27): to be appointed if and when EEA Data Subjects are in scope.

Annex 1 — Details of Processing

Details of the processing carried out under this DPA
Subject matter: Provision of the Harnyss autonomous business operations platform.
Duration: For the term of the Agreement, plus any post-termination deletion/return period.
Nature and purpose: Hosting, storage, and processing of Customer Data to operate AI agents and workflows the Customer configures, including sending data to AI model providers and connected tools at Customer's direction.
Types of Personal Data: As determined by Customer, which may include names, email addresses, contact details, account identifiers, communications content, and any other Personal Data Customer chooses to submit. Customer must not submit special-category data (Art. 9) unless separately agreed in writing.
Categories of Data Subjects: Customer's users, personnel, customers, prospects, and contacts whose Personal Data Customer submits to the Service.
Frequency: Continuous, for the duration of the Agreement.

Annex 2 — Technical and Organizational Measures

We maintain a security program that includes, at minimum, the following measures (which serve as the SCC/IDTA technical-measures annex):

  • Encryption. Encryption in transit (TLS, with HSTS) and encryption at rest, including AES-256-GCM encryption of provider credentials and workspace secrets; database storage encrypted at the infrastructure layer.
  • Tenant isolation. Row-level security policies isolate each Workspace; Customer Data in one Workspace is not accessible to another. Application-layer authorization gates back the database policies.
  • Access control. Role-based access for account members; available multi-factor authentication; idle-session timeout; per-agent authorization controls for automated tool access; least-privilege internal access.
  • Authentication and abuse prevention. Managed authentication with secure session handling, failed-login / brute-force detection, and rate limiting on sensitive endpoints.
  • Logging and monitoring. An append-only audit log of security-relevant and administrative actions; error monitoring with sensitive-data scrubbing; automated platform health and anomaly detection with alerting.
  • Secret hygiene. Credentials are never written to logs, telemetry, or client responses; decrypted only in memory for the operation that requires them.
  • Input and integration safeguards. Upload file-type validation, server-side request forgery protections on outbound fetches, and signed/verified webhooks.
  • Resilience and retention. Managed backups with point-in-time recovery; tiered data retention; deletion of Customer Data following account deletion within the period stated in the Agreement.
  • Secure development. Continuous-integration checks (type checking, automated tests, and security/authorization audit scripts) gate changes; sequential, reviewed database migrations.
  • Sub-processor management. Sub-processors are bound by data-protection terms no less protective than this DPA (Section 5).

Annex 3 — Sub-processors

Current sub-processors engaged to provide the Service, their purpose, and processing location
Sub-processor | Purpose | Location
Supabase | Database, authentication, and storage of Customer Data | United States (AWS us-east-1)
Railway | Application hosting and compute | United States
Anthropic | AI model processing for platform-operated tasks (triage, classification, system operations) | United States
Stripe | Payment processing (no card data stored by us) | United States / global
Resend | Transactional and inbound email | United States
Sentry | Error monitoring (scrubbed of personal data) | United States

The platform uses Anthropic for its own AI operations. Where Customer configures its own AI model-provider keys (bring-your-own-key) — for example to use OpenAI for a model or for semantic-search embeddings — data is sent to that provider under Customer's own account, and the resulting relationship is Customer's own and not a Sub-processor under this DPA. A current sub-processor list is available on request.

Contact

Questions about this DPA: privacy@harnyss.ai.