Data Processing Addendum
Last updated: 6 May 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service (the “Agreement”) between Hilead Ltd (“Hilead”, “Processor”) and the customer identified in the Agreement (“Customer”, “Controller”). It applies where Hilead processes personal data on Customer’s behalf in the course of providing the Hilead platform and related services (the “Service”).
This DPA is automatically incorporated into the Agreement upon Customer’s subscription. By subscribing to the Service, Customer accepts this DPA. Where Customer requires a counter-signed copy, Hilead will provide one upon written request to hello@hilead.co, subject to the limitations in Section 12.
1. Definitions
For the purposes of this DPA:
- “Applicable Data Protection Law” means the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable laws relating to the processing of personal data.
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” have the meanings given in the UK / EU GDPR.
- “Customer Personal Data” means Personal Data processed by Hilead on behalf of Customer in connection with the Service.
- “Subprocessor” means any third party engaged by Hilead to process Customer Personal Data.
- “Standard Contractual Clauses” or “SCCs” means the European Commission’s standard contractual clauses for the transfer of personal data to third countries, as updated from time to time, and the UK International Data Transfer Agreement (IDTA) or UK Addendum, as applicable.
2. Scope and roles
2.1 Roles
For Customer Personal Data processed in connection with Customer’s outbound campaigns, lists, and communications sent through the Service:
- Customer is the Controller.
- Hilead is the Processor.
For the prospect database that Hilead makes available within the Service, Hilead acts as an independent Controller, as further described in our Privacy Policy. This DPA does not apply to that processing.
2.2 Compliance with law
Each party will comply with its respective obligations under Applicable Data Protection Law in connection with the processing of Customer Personal Data.
3. Subject matter and details of processing
| Item | Description |
|---|---|
| Subject matter | Provision of the Hilead Service to Customer |
| Duration | The term of the Agreement, plus any retention period set out in the Privacy Policy |
| Nature and purpose | Hosting, storing, transmitting, and processing Customer Personal Data to enable Customer to identify, qualify, and engage with B2B prospects through the Service |
| Categories of Data Subjects | (a) Customer’s authorised users; (b) prospects and recipients added by Customer to its campaigns |
| Categories of Personal Data | Names, business email addresses, professional phone numbers, job titles, employer information, professional social profile URLs, engagement signals (opens, replies, opt-outs), campaign content created by Customer |
| Special categories | None. Customer must not upload special categories of personal data through the Service |
4. Customer’s obligations
Customer warrants and undertakes that:
- It has a valid lawful basis under Applicable Data Protection Law for processing Customer Personal Data through the Service.
- It has provided all required notices to Data Subjects and obtained any necessary consents.
- Its use of the Service complies with our Sending Policy and Applicable Data Protection Law.
- It will respond promptly to Data Subject requests and complaints relating to its own processing activities.
- It will not upload special categories of personal data, criminal data, or data of minors through the Service.
5. Hilead’s obligations
Hilead shall:
- Process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by Applicable Data Protection Law (in which case Hilead will inform Customer before processing, unless prohibited by law).
- Ensure that persons authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures (see Section 7).
- Assist Customer, taking into account the nature of the processing, in fulfilling its obligations to respond to Data Subject requests, conduct Data Protection Impact Assessments (DPIAs), and consult with supervisory authorities where required.
- Make available to Customer information necessary to demonstrate compliance with this DPA, subject to Section 11.
- Engage Subprocessors only in accordance with Section 6.
- Notify Customer of Personal Data Breaches as set out in Section 8.
6. Subprocessors
6.1 General authorisation
Customer provides Hilead with general authorisation to engage Subprocessors to process Customer Personal Data, subject to the safeguards in this Section 6.
6.2 Current Subprocessors
The current list of Subprocessors used by Hilead is available at hilead.co/legal/subprocessors and includes (without limitation):
- Hetzner Online GmbH (Germany) — hosting and infrastructure.
- Lemon Squeezy LLC (United States) — payments and Merchant of Record.
- Resend Inc. (United States) — transactional email delivery.
- Other subprocessors used for analytics, monitoring, and operational support.
6.3 Subprocessor obligations
When engaging a Subprocessor, Hilead will:
- Conduct due diligence to ensure adequate data protection.
- Enter into a written contract that imposes data protection obligations no less protective than those in this DPA.
- Remain liable to Customer for the acts and omissions of its Subprocessors.
6.4 Notice of changes
Hilead will provide reasonable notice (at least 30 days where practicable) of new Subprocessors by updating the Subprocessors list at hilead.co/legal/subprocessors. Customer may, on legitimate grounds, object to a new Subprocessor by emailing hello@hilead.co within 30 days of notice. If a reasonable resolution cannot be reached, Customer’s sole remedy is to terminate the Agreement, with no entitlement to a refund of fees already paid.
7. Security
Hilead implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These include:
- Encryption in transit (TLS) for data transmitted over public networks.
- Encryption at rest for sensitive data, where appropriate.
- Access controls, including role-based permissions, multi-factor authentication for administrative access, and the principle of least privilege.
- Network security, including firewalls and segmentation.
- Regular software updates and patching.
- Backups of critical data with retention appropriate to the risk.
- Logging and monitoring of access to systems containing Customer Personal Data.
- Incident response procedures.
- Staff training on data protection and security.
- Subprocessor due diligence.
Hilead may update its security measures from time to time, provided that any updates do not materially decrease the level of protection.
8. Personal Data Breaches
8.1 Notification
Hilead will notify Customer without undue delay (and where feasible, within 72 hours) after becoming aware of a Personal Data Breach affecting Customer Personal Data.
8.2 Content of notification
The notification will include, to the extent then known:
- The nature of the breach, including categories and approximate number of Data Subjects and records affected.
- The likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its possible adverse effects.
- The name and contact details of the Hilead point of contact for further information.
8.3 Cooperation
Hilead will cooperate reasonably with Customer in the investigation, mitigation, and remediation of the breach, including providing information necessary for Customer to comply with its own notification obligations under Applicable Data Protection Law.
9. Data Subject requests
9.1 Forwarding
If Hilead receives a Data Subject request relating to Customer Personal Data processed on Customer’s behalf, Hilead will (unless legally prohibited) forward the request to Customer without undue delay and not respond directly, except to confirm receipt and refer the Data Subject to Customer.
9.2 Assistance
Hilead will provide reasonable assistance, taking into account the nature of the processing and the information available, to enable Customer to respond to Data Subject requests within statutory deadlines. Where Hilead’s assistance requires more than minimal effort, Hilead may charge reasonable fees.
10. International data transfers
Customer Personal Data is primarily stored and processed within the European Economic Area (EEA), specifically in Germany.
Where Customer Personal Data is transferred outside the UK or EEA to a country not benefiting from an adequacy decision, the transfer is governed by appropriate safeguards, including:
- The European Commission’s Standard Contractual Clauses (Module 2 or Module 3 as applicable), which are incorporated into this DPA by reference.
- The UK International Data Transfer Agreement (IDTA) or UK Addendum, as applicable.
- Where required, additional safeguards identified through transfer impact assessments.
Customer authorises Hilead to enter into the SCCs (and equivalent UK transfer instruments) with Subprocessors on Customer’s behalf, where Hilead acts as data exporter from the UK or EEA to a third country.
11. Audits
11.1 Information
Hilead will make available to Customer, upon reasonable written request, information necessary to demonstrate Hilead’s compliance with this DPA, including completed security questionnaires (such as SIG Lite or CAIQ) and applicable third-party audit reports where available.
11.2 On-site audits
If documentation provided is insufficient and a Customer reasonably demonstrates the need, Customer may request an on-site audit, subject to:
- At least 30 days’ written notice.
- Conducted during regular business hours and in a manner that does not unreasonably disrupt Hilead’s operations.
- No more than once per twelve-month period, unless required by a regulator or following a Personal Data Breach.
- Subject to confidentiality obligations.
- At Customer’s cost, unless the audit reveals a material breach of this DPA.
12. Modifications and counter-signing
Due to operational constraints, Hilead is generally unable to negotiate or sign Customer-specific DPAs that materially deviate from this standard DPA. This standard DPA reflects current best practice and is designed to meet the requirements of UK / EU GDPR.
Where a counter-signed copy is required for Customer’s compliance records, Hilead will provide one upon written request to hello@hilead.co, signed in this form without modification.
13. Term and termination
This DPA takes effect upon Customer’s subscription to the Service and continues for the duration of the Agreement. Sections that by their nature should survive termination (including Sections 5, 7, 8, 10, and 11) will continue to apply.
14. Return and deletion of data
Upon termination of the Agreement, Hilead will, in accordance with Customer’s reasonable instructions and within the timeframes set out in our Privacy Policy:
- Delete Customer Personal Data, or
- Return Customer Personal Data to Customer in a structured, commonly used, machine-readable format,
except where retention is required by Applicable Data Protection Law or for legitimate business purposes such as backups (which will be deleted in line with normal retention cycles).
15. Order of precedence
In the event of any conflict between this DPA and the Agreement, this DPA prevails with respect to the processing of Customer Personal Data. In the event of any conflict between this DPA and any Standard Contractual Clauses, the Standard Contractual Clauses prevail.
16. Governing law
This DPA is governed by the laws of England and Wales, save where the Standard Contractual Clauses prescribe a different governing law for transfers between specific jurisdictions.
Hilead Ltd
71-75 Shelton Street, Covent Garden
London WC2H 9JQ, United Kingdom
Companies House Number: 17205087
Contact for DPA-related queries: hello@hilead.co