Data Processing Addendum

Last updated: April 6, 2026

This Data Processing Addendum ("DPA") forms part of the HyveAI Terms of Service between Hyve Applied Intelligence LLC ("HyveAI") and the customer identified in the account ("Customer") and applies whenever HyveAI processes Personal Data on Customer's behalf.

1. Definitions

  • Applicable Data Protection Laws — the laws governing the processing of Personal Data that apply to the parties, including the EU General Data Protection Regulation (2016/679) ("GDPR"), the UK GDPR, the Swiss FADP, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and equivalent laws.
  • Personal Data — any information relating to an identified or identifiable natural person, where such information is contained within Customer Data that HyveAI processes on Customer's behalf.
  • Data Subject — the identified or identifiable person to whom Personal Data relates.
  • Processing — has the meaning given in Applicable Data Protection Laws.
  • Subprocessor — a third party engaged by HyveAI to process Personal Data in the course of providing the Service.

2. Roles of the Parties

For Personal Data contained within Customer Data, Customer is the Controller (or Business, under CCPA), and HyveAI is the Processor (or Service Provider, under CCPA). HyveAI will process Personal Data only on Customer's documented instructions, including as set out in the Terms of Service, the account configuration, and this DPA, unless required to do so by applicable law.

3. Scope of Processing

Subject matter: provision of the HyveAI Service.

Duration: the term of the Customer's account, plus any post-termination retrieval and deletion period.

Nature and purpose: hosting, indexing, embedding, retrieval, AI inference, logging, analytics, support, and backup of Customer Data to deliver knowledge-intelligence features.

Categories of Data Subjects: Customer's employees, contractors, end users of the chat widget, API consumers, and any individuals referenced in documents Customer uploads.

Types of Personal Data (depending on Customer's configuration and content):

  • contact details (name, email, phone) and authentication data for account users;
  • content of documents uploaded to the knowledge base, which may contain Personal Data chosen by Customer;
  • questions, answers, feedback, and metadata exchanged through the chat widget and API;
  • IP address, device, and session metadata associated with widget sessions and API requests.

HyveAI does not require Customer to submit any special categories of Personal Data (Art. 9 GDPR) or criminal-conviction data, and the Service is not designed for processing such data. If Customer nonetheless chooses to do so, Customer is responsible for ensuring an appropriate legal basis and notifying HyveAI in writing so additional safeguards can be evaluated.

4. HyveAI Obligations

  • Process Personal Data only on Customer's documented instructions and for the purposes described in Section 3.
  • Ensure personnel authorized to process Personal Data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see Annex II).
  • Assist Customer, taking into account the nature of the Processing, in responding to Data Subject requests and in fulfilling Customer's obligations under Articles 32–36 GDPR.
  • Make available to Customer all information necessary to demonstrate compliance with this DPA and allow for reasonable audits in accordance with Section 8.

5. Subprocessors

Customer authorizes HyveAI to engage the Subprocessors listed in Annex I to this DPA. HyveAI will impose data protection obligations on each Subprocessor that are no less protective than those in this DPA.

HyveAI will notify Customer (e.g. by email or by updating this page) of any intended addition or replacement of Subprocessors at least 14 days in advance. Customer may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; if unresolved, Customer may terminate the affected portion of the Service as its exclusive remedy.

6. International Data Transfers

Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country that is not the subject of an adequacy decision, the parties agree that the relevant Standard Contractual Clauses published by the European Commission (Decision (EU) 2021/914) apply to the transfer, and are incorporated by reference into this DPA as follows:

  • For Controller-to-Processor transfers: Module Two of the SCCs; Clause 7 (docking) does not apply; Clause 9(a) option 2 (general written authorisation) applies with the 14-day notice period in Section 5; Clause 11 opt-in does not apply; Clause 17 governing law is Ireland; Clause 18 forum is Ireland.
  • For Processor-to-Processor onward transfers to Subprocessors: Module Three applies with equivalent options.
  • The Annexes of the SCCs are populated by Annex I and Annex II of this DPA.

For transfers from the UK, the International Data Transfer Addendum issued by the UK ICO applies to the SCCs. For transfers from Switzerland, references to the GDPR in the SCCs are deemed to include the Swiss FADP, and references to EU supervisory authorities include the Swiss FDPIC where applicable.

7. Security & Breach Notification

HyveAI maintains the security measures described in Annex II and will notify Customer without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data Breach affecting Customer Data. The notification will include, to the extent known, the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

8. Audits

HyveAI will make available on request the information necessary to demonstrate compliance with this DPA, including summaries of security measures, subprocessor controls, and — where available — third-party reports and certifications. Where Applicable Data Protection Laws require on-site audit rights, Customer may, with reasonable advance notice and no more than once per year (except following a confirmed Personal Data Breach), audit HyveAI's compliance at Customer's expense, subject to confidentiality and reasonable security constraints.

9. Data Subject Rights

HyveAI will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures (including self-service tools within the Service) to fulfil Customer's obligation to respond to Data Subject requests under Applicable Data Protection Laws. If a Data Subject contacts HyveAI directly, HyveAI will refer them to Customer where the Personal Data relates to Customer's use of the Service.

10. Deletion of Personal Data

Upon termination or expiration of the account, HyveAI will, at Customer's choice, delete or return all Personal Data in HyveAI's possession within 30 days, except to the extent retention is required by applicable law. Backups containing Personal Data will be overwritten in the ordinary course of HyveAI's backup rotation (see the Privacy Policy).

11. CCPA

With respect to Personal Data subject to the CCPA, HyveAI is a Service Provider and will not (a) sell or share Personal Data, (b) retain, use, or disclose Personal Data for any purpose other than the business purposes specified in the Terms and this DPA, or (c) combine Personal Data received from Customer with Personal Data received from other sources, except as permitted by the CCPA. HyveAI certifies that it understands these restrictions.

12. Liability & Order of Precedence

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to the Processing of Personal Data. Where the SCCs apply, the SCCs prevail over any conflicting provision of this DPA.

Annex I — Subprocessors

HyveAI engages the following Subprocessors to provide the Service. The list is kept current; material changes will be notified as described in Section 5.

Subprocessor | Purpose | Location
OpenAI, L.L.C. | LLM inference and embeddings | United States
Pinecone Systems, Inc. | Managed vector database for RAG retrieval | United States
Stripe, Inc. | Payment processing and subscription billing | United States
Hugging Face, Inc. | Optional SLM fine-tuning and model hosting | United States
Functional Software, Inc. d/b/a Sentry | Application error and performance monitoring | United States
Hosting provider (ronin infrastructure) | Compute, storage, reverse proxy, encrypted backups for the core platform | Europe
SMTP email provider | Transactional email and alerting | United States / Europe
Slack Technologies, LLC (optional) | Operational alerts and customer Slack integrations | United States
Twilio Inc. (optional) | SMS delivery for customers using the SMS channel | United States

Annex II — Technical & Organizational Measures

HyveAI implements and maintains the following technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 GDPR:

Access control

  • Role-based access control for the client portal (admin, manager, user, viewer).
  • Per-facility authorization checks on all document, analytics, and webhook endpoints (multi-tenant isolation).
  • Administrative access to production infrastructure restricted to named personnel via SSH key authentication over a hardened host.

Authentication & credentials

  • Passwords hashed using industry-standard algorithms.
  • API keys stored as SHA-256 hashes; plaintext keys are shown to the user only once on generation.
  • JWT-based authentication with short-lived tokens and rate-limited login endpoints.

Encryption

  • TLS 1.2+ for all external HTTP traffic (managed by Traefik).
  • Encrypted database backups retained on a rotating schedule.

Network & application security

  • Reverse proxy with automatic certificate management, HSTS, and security headers.
  • Rate limiting and brute-force protection backed by Redis on all authentication and API endpoints.
  • Input validation, CSRF protection, and sanitization on the chat widget to mitigate XSS and injection attacks.

Logging & monitoring

  • Structured JSON logging with trace-ID propagation across services; aggregated through Loki.
  • Metrics scraped by Prometheus; alerting rules routed via Grafana to Slack and email.
  • Application error monitoring through Sentry with scrubbing of authentication headers before data leaves the service.

Backups & disaster recovery

  • Automated daily PostgreSQL backups with 7-day, 4-week, and 3-month retention windows.
  • Documented restore procedures and a disaster-recovery runbook.

Personnel

  • Confidentiality obligations binding all personnel with access to Personal Data.
  • Security-awareness training and access review for individuals with production privileges.

Contact

Questions about this DPA or requests to sign a countersigned version can be sent to loren@hyveappliedintelligence.com.