Data Processing Agreement
Last updated: April 30, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Ilya Spiridonov, sole proprietor operating under the brand name HummingDeck, Antakalnio 84, Vilnius, Lithuania (the "Processor") and the customer (the "Controller") that has subscribed to the HummingDeck service. It applies whenever HummingDeck processes Personal Data on behalf of the Controller in connection with the service.
By using HummingDeck, the Controller accepts the terms of this DPA. A signed counterpart is available on request from hello@hummingdeck.com.
1. Definitions
Terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679). Specifically:
- Personal Data — any information relating to an identified or identifiable natural person.
- Controller — the customer who determines the purposes and means of processing.
- Processor — HummingDeck, processing Personal Data on behalf of the Controller.
- Sub-processor — any third party engaged by HummingDeck to process Personal Data, listed at hummingdeck.com/sub-processors.
- Data Subject — the natural person to whom the Personal Data relates, including the Controller's employees, contacts, and the recipients who view documents shared via HummingDeck ("Document Viewers").
2. Scope and Roles
HummingDeck acts as a Processor on behalf of the Controller for all Personal Data processed in connection with the service, including:
- Account holders and team members the Controller adds to a workspace.
- Contacts and leads the Controller imports or creates.
- Document Viewers who open links shared by the Controller.
- Engagement events generated by Document Viewers (page views, time on page, return visits, location at country level, IP-derived signals).
The Controller remains responsible for the lawfulness of the processing, the choice of lawful basis under Article 6 GDPR, and the rights of Data Subjects.
3. Controller's Obligations
The Controller represents and warrants that:
- It has a valid lawful basis under GDPR Article 6 for the processing it instructs HummingDeck to carry out.
- It has provided all required notices to Data Subjects under GDPR Articles 13 and 14, including informing Document Viewers about the engagement tracking carried out via HummingDeck links. The Controller is solely responsible for this disclosure, whether via its own privacy policy, the email or message accompanying the share link, or any other appropriate channel.
- It will not instruct HummingDeck to process Personal Data in violation of applicable data protection law.
To support the Controller in meeting its disclosure obligation, HummingDeck makes the following available:
- A public privacy policy at hummingdeck.com/privacy describing what is collected from Document Viewers and on what basis.
- Template language the Controller may adopt or adapt for its own privacy policy, available on request.
- A public sub-processor list at hummingdeck.com/sub-processors.
4. HummingDeck's Obligations
As Processor, HummingDeck shall:
- Process Personal Data only on documented instructions from the Controller, including those given through the use of the service itself.
- Ensure persons authorized to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organizational security measures (Section 5).
- Engage sub-processors only under written contracts that impose equivalent data-protection obligations, and notify the Controller of intended changes per Section 6.
- Assist the Controller, taking into account the nature of the processing, in fulfilling its obligations to respond to Data Subject requests under GDPR Chapter III.
- Assist the Controller with security, breach notification, data protection impact assessments, and prior consultation obligations under GDPR Articles 32 to 36.
- Notify the Controller without undue delay (and within 72 hours where feasible) after becoming aware of a Personal Data Breach affecting the Controller's data.
- At the Controller's choice, delete or return all Personal Data after the end of the service, and delete existing copies unless retention is required by law.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow audits or inspections by the Controller or an auditor mandated by the Controller (subject to Section 7).
5. Security Measures
HummingDeck implements and maintains appropriate technical and organizational measures, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (Google Cloud Storage default encryption).
- Access controls based on least-privilege principles, with logging of administrative access.
- Authentication via Google Firebase with secure session handling.
- Bot and abuse-detection systems to filter automated traffic from engagement analytics.
- Backup and disaster-recovery procedures.
- Regular review of security practices.
HummingDeck is not currently SOC 2 certified. Customers requiring formal certification should contact hello@hummingdeck.com for the current security questionnaire and timeline.
6. Sub-processors
The Controller authorizes HummingDeck to engage the sub-processors listed at hummingdeck.com/sub-processors. HummingDeck will provide at least 30 days' prior notice to the Controller before adding or replacing any sub-processor that processes the Controller's Personal Data, by:
- Updating the public sub-processor list, and
- Notifying the workspace owner by email if the change materially affects the processing.
If the Controller objects in good faith to a new sub-processor on data-protection grounds within 30 days of notice, the parties will work in good faith to address the concern. If no resolution is reached, the Controller may terminate the affected portion of the service for convenience.
7. Audits
HummingDeck will make available, on reasonable notice and no more than once per 12-month period (or more often if required by a regulator):
- Its current Records of Processing Activities (Article 30 documentation).
- Information on its security measures and any third-party assessments.
- The opportunity for a remote audit (questionnaire-based or video conference) at the Controller's expense.
On-site inspections are permitted only where required by applicable law or by binding regulator order, on reasonable notice and at the Controller's expense.
8. International Transfers
The Controller acknowledges that some sub-processors are located outside the European Economic Area, primarily in the United States. For such transfers, HummingDeck relies on the European Commission's Standard Contractual Clauses (Module Two, Controller-to-Processor) incorporated into its agreements with the relevant sub-processors, supplemented by the technical and organizational measures described in Section 5.
9. Deletion and Return
Upon termination of the service, the Controller may, within 30 days, request a structured export of its data via the application or via support. After 30 days, HummingDeck will delete all Controller Personal Data from production systems within a further 30 days, except where retention is required by law (e.g., billing records). Backup copies are retained according to standard backup-rotation schedules and overwritten in due course.
10. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the underlying agreement between the parties.
11. Order of Precedence
In the event of a conflict between this DPA and the underlying agreement (including HummingDeck's Terms of Service), this DPA prevails to the extent of the conflict and only with respect to the processing of Personal Data.
12. Changes to this DPA
HummingDeck may update this DPA from time to time to reflect changes in applicable law or in our processing practices. Material changes will be communicated to the workspace owner by email at least 30 days before they take effect. Continued use of the service after the effective date constitutes acceptance.
13. Contact
Questions about this DPA, requests for a signed counterpart, or formal Data Subject requests should be sent to hello@hummingdeck.com.
Template language for Controllers
To help Controllers meet their obligation to inform Document Viewers about engagement tracking (Section 3), the following language may be adopted or adapted into the Controller's own privacy policy or the message accompanying a HummingDeck-shared link:
"When you open this document, [Controller name] uses HummingDeck (a third-party document-engagement platform) to record certain technical information for analytics and security purposes, including the date and time of access, the pages you view, time spent per page, return visits, your IP address, approximate location at country level, browser and device information, and a short-lived browser fingerprint. This data is processed on our behalf to help us understand engagement and is not sold or shared with anyone outside the service. For more information, see HummingDeck's privacy policy at hummingdeck.com/privacy."
Adapt as appropriate for your context. This template is provided for convenience and does not constitute legal advice.