Legal

Data Protection Agreement

Introduction

The parties agree that this HASH Data Protection Agreement (“DPA”) sets forth their obligations with respect to the processing and security of Personal Data and, where explicitly stated in the DPA Terms, Customer Data in connection with the Online Services provided by HASH, Inc. and HASH, Ltd. ("HASH").

The DPA (including its Appendix and Attachments) is between HASH and any customer receiving Online Services from HASH based on the HASH Customer Agreement (“Customer”), and is incorporated by reference into the HASH Customer Agreement.

In the event of any conflict or inconsistency between the DPA Terms and any other terms in the HASH Customer Agreement, the DPA Terms will prevail. The provisions of the DPA Terms supersede any conflicting provisions of the HASH Privacy Statement that otherwise may apply to processing of Personal Data. For clarity, the Standard Contractual Clauses prevail over any other term of the DPA Terms.

Applicable DPA Terms and Updates

Limits on Updates

When Customer renews or purchases a new subscription to an Online Service, the then-current DPA Terms will apply and will not change during the term of that new subscription for that Online Service.

Notwithstanding the foregoing limits on updates, when HASH introduces features, supplements or related software that are new (i.e., that were not previously included with the subscription), HASH may provide terms or make updates to the DPA that apply to Customer’s use of those new features, supplements or related software. If those terms include any material adverse changes to the DPA Terms, HASH will provide Customer a choice to use the new features, supplements, or related software, without loss of existing functionality of a generally available Online Service. If Customer does not use the new features, supplements, or related software, the corresponding new terms will not apply.

Government Regulation and Requirements

Notwithstanding the foregoing limits on updates, HASH may modify or terminate an Online Service in any country or jurisdiction where there is any current or future government requirement or obligation that (1) subjects HASH to any regulation or requirement not generally applicable to businesses operating there, (2) presents a hardship for HASH to continue operating the Online Service without modification, and/or (3) causes HASH to believe the DPA Terms or the Online Service may conflict with any such requirement or obligation.

Electronic Notices

HASH may provide Customer with information and notices about Online Services electronically, including via email, or through a web site that HASH identifies. Notice is given as of the date it is made available by HASH.

Prior Versions

The DPA Terms provide terms for Online Services that are currently available. For earlier versions of the DPA Terms, Customer may contact HASH Support.

Definitions

Capitalized terms used but not defined in this DPA will have the meanings provided in the HASH Customer Agreement. The following defined terms are used in this DPA:

→
“CCPA” means the California Consumer Privacy Act as set forth in Cal. Civ. Code §1798.100 et seq. and its implementing regulations.
→
“Customer Data” means all data, including all text, sound, video, or image files, and software, that are provided to HASH by, or on behalf of, Customer through use of the Online Service.
→
“Data Protection Requirements” means the GDPR, Local EU/EEA Data Protection Laws, CCPA, and any applicable laws, regulations, and other legal requirements relating to (a) privacy and data security; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.
→
“Diagnostic Data” means data collected or obtained by HASH from software that is locally installed by Customer in connection with the Online Service. Diagnostic Data may also be referred to as telemetry. Diagnostic Data does not include Customer Data, Service Generated Data, or Professional Services Data.
→
“DPA Terms” means both the terms in this DPA and any Online Service-specific terms in the HASH Customer Agreement that specifically supplement or modify the privacy and security terms in this DPA for a specific Online Service (or feature of an Online Service). In the event of any conflict or inconsistency between the DPA and such Online Service-specific terms, the Online Service-specific terms shall prevail as to the applicable Online Service (or feature of that Online Service).
→
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). In connection with the United Kingdom, “GDPR” means Regulation (EU) 2016/679 astransposed into national law of the United Kingdom by the UK European Union (Withdrawal) Act 2018 and amended by the UK Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (as may be amended from time to time).
→
“Local EU/EEA Data Protection Laws” means any subordinate legislation and regulation implementing the GDPR.
→
“GDPR Related Terms” means the terms in Attachment 3, under which HASH makes binding commitments regarding its processing of Personal Data as required by Article 28 of the GDPR.
→
“HASH Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with HASH.
→
“HASH Customer Agreement” means the service or other agreement(s) entered into by Customer with HASH for Online Services.
→
“HASH Privacy Statement” means the HASH privacy statement available at hash.ai/legal/privacy
→
“Online Service” means any service or software provided by HASH to Customer under the HASH Customer Agreement agreed upon with Customer, including Previews, updates, patches, bug fixes, and technical support.
→
“Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
→
“Preview” means Online Services provided for preview, evaluation, demonstration or trial purposes, or pre-release versions of the Online Services.
→
“Professional Services Data” means all data, including all text, sound, video, image files or software, that are provided to HASH, by or on behalf of a Customer (or that Customer authorizes HASH to obtain from an Online Service) or otherwise obtained or processed by or on behalf of HASH through an engagement with HASH to obtain Professional Services. Professional Services Data includes Support Data.
→
“Service Generated Data” means data generated or derived by HASH through the operation of an Online Service. Service Generated Data does not include Customer Data, Diagnostic Data, or Professional Services Data.
→
“Standard Contractual Clauses” means either of the following sets of Standard Contractual Clauses, as applicable in the individual case to the transfer of personal data according to the section of this DPA entitled “Data Transfers and Location” below:
- →
  the Standard Contractual Clauses (MODULE TWO: Transfer controller to processor), dated 4 June 2021, for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as described in Article 46 of the GDPR and approved by European Commission Implementing Decision (EU) 2021/91 (“Standard Contractual Clauses (EU/EEA)”) and adopted by the Switzerland Federal Data Protection and Information Commissioner (“Swiss FDPIC”). The Standard Contractual Clauses (EU/EEA) are set forth in Attachment 1.
- →
  the International Data Transfer Addendum to the Standard Contractual Clauses (EU/EEA) as adopted by the United Kingdom Information Commissioner’s Office (“UK ICO”) for use in connection with data transfers from the United Kingdom (“Standard Contractual Clauses (UK)”). The Standard Contractual Clauses (UK) are set forth in Attachment 2.
→
“Sub-processor” means other processors used by HASH to process Personal Data on behalf of Customer in connection with the Online Services, as described in Article 28 of the GDPR.
→
“Support Data” means all data, including all text, sound, video, image files, or software, that are provided to HASH by or on behalf of Customer (or that Customer authorizes HASH to obtain from an Online Service) through an engagement with HASH to obtain technical support for Online Services covered under this agreement. Support Data is a subset of Professional Services Data.

Lower case terms used but not defined in this DPA, such as “personal data breach”, “processing”, “controller”, “processor”, “profiling”, “personal data”, and “data subject” will have the same meaning as set forth in Article 4 of the GDPR, irrespective of whether GDPR applies. The terms “data importer” and “data exporter” have the meanings given in the Standard Contractual Clauses.

For clarity, and as detailed above, data defined as Customer Data, Diagnostic Data, Service Generated Data, and Professional Services Data may contain Personal Data. For illustrative purposes, please see the chart below:

Type of data	Description	May contain Support Data	May contain Personal Data
Customer Data	“provided” by Customer		Yes
Diagnostic Data	“collected” or “obtained” from software installed by Customer		Yes
Service Generated Data	“generated” or “derived” by HASH		Yes
Professional Services Data	“provided” by Customer in connection with "Professional Services”	Yes	Yes
Support Data	“provided” by Customer in connection with technical support	n/a	Yes
Personal Data	“information relating to an identified or identifiable natural person”		n/a

The above table outlines the various data types defined in the DPA. All Personal Data is processed as a part of one of the other data types (all of which also include non-personal data). Support Data is a sub-set of Professional Services Data. Except where explicitly stated otherwise, the DPA Terms exclusively apply to Personal Data.

General Terms

Compliance with Laws

HASH will comply with all laws and regulations applicable to its provision of the Online Services, including security breach notification law and Data Protection Requirements. However, HASH is not responsible for compliance with any laws or regulations applicable to Customer or Customer’s industry that are not generally applicable to information technology service providers. HASH does not determine whether Customer Data includes information subject to any specific law or regulation. All Security Incidents are subject to the Security Incident Notification terms below.

Customer must comply with all laws and regulations applicable to its use of Online Services, including laws related to biometric data, confidentiality of communications, and Data Protection Requirements. Customer is responsible for determining whether the Online Services are appropriate for storage and processing of information subject to any specific law or regulation and for using the Online Services in a manner consistent with Customer’s legal and regulatory obligations. Customer is responsible for responding to any request from a third party regarding Customer’s use of an Online Service, such as a request to take down content under the U.S. Digital Millennium Copyright Act, including in accordance with the HASH Copyrighted Materials Policy, or other applicable laws.

Data Protection Terms

This section of the DPA includes the following subsections:

→
Scope
→
Nature of Data Processing; Ownership
→
Disclosure of Processed Data
→
Processing of Personal Data; GDPR
→
Data Security
→
Security Incident Notification
→
Data Transfers and Location
→
Data Retention and Deletion
→
Processor Confidentiality Commitment
→
Notice and Controls on Use of Sub-processors
→
Educational Institutions
→
CJIS Customer Agreement, HIPAA Business Associate, Biometric Data
→
California Consumer Privacy Act (CCPA)
→
How to Contact HASH
→
Appendix A – Security Measures

Scope

The DPA Terms apply to all Online Services.

Previews may employ lesser or different privacy and security measures than those typically present in the Online Services. Unless otherwise noted, Customer should not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements. The following terms in this DPA do not apply to Previews: Processing of Personal Data; GDPR, Data Security, and California Consumer Privacy Act.

Nature of Data Processing; Ownership

Except as otherwise stated in the DPA Terms, HASH will use and otherwise process Customer Data and Personal Data as described and subject to the limitations provided below (a) to provide Customer the Online Service in accordance with Customer’s documented instructions, and/or (b) for HASH’s legitimate business operations incident to delivery of the Online Services to Customer. As between the parties, Customer retains all right, title and interest in and to Customer Data. HASH acquires no rights in Customer Data other than the rights Customer grants to HASH in this section. This paragraph does not affect HASH’s rights in software or services HASH licenses to Customer.

Processing to Provide Customer the Online Services

For purposes of this DPA, “to provide” an Online Service consists of:

→
Delivering functional capabilities as licensed, configured, and used by Customer and its users, including providing personalized user experiences;
→
Troubleshooting (e.g., preventing, detecting, and repairing problems); and
→
Ongoing improvement (e.g., installing the latest updates and making improvements to user productivity, reliability, efficacy, and security).

When providing Online Services, HASH will use or otherwise process Personal Data only on Customer’s behalf and in accordance with Customer’s documented instructions.

Processing for HASH’s Legitimate Business Operations

For purposes of this DPA, “HASH’s legitimate business operations” consist of the following, each as incident to delivery of the Online Services to Customer: (1) billing and account management; (2) compensation (e.g., calculating employee commissions and partner incentives); (3) internal reporting and business modeling (e.g., forecasting, revenue, capacity planning, product strategy); (4) combatting fraud, abuse, cybercrime, or cyber-attacks that may affect HASH or Online Services; (5) improving the core functionality of accessibility, privacy or energy-efficiency; (6) financial reporting and compliance with legal obligations (subject to the limitations on disclosure of Processed Data outlined below); (7) the creation or management of end user accounts and profiles by HASH for individual users of Customer (except where Customer creates, manages or otherwise controls such end user accounts or profiles itself); and (8) other purposes pertaining to Personal Data not provided by Customer for storage in HASH projects, webs, workspaces, repositories or in connection with Professional Services.

When processing for HASH’s legitimate business operations, HASH will not use or otherwise process Personal Data for: (a) user profiling, (b) advertising or similar commercial purposes, (c) data selling or brokering, or (d) any other purpose, other than for the purposes set out in this section.

Disclosure of Processed Data

HASH will not disclose or provide access to any Processed Data except: (1) as Customer directs; (2) as described in this DPA; or (3) as required by law. For purposes of this section, “Processed Data” means: (a) Customer Data; (b) Personal Data and (c) any other data processed by HASH in connection with the Online Service that is Customer’s confidential information under the HASH Customer Agreement. All processing of Processed Data is subject to HASH’s obligation of confidentiality under the HASH Customer Agreement.

HASH will not disclose or provide access to any Processed Data to law enforcement unless required by law. If law enforcement contacts HASH with a demand for Processed Data, HASH will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose or provide access to any Processed Data to law enforcement, HASH will promptly notify Customer and provide a copy of the demand, unless legally prohibited from doing so.

Upon receipt of any other third-party request for Processed Data, HASH will promptly notify Customer unless prohibited by law. HASH will reject the request unless required by law to comply. If the request is valid, HASH will attempt to redirect the third party to request the data directly from Customer.

HASH will not provide any third party: (a) direct, indirect, blanket, or unfettered access to Processed Data; (b) platform encryption keys used to secure Processed Data or the ability to break such encryption; or (c) access to Processed Data if HASH is aware that the data is to be used for purposes other than those stated in the third party’s request.

In support of the above, HASH may provide Customer’s basic contact information to the third party.

All Personal Data processed by HASH in connection with the Online Services is obtained as part of either Customer Data, Professional Services Data (including Support Data), Diagnostic Data, or Service Generated Data. Personal Data provided to HASH by, or on behalf of, Customer through use of the Online Service is also Customer Data. Pseudonymized identifiers may be included in Diagnostic Data or Service Generated Data and are also Personal Data. Any Personal Data pseudonymized, or de-identified but not anonymized, or Personal Data derived from Personal Data is also Personal Data.

To the extent HASH is a processor or sub-processor of Personal Data subject to the GDPR, the GDPR Related Terms in Attachment 3 govern that processing and the parties also agree to the following terms in this sub-section (“Processing of Personal Data; GDPR”):

Processor and Controller Roles and Responsibilities

Customer and HASH agree that Customer is the controller of Personal Data and HASH is the processor of such data, except (a) when Customer acts as a processor of Personal Data, in which case HASH is a sub-processor; or (b) as stated otherwise in the HASH Customer Agreement or this DPA. When HASH acts as the processor or sub-processor of Personal Data, it will process Personal Data only on Customer’s behalf and in accordance with documented instructions from Customer. Customer agrees that its HASH Customer Agreement (including the DPA Terms and any applicable updates), along with the product documentation and Customer’s use and configuration of features in the Online Services, are Customer’s complete documented instructions to HASH for the processing of Personal Data. Information on use and configuration of the Online Services can be found at hash.ai/guide or a successor location.

Any additional or alternate instructions must be agreed to according to the process for amending Customer’s HASH Customer Agreement. In any instance where the GDPR applies and Customer is a processor, Customer warrants to HASH that Customer’s instructions, including appointment of HASH as a processor or sub-processor, have been authorized by the relevant controller.

To the extent HASH uses or otherwise processes Personal Data subject to the GDPR for HASH’s legitimate business operations incident to delivery of the Online Services to Customer, HASH will comply with the obligations of an independent data controller under GDPR for such use. HASH is accepting the added responsibilities of a data “controller” under the GDPR for processing in connection with its legitimate business operations to: (a) act consistent with regulatory requirements, to the extent required under the GDPR; and (b) provide increased transparency to Customers and confirm HASH’s accountability for such processing. HASH employs safeguards to protect Personal Data in processing, including those identified in this DPA and those contemplated in Article 6(4) of the GDPR. With respect to processing of Personal Data under this paragraph, HASH makes the commitments set forth in the Standard Contractual Clauses set forth in Attachment 1 or Attachment 2 (as applicable); for those purposes, (i) any HASH disclosure of Personal Data, as described in Annex IV to Attachment 1, that has been transferred in connection with HASH’s legitimate business operations is deemed a “Relevant Disclosure” and (ii) the commitments in Annex IV to Attachment 1 apply to such Personal Data.

Processing Details

The parties acknowledge and agree that:

→
Subject Matter. The subject-matter of the processing is limited to Personal Data within the scope of the section of this DPA entitled “Nature of Data Processing; Ownership” above and the GDPR.
→
Duration of the Processing. The duration of the processing shall be in accordance with Customer instructions and the terms of the DPA.
→
Nature and Purpose of the Processing. The nature and purpose of the processing shall be to provide the Online Service pursuant to Customer’s HASH Customer Agreement and for HASH's legitimate business operations incident to delivery of the Online Service to Customer (as further described in the section of this DPA entitled “Nature of Data Processing; Ownership” above).
→
Categories of Data. The types of Personal Data processed by HASH when providing the Online Service include: (i) Personal Data that Customer elects to include in Customer Data or Professional Services Data (including, without limitation, Support Data); and (ii) those expressly identified in Article 4 of the GDPR that may be contained in Diagnostic Data or Service Generated Data. The types of Personal Data that Customer elects to include in Customer Data or Professional Services Data (including, without limitation, Support Data) may be any categories of Personal Data identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR, including the categories of Personal Data set forth in Annex I to Attachment 1.
→
Data Subjects. The categories of data subjects are Customer’s representatives and end users, such as employees, contractors, collaborators, and customers, and may include any other categories of data subjects as identified in records maintained by Customer acting as controller pursuant to Article 30 of the GDPR, including the categories of data subjects set forth in Annex I to Attachment 1.

Data Subject Rights; Assistance with Requests

HASH will make available to Customer, in a manner consistent with the functionality of the Online Service and HASH’s role as a processor of Personal Data of data subjects, the ability to fulfill data subject requests to exercise their rights under the GDPR. If HASH receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with an Online Service for which HASH is a data processor or sub-processor, HASH will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Online Service. HASH shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request.

Records of Processing Activities

To the extent the GDPR requires HASH to collect and maintain records of certain information relating to Customer, Customer will, where requested, supply such information to HASH and keep it accurate and up-to-date. HASH may make any such information available to the supervisory authority if required by the GDPR.

Data Security

HASH will implement and maintain appropriate technical and organizational measures and security safeguards against accidental or unlawful destruction, or loss, alteration, unauthorized disclosure of or access to, Customer Data and Personal Data processed by HASH on behalf and in accordance with the documented instructions of Customer in connection with the Online Services. HASH will regularly monitor compliance with these measures and safeguards and will continue to take appropriate steps throughout the term of the HASH Customer Agreement. Appendix A – Security Safeguards contains a description of the technical and organizational measures and security safeguards implemented by HASH.

Customer is solely responsible for making an independent determination as to whether the technical and organizational measures and security safeguards for an Online Service meet Customer’s requirements, including any of its security obligations under applicable Data Protection Requirements. Customer acknowledges and agrees that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing of its Customer Data and Personal Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons) the technical and organizational measures and security safeguards implemented and maintained by HASH provide a level of security appropriate to the risk with respect to its Customer Data and Personal Data. Customer is responsible for implementing and maintaining privacy protections and security measures for components that Customer provides or controls.

HASH will provide security compliance reporting such as external SOC1, type 2 and SOC2, type2 audit reports upon Customer request. Customer agrees that any information and audit rights granted by the applicable Data Protection Requirements (including, where applicable, Article 28(3)(h) of the GDPR) will be satisfied by these compliance reports, and will otherwise only arise to the extent that HASH's provision of a compliance report does not provide sufficient information, or to the extent that Customer must respond to a regulatory or supervisory authority audit or investigation.

Should Customer be subject to a regulatory or supervisory authority audit or investigation or carry out an audit or investigation in response to a request by a regulatory or supervisory authority that requires participation from HASH, and Customers’ obligations cannot reasonably be satisfied (where allowable by Customer’s regulators) through audit reports, documentation, or compliance information that HASH makes generally available to its customers, then HASH will promptly respond to Customer’s additional instructions and requests for information, in accordance with the following terms and conditions:

→
HASH will provide access to relevant knowledgeable personnel, documentation, and application software.
→
Customer and HASH will mutually agree in a prior written agreement (email is acceptable) upon the scope, timing, duration, control and evidence requirements, provided that this requirement to agree will not permit HASH to unreasonably delay its cooperation.
→
Customer must ensure its regulator’s use of an independent, accredited third-party audit firm, during regular business hours, with reasonable advance written notice to HASH, and subject to reasonable confidentiality procedures. Neither Customer, its regulators, nor its regulators’ delegates shall have access to any data from HASH’s other customers or to HASH systems or facilities not involved in the Online Services.
→
Customer is responsible for all costs and fees related to HASH’s cooperation with the regulatory audit of Customer, including all reasonable costs and fees for any and all time HASH expends, in addition to the rates for services performed by HASH.
→
If the report generated from HASH’s cooperation with the regulatory audit of Customer includes any findings pertaining to HASH, Customer will share such report, findings, and recommended actions with HASH where allowed by Customer’s regulators.

Security Incident Notification

If HASH becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data processed by HASH on behalf and in accordance with the documented instructions of Customer in connection with the Online Services (each a "Security Incident"), HASH will promptly and without undue delay (1) notify Customer of the Security Incident; (2) investigate the Security Incident and provide Customer with detailed information about the Security Incident; (3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

Notification(s) of Security Incidents will be delivered to one or more of Customer's administrators by any means HASH selects, including via email. It is Customer's sole responsibility to ensure it maintains accurate contact information with HASH and that Customer's administrators monitor for and respond to any notifications. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.

HASH will make reasonable efforts to assist Customer in fulfilling Customer's obligation under GDPR Article 33 or other applicable law or regulations to notify the relevant regulatory or supervisory authority and individual data subjects about a Security Incident.

HASH’s notification of or response to a Security Incident under this section is not an acknowledgement by HASH of any fault or liability with respect to the Security Incident.

Customer must notify HASH promptly about any possible misuse of its accounts or authentication credentials or any Security Incident related to an Online Service.

Data Transfers and Location

Personal Data that HASH processes on behalf and in accordance with the documented instructions of Customer in connection with the Online Services may not be transferred to, or stored and processed in a geographic location except in accordance with the DPA Terms and the safeguards provided below in this section. Taking into account such safeguards, Customer appoints HASH to transfer Personal Data to the United States or any other country in which HASH or its Sub-processors operate and to store and process Personal Data to provide the Online Services, except as may be described elsewhere in these DPA Terms.

All transfers of Personal Data out of the European Union, European Economic Area, or Switzerland to provide the Online Services shall be governed by the Standard Contractual Clauses(EU/EEA) in Attachment 1. All transfers of Personal Data out of the United Kingdom to provide the Online Services shall be governed by the Standard Contractual Clauses (UK) in Attachment 2. For the purposes of the Data Protection Law of Switzerland, Standard Contractual Clauses (EU/EEA) in Attachment 1, shall be interpreted as follows:

i. references to the “European Union,” “EU,” “European Economic Area,” “EEA” or a “Member State” shall be interpreted to refer to “Switzerland”

ii. references to “Regulation (EU) 2016/679” and any articles therefrom shall be interpreted to include references to the “Data Protection Law of Switzerland”.

iii. References to “supervisory authority” shall be interpreted to refer to the “Swiss FDPIC”.

HASH will abide by the requirements of applicable European Union, European Economic Area, United Kingdom and Swiss data protection law, and other Data Protection Requirements, in each case regarding the transfer of Personal Data to recipients or jurisdictions outside such jurisdiction. All such transfers of Personal Data will, where applicable, be subject to appropriate safeguards as described in Article 46 of the GDPR and such transfers and safeguards will be documented according to Article 30(2) of the GDPR.

Subject to the safeguards described above, HASH may transfer, store and otherwise process Personal Data to or in jurisdictions and geographic locations worldwide as it, subject to its sole discretion, considers reasonably necessary in connection with the Online Services.

Data Retention and Deletion

Upon Customer's reasonable request, unless prohibited by law, HASH will return or destroy all Customer Data and Personal Data processed by HASH on behalf and in accordance with the documented instructions of Customer in connection with the Online Services at all locations where it is stored within 30 days of the request, provided that it is no longer needed for providing the Online Services or the purposes for which a data subject had authorized the processing of their Personal Data. HASH may retain Customer Data or Personal Data to the extent required by the applicable Data Protection Requirements or other applicable law, and only to the extent and for such period as required by the applicable Data Protection Requirements or other applicable law, provided that HASH will ensure that the Customer Data or Personal Data is processed only as necessary for the purpose specified in the applicable Data Protection Requirements or other applicable law and no other purpose, and the Customer Data or Personal Data remains protected by the Applicable Data Protection Requirements or other applicable law.

Processor Confidentiality Commitment

HASH will ensure that its personnel engaged in the processing of Customer Data and Personal Data on behalf of Customer in connection with the Online Services (i) will process such data only on instructions from Customer or as described in this DPA, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. HASH shall provide periodic and mandatory data privacy and security training and awareness to its employees with access to Customer Data and Personal Data in accordance with applicable Data Protection Requirements or other applicable law and industry standards.

Notice and Controls on Use of Sub-processors

HASH may hire Sub-processors to provide certain limited or ancillary services on its behalf. Customer consents to this engagement and to HASH Affiliates as Sub-processors. The above authorizations will constitute Customer’s prior written consent to the subcontracting by HASH of the processing of Personal Data if such consent is required under applicable law, the Standard Contractual Clauses or the GDPR Related Terms. HASH is responsible for its Sub-processors’ compliance with HASH’s obligations in this DPA. HASH makes available information about Sub-processors on the Sub-processors page on the HASH website (or a successor location). When engaging any Sub-processor, HASH will ensure via a written contract that the Sub-processor may access and use Customer Data or Personal Data only to deliver the services HASH has retained them to provide and is prohibited from using Customer Data or Personal Data for any other purpose. HASH will ensure that Sub-processors are bound by written agreements that require them to provide at least the level of data protection required of HASHby the DPA, including the limitations on disclosure of Personal Data. HASH agrees to oversee the Sub-processors to ensure that these contractual obligations are met.

From time to time, HASH may engage new Sub-processors. HASH will give Customer notice (by updating the Sub-processors page on the HASH website (or a successor location) and providing Customer with a mechanism to obtain notice of that update) of any new Sub-processor in advance of providing that Sub-processor with access to Customer Data. If HASH engages a new Sub-processor for a new Online Service, HASH will give Customer notice prior to availability of that Online Service.

If Customer does not approve of a new Sub-processor, then Customer may terminate any subscription for the affected Online Service without penalty by providing, before the end of the relevant notice period, written notice of termination. Customer may also include an explanation of the grounds for non-approval together with the termination notice, in order to permit HASH to re-evaluate any such new Sub-processor based on the applicable concerns. If the affected Online Service is part of a suite (or similar single purchase of services), then any termination will apply to the entire suite.

After termination, HASH will remove payment obligations for any subscriptions for the terminated Online Service from subsequent invoices to Customer or its reseller.

Educational Institutions

If Customer is an educational agency or institution subject to the regulations under the Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), or similar state student or educational privacy laws (collectively “Educational Privacy Laws”), Customer shall not provide Personal Data covered by such Educational Privacy Laws to HASH without obtaining HASH’s prior, written and specific consent and entering into a separate agreement with HASH governing the parties’ rights and obligations with respect to the processing of such Personal Data by HASH in connection with the Online Services.

Subject to the above, if Customer intends to provide to HASH Personal Data covered by FERPA, the parties agree and acknowledge that, for the purposes of this DPA, HASH is a “school official” with “legitimate educational interests” in the Personal Data, as those terms have been defined under FERPA and its implementing regulations. Customer understands that HASH may possess limited or no contact information for Customer’s students and students’ parents. Consequently, Customer will be responsible for obtaining any student or parental consent for any end user’s use of the Online Services that may be required by applicable law and to convey notification on behalf of HASH to students (or, with respect to a student under 18 years of age and not in attendance at a postsecondary institution, to the student’s parent) of any judicial order or lawfully-issued subpoena requiring the disclosure of Personal Data in HASH’s possession as may be required under applicable law.

CJIS Customer Agreement, HIPAA Business Associate, Biometric Data

Except with HASH’s prior, written and specific consent, Customer shall not provide to HASH any Personal Data:

→
relating to criminal convictions and offenses or Personal Data collected or otherwise processed by Customer subject to or in connection with FBI Criminal Justice Information Services or the related Security Policy;
→
constituting protected health information governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Parts 160 and 164 of Title 45 of the Code of Federal Regulations, established pursuant to the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191) or by state health or medical privacy laws;
→
collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects (Common Rule); or
→
covered by state, federal or foreign biometric privacy laws or otherwise constituting biometric information including information on an individual’s physical, physiological, biological or behavioral characteristics or information derived from such information that is used or intended to be used, singly or in combination with each other or with other information, to establish individual identity.

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

If and to the extent HASH is processing Personal Data on behalf and in accordance with the documented instructions of Customer within the scope of the CCPA, HASH makes the following additional commitments to Customer. HASH will process the Personal Data on behalf of Customer and will not:

→
sell the Personal Data as the term “selling” is defined in the CCPA;
→
share, rent, release, disclose, disseminate, make available, transfer or otherwise communicate orally, in writing or by electronic or other means, the Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged;
→
retain, use or disclose the Personal Data for any purpose other than for the business purposes specified in the DPA Terms and the HASH Customer Agreement, including retaining, using or disclosing the Personal Data for a commercial purpose other than the business purposes specified in the DPA Terms or the HASH Customer Agreement, or as otherwise permitted by the CCPA;
→
retain, use or disclose the Personal Data outside of the direct business relationship with Customer;
→
combine the Personal Data with personal information that it receives from or on behalf of a third party or collects from California residents, except that HASH may combine Personal Data to perform any business purpose as permitted by the CCPA or any regulations adopted or issued under the CCPA.

How to Contact HASH

If Customer believes that HASH is not adhering to its privacy or security commitments, Customer may contact HASH customer support.

For the fastest response time, Customer may contact HASH via the online form located at hash.ai/contact. We will respond promptly.

Our mailing addresses is:

HASH, Inc.
Attn: HASH Privacy Team

2109 Broadway Unit 1141

New York, NY 10023

United States

David Wilkinson is HASH’s data protection representative for the European Economic Area. The privacy representative of HASH can be reached at the following address:

David Wilkinson
Attn: HASH EU/EEA Data Protection Representative

10 Netherwood Rd

Manchester, M22 4BQ

United Kingdom

Appendix A - Security Safeguards

HASH has implemented and will maintain for Customer Data and Personal Data processed by HASH on behalf and in accordance with the documented instructions of Customer in connection with HASH services the following technical and organizational measures and security safeguards, which in conjunction with the security commitments in this DPA (including the GDPR Related Terms), are HASH's only responsibility with respect to the security of that data:

Domain	Practices
Organization of Information Security	Security Ownership HASH has appointed one or more security officers responsible for coordinating and monitoring the security policies and procedures. Security Roles and Responsibilities. HASH personnel with access to Customer Data and Personal Data are subject to confidentiality obligations. Risk Management Program. HASH performs an annual risk assessment. HASH retains its security documents pursuant to its retention requirements after they are no longer in effect. Vendor Management. HASH has a vendor risk assessment process, vendor contract clauses and additional data protection agreements with vendors.
Asset Management	Asset Inventory. HASH maintains an inventory of all media on which Customer Data and Personal Data is stored. Access to the inventories of such media is restricted to HASH personnel authorized to have such access. Asset Handling: HASH classifies Customer Data and Personal Data to help identify it and to allow for access to it to be appropriately restricted. HASH communicates employee responsibility and accountability for data protection up to and including cause for termination. HASH personnel must obtain HASH's authorization prior to remotely accessing Customer Data and Personal Data or processing Customer Data and Personal Data outside HASH’s facilities.
Human Resources Security	Security Training. HASH requires all new hires to complete security and privacy awareness training as part of initial on-boarding. Participation in annual training is required for all employees to provide a baseline for security and privacy basics.
Physical and Environmental Security	Physical Access to Facilities. HASH limits access to facilities where information systems that process Customer Data and Personal Data are located to identified authorized individuals. Physical Access to Components. HASH maintains records of the incoming and outgoing media containing Customer Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of Customer Data and Personal Data they contain. Protection from Disruptions. HASH uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference. Component Disposal. HASH uses industry standard processes to delete Customer Data and Personal Data when it is no longer needed.
Communications and Operations Management	Operational Policy. HASH maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data. Data Recovery Procedures: On an ongoing basis, but in no case less frequently than once a week (unless no Customer Data and Personal Data has been updated during that period), HASH maintains multiple copies of Customer Data and Personal Data from which Customer Data and Personal Data can be recovered. HASH stores copies of Customer Data and Personal Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data and Personal Data is located. HASH has specific procedures in place governing access to copies of Customer Data. HASH logs data restoration efforts, including the person responsible, the description of the restored data and where applicable, the person responsible and which data (if any) had to be input manually in the data recovery process. Malicious Software. HASH has threat detection controls to help identify and respond to anomalous or suspicious access to Customer Data, including malicious software originating from public networks. Data Beyond Boundaries: HASH encrypts, or enables Customer to encrypt, Customer Data and Personal Data that is transmitted over public networks. HASH restricts access to Customer Data and Personal Data in media leaving its facilities. Event Logging. HASH logs, or enables Customer to log, access and use of information systems containing Customer Data, registering the access ID, time, authorization granted or denied, and relevant activity.
Access Control	Access Policy. HASH maintains a record of security privileges of individuals having access to Customer Data. Access Authorization: HASH maintains and updates a record of personnel authorized to access HASH systems that contain Customer Data. HASH identifies those personnel who may grant, alter or cancel authorized access to data and resources. HASH ensures that where more than one individual has access to systems containing Customer Data, the individuals have separate identifiers/log-ins where technically and architecturally feasible, and commercially reasonable. Least Privilege: Technical support personnel are only permitted to have access to Customer Data and Personal Data when needed. HASH restricts access to Customer Data and Personal Data to only those individuals who require such access to perform their job function. HASH employees are only granted access to production systems based on their role within the organization. Integrity and Confidentiality: HASH instructs HASH personnel to disable administrative sessions when computers are left unattended. HASH stores passwords such that they are encrypted or unintelligible while they are in force. Authentication: HASH uses industry standard practices to identify and authenticate users who attempt to access information systems. Where authentication mechanisms are based solely on passwords, HASH requires the password to be at least eight characters long. HASH ensures that de-activated or expired employee identifiers are not granted to other individuals. HASH monitors, or enables Customer to monitor, repeated attempts to gain access to the information system using an invalid password. HASH maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed. HASH uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage. Network Design. HASH has controls to ensure no systems storing Customer Data and Personal Data are part of the same logical network used for HASH business operations.
Information Security Incident Management	Incident Response Process: HASH maintains a record of security incidents with a description of the incidents, the time period, the consequences of the breach, the name of the reporter, and to whom the incident was reported, and details regarding the handling of the incident. In the event that HASH Security confirms or reasonably suspects that a HASH customer is affected by a data breach, we will notify the customer without undue delay. HASH tracks, or enables Customer to track, disclosures of Customer Data, including what data has been disclosed, to whom, and at what time. Service Monitoring. HASH employs a wide range of continuous monitoring solutions for preventing, detecting, and mitigating attacks to the site.
Business Continuity Management	HASH maintains emergency and contingency plans for the facilities in which HASH information systems that process Customer Data and Personal Data are located. HASH’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data and Personal Data in its original or last-replicated state from before the time it was lost or destroyed.

Appendix B - Supplementary Files

By signing up you agree to our terms and conditions and privacy policy