This Data Processing Addendum (“DPA”) is incorporated into the Order Form and read with the HyperStart Terms of Service (“Terms”), between HyperVerge Technologies Private Limited (“HyperStart”) and the client entity referred to in the Order Form (“Client”).
Client and HyperStart shall be individually referred to as the “Party” and collectively as the “Parties”.
1. Definitions
Terms not defined in this DPA shall have the meaning ascribed to them in the Terms. For this DPA, the following terms and those defined within the body of this DPA apply:
“Business”/ “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Laws” means the relevant data protection and data privacy laws, rules and regulations applicable to Processing of Personal Data by HyperStart, including the California Consumer Privacy Act of 2018 as amended by California Privacy Rights Act of 2020 (“CCPA”) and its implementing regulations, as applicable.
“Data Subject” means the identified or identifiable person to whom Personal Data relates.
“Personal Data” means any information that describes, relates to or identifies a natural person, or is capable of identifying such person, or as defined under the applicable Data Protection Laws, which is provided by the Client to HyperStart.
“Process” or “Processing” means any operation or set of operations performed on the Personal Data such as transfer, storage, organization/classification, adaptation or alteration, disclosure, retrieval, use, or making available, erasure or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Business/ Data Controller.
“Security Incident” shall mean a security breach of HyperStart’s systems leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data provided by the Client.
“Sub-processors” means an entity engaged by HyperStart in accordance with this DPA, to Process Personal Data to provide Services to the Client.
2. Processing of Personal Data
2.1. Role of Parties: The Parties agree that with regards to Processing of Personal Data, Client is the Business/ Data Controller and HyperStart is the Processor.
2.2. Compliance: The Parties shall comply with their respective obligations under the Data Protection Laws.
2.3. Consents: Client is responsible to obtain consents from Data Subjects as required by Data Protection Laws for Processing of Personal Data by HyperStart.
2.4. Quality of Personal Data: Client is responsible to ensure accuracy and quality of Personal Data provided to HyperStart.
2.5. Purpose limitation: HyperStart shall Process Personal Data only for (i) providing Services in accordance with the Terms and this DPA; (ii) complying with reasonable written instructions of the Client for provision of Services as mutually agreed between Parties (collectively the “Purpose”). HyperStart shall not Process Personal Data beyond any period necessary to accomplish the Purpose.
2.6. Disclosure: HyperStart shall not disclose Personal Data to third parties except to employees, Sub-processors, or advisers who have a need to know the Personal Data, and are under confidentiality and privacy obligations at least as restrictive as those described under this DPA. Unless prohibited by Data Protection Laws or a legally-binding request of law enforcement, HyperStart shall promptly notify the Client of any request by government agency or law enforcement authority for access to Personal Data, and shall render reasonable assistance to the Client, if Client wishes to contest the access.
2.7. Details of Processing of Personal Data: The Personal Data and the specific uses of the Personal Data are detailed in Annex attached hereto.
2.8. No sale or sharing of Personal Data: HyperStart shall not ‘sell’ or ‘share’ Personal Data. For this clause, ‘selling’ and ‘sharing’ shall have the meaning ascribed to them in the CCPA.
2.9. CCPA Specific Obligations:
- HyperStart shall process Personal Data solely for a valid business purpose to perform the Services.
- HyperStart shall not ‘sell’ or ‘share’ Personal Data. For this clause, ‘selling’ and ‘sharing’ shall have the meaning ascribed to them in the CCPA.
- HyperStart shall not combine the Personal Data with any other personal data which HyperStart receives from or on behalf of another person or persons or otherwise.
3. Sub-processing
3.1. Appointment of Sub-processors: Client authorises HyperStart to engage Sub-processors to the extent necessary for HyperStart to provide Services to the Client.
3.2. List of Sub-processors: HyperStart’s list of Sub-processors is accessible at https://www.hyperstart.com/sub-processors/
3.3. Notification of new Sub-processor and objection process: Prior to engaging any new Sub-processor, HyperStart will notify the Client via email and allow seven (7) days to object. If the Client fails to object within such period, the Sub-processor change will be deemed to be accepted. If the Client has legitimate objections to the appointment of any new Sub-processor, i.e. where appointment of Sub-processor will violate the Data Protection Laws or weaken the protection of Personal Data, the Parties will work together in good faith to resolve the concern within seven (7) days of the Client raising the objection. If the Parties are unable to resolve the objection within seven (7) days, (i) HyperStart will use commercially reasonable efforts to make available to Client a change in Services, or recommend a commercially reasonable change to Client’s configuration to avoid Processing of Personal Data by the new Sub-processor, and (ii) if HyperStart is unable to make such change, either Party may terminate the part of the Service performed under the Terms that cannot be performed by HyperStart without use of the new Sub-processor.
3.4. Appropriate agreement with Sub-processors: With respect to each Sub-processor, HyperStart shall ensure to enter into an agreement with the Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-processor.
3.5. Liability for Sub-processors: HyperStart shall be liable to the Client for the acts and omissions of the Sub-processor in relation to HyperStart’s obligations under this DPA and the Terms.
4. Data Security
4.1. Client is responsible for implementing adequate access controls and security measures of its systems and networks through which the Platform is accessed, in accordance with generally accepted industry practices.
4.2. HyperStart has obtained third party certifications such as ISO 27001, SOC 2 Type 2. Upon Client’s written request, HyperStart shall make available its third-party certifications and policies implemented by HyperStart.
4.3. HyperStart will maintain all Personal Data in strict confidence using appropriate technical and organisational measures to prevent unauthorized access, use or disclosure of Personal Data in accordance with generally accepted industry practices and Data Protection Laws.
4.4. HyperStart will ensure that its systems are maintained in a secure place, preventing unauthorized penetration and entry, and which is suitable to the nature of its activities and the sensitivity of the Personal Data. HyperStart will take measures to monitor and document the entry and exit from the premises in which the systems are located, as well as the setting and removing of equipment in and from the premises.
4.5. HyperStart will maintain access controls and follow principles of least privilege in relation to access to the Personal Data. HyperStart will revoke the authorizations to access Personal Data of such individuals upon the termination of their role.
4.6. HyperStart will ensure that the systems are managed and operated properly, to ensure that the Personal Data is logically separated from any other data it holds for other clients and/or third parties.
4.7. HyperStart will (i) not connect the systems to the internet without installing appropriate security measures against unauthorized penetration or programs that are capable of causing damage or disruption to such systems; and (ii) use appropriate industry standard encryption methods in any transfer of Personal Data over the internet.
4.8. HyperStart shall ensure it undertakes manual reviews and automated scans and regular assessments, audits, or other technical and operational testing of its systems Processing Personal Data, at least once every 12 months.
5. Security Incident Notification
5.1. HyperStart will maintain a reasonable security incident framework in place in accordance with Data Protection Laws.
5.2. HyperStart will report Security Incidents to the Client, without undue delay and within the time permitted under Data Protection Laws, but in no event within forty-eight (48) hours of detection. Such notice will include necessary details required under Data Protection Laws for the Client to comply with its own notification obligations to regulatory authorities or Data Subjects affected by the Security Incident.
5.3. HyperStart will provide commercially reasonable cooperation to the Client and take such reasonable steps to assist in the investigation, mitigation, remediation of such Security Incident.
5.4. HyperStart will take all reasonable measures necessary to prevent any further unauthorized third-party access, disclosure, loss of Personal Data.
5.5. The obligations herein do not apply to incidents that are caused by the Client, its authorized users, and/or any third-party products and/or services used by the Client in combination with Services.
6. Data Subject Rights
HyperStart will notify the Client if HyperStart receives a request from a Data Subject and shall not respond to that request except on the documented instructions of the Client or as required by Data Protection Laws. HyperStart will assist with the reasonable requests of the Client to facilitate the fulfilment of Client’s obligation to respond to requests for exercising Data Subject’s rights laid down in Data Protection Laws.
7. Deletion of Personal Data
7.1. HyperStart will securely delete Personal Data, and procure deletion of Personal Data from its Sub-processors, upon receipt of written request from the Client and reasonably demonstrate to the Client that it has undertaken deletion. Client can make deletion requests at [email protected]
7.2. The Client acknowledges and agrees that the deletion of Personal Data may affect the availability, accuracy, or functionality of the Services. HyperStart disclaims all liability for any limitations, disruptions, or issues in the performance of the Services arising directly or indirectly from such deletion of Personal Data.
7.3. Upon termination or expiration of the Order Form, HyperStart will securely delete, and require its Sub-processors to delete, Personal Data within thirty (30) days of termination or expiration. If the Client wants the data to be deleted sooner, the Client can make a request under Clause 7.1.
7.4. All deletion of Personal Data will be conducted in accordance with standard industry practices for deletion.
8. Data Protection Impact Assessments
Upon Client’s prior written request, HyperStart shall provide reasonable assistance to the Client with any data protection impact assessments, including any prior consultations to any supervisory authority of the Client, which are required under Data Protection Laws. Such cooperation will be offered solely in relation to Processing of Personal Data by HyperStart and to the extent such information is not available with the Client. The Client shall bear sole responsibility for conducting the data protection impact assessment and for any external costs associated with such assessment, including legal, consultancy, or third-party service provider fees.
9. Data Protection Officer
HyperStart has a data protection officer responsible for its data protection that can be reached at [email protected]
10. Contact
Client can write to [email protected] for all queries relating to this DPA and Processing of Personal Data.
11. Order of Precedence
In the event of any conflict or inconsistencies between this DPA, the Terms and any other document between the parties, this DPA shall prevail.
12. Reference of terms by incorporation
This DPA shall be read with and form part of the Order Form. All other provisions of the Terms shall be applicable mutatis mutandis to this DPA.
13. Term
This DPA shall be co-terminus with the Order Form.
ANNEX: DETAILS OF PROCESSING OF PERSONAL DATA
| Purpose of Processing | Providing Services to the Client in accordance with the Agreement, specifically provision and use of HyperStart CLM Platform by the Client. |
| Duration | HyperStart retains Personal Data for as long as the Client has an active account with HyperStart, unless deleted in accordance with the Terms or this DPA. |
| Categories of Data Subjects | Includes the following:
|
| Categories of Personal Data | Includes the following:
|
