Data Processing Agreement
This Data Processing Agreement (DPA) applies when HotHawk processes personal data on your behalf. It forms part of our Terms of Service. To execute a signed copy for your records, email support@hothawk.ai.
Last updated: 27 June 2026
About this agreement
This DPA supplements and forms part of the Terms of Service (the "Principal Agreement") between HotHawk Ltd, a company registered in England and Wales under company number 14998792 (the "Processor", "we", "us"), and the customer (the "Controller", "you"). It sets out the terms on which we process Personal Data on your behalf in connection with the HotHawk cold email platform (the "Service"), and is entered into to ensure compliance with Article 28 of the EU GDPR, Article 28 of the UK GDPR, and other Applicable Data Protection Laws.
Definitions
Capitalised terms not defined here have the meaning given in Applicable Data Protection Laws or the Principal Agreement. "Applicable Data Protection Laws" means the EU GDPR, the UK GDPR, the UK Data Protection Act 2018, the EU ePrivacy Directive as implemented in applicable Member States, and all other applicable data protection and privacy laws. "Personal Data" means personal data processed by us on your behalf under the Service. "Controller", "Processor", "Data Subject", "Processing", and "Personal Data Breach" have the meanings given in the EU and UK GDPR. "Sub-Processor" means any third party we engage to process Personal Data on your behalf.
Roles and scope
For Personal Data processed through the Service, you are the Controller and we are the Processor. We process Personal Data only as necessary to provide the Service and only on your documented instructions, including with regard to international transfers, unless we are required to process by law (in which case we will inform you before processing, unless the law prohibits it). We will inform you if, in our opinion, an instruction infringes Applicable Data Protection Laws. The details of the processing are set out in Annex 1.
Our obligations as processor
We will:
- process Personal Data only on your documented instructions, unless required by law;
- ensure that people authorised to process Personal Data are bound by confidentiality;
- implement the technical and organisational security measures required by Article 32 of the EU and UK GDPR, as described in Annex 2;
- respect the conditions in this DPA for engaging Sub-Processors;
- taking into account the nature of the processing, assist you by appropriate measures, insofar as possible, to respond to requests from Data Subjects exercising their rights;
- assist you in ensuring compliance with your obligations under Articles 32 to 36 of the EU and UK GDPR (security, breach notification, and impact assessments), taking into account the nature of processing and the information available to us;
- at your choice, delete or return all Personal Data at the end of the provision of the Service, and delete existing copies unless law requires storage; and
- make available to you all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits as described below.
Sub-processors
You give us general written authorisation to engage Sub-Processors to help provide the Service, subject to this section. Our current Sub-Processors are listed in Annex 3, which is also available on our website. We will inform you of any intended addition or replacement of a Sub-Processor at least 30 days in advance, giving you a reasonable opportunity to object on reasonable, documented data-protection grounds. If we cannot resolve a valid objection, you may terminate the affected part of the Service.
We impose data-protection obligations on each Sub-Processor by written contract that are substantively equivalent to those in this DPA, and we remain fully liable to you for each Sub-Processor's performance.
International transfers
Personal Data processed through the core Service is stored within the European Economic Area (EEA) and the United Kingdom, as set out in Annex 3. Transfers between the EEA and the UK rely on the adequacy decisions in force between those jurisdictions.
Where a Sub-Processor is located outside the UK and EEA, or where Personal Data is otherwise transferred outside those jurisdictions, we ensure that one of the following safeguards is in place: the recipient's certification under the EU-US Data Privacy Framework and its UK extension; the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and/or the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs; or another lawful transfer mechanism under Article 46 or 49 of the EU or UK GDPR. We will, on reasonable request, provide information relevant to a transfer impact assessment and cooperate with you in conducting one.
Security measures
We implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures are described in Annex 2, and we review and update them periodically.
Breach notification
We will notify you without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA, regardless of severity, so you can assess your own notification obligations. The notification will include, to the extent reasonably available, a description of the breach, the likely consequences, the measures taken or proposed, and a contact point for further information. We will cooperate with you and assist with investigation, mitigation, and remediation.
Data subject rights
We will promptly notify you if we receive a request from a Data Subject to exercise their rights in relation to Personal Data processed under this DPA, and we will not respond directly except on your documented instructions or as required by law. Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures to respond to such requests within the required timeframes.
Audit and compliance
We will make available the information necessary to demonstrate compliance with Article 28. As the primary method, and at no charge, we will on request (no more than once per year) provide a completed data-protection questionnaire or written self-assessment covering our measures, Sub-Processor management, transfer safeguards, and incident-response procedures, together with relevant security documentation. If you reasonably determine that further verification is necessary, you may request a remote audit on at least 60 days' notice, conducted by video conference and secure document exchange during normal business hours, no more than once per year (unless required by a supervisory authority or prompted by a confirmed breach), subject to a confidentiality agreement and reasonable cost arrangements. Nothing in this section limits the powers of a supervisory authority.
Impact assessments
We will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities that you reasonably consider are required under Article 35 or 36 of the EU or UK GDPR, in each case in relation to the processing of Personal Data under this DPA.
Term, deletion, and return
This DPA takes effect when the Principal Agreement does and continues for its duration. On termination or expiry, we will, at your election, either return all Personal Data in a commonly used machine-readable format or securely delete it within 30 days, and certify deletion. Where law requires us to retain Personal Data, we will inform you and continue to protect it under this DPA.
Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Principal Agreement, except that nothing limits either party's liability for breaches of Applicable Data Protection Laws to the extent such limitation is prohibited by law. Each party is liable for damage caused by processing that infringes Applicable Data Protection Laws in accordance with Article 82 of the EU and UK GDPR.
Governing law
This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, without prejudice to any Data Subject or supervisory authority bringing proceedings where permitted by Applicable Data Protection Laws. Where the EU GDPR applies, its provisions take precedence over any conflicting provision; where the UK GDPR applies, its provisions take precedence. In the event of a conflict between this DPA and the Principal Agreement, this DPA prevails with respect to the processing of Personal Data.
Annex 1: Details of processing
- Subject matter. Provision of the HotHawk cold email platform, enabling you to send and manage outbound email campaigns from your own mailboxes and to manage replies.
- Duration. The term of the Principal Agreement, plus any post-termination retention period in the term section above.
- Nature and purpose. Collection, storage, organisation, retrieval, transmission, and erasure of Personal Data as necessary to operate the Service, including email sending, receiving, reply management, team collaboration, and account administration.
- Categories of Data Subjects. Your employees and authorised users; the recipients of emails sent through the Service; and contacts you import into or create within the Service.
- Categories of Personal Data. Name, email address, job title, company name, IP address, email content and metadata (such as subject lines, timestamps, and reply status), account credentials (encrypted), browser and device information, and any other Personal Data you include in communications sent through the Service. The Service does not use open tracking or click tracking, and does not collect open or click data.
- Special category data. None anticipated. You must not submit special category data (as defined in Article 9 of the EU and UK GDPR) unless expressly agreed in writing with appropriate safeguards in place.
Annex 2: Security measures
We implement the following technical and organisational measures, in line with Article 32 of the EU and UK GDPR.
Infrastructure and encryption
- Personal Data is hosted within the EEA and UK on secure cloud infrastructure maintaining industry-standard physical, environmental, and logical access controls.
- Data in transit is encrypted using TLS 1.2 or higher; data at rest is encrypted using AES-256 or equivalent.
- Regular automated backups are performed and stored securely with geographic redundancy.
- Network segmentation and firewall rules restrict access to systems holding Personal Data.
Access controls
- Role-based access control across all systems processing Personal Data.
- Access to production systems is restricted to authorised personnel and requires multi-factor authentication.
- The principle of least privilege is applied, and access rights are reviewed periodically and revoked promptly on role change or departure.
- Unique credentials per individual; shared accounts are prohibited for production access.
Application security
- Secure software development practices, including code review and testing.
- Input validation and output encoding to prevent common vulnerabilities.
- Regular security updates and patching of software, systems, and dependencies.
- Secrets and credentials are managed through a secure secrets management system and are not stored in source code.
Organisational measures
- Confidentiality obligations and ongoing data-protection awareness training for personnel.
- A documented incident response plan, tested periodically.
- Business continuity and disaster recovery procedures.
- A data retention policy ensuring Personal Data is not kept longer than necessary.
- Access logging, retained for a reasonable period, and anomaly detection and alerting for key systems.
Annex 3: Sub-processors
The following Sub-Processors are engaged to provide the core Service. We will give at least 30 days' notice of any change, as described above.
| Sub-Processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Application servers, primary database, and backups | Finland (EEA) | Within EEA |
| Microsoft Corporation (Azure) | File and attachment storage | United Kingdom | Within UK |
| Amazon Web Services | Transactional and campaign email delivery | Germany (EEA) | Within EEA |
| Cloudflare, Inc. | Content delivery, DNS, and security for the website and application | United States / global edge | EU-US Data Privacy Framework; EU SCCs / UK IDTA |
| Stripe, Inc. | Payment processing and billing | United States | EU-US Data Privacy Framework |
| OpenAI | Generation of mailbox warmup conversation content | United States | EU SCCs / UK IDTA |
The following Sub-Processors are engaged only if you choose to enable the relevant optional integration, and only for the data needed to provide that integration:
| Sub-Processor | Purpose (only if enabled) | Location |
|---|---|---|
| Anthropic | Claude connector (drive HotHawk from Claude) | United States |
| HeyReach | Bringing LinkedIn replies into your inbox | European Union |
| OutboundSync | Two-way sync with HubSpot or Salesforce | United States |
Transfers to Sub-Processors outside the UK and EEA are covered by the safeguards described in the international transfers section above.
Questions about this document? Email support@hothawk.ai. You can find all of our legal documents in the Legal Hub.