Data Processing Agreement

1. Definitions

Terms such as "Personal Data," "processing," "controller," "processor," "data subject," "personal data breach," and "supervisory authority" have the meanings given to them in the applicable Data Protection Law. "UK GDPR" means the United Kingdom General Data Protection Regulation. "EU GDPR" means Regulation (EU) 2016/679. "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.

2. Roles of the Parties

As between the parties, you are the Controller and we are the Processor of the Personal Data you submit to, or that is generated through your use of, the Service ("Customer Personal Data"), as described in Annex 1. You are responsible for the accuracy, quality, and lawfulness of the Customer Personal Data and the means by which you acquired it, and for having a valid legal basis for the processing, including providing any required notices and obtaining any required consents from data subjects.

3. Processing on Your Instructions

We will process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law to which we are subject. In that case, we will inform you of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest. Your instructions are set out in this DPA, the Terms and Conditions, and your use and configuration of the Service. If we believe an instruction infringes Data Protection Law, we will inform you.

4. Confidentiality

We will ensure that persons authorized to process Customer Personal Data are bound by an appropriate duty of confidentiality and only process the data as instructed.

5. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to data subjects, we will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2. We regularly review and, where appropriate, update these measures.

6. Sub-processors

You provide general authorization for us to engage Sub-processors to process Customer Personal Data. A current list of our Sub-processors is available at our Sub-processors page. We will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible to you for each Sub-processor's performance of its obligations.

We will provide a mechanism to notify you of intended additions or replacements of Sub-processors, giving you the opportunity to object on reasonable data-protection grounds. If you object and we cannot reasonably accommodate your objection, you may, as your sole remedy, terminate the affected part of the Service.

7. Assistance to You

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as this is possible, to fulfil your obligation to respond to requests from data subjects exercising their rights under Data Protection Law (such as access, rectification, erasure, restriction, portability, and objection). Where we receive such a request directly relating to Customer Personal Data, we will, unless legally prohibited, direct the data subject to you rather than responding ourselves.

Taking into account the nature of processing and the information available to us, we will also assist you in ensuring compliance with your obligations regarding security of processing, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

8. Personal Data Breach

We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide you with information reasonably available to us to help you meet your own breach-notification obligations.

9. Deletion or Return of Data

Upon termination of the Service, and at your choice, we will delete or return all Customer Personal Data and delete existing copies, unless applicable law requires us to retain it. You may also delete Customer Personal Data through the Service at any time. We may retain certain data where required by law (for example, transaction and tax records), in which case we will continue to protect it in accordance with this DPA.

10. Audits and Information

We will make available to you information reasonably necessary to demonstrate compliance with our obligations under this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable notice, confidentiality obligations, and limits to protect the security and confidentiality of other customers' data. Where available, we may satisfy audit requests by providing relevant certifications or third-party reports.

11. International Transfers

Where our provision of the Service involves transferring Customer Personal Data outside the UK or the EEA, we will ensure that an appropriate transfer mechanism applies, such as an adequacy decision, or the Standard Contractual Clauses approved under the EU GDPR together with the UK International Data Transfer Addendum where the UK GDPR applies. Those clauses are incorporated into this DPA by reference and apply to such transfers.

12. Liability and Governing Law

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms and Conditions. This DPA is governed by the laws of the United Kingdom, and any disputes are subject to the same jurisdiction provisions as the Terms and Conditions.

Annex 1 — Details of Processing

Subject matter: Provision of the Hinto AI Service, which transforms screen recordings into documentation.

Duration: For the term of your use of the Service, plus any period required for deletion or return of data and any legally required retention period.

Nature and purpose: Hosting, storage, processing, AI-assisted content generation, and related operations needed to provide, maintain, secure, and support the Service.

Types of Personal Data: Account information (such as name and email); usage and billing data; and any Personal Data contained within the recordings, documents, and content you upload or generate, which is determined and controlled by you.

Categories of data subjects: Your authorized users and team members, and any individuals whose Personal Data appears in the content you submit to the Service.

Annex 2 — Technical and Organizational Measures

Our security measures include, as appropriate to the risk: encryption of data in transit and at rest; access controls and authentication; least-privilege access for personnel; logical separation of customer data; monitoring and logging; regular backups; vulnerability management; secure software development practices; and incident response procedures. A more detailed description is available to customers on request.

Contact

For data protection matters, including to enter into this DPA on a signed basis, contact us at contact@hintoai.com.