Data Processing Addendum (DPA)
Last updated: June 30, 2026
Summary: This DPA applies when Hardalion processes personal data on your behalf under a separate agreement. You are the data controller; Hardalion acts as processor. Request a countersigned copy for enterprise contracts.
1. Scope and order of precedence
This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer", "Controller") and Hardalion("Hardalion", "Processor") governing use of the Service. If this DPA conflicts with the main agreement on data protection matters, this DPA prevails. Otherwise the main agreement controls.
2. Roles and instructions
Customer determines the purposes and means of processing personal data submitted to the Service. Hardalion processes such data only on documented instructions from Customer, including as necessary to provide the Service, maintain security, comply with law, or as otherwise permitted in this DPA and the Privacy Policy.
3. Categories of data and subjects
Depending on Customer's use, processing may include account identifiers, contact information, usage logs, configuration data, and content Customer uploads or generates through the Service. Data subjects may include Customer's employees, contractors, and end users.
4. Processor obligations
- Process personal data only on Customer's documented instructions
- Ensure personnel with access are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist Customer with data subject requests where technically feasible
- Notify Customer without undue delay of confirmed personal data breaches affecting Customer data
- Delete or return personal data upon termination, subject to legal retention requirements
- Make available information reasonably necessary to demonstrate compliance
5. Subprocessors
Customer authorizes Hardalion to engage subprocessors listed at /legal/subprocessors. Hardalion remains responsible for subprocessors' performance of data protection obligations. Enterprise customers may have additional notice and objection rights in a signed order form.
6. International transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, Hardalion will implement appropriate safeguards such as Standard Contractual Clauses or equivalent mechanisms as required by applicable law.
7. Audits
Upon reasonable written request and subject to confidentiality, Hardalion will provide information about its security program or third-party audit summaries where available. Onsite audits may be conducted no more than once annually with 30 days' notice, during business hours, and without disrupting operations, unless required by a supervisory authority.
8. Liability
Liability arising from or relating to this DPA is subject to the limitation of liability in the main agreement between the parties.
9. Term
This DPA remains in effect for the duration of the agreement under which Hardalion processes personal data on Customer's behalf.
10. Execution
This page describes our standard DPA terms. For a countersigned DPA, contact legal@hardalion.com.