Data Processing Agreement (DPA)

Parties to this Agreement

This Data Processing Agreement ("DPA") is entered into between:

Data Controller

Name: You (the user of ThisOne AI Platform Services)

Role: Data Controller under GDPR Art. 4(7)

Responsibilities: You determine the purposes and means of processing Personal Data that you submit to our Services.

Data Processor

Name: Hashed Horizon Sp. z o.o.

Registered Office: Poland

Contact: support@hashedhorizon.com

Data Protection Officer: dpo@hashedhorizon.com

Role: Data Processor under GDPR Art. 4(8)

Responsibilities: We process Personal Data on your behalf and on your documented instructions only.

Purpose and Applicability

ENTERPRISE-ONLY AGREEMENT

This Data Processing Agreement ("DPA") applies only when:

  1. A business customer processes third-party personal data (not their own photos) via our Services, AND
  2. The customer has executed the Enterprise Addendum

Not for Consumer Use: This DPA does NOT apply to consumers' use of their own photos. Consumers using ThisOne AI Platform for personal photos are covered by our Privacy Policy, where Hashed Horizon acts as Controller.

This Data Processing Agreement ("DPA") governs the processing of Personal Data that you (the Data Controller) submit to ThisOne AI Platform Services, where such Personal Data includes information about third parties (Data Subjects) other than yourself.

Business/Team Plan Customers Only

Applicability: This DPA applies only to customers who:

  1. Purchase a Business/Team Plan, OR
  2. Execute an Order Form with Hashed Horizon, OR
  3. Sign this DPA explicitly as part of an Enterprise Agreement

Not for Consumer Users: If you use ThisOne AI Platform for personal, non-commercial purposes, this DPA does not apply. Hashed Horizon acts as the Data Controller for your personal data as described in our Privacy Policy.

Automatic Incorporation: For Business/Team Plan customers, this DPA is automatically incorporated via the Enterprise Addendum. No separate DPA signature is required unless you specifically request a custom DPA.

GDPR Requirement: This DPA is required by GDPR Art. 28(3), which mandates a written contract between Data Controllers and Data Processors setting out the subject matter, duration, nature, purpose, type of Personal Data, categories of Data Subjects, and obligations and rights of the Controller.

Integration: This DPA is incorporated into and forms part of:

  1. Enterprise Addendum (for Business/Team Plan customers)
  2. Terms of Service (as modified by Enterprise Addendum)
  3. Order Form or MSA (if executed)

Document Hierarchy

In case of conflict:

  1. Custom DPA terms in Order Form (if any)
  2. This DPA
  3. Enterprise Addendum
  4. Privacy Policy (for data protection matters)
  5. Terms of Service

When This DPA Applies

This DPA applies when all of the following conditions are met:

Required Conditions

  1. Business/Team Plan: You have purchased a Business/Team Plan or have an executed Order Form
  2. Third-Party Personal Data: You submit Personal Data about individuals other than yourself (end users, employees, clients, etc.)
  3. Processing on Your Behalf: Hashed Horizon processes that Personal Data as instructed by you to provide the Services
  4. GDPR Applies: The processing is subject to GDPR (EU) 2016/679, UK GDPR, or equivalent data protection laws

Example Scenarios Where DPA Applies

DPA Applies:

  • SaaS Provider: You offer a photo editing SaaS and use ThisOne AI Platform APIs to process your end users' images
  • Enterprise Internal Tool: Your company uses ThisOne AI Platform for employees to edit images; you control employee data
  • Agency Use: Your marketing agency processes client photos through ThisOne AI Platform on behalf of clients

DPA Does NOT Apply (Hashed Horizon is Controller):

  • Personal Use: You use ThisOne AI Platform to edit your own vacation photos
  • Freelancer: You edit images for your portfolio or personal projects
  • Consumer Account: You have a free or individual paid plan (not Business/Team)

Verification

Not Sure? If uncertain whether this DPA applies to your use case, contact dpo@hashedhorizon.com with the subject line "DPA Applicability Question".

Customer Type Check:

  • Consumer Users → Privacy Policy governs (Hashed Horizon is Controller)
  • Business/Team Plan → This DPA applies (you are Controller, Hashed Horizon is Processor)

When This DPA Does NOT Apply:

  • Processing of your own Personal Data (covered by our Privacy Policy)
  • Processing necessary to provide the Services to you directly (e.g., your Account data)

Hierarchy of Documents

In case of conflict, the following hierarchy governs:

  1. Enterprise Addendum (if applicable) - Enhanced terms for Enterprise Customers
  2. This DPA (Data Processing Agreement)
  3. Standard Contractual Clauses (Annex to this DPA) - for international data transfers
  4. Order Form (if any) - Service-specific terms and pricing
  5. Privacy Policy - For data protection matters
  6. Terms of Service - For general service usage
  7. Cookie Policy - For cookie and tracking disclosures

Amendments: We may update this DPA by providing at least 30 days' advance notice to the Customer's designated admin email and/or via in-app notification. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.

Defined Terms

Unless otherwise defined in this DPA, capitalized terms have the meanings set forth in the next section (Definitions) or in our Terms of Service.

Definitions

For the purposes of this DPA, the following terms have the meanings below. These definitions supplement the definitions in our Terms of Service and Privacy Policy.

GDPR-Specific Definitions (GDPR Art. 4)

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject"), as defined in GDPR Art. 4(1).

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, transmission, erasure, or destruction, as defined in GDPR Art. 4(2).

"Data Controller" means you (the user), who determines the purposes and means of Processing Personal Data, as defined in GDPR Art. 4(7).

"Data Processor" means Hashed Horizon, which Processes Personal Data on behalf of the Data Controller (you), as defined in GDPR Art. 4(8).

"Data Subject" means an identified or identifiable natural person whose Personal Data is being Processed, as defined in GDPR Art. 4(1).

"Sub-processor" means any third party engaged by Hashed Horizon (the Data Processor) to Process Personal Data on behalf of the Data Controller, as defined in GDPR Art. 28(2) and (4).

"Supervisory Authority" means an independent public authority responsible for monitoring GDPR compliance, as defined in GDPR Art. 4(21).

Service-Specific Definitions

"Customer Data" means all Personal Data that you (the Data Controller) submit to the Services, including:

  • AI Inputs: Text, images, or other content you provide to AI Services that contains Personal Data

  • AI Outputs: Generated content that may incorporate or derive from Personal Data in Inputs

  • User-Generated Content: Files, documents, datasets, or other content uploaded by you

  • API Data: Personal Data transmitted via our APIs or integrations

"Processing Instructions" means your documented instructions to Hashed Horizon regarding the Processing of Customer Data, as set forth in the Processing Instructions section of this DPA.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data (also known as a "Personal Data Breach" under GDPR Art. 4(12)).

"Standard Contractual Clauses" (SCCs) means the clauses approved by the European Commission Decision 2021/914/EU for the transfer of Personal Data to third countries, as set forth in the Annex to this DPA.

"EEA" means the European Economic Area, comprising the 27 EU Member States plus Iceland, Liechtenstein, and Norway.

"Third Country" means any country outside the EEA that has not been recognized by the European Commission as providing an adequate level of data protection under GDPR Art. 45.

Processing Operations

"Restricted Transfer" means the transfer of Personal Data from the EEA to a Third Country, subject to GDPR Art. 44-50 safeguards.

"Onward Transfer" means the transfer of Personal Data by Hashed Horizon (Data Processor) to a Sub-processor.

"Return or Deletion" means, at the Data Controller's choice:

  • Return: Providing the Data Controller with a complete copy of Customer Data in a commonly used electronic format, or
  • Deletion: Secure and permanent erasure of Customer Data from all Hashed Horizon systems, including backups (subject to legal retention obligations)

"Prior Authorization" means your explicit written consent for Hashed Horizon to engage a new Sub-processor, as required by GDPR Art. 28(2).

"Objection" means your written notice to Hashed Horizon objecting to a new Sub-processor on reasonable grounds relating to data protection compliance, exercised within 30 days of notification.

"Data Protection Laws" means all applicable laws and regulations relating to the Processing of Personal Data, including:

  • General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • ePrivacy Directive 2002/58/EC (as amended)
  • Applicable national data protection laws implementing or supplementing the GDPR
  • Any successor or replacement legislation

"Relevant Member State" means:

  • The Member State in which the Data Controller is established (for businesses), or
  • The Member State in which the Data Subject resides (for individuals)

"Applicable Data Protection Laws" means Data Protection Laws applicable to the Data Controller's Processing of Customer Data and the Services provided by Hashed Horizon.

Scope Limitations

"Out of Scope Data" means:

  1. Personal Data Processed by Hashed Horizon as an independent Data Controller (e.g., your Account data) - covered by our Privacy Policy, not this DPA
  2. Non-Personal Data (anonymized, aggregated, or de-identified data)
  3. Personal Data Processed in violation of this DPA or the Terms of Service

This DPA governs only the Processing of Customer Data where Hashed Horizon acts as a Data Processor on your behalf. For all other Processing, refer to our Privacy Policy and Terms of Service.

Scope of Processing (GDPR Art. 28(3)(a)-(b))

This section defines the scope of Processing as required by GDPR Art. 28(3)(a)-(b).

Subject Matter of Processing

Service Provision: Hashed Horizon Processes Customer Data to provide ThisOne AI Platform Services to you as described in our Terms of Service.

Processing Activities:

  1. Data Hosting and Storage: Storing Customer Data on secure cloud infrastructure
  2. Service Delivery: Processing Customer Data to perform the Services you request
  3. AI Processing: Transmitting AI Inputs to AI Subprocessors and delivering AI Outputs
  4. Technical Operations: Backups, disaster recovery, system maintenance
  5. Security Monitoring: Detecting and preventing security threats, fraud, and abuse
  6. Legal Compliance: Processing required by law or court order

Nature of Processing

Operations Performed: The Processing operations include:

  • Collection: Receiving Customer Data from you via web interface, API, or file upload

  • Storage: Storing Customer Data on cloud infrastructure (see Sub-processors list)

  • Organization: Structuring and indexing Customer Data for service provision

  • Transmission: Sending AI Inputs to AI Subprocessors for processing

  • Retrieval: Generating and delivering AI Outputs to you

  • Use: Using Customer Data to provide the Services

  • Disclosure: Sharing Customer Data with authorized Sub-processors

  • Deletion: Erasing Customer Data upon your request or contract termination

No Other Operations: Hashed Horizon will not perform any Processing operations beyond those listed above without your prior written authorization.

Purpose of Processing

Primary Purpose: To provide ThisOne AI Platform Services to you as the Data Controller, including:

  1. AI Services: Processing Inputs through AI models to generate Outputs
  2. Service Functionality: Enabling the features and functionality you request
  3. Technical Support: Providing customer support and troubleshooting
  4. Security: Protecting the Services from fraud, abuse, and security threats
  5. Legal Obligations: Complying with legal requirements and court orders

Purpose Limitation (GDPR Art. 5(1)(b)): Hashed Horizon will Process Customer Data only for the purposes above and will not Process Customer Data for any other purpose without your explicit authorization.

No Secondary Use: We do NOT use Customer Data for:

  • Our own marketing or advertising
  • Training publicly available AI models (without your consent)
  • Selling or licensing to third parties
  • Any purpose incompatible with the Services

Duration of Processing

Processing Period: Hashed Horizon will Process Customer Data for the duration of your use of the Services, plus any retention period necessary for:

  1. Backup Retention: up to 90 days for disaster recovery backups
  2. Legal Compliance: Retention required by applicable law (e.g., tax, accounting)
  3. Legal Claims: Retention necessary to establish, exercise, or defend legal claims

Data Deletion Obligation: Upon termination or expiration of the Services, Hashed Horizon will delete or return Customer Data in accordance with the Termination and Data Return section of this DPA.

No Indefinite Retention: Customer Data will not be retained indefinitely. Maximum retention period (excluding legal holds): up to 12 months after account closure.

Categories of Data Subjects

The Data Subjects whose Personal Data may be Processed include:

  • End Users: Individuals whose data appears in AI Inputs (e.g., customer data, user-generated content)

  • Employees: Employees of the Data Controller (you) if you submit their data

  • Customers: Your customers or clients whose data you Process using our Services

  • Contacts: Individuals in contact databases or CRM systems

  • Website Visitors: Visitors to your websites or applications integrated with our Services

  • Other Third Parties: Any other individuals whose Personal Data you submit to the Services

Exclusions: This DPA does NOT cover:

  • Your own Personal Data as an individual user (covered by our Privacy Policy)
  • Personal Data of Hashed Horizon employees, contractors, or service providers

Types of Personal Data

The categories of Personal Data that may be Processed include:

Identity Data

  • Names, usernames, identification numbers
  • Demographic information (age, gender, nationality)
  • Identity documents (passport numbers, ID numbers)

Contact Data

  • Email addresses, phone numbers
  • Physical addresses, postal codes
  • Social media handles

Professional Data

  • Employment information, job titles
  • Business contact details
  • Professional qualifications

Technical Data

  • IP addresses, device identifiers
  • Browser type, operating system
  • Usage logs, interaction data

Content Data (AI Inputs/Outputs)

  • Text, images, audio, video submitted to AI Services
  • AI-generated outputs derived from Inputs
  • Metadata associated with AI Processing

Financial Data (if applicable)

  • Payment information, billing details
  • Transaction history
  • VAT/Tax information

Special Categories of Personal Data

GDPR Art. 9 Restriction: The Data Controller (you) must NOT submit Special Categories of Personal Data (racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation) unless:

  1. You have obtained explicit consent from Data Subjects (GDPR Art. 9(2)(a)), OR
  2. You have another lawful basis under GDPR Art. 9(2), AND
  3. You have notified Hashed Horizon in writing and received written confirmation

Criminal Convictions Data (GDPR Art. 10): The Data Controller must NOT submit data relating to criminal convictions or offenses unless authorized by applicable law.

Your Responsibility: You are solely responsible for ensuring you have a lawful basis to submit any Special Categories or Criminal Convictions Data to the Services.

Sensitive Data Handling

If you are authorized to submit Special Categories of Personal Data:

  1. Encryption: Encrypt sensitive data before transmission
  2. Labeling: Clearly label sensitive data to enable special handling
  3. Access Controls: Limit access to authorized personnel only
  4. Audit Trail: Maintain detailed logs of sensitive data Processing
  5. Enhanced Security: Implement additional safeguards as required by GDPR Art. 32(1)

Hashed Horizon reserves the right to reject or delete Special Categories Data submitted without prior authorization.

Processing Instructions (GDPR Art. 28(3)(a))

Hashed Horizon (Data Processor) will Process Customer Data only on your documented instructions as the Data Controller.

Documented Instructions

Your instructions to Hashed Horizon are documented as follows:

1. Terms of Service

Your use of ThisOne AI Platform Services constitutes an instruction to Process Customer Data to provide the Services described in our Terms of Service.

Implied Instructions: By using specific features, you instruct us to:

  • AI Services: Process Inputs through AI models and deliver Outputs

  • Storage: Store Customer Data on cloud infrastructure

  • Backups: Create and maintain disaster recovery backups

  • Security: Implement security measures to protect Customer Data

2. Service Configuration

Your configuration settings within the Services constitute additional instructions:

  • Access Controls: User permissions, role assignments
  • Retention Settings: Data retention periods you configure
  • Feature Toggles: Enabling or disabling specific features
  • Integration Settings: API configurations, third-party integrations

3. Data Subject Requests

When you submit a Data Subject Rights request (GDPR Art. 15-22) via support@hashedhorizon.com, you instruct us to:

  • Access (GDPR Art. 15): Provide copies of Customer Data
  • Rectification (GDPR Art. 16): Correct inaccurate Customer Data
  • Erasure (GDPR Art. 17): Delete Customer Data (subject to legal retention)
  • Restriction (GDPR Art. 18): Restrict Processing of Customer Data
  • Portability (GDPR Art. 20): Export Customer Data in a structured format

4. Additional Written Instructions

You may provide additional written instructions by:

  • Emailing dpo@hashedhorizon.com with the subject line "DPA Processing Instructions"
  • Using the data processing controls in your Account settings
  • Submitting a formal instruction request via our support portal

Response Time: Hashed Horizon will acknowledge additional instructions within 7 business days and implement them within 30 days (or as otherwise agreed).

Limitations on Instructions

Hashed Horizon will comply with your instructions unless:

1. Unlawful Instructions

Legal Compliance Obligation: Hashed Horizon will not follow instructions that violate GDPR, EU law, or Member State law (GDPR Art. 28(3)(a)).

Notification Requirement: If we believe your instruction would violate applicable law, we will:

  1. Immediately notify you of the issue
  2. Suspend Processing under that instruction
  3. Provide a written explanation of the legal concern
  4. Allow you 14 days to withdraw or modify the instruction

Your Responsibility: You are responsible for ensuring your instructions comply with all applicable Data Protection Laws.

2. Technically Infeasible Instructions

Feasibility Assessment: If an instruction is technically infeasible or would compromise security, we will:

  1. Notify you within 7 days
  2. Explain why the instruction cannot be implemented
  3. Propose alternative approaches (if available)
  4. Work with you in good faith to find a solution

Examples:

  • Requesting deletion of data required for legal compliance
  • Instructions requiring disclosure of other customers' data
  • Instructions incompatible with security or encryption measures

3. Conflicting Instructions

Conflict Resolution: If your instructions conflict with:

  • Terms of Service: The DPA takes precedence for data protection matters
  • Legal Requirements: Legal obligations supersede your instructions
  • Previous Instructions: The most recent instruction applies

Clarification Process: We will request clarification if instructions are ambiguous or conflicting.

Instruction Modifications

Amendment Process: You may modify your Processing instructions at any time by:

  1. Submitting Written Notice: Email dpo@hashedhorizon.com with:

    • Clear description of the modification
    • Effective date (minimum 7 days' notice for material changes)
    • Acknowledgment of any service impact
  2. Configuration Changes: Update settings in your Account dashboard (effective immediately)

Impact Assessment: For material instruction changes, Hashed Horizon will:

  • Assess feasibility and legal compliance
  • Notify you of any required changes to the Services or pricing
  • Implement within agreed timeline

Your Right to Instruct: You retain full control over how your Customer Data is Processed, subject to the limitations above.

Prohibited Instructions

Hashed Horizon will NOT comply with instructions to:

  1. Violate Data Subject Rights: Deny Data Subjects their GDPR rights (GDPR Art. 15-22)
  2. Process Outside EEA Without Safeguards: Transfer data to Third Countries without SCCs or adequacy decisions
  3. Disclose to Unauthorized Parties: Share Customer Data with third parties not authorized as Sub-processors
  4. Indefinite Retention: Retain Customer Data indefinitely without a lawful basis
  5. Discriminatory Processing: Process data in ways that violate anti-discrimination laws
  6. Security Degradation: Remove or weaken security measures protecting Customer Data

Notification: If you provide a prohibited instruction, we will notify you immediately and not comply with that instruction.

Processing Outside Instructions

Strict Compliance: Hashed Horizon will NOT Process Customer Data outside your documented instructions except where:

  1. Legal Requirement (GDPR Art. 28(3)(a)): Required by EU or Member State law

    • Example: Court order, regulatory investigation, tax audit
    • Notification: We will inform you of the legal requirement before Processing, unless prohibited by law
  2. Security Incident Response: Necessary to investigate or mitigate a Security Incident

    • Example: Forensic analysis after a breach
    • Notification: We will notify you within 72 hours
  3. Data Subject Rights Requests: Required to comply with Data Subject rights under GDPR Art. 15-22

    • Example: Data Subject directly requests deletion from Hashed Horizon
    • Coordination: We will coordinate with you to ensure consistent response

Audit Trail: All Processing outside your instructions will be logged and documented for audit purposes.

Processor Warranty

Hashed Horizon warrants that:

  1. We will Process Customer Data only on your documented instructions
  2. We will not use Customer Data for our own purposes
  3. Persons authorized to Process Customer Data have committed to confidentiality
  4. We will notify you if we believe instructions violate GDPR or other laws
  5. We will maintain records of Processing activities as required by GDPR Art. 30(2)

Breach Consequences: If Hashed Horizon Processes Customer Data outside your instructions without a lawful basis, we will be liable as a Data Controller under GDPR Art. 82 and you may terminate this DPA immediately.

Data Controller Responsibilities

You (the Data Controller) are responsible for:

  1. Lawful Instructions: Ensuring your instructions comply with GDPR and other Data Protection Laws
  2. Data Minimization: Instructing Processing only for necessary and legitimate purposes (GDPR Art. 5(1)(c))
  3. Accuracy: Ensuring instructions are clear, unambiguous, and achievable
  4. Data Subject Rights: Honoring Data Subject rights and coordinating with Hashed Horizon for assistance
  5. Lawful Basis: Ensuring you have a lawful basis (GDPR Art. 6) to Process the Customer Data you submit

Hashed Horizon relies on your compliance with these responsibilities.

Security Measures (GDPR Art. 32)

Hashed Horizon implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by GDPR Art. 32.

Technical Security Measures

1. Encryption (GDPR Art. 32(1)(a))

Encryption in Transit:

  • TLS 1.3: All data transmissions use Transport Layer Security 1.3 or higher
  • Perfect Forward Secrecy: Ephemeral key exchange prevents decryption of past sessions
  • Certificate Validation: Strict certificate pinning and validation

Encryption at Rest:

  • AES-256 Encryption: All Customer Data stored at rest is encrypted using AES-256-GCM
  • Encrypted Backups: Backup copies are encrypted with the same standards
  • Key Management: Encryption keys are managed using industry-standard key management systems (AWS KMS, Google Cloud KMS)

Password Hashing:

  • bcrypt/argon2: User passwords are hashed using bcrypt (cost factor 12+) or argon2id
  • Per-User Salts: Unique salt for each user prevents rainbow table attacks
  • No Plain Text Storage: Passwords are never stored in plain text

2. Access Controls (GDPR Art. 32(1)(b))

Authentication:

  • Multi-Factor Authentication (MFA): Required for all Hashed Horizon employees with access to Customer Data
  • Single Sign-On (SSO): Integration with enterprise identity providers
  • Session Management: Secure session tokens, automatic timeout after inactivity

Authorization:

  • Role-Based Access Control (RBAC): Least-privilege access model
  • Need-to-Know Principle: Access granted only to personnel who require it
  • Access Logging: All access to Customer Data is logged with user identity, timestamp, and action

Employee Access:

  • Limited Personnel: Only authorized Hashed Horizon employees can access Customer Data
  • Background Checks: Employees undergo background checks before accessing Customer Data
  • Confidentiality Agreements: All employees sign confidentiality and data protection agreements

3. Pseudonymization (GDPR Art. 32(1)(a))

Where feasible and requested by the Data Controller:

  • Data Masking: Replacing direct identifiers with pseudonyms
  • Tokenization: Substituting sensitive data with non-sensitive equivalents
  • Anonymization: Irreversible anonymization for analytics purposes

Your Control: You may request pseudonymization by configuring settings in your Account or contacting support@hashedhorizon.com.

4. Network Security

Perimeter Security:

  • Firewalls: Next-generation firewalls with intrusion detection/prevention
  • DDoS Protection: Cloudflare/AWS Shield protection against distributed denial-of-service attacks
  • Network Segmentation: Customer Data isolated in separate network zones

Monitoring:

  • 24/7 Security Operations Center (SOC): Continuous monitoring for threats
  • Intrusion Detection: Real-time detection of suspicious activity
  • Log Aggregation: Centralized security logging with SIEM integration

5. Application Security

Secure Development Lifecycle:

  • Security Code Review: All code undergoes security review before deployment
  • Vulnerability Scanning: Automated scanning for OWASP Top 10 vulnerabilities
  • Dependency Management: Regular updates to patch security vulnerabilities
  • Penetration Testing: Annual third-party penetration testing

Input Validation:

  • Input Sanitization: Validation and sanitization of all user inputs
  • SQL Injection Prevention: Parameterized queries, prepared statements
  • XSS Protection: Content Security Policy (CSP), output encoding

Organizational Security Measures

1. Data Protection Governance

Data Protection Officer: Hashed Horizon has appointed a Data Protection Officer, reachable at dpo@hashedhorizon.com (see Parties to this Agreement).

Security Policies:

  • Information Security Policy: Comprehensive security policy covering all aspects of data protection
  • Incident Response Plan: Documented procedures for Security Incident response
  • Business Continuity Plan: Disaster recovery and continuity procedures

2. Employee Training

Mandatory Training:

  • GDPR Awareness: All employees complete GDPR training within 30 days of employment
  • Security Best Practices: Annual security awareness training
  • Phishing Simulations: Regular phishing tests to maintain vigilance
  • Role-Specific Training: Additional training for employees with access to Customer Data

Training Records: We maintain records of all employee training for audit purposes.

3. Access Management

Onboarding:

  • Least Privilege: New employees granted minimum necessary access
  • Approval Process: Access requests require manager and security team approval
  • Provisioning: Automated provisioning with documented justification

Offboarding:

  • Immediate Revocation: Access revoked within 1 hour of employment termination
  • Asset Recovery: Return of all company devices and credentials
  • Access Review: Verification that all access has been removed

Periodic Review:

  • Quarterly Access Audits: Review all personnel with access to Customer Data
  • Recertification: Managers recertify employee access needs every 6 months
  • Anomaly Detection: Automated alerts for unusual access patterns

4. Vendor Management

Sub-processor Security:

  • Due Diligence: Security assessment before engaging any Sub-processor
  • Contractual Requirements: All Sub-processors sign data processing agreements
  • Ongoing Monitoring: Regular security audits of Sub-processors
  • Annual Recertification: Yearly review of Sub-processor security posture

Approved Sub-processors: See the Sub-processors section of this DPA for the current list.

Testing and Assurance (GDPR Art. 32(1)(d))

1. Regular Testing

Penetration Testing:

  • Frequency: Annual third-party penetration tests
  • Scope: All customer-facing services and data storage systems
  • Remediation: High/critical findings remediated within 30 days

Vulnerability Assessments:

  • Automated Scanning: Weekly vulnerability scans
  • Patch Management: Critical patches applied within 7 days, high-risk within 30 days
  • Continuous Monitoring: Real-time vulnerability detection

2. Compliance Certifications

Hashed Horizon maintains the following security certifications (where applicable):

  • ISO 27001: Information Security Management System certification
  • SOC 2 Type II: Service Organization Control reporting
  • GDPR Compliance: Regular GDPR audits by external auditors

Audit Reports: Available upon request to enterprise customers with valid NDA.

3. Backup and Recovery

Backup Strategy:

  • Frequency: Automated daily backups of Customer Data
  • Retention: Backups retained for up to 90 days
  • Encryption: All backups encrypted with AES-256
  • Offsite Storage: Backups stored in geographically separate locations

Disaster Recovery:

  • Recovery Time Objective (RTO): 4 hours for critical services
  • Recovery Point Objective (RPO): Maximum 24 hours of data loss
  • Annual Testing: Disaster recovery procedures tested annually

4. Incident Response

Security Incident Response Plan:

  1. Detection: 24/7 monitoring detects potential incidents
  2. Containment: Immediate isolation of affected systems
  3. Investigation: Forensic analysis to determine scope and impact
  4. Notification: Notification to affected Data Controllers within 72 hours (see Data Breach Notification)
  5. Remediation: Implement fixes to prevent recurrence
  6. Post-Incident Review: Root cause analysis and improvement actions

Escalation: Critical incidents escalate to executive management and DPO.

Confidentiality Obligations (GDPR Art. 32(4))

Employee Confidentiality:

All Hashed Horizon employees authorized to Process Customer Data have committed to:

  1. Confidentiality Agreements: Signed legal agreements prohibiting unauthorized disclosure
  2. GDPR Compliance: Understanding and compliance with GDPR obligations
  3. Security Awareness: Awareness of security measures and incident reporting procedures

Breach of Confidentiality: Employees who breach confidentiality face disciplinary action up to and including termination and legal action.

Security Monitoring and Improvement

Continuous Improvement:

  • Quarterly Security Reviews: Internal security assessments every quarter
  • Threat Intelligence: Monitoring for emerging threats and vulnerabilities
  • Technology Updates: Regular updates to security tools and infrastructure
  • Lessons Learned: Incorporating findings from incidents and audits

State-of-the-Art: Hashed Horizon commits to maintaining security measures that reflect the state of the art in data protection technology.

Your Security Responsibilities

As the Data Controller, you are responsible for:

  1. Secure Credentials: Protecting your Account login credentials
  2. MFA Enablement: Enabling multi-factor authentication for your Account
  3. Access Management: Managing user permissions within your Account
  4. Incident Reporting: Promptly reporting suspected Security Incidents to support@hashedhorizon.com
  5. Secure Configuration: Configuring security settings appropriately for your use case

Hashed Horizon's security measures are only effective if you also maintain appropriate security practices.

Security Documentation

Available Documentation:

  • Security White Paper: Detailed description of security architecture (available upon request)
  • Compliance Certifications: ISO 27001, SOC 2 Type II reports (subject to NDA)
  • Sub-processor Security: Security documentation for Sub-processors

Requests: Email dpo@hashedhorizon.com to request security documentation.

Sub-processors (GDPR Art. 28(2) and (4))

Hashed Horizon engages third-party Sub-processors to assist in providing the Services. This section discloses all Sub-processors and the change notification process as required by GDPR Art. 28(2)-(4).

Current Sub-processors

The following Sub-processors are currently authorized to Process Customer Data:

Quick Reference Table

Sub-processor | Purpose | Data Residency | Transfer Mechanism | Security
Google Cloud AI (Gemini) | AI photo conversion and enhancement | EU/USA | SCCs or EU Adequacy Decision | ISO 27001 / SOC 2 + GDPR DPA
Vercel | Application hosting and CDN | EU | GDPR Art. 28 DPA (EEA-based, no international transfer) | ISO 27001 / SOC 2 + GDPR DPA
Neon | PostgreSQL database hosting | EU | GDPR Art. 28 DPA (EEA-based, no international transfer) | ISO 27001 / SOC 2 + GDPR DPA
Sentry | Error tracking and crash diagnostics | EU/USA | SCCs or EU Adequacy Decision | ISO 27001 / SOC 2 + GDPR DPA
Stripe | Payment processing and subscription management | EU/USA | SCCs or EU Adequacy Decision | ISO 27001 / SOC 2 + GDPR DPA
Apple (App Store / Apple Pay) | iOS in-app purchases and Apple Pay transactions | USA | SCCs (EU Commission 2021/914) | ISO 27001 / SOC 2 + GDPR DPA
Google (Play Store / Google Pay) | Android in-app purchases and Google Pay transactions | USA | SCCs (EU Commission 2021/914) | ISO 27001 / SOC 2 + GDPR DPA

Legend:

  • SCCs: Standard Contractual Clauses approved by EU Commission (Decision 2021/914/EU)
  • GDPR DPA: GDPR Art. 28 Data Processing Agreement
  • EU Adequacy Decision: EU Commission determination that country provides adequate data protection
  • ISO 27001: International information security management standard
  • SOC 2: Service Organization Control Type 2 audit report

Privacy Policies & DPAs: See detailed sections below for links to each Sub-processor's privacy policy and data processing agreement.


Detailed Sub-processor Information

Google Cloud AI (Gemini)

Purpose: AI photo conversion and enhancement

Location: EU/USA

Data Transferred: Customer Data necessary to fulfill the purpose above

Safeguards:

  • Standard Contractual Clauses (SCCs) or EU Commission adequacy decision

  • GDPR-compliant Data Processing Agreement (DPA)

  • Security certifications (ISO 27001, SOC 2, or equivalent)

Sub-processor Information:

Your Control: By using ThisOne AI Platform Services, you authorize Hashed Horizon to engage Google Cloud AI (Gemini) as a Sub-processor.


Vercel

Purpose: Application hosting and CDN

Location: EU

Data Transferred: Customer Data necessary to fulfill the purpose above

Safeguards:

  • GDPR Art. 28 Data Processing Agreement

  • No international transfer safeguards required (EEA-based)

  • GDPR-compliant Data Processing Agreement (DPA)

  • Security certifications (ISO 27001, SOC 2, or equivalent)

Sub-processor Information:

Your Control: By using ThisOne AI Platform Services, you authorize Hashed Horizon to engage Vercel as a Sub-processor.


Neon

Purpose: PostgreSQL database hosting

Location: EU

Data Transferred: Customer Data necessary to fulfill the purpose above

Safeguards:

  • GDPR Art. 28 Data Processing Agreement

  • No international transfer safeguards required (EEA-based)

  • GDPR-compliant Data Processing Agreement (DPA)

  • Security certifications (ISO 27001, SOC 2, or equivalent)

Sub-processor Information:

Your Control: By using ThisOne AI Platform Services, you authorize Hashed Horizon to engage Neon as a Sub-processor.


Sentry

Purpose: Error tracking and crash diagnostics

Location: EU/USA

Data Transferred: Customer Data necessary to fulfill the purpose above

Safeguards:

  • Standard Contractual Clauses (SCCs) or EU Commission adequacy decision

  • GDPR-compliant Data Processing Agreement (DPA)

  • Security certifications (ISO 27001, SOC 2, or equivalent)

Sub-processor Information:

Your Control: By using ThisOne AI Platform Services, you authorize Hashed Horizon to engage Sentry as a Sub-processor.


Stripe

Purpose: Payment processing and subscription management

Location: EU/USA

Data Transferred: Customer Data necessary to fulfill the purpose above

Safeguards:

  • Standard Contractual Clauses (SCCs) or EU Commission adequacy decision

  • GDPR-compliant Data Processing Agreement (DPA)

  • Security certifications (ISO 27001, SOC 2, or equivalent)

Sub-processor Information:

Your Control: By using ThisOne AI Platform Services, you authorize Hashed Horizon to engage Stripe as a Sub-processor.


Apple (App Store / Apple Pay)

Purpose: iOS in-app purchases and Apple Pay transactions

Location: USA

Data Transferred: Customer Data necessary to fulfill the purpose above

Safeguards:

  • Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914/EU

  • GDPR-compliant Data Processing Agreement (DPA)

  • Security certifications (ISO 27001, SOC 2, or equivalent)

Sub-processor Information:

Your Control: By using ThisOne AI Platform Services, you authorize Hashed Horizon to engage Apple (App Store / Apple Pay) as a Sub-processor.


Google (Play Store / Google Pay)

Purpose: Android in-app purchases and Google Pay transactions

Location: USA

Data Transferred: Customer Data necessary to fulfill the purpose above

Safeguards:

  • Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914/EU

  • GDPR-compliant Data Processing Agreement (DPA)

  • Security certifications (ISO 27001, SOC 2, or equivalent)

Sub-processor Information:

Your Control: By using ThisOne AI Platform Services, you authorize Hashed Horizon to engage Google (Play Store / Google Pay) as a Sub-processor.


Sub-processor Obligations (GDPR Art. 28(4))

Hashed Horizon ensures that all Sub-processors:

  1. Data Processing Agreement: Have signed a written data processing agreement imposing the same data protection obligations as this DPA
  2. GDPR Compliance: Comply with GDPR Art. 28(3) obligations (instructions, security, confidentiality, etc.)
  3. Security Measures: Implement appropriate technical and organizational security measures (GDPR Art. 32)
  4. Onward Transfer Restrictions: Do not engage further sub-processors without Hashed Horizon's prior authorization
  5. Audit Rights: Allow Hashed Horizon to audit their compliance with data protection obligations
  6. Breach Notification: Notify Hashed Horizon of Personal Data breaches within 24 hours

Hashed Horizon's Liability: Hashed Horizon remains fully liable to you for the performance of any Sub-processor's obligations under GDPR Art. 28(4).

Authorization to Use Sub-processors

General Authorization: By accepting this DPA, you provide general authorization for Hashed Horizon to engage the Sub-processors listed above (GDPR Art. 28(2) option 2).

Specific Authorization: For specific Sub-processors engaged after the effective date of this DPA, you will be notified and have the right to object as described below.

No Implied Authorization: Hashed Horizon will NOT engage any Sub-processor not listed above without following the change notification process.

Change Notification Process (GDPR Art. 28(2))

Adding or Replacing Sub-processors

When Hashed Horizon intends to add a new Sub-processor or replace an existing one:

  1. Advance Notice: We will notify you at least 30 days before the intended change via:

  2. Notification Content: The notice will include:

    • Name of the new/replacement Sub-processor
    • Processing activity and purpose
    • Location and applicable transfer safeguards
    • Security certifications
    • Link to Sub-processor's privacy policy and DPA
  3. Effective Date: The change will take effect on the date specified in the notification (minimum 30 days after notice)

Your Right to Object

Objection Period: You have 30 days from the notification to object to the new Sub-processor.

Grounds for Objection: You may object on reasonable data protection grounds, including:

  • Inadequate security measures
  • Lack of appropriate transfer safeguards (for non-EEA Sub-processors)
  • Incompatibility with your data protection obligations
  • Concerns about Sub-processor's compliance history

How to Object:

  1. Email dpo@hashedhorizon.com with subject line "DPA Sub-processor Objection"
  2. Provide detailed explanation of your data protection concerns
  3. Submit within 30 days of notification

Hashed Horizon's Response: Upon receiving a valid objection:

  1. Good Faith Discussion: We will work with you to address your concerns
  2. Alternative Solutions: We will attempt to provide alternative Sub-processors or processing methods
  3. Timeline: We will respond to your objection within 14 days

Termination Right: If we cannot accommodate your objection and you do not accept the new Sub-processor:

  1. You may terminate this DPA and the Services with 30 days' written notice
  2. We will refund any prepaid fees for unused Services on a pro-rata basis
  3. We will delete or return Customer Data in accordance with Termination and Data Return

Deemed Acceptance: If you do not object within 30 days, the new Sub-processor is deemed accepted.

Sub-processor Security and Compliance

Due Diligence

Before engaging any Sub-processor, Hashed Horizon conducts:

  1. Security Assessment: Evaluation of technical and organizational security measures
  2. Compliance Review: Verification of GDPR compliance and relevant certifications
  3. Financial Viability: Assessment of Sub-processor's business stability
  4. Reputation Check: Review of security incident history and compliance record
  5. Contractual Review: Ensuring Sub-processor DPA meets GDPR Art. 28(3) requirements

Ongoing Monitoring: We continuously monitor Sub-processor compliance through:

  • Annual Audits: Security and compliance audits
  • Incident Monitoring: Tracking security breaches and compliance failures
  • Certification Reviews: Verifying maintenance of ISO 27001, SOC 2, etc.
  • Contract Compliance: Ensuring Sub-processors honor DPA obligations

Data Processing Agreements

All Sub-processors have signed written Data Processing Agreements that include:

  1. Processing Instructions: Process only on documented instructions from Hashed Horizon
  2. Confidentiality: Ensure personnel are bound by confidentiality obligations
  3. Security Measures: Implement appropriate technical and organizational measures (GDPR Art. 32)
  4. Sub-Sub-processors: Obtain prior authorization before engaging further sub-processors
  5. Data Subject Rights: Assist with Data Subject rights requests
  6. Breach Notification: Notify Hashed Horizon of Personal Data breaches within 24 hours
  7. Audit Rights: Allow audits and inspections by Hashed Horizon or appointed auditors
  8. Deletion/Return: Delete or return Personal Data upon contract termination
  9. Standard Contractual Clauses: For non-EEA Sub-processors, include SCCs approved by EU Commission

DPA Copies: You may request copies of Sub-processor DPAs by emailing dpo@hashedhorizon.com (subject to redaction of confidential commercial terms).

International Data Transfers via Sub-processors

Apple (App Store / Apple Pay) (United States)

Transfer Mechanism: Standard Contractual Clauses (SCCs) - EU Commission Decision 2021/914/EU

SCC Module: Module 2 (Controller-to-Processor) between you and Hashed Horizon, Module 3 (Processor-to-Processor) between Hashed Horizon and Apple (App Store / Apple Pay)

Supplementary Measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Contractual prohibition on government access without legal process
  • Transparency reporting if government requests are received
  • Data minimization - only necessary data transferred

Transfer Impact Assessment: Hashed Horizon has conducted a Transfer Impact Assessment and determined that the combination of SCCs and supplementary measures provides essentially equivalent protection to GDPR standards.

Google (Play Store / Google Pay) (United States)

Transfer Mechanism: Standard Contractual Clauses (SCCs) - EU Commission Decision 2021/914/EU

SCC Module: Module 2 (Controller-to-Processor) between you and Hashed Horizon, Module 3 (Processor-to-Processor) between Hashed Horizon and Google (Play Store / Google Pay)

Supplementary Measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Contractual prohibition on government access without legal process
  • Transparency reporting if government requests are received
  • Data minimization - only necessary data transferred

Transfer Impact Assessment: Hashed Horizon has conducted a Transfer Impact Assessment and determined that the combination of SCCs and supplementary measures provides essentially equivalent protection to GDPR standards.

Your Right to Object: You may object to international transfers to specific Sub-processors following the objection process above.

Removal of Sub-processors

Hashed Horizon may remove a Sub-processor at any time without notice if:

  1. Security Breach: The Sub-processor suffers a material security breach
  2. Compliance Failure: The Sub-processor fails to comply with GDPR or DPA obligations
  3. Service Quality: The Sub-processor fails to meet service level requirements
  4. Business Decision: We choose to bring processing in-house or switch providers

No Objection Right: You do not have a right to object to removal of Sub-processors.

Notification: We will notify you of Sub-processor removals via email within 30 days.

Sub-processor List Updates

Current List: The current Sub-processor list is always available on this DPA page

Update Frequency: We update this page within 7 days of any Sub-processor change

Change Log: All changes are logged with:

  • Date of change
  • Name of Sub-processor added/removed
  • Reason for change (optional)

Your Responsibility: You are responsible for reviewing the Sub-processor list periodically to stay informed of changes.

Liability for Sub-processors

Hashed Horizon's Liability: Under GDPR Art. 28(4), Hashed Horizon is fully liable to you for:

  1. Any failure by a Sub-processor to fulfill their data protection obligations
  2. Any Personal Data breach caused by a Sub-processor
  3. Any violation of GDPR by a Sub-processor while Processing Customer Data

No Direct Liability: Sub-processors have no direct contractual relationship with you. All claims must be directed to Hashed Horizon.

Indemnification: Hashed Horizon will indemnify you for losses caused by Sub-processor failures, subject to the limitation of liability in the Terms of Service.

Emergency Sub-processor Engagement

In emergency situations (e.g., sudden service disruption, security incident, Sub-processor bankruptcy):

  1. Immediate Engagement: Hashed Horizon may engage a replacement Sub-processor immediately without 30-day advance notice
  2. Expedited Notification: We will notify you within 7 days of the emergency engagement
  3. Retroactive Objection: You retain the right to object within 30 days of notification
  4. Termination Right: If you object and we cannot accommodate your objection, you may terminate as described above

Emergency Criteria: Emergency engagement is limited to situations where:

  • Delay would cause significant service disruption
  • Customer Data security or availability is at risk
  • Legal or regulatory requirement mandates immediate action

Hashed Horizon will use commercially reasonable efforts to minimize emergency engagements.

Data Subject Rights Assistance (GDPR Art. 28(3)(e))

Hashed Horizon will assist you in fulfilling Data Subject rights requests under GDPR Art. 15-22, as required by GDPR Art. 28(3)(e).

Data Subject Rights Under GDPR

Data Subjects have the following rights:

Right | GDPR Art. | Description
Access | GDPR Art. 15 | Obtain confirmation of Processing and copy of Personal Data
Rectification | GDPR Art. 16 | Correct inaccurate Personal Data
Erasure | GDPR Art. 17 | Delete Personal Data ("right to be forgotten")
Restriction | GDPR Art. 18 | Restrict Processing under certain circumstances
Portability | GDPR Art. 20 | Receive Personal Data in structured, machine-readable format
Objection | GDPR Art. 21 | Object to Processing based on legitimate interests
Automated Decision-Making | GDPR Art. 22 | Not be subject to automated decisions with legal/significant effects

Assistance Procedures

Request Received by You (Data Controller)

If a Data Subject submits a request to you:

  1. Forward to Hashed Horizon: Email the request to dpo@hashedhorizon.com with subject line "GDPR Data Subject Rights Request"

  2. Include Required Information:

    • Data Subject's identity (name, email, or unique identifier)
    • Type of request (access, erasure, rectification, etc.)
    • Scope of request (specific data categories or time periods)
    • Deadline for response (GDPR requires response within 1 month)
  3. Hashed Horizon's Response Time: We will provide assistance within 10 business days of receiving your request

  4. Assistance Provided:

    • Access: Extract and provide copy of Customer Data related to the Data Subject
    • Erasure: Delete the Data Subject's Personal Data from our systems
    • Rectification: Correct inaccurate data as specified
    • Restriction: Mark data for restricted Processing only
    • Portability: Export data in CSV, JSON, or other structured format
    • Objection: Cease Processing or explain why Processing must continue
  5. Your Responsibility: You are responsible for verifying the Data Subject's identity and responding to the Data Subject within GDPR timelines (1 month, extendable to 3 months for complex requests)

Request Received by Hashed Horizon Directly

If a Data Subject submits a request directly to Hashed Horizon:

  1. Referral to You: We will refer the Data Subject to you (the Data Controller) unless:

    • We are legally required to respond directly (e.g., for our own Processing as a Controller)
    • You have instructed us to handle requests directly
  2. Notification: We will notify you within 7 days of receiving a direct request

  3. Coordination: We will coordinate with you to ensure a consistent response

  4. Emergency Erasure: If the request is urgent (e.g., safety concern), we may delete data immediately and notify you afterward

Specific Assistance for Each Right

1. Right of Access (GDPR Art. 15)

Data Subject Request: "Provide me with a copy of my Personal Data you are Processing"

Hashed Horizon's Assistance:

  • Data Extraction: Search all systems for the Data Subject's Personal Data
  • Format: Provide data in PDF, CSV, or JSON format (your choice)
  • Contents: Include:
    • Categories of Personal Data
    • Purposes of Processing
    • Recipients (Sub-processors)
    • Storage period
    • Source of data (if not collected from Data Subject)
    • Existence of automated decision-making

Timeline: Provided within 10 business days of your request

Free of Charge: First request is free; additional requests may incur reasonable fees

2. Right to Rectification (GDPR Art. 16)

Data Subject Request: "Correct inaccurate Personal Data"

Hashed Horizon's Assistance:

  • Update Data: Modify inaccurate or incomplete Personal Data as instructed
  • Verification: You are responsible for verifying the accuracy of corrected data
  • Notification: Notify Sub-processors of corrections if data was shared

Timeline: Completed within 5 business days of your request

3. Right to Erasure (GDPR Art. 17)

Data Subject Request: "Delete my Personal Data"

Hashed Horizon's Assistance:

  • Deletion: Permanently delete the Data Subject's Personal Data from:
    • Production databases
    • Backups (within up to 90 days)
    • Logs (where feasible)
    • Sub-processor systems (via Sub-processor DPAs)
  • Confirmation: Provide written confirmation of deletion
  • Exceptions: Data retained only if:
    • Legal obligation requires retention (e.g., tax, accounting)
    • Necessary for legal claims
    • Public interest or scientific/historical research

Timeline: Deleted within 30 days (backups deleted within up to 90 days)

Your Obligation: You must honor erasure requests unless a GDPR Art. 17(3) exception applies

4. Right to Restriction (GDPR Art. 18)

Data Subject Request: "Restrict Processing of my Personal Data"

Hashed Horizon's Assistance:

  • Flagging: Mark the Data Subject's data with "restricted Processing" status
  • Limited Processing: Process only for:
    • Storage (no active use)
    • Data Subject consent for specific purposes
    • Legal claims
    • Protection of others' rights
  • Notification: Notify you before lifting restriction

Timeline: Restricted within 5 business days

Duration: Restriction remains until you instruct us to lift it or delete the data

5. Right to Data Portability (GDPR Art. 20)

Data Subject Request: "Provide my Personal Data in a structured, machine-readable format"

Hashed Horizon's Assistance:

  • Export: Extract data in structured format:
    • CSV: Comma-separated values for tabular data
    • JSON: JavaScript Object Notation for hierarchical data
    • XML: Extensible Markup Language
  • Scope: Only data:
    • Provided by the Data Subject (not derived or inferred)
    • Processed based on consent or contract
  • Direct Transmission: If technically feasible, transmit directly to another controller at Data Subject's request

Timeline: Provided within 10 business days

Limitations: Does not apply to Processing based on legal obligation or public interest

6. Right to Object (GDPR Art. 21)

Data Subject Request: "I object to Processing of my Personal Data"

Hashed Horizon's Assistance:

  • Cessation: Stop Processing unless:
    • We demonstrate compelling legitimate grounds that override Data Subject's interests, or
    • Processing is necessary for legal claims
  • Assessment: Evaluate whether legitimate grounds exist
  • Consultation: Coordinate with you to determine if objection must be honored

Timeline: Processing ceased within 5 business days (unless override applies)

Marketing Objection: If objection is to direct marketing, we MUST cease Processing immediately with no exceptions

7. Automated Decision-Making (GDPR Art. 22)

Data Subject Request: "I do not want to be subject to automated decisions"

Hashed Horizon's Assistance:

  • Human Review: Provide explanation of AI decision-making logic
  • Intervention: Allow Data Subject to contest automated decision
  • Manual Override: Implement human review for contested decisions

Not Applicable: GDPR Art. 22 does NOT apply to ThisOne AI Platform because:

  • You (the Data Controller) review AI Outputs before use
  • Outputs do not automatically result in legal/significant effects on Data Subjects
  • Human-in-the-loop process prevents fully automated decision-making

Your Responsibility: If you use AI Outputs to make automated decisions, YOU must comply with GDPR Art. 22

Technical Assistance

Self-Service Tools

Where available, Hashed Horizon provides self-service tools for Data Subject rights:

  • Data Export: Download Customer Data in structured format
  • Delete Account: Self-service Account deletion (deletes all associated data)
  • Access Controls: View and manage who has access to Customer Data

Your Control: You may use these tools directly or request Hashed Horizon assistance

API Access

For enterprise customers:

  • Data Access API: Programmatic access to Customer Data for bulk export
  • Deletion API: Automated deletion of specific data records
  • Webhook Notifications: Real-time notifications of Data Subject requests

Documentation: API documentation available at https://thisone.app/docs/api

Response Times and SLAs

Request Type | Response Time | Completion Time
Access (GDPR Art. 15) | 5 business days | 10 business days
Rectification (GDPR Art. 16) | 3 business days | 5 business days
Erasure (GDPR Art. 17) | 5 business days | 30 days
Restriction (GDPR Art. 18) | 3 business days | 5 business days
Portability (GDPR Art. 20) | 5 business days | 10 business days
Objection (GDPR Art. 21) | 3 business days | 5 business days

Urgent Requests: For safety-critical or emergency requests, contact dpo@hashedhorizon.com with "URGENT" in subject line for expedited processing

Fees for Assistance

First Request: Free of charge

Subsequent Requests: Hashed Horizon may charge a reasonable fee for:

  • Manifestly unfounded or excessive requests (GDPR Art. 12(5))
  • Multiple requests from the same Data Subject within 12 months
  • Requests requiring significant technical effort

Fee Structure: Fees calculated based on:

  • Technical complexity
  • Time required
  • Data volume
  • Frequency of requests

Notification: We will notify you of any fees before providing assistance; you may decline and fulfill the request independently

Your Responsibilities

As the Data Controller, you must:

  1. Identity Verification: Verify the identity of Data Subjects making requests
  2. Request Evaluation: Assess whether the request is valid under GDPR
  3. Timeline Compliance: Respond to Data Subjects within 1 month (extendable to 3 months)
  4. Refusal Justification: If refusing a request, explain why to the Data Subject
  5. Supervisory Authority: Inform Data Subjects of their right to complain to supervisory authorities
  6. Coordination: Coordinate with Hashed Horizon to ensure timely and complete responses

Hashed Horizon's assistance does not relieve you of your obligations as the Data Controller.

Record Keeping

Hashed Horizon maintains records of:

  • All Data Subject rights requests received
  • Assistance provided to Data Controllers
  • Response times and completion dates
  • Fees charged (if any)

Audit Access: Records available for your review or supervisory authority audits upon request

Personal Data Breach Notification (GDPR Art. 33-34)

Hashed Horizon will notify you of Personal Data breaches affecting Customer Data as required by GDPR Art. 33(2).

Definition of Personal Data Breach

A "Personal Data Breach" (also called "Security Incident") means a breach of security leading to the accidental or unlawful:

  • Destruction of Personal Data
  • Loss of Personal Data
  • Alteration of Personal Data (unauthorized modification)
  • Unauthorized Disclosure of Personal Data
  • Unauthorized Access to Personal Data

Examples:

  • Ransomware attack encrypting Customer Data
  • Unauthorized employee accessing Customer Data
  • Accidental email to wrong recipient containing Personal Data
  • Hacker exfiltrating Customer Data from database
  • Lost or stolen laptop containing unencrypted Customer Data
  • Misconfigured cloud storage allowing public access

Breach Detection and Response

Detection

Hashed Horizon employs 24/7 security monitoring to detect breaches:

  • Automated Alerts: SIEM systems detecting anomalous activity
  • Intrusion Detection: Network and host-based intrusion detection
  • Log Analysis: Continuous analysis of access logs
  • Employee Reporting: Employees trained to report suspected breaches
  • Third-Party Notifications: Sub-processors notify us of breaches

Discovery Time: Most breaches detected within 24 hours through automated monitoring

Incident Response

Upon discovering a Personal Data Breach:

  1. Immediate Containment (Within 1 hour):

    • Isolate affected systems
    • Revoke compromised credentials
    • Block attacker access
    • Prevent further data loss
  2. Forensic Investigation (Within 24 hours):

    • Determine scope and nature of breach
    • Identify affected Customer Data
    • Assess likelihood and severity of risk to Data Subjects
    • Document root cause and attack vector
  3. Notification (Within 72 hours):

    • Notify affected Data Controllers (you)
    • Notify supervisory authority if required
    • Notify Data Subjects if required (in coordination with you)
  4. Remediation (Ongoing):

    • Implement fixes to prevent recurrence
    • Restore services from backups if necessary
    • Conduct post-incident review

Notification to Data Controller (You)

Notification Timeline

Hashed Horizon will notify you without undue delay and no later than 72 hours after becoming aware of a Personal Data Breach affecting your Customer Data.

Clock Starts: When Hashed Horizon has a reasonable degree of certainty that a breach has occurred (not mere suspicion)

Urgent Notification: For high-risk breaches, we will notify you within 24 hours or immediately by phone

Notification Method

Primary: Email to support@hashedhorizon.com

Backup:

  • In-app notification (if applicable)
  • Phone call (for high-risk breaches)
  • Secure portal message

24/7 Contact: For emergencies outside business hours, contact support@hashedhorizon.com with subject line "URGENT BREACH NOTIFICATION"

Notification Contents (GDPR Art. 33(3))

The breach notification will include:

  1. Nature of Breach:

    • Type of breach (unauthorized access, loss, destruction, etc.)
    • Date and time of breach (or estimated)
    • Date and time breach was discovered
    • Attack vector (if known): phishing, ransomware, misconfiguration, etc.
  2. Categories and Number of Data Subjects Affected:

    • Estimated number of individuals affected
    • Categories of Data Subjects (employees, customers, etc.)
    • Geographic location of affected individuals (if known)
  3. Categories and Number of Records Affected:

    • Types of Personal Data involved (names, emails, financial data, etc.)
    • Estimated number of records compromised
    • Whether Special Categories of Personal Data (GDPR Art. 9) were affected
  4. Contact Point:

    • Name and contact details of the Data Protection Officer (dpo@hashedhorizon.com)
    • Point of contact for further information
  5. Likely Consequences:

    • Risk assessment: low, medium, high, or critical
    • Potential harm to Data Subjects (identity theft, financial loss, discrimination, etc.)
    • Likelihood of harm occurring
  6. Measures Taken:

    • Steps already taken to contain and mitigate the breach
    • Measures to remediate the breach and prevent recurrence
    • Recommendations for Data Controllers to protect Data Subjects
  7. Recommendations for Data Controllers:

    • Whether you should notify affected Data Subjects (GDPR Art. 34)
    • Whether you should notify your supervisory authority
    • Suggested communications to Data Subjects

Phased Notification

If complete information is not available within 72 hours:

  1. Initial Notification: Provide available information within 72 hours
  2. Follow-Up: Provide additional details as they become available
  3. Final Report: Comprehensive report within 30 days of breach discovery

No Delay Penalty: Providing phased notification does not constitute "undue delay" if initial notification is timely

Notification to Supervisory Authority (GDPR Art. 33)

Hashed Horizon's Obligation

As the Data Processor, Hashed Horizon is not directly required to notify supervisory authorities. However:

  • We will notify YOU (the Data Controller) within 72 hours
  • YOU must assess whether to notify the supervisory authority based on risk to Data Subjects

Your Obligation (Data Controller)

You must notify your supervisory authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to Data Subjects' rights and freedoms (GDPR Art. 33(1)).

Factors Determining Risk:

  • Type and sensitivity of Personal Data
  • Ease of identification of individuals
  • Severity and likelihood of consequences
  • Special characteristics of Data Subjects (children, vulnerable individuals)

Assistance: Hashed Horizon will provide all information necessary for your supervisory authority notification

Relevant Supervisory Authorities

Other EU/EEA: Identify your supervisory authority at https://edpb.europa.eu/about-edpb/board/members_en

Notification to Data Subjects (GDPR Art. 34)

When Required

You (the Data Controller) must notify affected Data Subjects without undue delay if the breach is likely to result in a high risk to their rights and freedoms (GDPR Art. 34(1)).

High Risk Examples:

  • Financial data or credentials compromised (risk of fraud/identity theft)
  • Special Categories of Personal Data exposed (health, biometric, racial/ethnic origin)
  • Large-scale breach affecting thousands of individuals
  • Children's data compromised

Not Required If:

  1. Appropriate technical/organizational protection measures were applied (e.g., encryption), OR
  2. You have taken subsequent measures ensuring high risk is no longer likely, OR
  3. It would involve disproportionate effort (may use public communication instead)

Hashed Horizon's Assistance

We will assist you in notifying Data Subjects by:

  1. Risk Assessment: Providing our assessment of risk level to help you determine if notification is required
  2. Contact Information: Extracting email addresses or contact details of affected Data Subjects (if available)
  3. Draft Communications: Providing template notification text (subject to your review and customization)
  4. Delivery: Optionally, sending notifications on your behalf (if instructed)

Your Responsibility: The decision to notify Data Subjects is yours as the Data Controller. Hashed Horizon will provide recommendations, but the final decision rests with you.

Notification Contents (GDPR Art. 34(2))

Data Subject notifications must include:

  1. Nature of Breach: Clear and plain language description
  2. Contact Point: Your contact details (or Hashed Horizon's if delegated)
  3. Likely Consequences: Potential impact on the individual
  4. Measures Taken: Steps to mitigate adverse effects
  5. Recommended Actions: What the individual should do (e.g., change passwords, monitor credit reports)

Example Template:

Subject: Important Security Notice - Data Breach Notification

Dear [Name],

We are writing to inform you of a data security incident that may affect your personal information.

What Happened: On [date], we discovered that [brief description of breach].

What Information Was Affected: The following categories of your personal data may have been accessed: [list categories].

What We Are Doing: We have [containment measures] and [remediation steps].

What You Should Do: We recommend you [specific actions like changing passwords, monitoring accounts].

For More Information: Contact us at support@hashedhorizon.com with any questions.

We sincerely apologize for this incident and are committed to protecting your personal data.

Sincerely,
Hashed Horizon Sp. z o.o.

Breach Documentation (GDPR Art. 33(5))

Hashed Horizon maintains documentation of all Personal Data Breaches, including:

  1. Breach Details: Facts, effects, and remedial action taken
  2. Notification Records: When and to whom notifications were sent
  3. Risk Assessment: Evaluation of risks and consequences
  4. Lessons Learned: Post-incident review and improvements implemented

Supervisory Authority Access: Documentation available for supervisory authority inspection upon request

Your Access: You may request breach documentation by emailing dpo@hashedhorizon.com

Breach Prevention

Hashed Horizon employs the following measures to prevent breaches:

  • Security Measures: See Security Measures (Security) for the comprehensive list
  • Employee Training: Annual security awareness training, phishing simulations
  • Vulnerability Management: Regular security assessments, penetration testing
  • Incident Drills: Annual breach response simulation exercises
  • Continuous Monitoring: 24/7 SOC monitoring for threats

Continuous Improvement: Post-breach reviews identify and implement improvements

Sub-processor Breaches

If a Sub-processor notifies Hashed Horizon of a breach:

  1. Relay Notification: We will relay the Sub-processor's notification to you within 24 hours
  2. Investigation: We will investigate and assess the impact on your Customer Data
  3. Coordination: We will coordinate with the Sub-processor to contain and remediate
  4. Liability: Hashed Horizon remains liable for Sub-processor breaches under GDPR Art. 28(4)

Your Rights: You may request direct communication with the Sub-processor (subject to confidentiality obligations)

No Breach Fee

Hashed Horizon does NOT charge fees for breach notifications or assistance with breach response. All breach-related assistance is provided at no cost to you.

Testing Breach Response

Annual Drills: Hashed Horizon conducts annual breach response simulation exercises

Customer Participation: You may request to participate in breach response testing to validate notification procedures

Test Notifications: We will clearly label any test breach notifications to avoid confusion

Audit, DPIA Assistance, and Inspection Rights

Data Protection Impact Assessment (DPIA) Assistance (GDPR Art. 35(2))

Legal Requirement: Under GDPR Art. 35(2), Hashed Horizon as Data Processor shall assist you (the Data Controller) in carrying out Data Protection Impact Assessments (DPIAs) when required.

When DPIAs Are Required

Under GDPR Art. 35(1), a DPIA is required when Processing is likely to result in high risk to Data Subjects, particularly when using:

  • Systematic and extensive profiling with automated decision-making
  • Processing special categories of data (GDPR Art. 9) or criminal conviction data (GDPR Art. 10) on a large scale
  • Systematic monitoring of publicly accessible areas on a large scale
  • New technologies that pose high data protection risks

Your Responsibility: As Data Controller, you determine whether a DPIA is required. Hashed Horizon assists but does not conduct the DPIA on your behalf.

DPIA Assistance We Provide

When you conduct a DPIA, Hashed Horizon will provide the following assistance:

1. Processing Information (GDPR Art. 35(7))

We will provide documentation describing:

  • Nature, Scope, Context, Purpose of the Processing (GDPR Art. 35(7)(a))
  • Personal Data Categories: Types of Customer Data we Process
  • Data Retention Periods: How long we retain Customer Data (Termination and Data Return)
  • Data Flows: How Customer Data moves through our systems and Sub-processors
  • Automated Decision-Making: Whether any automated decisions affect Data Subjects (if applicable)

Delivery: Within 30 days of your DPIA assistance request

2. Security Measures Assessment (GDPR Art. 35(7)(d))

We will provide detailed information on:

  • Technical Measures: Encryption, access controls, pseudonymization (see Security Measures)
  • Organizational Measures: Policies, training, incident response procedures
  • Compliance Certifications: ISO 27001, SOC 2 Type II (if applicable)
  • Penetration Testing: Results of recent security assessments (subject to NDA)
  • Sub-processor Security: Security measures implemented by Sub-processors

Assessment: Security measures description aligned with GDPR Art. 32 requirements

3. Risk Mitigation Measures (GDPR Art. 35(7)(d))

We will explain how our Processing design mitigates data protection risks:

  • Data Minimization: How we Process only necessary Customer Data
  • Purpose Limitation: How we restrict Processing to your documented instructions
  • Storage Limitation: How we implement retention limits and deletion
  • Confidentiality: Access controls limiting who can access Customer Data
  • Integrity: Measures preventing unauthorized alteration or loss
  • Availability: Backup and disaster recovery procedures

4. Processor-Specific Risk Information

We will identify any Processing risks specific to our Services:

  • International Transfers: Risks from transfers to third countries (Standard Contractual Clauses - SCCs)
  • Sub-processor Risks: Risks from Sub-processor Processing and mitigations
  • Technology Risks: Risks from AI/ML Processing (if applicable)
  • Vendor Risks: Supply chain risks and vendor management practices

5. Expert Consultation

If you require additional DPIA assistance:

  • Security Expert Consultation: Our Data Protection Officer or security team can participate in DPIA discussions
  • Technical Clarifications: Answer technical questions about our Processing
  • Risk Assessment Support: Provide input on likelihood and severity of Processing risks

Availability: Subject to reasonable advance notice (minimum 14 days) and scheduling

DPIA Assistance Request Process

How to Request DPIA Assistance:

  1. Email: dpo@hashedhorizon.com
  2. Subject Line: "DPIA Assistance Request"
  3. Include:
    • Brief description of the Processing requiring DPIA
    • Specific information needed from Hashed Horizon
    • Deadline for information delivery (minimum 30 days)
    • Contact person for follow-up questions

Response Timeline:

  • Acknowledgment: Within 5 business days
  • Information Delivery: Within 30 days (or as agreed)
  • Follow-up Questions: Responded to within 10 business days

No Cost: DPIA assistance is provided at no additional cost as part of this DPA

Confidentiality of DPIA Information

Information provided for DPIA purposes is confidential and may only be used for:

  • Conducting your DPIA
  • Demonstrating GDPR compliance to supervisory authorities
  • Internal data protection compliance assessments

Non-Disclosure: You agree not to publicly disclose DPIA assistance information provided by Hashed Horizon without our written consent

Consultation with Supervisory Authority (GDPR Art. 36)

If your DPIA indicates high residual risks and you must consult your supervisory authority (GDPR Art. 36), Hashed Horizon will:

  • Cooperate with you in providing information to the supervisory authority
  • Respond to supervisory authority questions about our Processing (with your consent)
  • Implement any additional safeguards recommended by the supervisory authority (if reasonable and technically feasible)

Notification: Please notify us if you intend to consult a supervisory authority regarding Processing we perform as Processor


Audit and Inspection Rights (GDPR Art. 28(3)(h))

You (the Data Controller) have the right to audit Hashed Horizon's compliance with this DPA as required by GDPR Art. 28(3)(h).

Audit Rights

Scope of Audit

You may audit Hashed Horizon's:

  1. Data Processing Activities: How Customer Data is Processed
  2. Security Measures: Implementation of GDPR Art. 32 security measures (see Security Measures)
  3. Sub-processor Management: Compliance of Sub-processors with data protection obligations
  4. Breach Response: Incident response procedures and breach notification processes
  5. Data Subject Rights: Procedures for assisting with Data Subject requests
  6. Record Keeping: GDPR Art. 30(2) Processing records

Limitations: Audits must be:

  • Conducted during business hours (9 AM - 5 PM local time)
  • With reasonable advance notice (minimum 30 days)
  • Limited to your Customer Data and related Processing activities
  • Subject to confidentiality obligations

Excluded from Audit:

  • Other customers' data or configurations
  • Hashed Horizon's confidential business information (pricing, roadmaps, etc.)
  • Security measures unrelated to Customer Data Protection
  • Source code or proprietary algorithms

Audit Frequency

Standard Frequency: Once per 12-month period at no cost

Additional Audits: Additional audits may be conducted:

  • With Hashed Horizon's written consent
  • Subject to reasonable fees to cover Hashed Horizon's costs
  • In response to a Security Incident affecting your Customer Data (no additional fee)

Supervisory Authority Audits: Audits requested by supervisory authorities are not subject to frequency limits

Audit Methods

You may choose from the following audit methods:

1. Self-Assessment Questionnaire (SAQ)

Process:

  1. Hashed Horizon provides detailed questionnaire covering GDPR compliance
  2. You review responses and supporting documentation
  3. Follow-up questions permitted

Timeline: Completed within 30 days of request

Cost: Free (included in Service)

Frequency: Unlimited

Best For: Annual compliance checks, low-risk Processing

2. Third-Party Audit Reports

Available Reports:

  • SOC 2 Type II: Service Organization Control report (if applicable)
  • ISO 27001: Information Security Management System certification
  • Penetration Test Reports: Annual third-party security assessments
  • GDPR Compliance Audit: Independent GDPR audit report

Process:

  1. Request report from dpo@hashedhorizon.com
  2. Sign Non-Disclosure Agreement (NDA)
  3. Receive report within 14 days

Cost: Free for standard reports

Frequency: As often as reports are updated (typically annually)

Best For: Demonstrating compliance to auditors, regulators, or customers

3. Remote Audit

Process:

  1. Schedule video conference with Hashed Horizon team
  2. Review documentation, policies, and procedures
  3. Interview personnel responsible for data protection
  4. Receive findings report within 14 days

Timeline: Scheduled within 45 days of request

Cost: Free for first remote audit per year; reasonable fee for additional audits

Frequency: Once per year (free); additional audits subject to fees

Best For: Cost-effective compliance verification, complex Processing

4. On-Site Audit

Process:

  1. Submit audit plan and scope 60 days in advance
  2. Hashed Horizon approves scope and logistics
  3. Conduct on-site inspection at Hashed Horizon facilities
  4. Receive findings report within 30 days

Timeline: Scheduled within 90 days of request (subject to availability)

Cost:

  • Your Costs: Travel, accommodation, and auditor fees
  • Hashed Horizon Costs: Reasonable fee for staff time and facilities (if audit exceeds 2 days)

Frequency: Once per year (subject to Hashed Horizon approval)

Limitations:

  • Maximum 2 auditors
  • Maximum 3 business days on-site
  • Non-intrusive methods only (no Production system access)
  • Photography and recording require prior approval

Best For: High-risk Processing, regulatory requirements, due diligence

5. Appointed Auditor

Process:

  1. You appoint an independent third-party auditor (subject to Hashed Horizon approval)
  2. Auditor conducts audit on your behalf
  3. Auditor provides report to you and Hashed Horizon

Auditor Requirements:

  • Professional auditing firm with GDPR expertise
  • Sign confidentiality and non-disclosure agreements
  • No conflicts of interest with Hashed Horizon or competitors
  • Appropriate insurance coverage

Timeline: Scheduled within 60 days of auditor approval

Cost: You bear all auditor fees; Hashed Horizon may charge reasonable fees for staff time if audit exceeds 2 days

Best For: Large-scale audits, regulatory compliance, high-risk Processing

Audit Scheduling and Logistics

Audit Request Process

  1. Submit Audit Request:

    • Email dpo@hashedhorizon.com with subject line "DPA Audit Request"
    • Include:
      • Proposed audit date(s)
      • Audit method (SAQ, remote, on-site, etc.)
      • Scope and objectives
      • Auditor names and affiliations (if applicable)
      • Special requirements or accommodations
  2. Hashed Horizon Response (within 14 days):

    • Approve audit request, or
    • Propose alternative dates/scope, or
    • Decline (with written explanation of reasons)
  3. Audit Planning:

    • Finalize scope, timeline, and logistics
    • Execute necessary NDAs
    • Schedule interviews with Hashed Horizon personnel
    • Coordinate access to documentation and systems
  4. Conduct Audit: According to agreed plan

  5. Findings Report:

    • Auditor prepares report
    • Hashed Horizon reviews for accuracy and confidentiality
    • Final report delivered to you

Advance Notice Requirements

Audit Method          Minimum Notice   Recommended Notice
--------------------  ---------------  ------------------
SAQ                   7 days           14 days
Third-Party Reports   7 days           14 days
Remote Audit          30 days          45 days
On-Site Audit         60 days          90 days
Appointed Auditor     45 days          60 days

Expedited Audits: In case of Security Incidents or regulatory investigations, Hashed Horizon will accommodate expedited audits with shorter notice periods

Confidentiality

Audit Information: All information disclosed during audits is confidential and subject to:

  1. Non-Disclosure Agreement (NDA): You and your auditors must sign Hashed Horizon's standard NDA
  2. Permitted Use: Audit information may only be used for data protection compliance purposes
  3. No Public Disclosure: Audit findings may not be publicly disclosed without Hashed Horizon's written consent
  4. Return of Materials: All confidential materials must be returned or destroyed after audit completion

Exceptions: Confidentiality does not prevent disclosure to:

  • Supervisory authorities (as required by law)
  • Your legal or compliance advisors (subject to confidentiality obligations)
  • Courts or regulators (pursuant to legal process)

Audit Findings and Remediation

Findings Report

Audit reports will include:

  1. Executive Summary: High-level findings and recommendations
  2. Detailed Findings: Specific compliance gaps or security issues identified
  3. Risk Rating: Critical, high, medium, or low risk for each finding
  4. Recommendations: Actionable steps to remediate findings
  5. Positive Findings: Acknowledgment of strong compliance practices

Remediation Process

If audits identify compliance gaps:

  1. Acknowledgment: Hashed Horizon will acknowledge findings within 7 days
  2. Remediation Plan: Within 30 days, Hashed Horizon will provide:
    • Proposed remediation actions
    • Timeline for completion
    • Responsible parties
  3. Implementation: Execute remediation plan according to timeline
  4. Verification: Provide evidence of remediation completion
  5. Follow-Up Audit: You may conduct follow-up audit to verify remediation

Timeline: Critical findings remediated within 30 days; high-risk within 90 days; medium/low within 180 days

Unresolved Findings

If Hashed Horizon disagrees with audit findings:

  1. Written Response: Hashed Horizon will provide written explanation within 14 days
  2. Evidence: Supporting evidence demonstrating compliance
  3. Discussion: Good faith discussion to resolve disagreement
  4. Escalation: If unresolved, may escalate to executive management
  5. Independent Review: Engage independent expert for binding determination (costs shared equally)

Supervisory Authority Audits

Direct Supervisory Authority Access

Supervisory authorities (e.g., Dutch DPA, Estonian DPI) have the right to:

  • Conduct inspections of Hashed Horizon's facilities (GDPR Art. 58(1)(f))
  • Access all Customer Data and Processing records (GDPR Art. 58(1)(e))
  • Obtain information from Hashed Horizon (GDPR Art. 58(1)(a))

Coordination: Hashed Horizon will notify you within 24 hours of any supervisory authority inspection request (unless legally prohibited)

Your Participation: You may request to participate in supervisory authority audits related to your Customer Data

Regulatory Requests

If a supervisory authority requests information about your Customer Data:

  1. Notification: We will notify you within 24 hours (unless prohibited by law)
  2. Consultation: We will consult with you before disclosing information (where legally permitted)
  3. Objection: You may object to disclosure on data protection grounds
  4. Disclosure: We will comply with lawful regulatory requests, even if you object
  5. Documentation: We will document all regulatory requests and responses

Certification and Compliance Documents

Hashed Horizon will provide the following upon request:

Compliance Certifications

  • ISO 27001 certificate (if applicable)
  • SOC 2 Type II report (subject to NDA)
  • GDPR compliance attestations
  • Security assessment reports

Policies and Procedures

  • Information Security Policy
  • Data Protection Policy
  • Incident Response Plan
  • Business Continuity Plan
  • Vendor Management Policy

Processing Records (GDPR Art. 30(2))

  • Categories of Processing activities
  • Categories of Personal Data Processed
  • Categories of Data Subjects
  • Sub-processor list with safeguards
  • International transfer mechanisms
  • Retention periods
  • Security measures description

Request Process: Email dpo@hashedhorizon.com specifying documents needed

Delivery: Within 14 days; subject to NDA for confidential documents

Audit Fees

Audit Method          Standard Frequency   Fee
--------------------  -------------------  ------------------------------------------------
SAQ                   Unlimited            Free
Third-Party Reports   Annually             Free
Remote Audit          1 per year           Free; additional audits: reasonable fee
On-Site Audit         1 per year           Your travel costs; Hashed Horizon fees if >2 days
Appointed Auditor     1 per year           Your auditor costs; Hashed Horizon fees if >2 days

Reasonable Fees: If fees apply, Hashed Horizon will provide cost estimate before audit; fees cover:

  • Staff time for interviews and documentation
  • Facility access and logistics
  • Technical support for auditor access

Fee Waiver: Fees waived for audits triggered by Security Incidents affecting your Customer Data

Record Retention

Hashed Horizon will retain audit records (requests, reports, findings, remediation) for:

  • Active DPA: Duration of DPA plus 7 years
  • Terminated DPA: 7 years after termination

Your Access: You may request copies of audit records at any time

Termination and Data Return (GDPR Art. 28(3)(g))

This section governs what happens to your Customer Data when this DPA or the Services terminate, as required by GDPR Art. 28(3)(g).

Termination Events

This DPA terminates when:

  1. Service Termination: You terminate your Account or subscription to ThisOne AI Platform Services
  2. Contract Expiration: The Terms of Service expire without renewal
  3. Breach: Either party terminates for material breach of this DPA
  4. Insolvency: Either party becomes insolvent or files for bankruptcy
  5. Mutual Agreement: Both parties agree in writing to terminate
  6. Sub-processor Objection: You object to a new Sub-processor and we cannot accommodate (see Sub-processors)
  7. Legal Requirement: Termination required by law or court order

Notice Period: Unless otherwise specified, either party may terminate with 30 days' written notice

Effect of Termination: Upon termination, Hashed Horizon's Processing of Customer Data ceases (except as required for data return or legal compliance)

Your Choice: Data Return or Deletion

Within 30 days of termination, you must instruct Hashed Horizon to either:

Option 1: Data Return

What You Receive:

  • Complete copy of all Customer Data
  • In structured, commonly used, machine-readable format
  • Formats available: CSV, JSON, XML, or database dump

Delivery Methods:

  • Download Portal: Secure web interface for self-service download
  • Cloud Storage: Upload to your AWS S3, Google Cloud Storage, or Azure Blob
  • Encrypted Hard Drive: Physical encrypted drive shipped to your address (for large datasets >100GB)
  • SFTP: Secure File Transfer Protocol to your server

Timeline: Data available for download within 30 days of termination

Retention After Return: After successful data return confirmation, Hashed Horizon will delete all Customer Data (see Option 2)

Your Responsibility: Verify the integrity and completeness of the returned data; Hashed Horizon is not liable for data loss after confirmation of successful return

Option 2: Data Deletion

What is Deleted:

  • All Customer Data from Production systems
  • All backups (deleted within up to 90 days)
  • All logs containing Customer Data (where feasible)
  • Data from Sub-processor systems

Deletion Method:

  • Overwriting: Multi-pass overwrite (DoD 5220.22-M standard or equivalent)
  • Cryptographic Erasure: Destruction of encryption keys rendering data unrecoverable
  • Physical Destruction: For physical media, shredding or degaussing

Timeline:

  • Production Systems: Deleted within 30 days of instruction
  • Backups: Deleted within up to 90 days of instruction
  • Sub-processors: Deleted within 60 days (per Sub-processor DPA obligations)

Deletion Certificate: Hashed Horizon will provide written certification of deletion upon request

Exceptions - Data NOT Deleted:

  • Data required for legal compliance (tax, accounting, regulatory)
  • Data necessary to establish, exercise, or defend legal claims
  • Anonymized data (no longer Personal Data under GDPR Art. 4(1))

No Instruction Provided

If you do NOT provide deletion/return instructions within 30 days of termination:

  1. Automatic Deletion: Hashed Horizon will automatically delete Customer Data after 90 days
  2. Final Notice: We will send final notice 7 days before automatic deletion
  3. No Liability: Hashed Horizon is not liable for data loss if no timely instruction is provided

Your Responsibility: Provide clear written instructions to avoid unintended data loss

Hashed Horizon may retain minimal Customer Data if required by:

  • Tax and Accounting: Transaction records, invoices (typically 7 years per EU/national law)
  • Anti-Money Laundering: Customer due diligence records (typically 5 years)
  • Data Retention Laws: Industry-specific retention requirements

Minimization: Only minimum data necessary for legal compliance is retained

Restriction: Retained data is restricted to compliance purposes only (no active Processing)

Deletion After Retention Period: Data deleted at end of legal retention period

If there are pending or threatened legal claims involving Customer Data:

  1. Litigation Hold: Hashed Horizon may retain Customer Data necessary for legal defense
  2. Notification: We will notify you of litigation hold within 14 days
  3. Scope: Only data relevant to the legal claim is retained
  4. Deletion After Resolution: Data deleted within 90 days of final claim resolution

Your Rights: You may object to retention and request deletion subject to legal risk assessment

Backup Retention

Retention Period: Backups containing Customer Data are retained for up to 90 days after termination

Restoration Prohibited: Backups will NOT be restored to Production systems after termination

Automatic Deletion: Backups automatically deleted at end of retention period

Exceptions: Backups retained longer only if:

  • Required for legal compliance (e.g., litigation hold)
  • Necessary to investigate Security Incidents
  • You specifically request backup retention (subject to fees)

Your Control: You may request expedited backup deletion by contacting dpo@hashedhorizon.com

Data Return Process

Step-by-Step Process

  1. Initiate Request (Within 30 days of termination):

    • Email dpo@hashedhorizon.com with subject "DPA Data Return Request"
    • Specify return method (download portal, cloud storage, etc.)
    • Provide delivery details (cloud credentials, shipping address)
  2. Preparation (7-14 days):

    • Hashed Horizon prepares data export
    • Data compiled in requested format
    • Integrity checks performed (checksums, validation)
  3. Notification (Within 14 days):

    • We notify you when data is ready for download/delivery
    • Provide access credentials or tracking information
  4. Download/Delivery (Within 30 days):

    • You download data or receive physical shipment
    • Access Window: Download access available for 30 days
  5. Verification (Recommended):

    • Verify data integrity using checksums provided
    • Confirm all expected data is present
    • Test data import into your systems
  6. Confirmation:

    • You confirm successful data return
    • Hashed Horizon proceeds with deletion

No Confirmation: If you do not confirm within 30 days, Hashed Horizon will assume successful return and proceed with deletion

Data Return Formats

Format          Best For                     Contents
--------------  ---------------------------  ------------------------------------------
CSV             Tabular data, spreadsheets   Comma-separated values, one file per table
JSON            Structured data, APIs        Hierarchical data with nested objects
XML             Enterprise systems           Extensible Markup Language
Database Dump   Large datasets, developers   SQL dump file (PostgreSQL, MySQL)
API Export      Developers, automation       RESTful API for programmatic export

Metadata Included: All exports include:

  • Schema documentation
  • Data dictionary (field definitions)
  • Relationships between data entities
  • Export timestamp and version

Large Dataset Handling

For Customer Data >100GB:

  • Split Archives: Data split into manageable chunks (e.g., 10GB each)
  • Incremental Export: Export in batches over multiple days
  • Physical Shipment: Encrypted hard drives shipped via courier
  • Dedicated Transfer: SFTP to your server with bandwidth throttling

Costs: Hashed Horizon may charge reasonable fees for physical shipment or dedicated transfer bandwidth

Post-Termination Obligations

After termination and data return/deletion:

Hashed Horizon's Obligations

  1. Deletion Completion: Delete all Customer Data (except legal retention)
  2. Sub-processor Notification: Instruct Sub-processors to delete Customer Data
  3. Certification: Provide deletion certificate upon request
  4. No Further Use: Cease all Processing of Customer Data (except legal retention)
  5. Confidentiality: Continue to maintain confidentiality of Customer Data

Duration: Confidentiality obligations survive termination indefinitely

Your Obligations

  1. Final Invoice: Pay any outstanding fees for Services rendered
  2. Return of Materials: Return any Hashed Horizon confidential materials
  3. Cease Use: Stop using ThisOne AI Platform Services
  4. Sub-processor Access: Revoke access to any Sub-processors you engaged directly

Deletion Certification

Upon request, Hashed Horizon will provide written certification that:

  1. All Customer Data has been deleted from Production systems
  2. Deletion process followed secure deletion standards (DoD 5220.22-M or equivalent)
  3. Sub-processors have been instructed to delete Customer Data
  4. Backups will be deleted within up to 90 days

Certification Contents:

  • Date of deletion
  • Systems from which data was deleted
  • Deletion method used
  • Exceptions (legal retention, if any)
  • Authorized signatory

Request: Email dpo@hashedhorizon.com with subject "DPA Deletion Certificate Request"

Delivery: Within 14 days of data deletion completion

Survival Provisions

The following provisions survive termination of this DPA:

  1. Confidentiality: Obligations to protect confidential information (indefinite)
  2. Limitation of Liability: Liability caps and exclusions (indefinite)
  3. Indemnification: Indemnity obligations (for claims arising during DPA term)
  4. Audit Rights: Right to audit compliance with deletion obligations (2 years post-termination)
  5. Governing Law: Jurisdiction and dispute resolution (indefinite)

Legal Retention: Obligations related to legally required data retention survive until retention period expires

Re-Engagement

If you re-subscribe to ThisOne AI Platform Services after termination:

  1. No Automatic Restoration: Deleted Customer Data will NOT be automatically restored
  2. New DPA: A new DPA will be required
  3. Backup Limitations: Backups deleted during termination period cannot be recovered

Data Migration: You must upload Customer Data again from your own backup/return copy

Fees

Data Return: Generally free of charge

Exceptions (Fees May Apply):

  • Physical shipment of encrypted hard drives (shipping and media costs)
  • Expedited data return (<7 days)
  • Custom export formats not listed above
  • Datasets >1TB requiring specialized handling

Fee Estimate: Hashed Horizon will provide cost estimate before proceeding with fee-based services

Deletion: Always free of charge (no fees for deletion)

Termination for Cause

Material Breach by Hashed Horizon

If Hashed Horizon materially breaches this DPA, you may:

  1. Notice: Provide written notice specifying breach
  2. Cure Period: Allow 30 days to cure breach
  3. Termination: If not cured, terminate immediately with written notice
  4. Data Return: Request immediate data return (no 30-day wait)
  5. Refund: Receive pro-rated refund of prepaid fees

Material Breach Examples:

  • Unauthorized disclosure of Customer Data
  • Failure to implement required security measures
  • Processing outside documented instructions
  • Failure to notify of Personal Data Breach

Material Breach by You

If you materially breach this DPA, Hashed Horizon may:

  1. Suspend Processing: Immediately suspend access to Customer Data
  2. Notice: Provide written notice of breach
  3. Cure Period: Allow 14 days to cure breach
  4. Termination: If not cured, terminate and delete Customer Data
  5. No Refund: No refund of prepaid fees

Material Breach Examples:

  • Unauthorized access attempts
  • Failure to pay fees
  • Violation of acceptable use policy
  • Submission of unlawful data (e.g., Special Categories without authorization)

Contact for Termination

All termination notices and data return/deletion instructions should be sent to:

  • Email: dpo@hashedhorizon.com
  • Subject Line: "DPA Termination - Hashed Horizon Sp. z o.o."
  • Required Information:
    • Account details
    • Termination effective date
    • Data return or deletion instruction
    • Delivery method (if data return)

Confirmation: Hashed Horizon will acknowledge termination notice within 7 business days

Standard Contractual Clauses (SCCs)

This section incorporates the Standard Contractual Clauses (SCCs) approved by the European Commission for the transfer of Personal Data to third countries under GDPR Art. 46(2)(c).

When Customer Data is transferred to countries outside the European Economic Area (EEA) that do not have an adequacy decision under GDPR Art. 45, such transfers must be subject to appropriate safeguards under GDPR Art. 46.

Hashed Horizon's Transfers: Customer Data may be transferred to:

  • Google Cloud AI (Gemini) (EU/USA) - AI photo conversion and enhancement
  • Sentry (EU/USA) - Error tracking and crash diagnostics
  • Stripe (EU/USA) - Payment processing and subscription management
  • Apple (App Store / Apple Pay) (USA) - iOS in-app purchases and Apple Pay transactions
  • Google (Play Store / Google Pay) (USA) - Android in-app purchases and Google Pay transactions

Transfer Mechanism: Standard Contractual Clauses (EU Commission Decision 2021/914/EU)

Applicable SCC Modules

The SCCs consist of four modules for different transfer scenarios. The following modules apply to ThisOne AI Platform Services:

Module Two: Controller-to-Processor (C2P)

Applies When: You (Data Controller) transfer Customer Data to Hashed Horizon (Data Processor), and Hashed Horizon or its Sub-processors are located outside the EEA.

Parties:

  • Data Exporter (Controller): You
  • Data Importer (Processor): Hashed Horizon

Incorporation: Module Two of the SCCs (EU Decision 2021/914/EU) is incorporated by reference into this DPA and applies to:

  • Your submission of Customer Data to ThisOne AI Platform Services
  • Processing by Hashed Horizon outside the EEA
  • Transfers to Sub-processors outside the EEA

Module Three: Processor-to-Processor (P2P)

Applies When: Hashed Horizon (acting as Processor on your behalf) transfers Customer Data to Sub-processors located outside the EEA.

Parties:

  • Data Exporter (Processor): Hashed Horizon
  • Data Importer (Sub-processor): Sub-processors listed in Sub-processors

Incorporation: Module Three of the SCCs applies to:

  • Transfers from Hashed Horizon to Sub-processors in third countries
  • Onward transfers between Sub-processors

Hashed Horizon has ensured all relevant Sub-processors have signed Module Three SCCs.

SCC Terms and Clauses

The full text of the Standard Contractual Clauses (Decision 2021/914/EU) is available at:

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

Key Provisions (summarized):

Clause 1: Purpose and Scope

The SCCs apply to the transfer of Personal Data to ensure GDPR-level protection in third countries.

Clause 2: Effect and Invariability

The SCCs are directly effective and cannot be modified except as permitted (e.g., selecting optional clauses, adding commercial clauses that do not contradict the SCCs).

Clause 3: Third-Party Beneficiaries

Data Subjects are third-party beneficiaries and can enforce the SCCs against Hashed Horizon or Sub-processors.

Clause 4: Interpretation

Terms defined in GDPR have the same meaning in the SCCs.

Clause 5: Hierarchy

In case of conflict, the SCCs take precedence over other contract terms.

Clause 6: Description of Transfer(s)

Details of Transfer (Module Two):

  • Data Subjects: See Scope of Processing (Scope) for categories of Data Subjects
  • Categories of Personal Data: See Scope of Processing (Scope) for types of Personal Data
  • Sensitive Data: Special Categories (GDPR Art. 9) - only if authorized by Data Controller
  • Frequency: Continuous during Service usage
  • Nature of Processing: See Scope of Processing (Scope) for Processing activities
  • Purpose: Service provision as described in Terms of Service
  • Retention: See Scope of Processing (Scope) for retention periods

Clause 7: Docking Clause

Additional parties may accede to the SCCs by executing an Accession Form.

Clause 8: Data Protection Safeguards

Module Two - Processor Obligations:

Hashed Horizon warrants that it has no reason to believe laws in the third country prevent compliance with the SCCs. If laws conflict, Hashed Horizon will:

  1. Notify you without undue delay
  2. Suspend transfer until safeguards can be implemented
  3. If suspension is not possible, terminate the DPA

Practical Experience: Hashed Horizon has NO knowledge of:

  • Government or law enforcement requests for Customer Data access, OR
  • Laws requiring disclosure without legal process

If Disclosure Required: If Hashed Horizon receives a government request for Customer Data:

  1. Notification: Notify you within 24 hours (unless legally prohibited)
  2. Challenge: Challenge overly broad or unlawful requests
  3. Minimize: Limit disclosure to minimum necessary
  4. Transparency: Publish transparency reports annually (where permitted)

Clause 9: Documentation and Compliance

Hashed Horizon maintains documentation demonstrating compliance with SCCs, including:

  • Processing activities records (GDPR Art. 30(2))
  • Security measures documentation
  • Data breach records
  • Sub-processor agreements

Availability: Documentation available upon your request or supervisory authority request

Clause 10: Data Subject Rights

Hashed Horizon will assist you in responding to Data Subject rights requests (see Data Subject Rights Assistance of this DPA).

Direct Requests: If Data Subjects contact Hashed Horizon directly, we will refer them to you (the Data Controller) unless legally required to respond.

Clause 11: Redress

Data Subject Remedies:

  1. Complaint to Supervisory Authority: Data Subjects may lodge complaints with:

  2. Judicial Redress: Data Subjects may bring legal proceedings against Hashed Horizon in EEA courts

Indemnification: Hashed Horizon will indemnify you for damages caused by Hashed Horizon's violation of the SCCs

Clause 12: Liability

Liability Allocation:

  • Hashed Horizon: Liable for damages caused by Processing in violation of SCCs or GDPR
  • Sub-processors: Each Sub-processor liable for its own violations
  • Joint and Several: You and Hashed Horizon jointly and severally liable to Data Subjects

Limitation: Liability limited to actual damages (excluding indirect/consequential damages) subject to Terms of Service limitations

Clause 13: Supervision

Competent Supervisory Authority:

Or: The supervisory authority in your Member State (where you are established or where Data Subjects reside)

Clause 14: Local Laws and Practices

Assessment Obligation: Hashed Horizon has assessed laws in third countries where Processing occurs and confirms:

  1. No Conflicting Obligations: No laws prevent compliance with SCCs
  2. Government Access Laws: Laws governing government access to Personal Data are compatible with GDPR and SCCs
  3. Practical Experience: No government requests received that would violate SCCs

Ongoing Monitoring: Hashed Horizon continuously monitors legal developments in third countries and will notify you of material changes

Clause 15: Obligations in Case of Government Access

If Government Requests Access:

  1. Notify Data Controller: Notify you immediately (unless prohibited by law)
  2. Challenge: Use best efforts to challenge unlawful or overly broad requests
  3. Minimize: Limit disclosure to minimum necessary
  4. Document: Maintain records of all government requests
  5. Transparency: Provide annual transparency reports

Prohibited Disclosures: Hashed Horizon will NOT:

  • Provide direct access to authorities without legal process
  • Create backdoors or weaken encryption
  • Disclose encryption keys (unless compelled by court)
  • Voluntarily cooperate beyond legal requirements

Clause 16: Non-Compliance

Breach Notification: If Hashed Horizon cannot comply with SCCs (e.g., due to conflicting laws), we will:

  1. Immediate Notification: Notify you without delay
  2. Suspension: Suspend transfers until compliance can be ensured
  3. Termination Option: You may terminate the DPA without penalty

Sub-processor Non-Compliance: If a Sub-processor cannot comply with SCCs:

  1. Terminate the Sub-processor agreement
  2. Engage an alternative Sub-processor with adequate safeguards
  3. Notify you of the Sub-processor change

Clause 17: Governing Law

SCCs Governed By: The law of an EU Member State that allows third-party beneficiary rights

Choice: The law of the EU Member State where you (Data Controller) are established

Clause 18: Choice of Forum and Jurisdiction

Disputes Under SCCs: Resolved in the courts of the EU Member State specified in Clause 17

Data Subject Litigation: Data Subjects may bring claims in any EEA Member State court

SCC Annexes

Annex I: Data Transfer Details

Module Two (Controller-to-Processor):

A. List of Parties:

  • Data Exporter: You (the Account holder/Data Controller)
  • Data Importer: Hashed Horizon Sp. z o.o.
  • Contact: dpo@hashedhorizon.com

B. Description of Transfer:

  • See Scope of Processing (Scope) of this DPA for:
    • Categories of Data Subjects
    • Categories of Personal Data
    • Special Categories (if authorized)
    • Frequency and nature of Processing
    • Purpose and duration

C. Competent Supervisory Authority:

  • The supervisory authority in your EU Member State

Annex II: Technical and Organizational Measures

See Security Measures (Security Measures) of this DPA for a comprehensive description of:

  • Encryption (TLS 1.3, AES-256)
  • Access controls (RBAC, MFA)
  • Network security (firewalls, DDoS protection)
  • Application security (code review, penetration testing)
  • Organizational measures (training, policies, incident response)

Annex III: Sub-processor List

See Sub-processors (Sub-processors) of this DPA for:

  • Current Sub-processor list
  • Processing activities
  • Locations and transfer safeguards
  • Change notification process

Optional Clauses

The following optional clauses from the SCCs are selected:

  • Clause 7 (Docking): Enabled - Additional parties may accede
  • Clause 11(a) (Independent Dispute Resolution): Not selected - Disputes resolved through courts only
  • Clause 17 (Governing Law): The law of your EU Member State
  • Clause 18 (Jurisdiction): Courts of the Member State selected in Clause 17

Additional Safeguards Beyond SCCs

In addition to SCCs, Hashed Horizon implements supplementary measures:

Technical Measures:

  • End-to-end encryption where feasible
  • Pseudonymization of Personal Data before transfer
  • Data minimization (transfer only necessary data)
  • Secure deletion upon retention period expiration

Organizational Measures:

  • Contractual provisions prohibiting government access without legal process
  • Transparency obligations for government requests
  • Regular Transfer Impact Assessments
  • Data protection training for all personnel

Legal Measures:

  • Challenge unlawful government requests
  • Notify Data Controllers of requests (unless prohibited)
  • Publish transparency reports
  • Engage local legal counsel in third countries

Transfer Impact Assessment (TIA)

Hashed Horizon has conducted Transfer Impact Assessments for all transfers to third countries, evaluating:

  1. Applicable Laws: Laws in destination countries governing government access to Personal Data
  2. Practical Experience: Whether government requests have been received
  3. Safeguards Effectiveness: Whether SCCs and supplementary measures provide essentially equivalent protection
  4. Risks: Likelihood and severity of risks to Data Subjects

TIA Conclusion: Based on current assessments, transfers to Sub-processors with SCCs and supplementary measures provide essentially equivalent protection to GDPR standards.

Ongoing Monitoring: TIAs reviewed annually and whenever legal/factual circumstances change (e.g., new surveillance laws, Schrems III ruling)

SCC Amendment and Updates

Commission Updates: If the European Commission updates or replaces the SCCs:

  1. Hashed Horizon will adopt the new clauses within 90 days
  2. Hashed Horizon will notify you of the changes via email
  3. Hashed Horizon will update this DPA to reflect the new clauses

No Action Required: Continued use of Services constitutes acceptance of updated SCCs

Full SCC Text

The complete Standard Contractual Clauses (Decision 2021/914/EU) are incorporated by reference and available at:

Official EUR-Lex: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

Hashed Horizon Copy: You may request a copy of the SCCs with Annexes completed by emailing dpo@hashedhorizon.com

Language: The English version of the SCCs is authoritative. Translations provided for convenience only.

Order of Precedence

In the event of any conflict or inconsistency between legal documents, the following order of precedence applies (highest to lowest):

  1. Enterprise Addendum - Controls enhanced terms for Enterprise Customers
  2. Data Processing Agreement (DPA) - Controls data processing terms for Business Customers
  3. Order Form (if any) - Controls service-specific terms and pricing
  4. Privacy Policy - Controls personal data processing and privacy rights (for data protection matters)
  5. Terms of Service - Controls general use, liability, and dispute resolution
  6. Cookie Policy - Controls cookie use and consent management

Interpretation Rules:

  • Specific Prevails Over General: More specific provisions prevail over general provisions
  • Later Prevails Over Earlier: In case of amendments, the most recent version prevails
  • Mandatory Law Prevails: Nothing in these documents limits rights granted by mandatory consumer protection, data protection, or other applicable laws

For Business Customers: The DPA and Enterprise Addendum (if applicable) take precedence over consumer-focused provisions in the Terms of Service and Privacy Policy.

For Consumer Customers: Consumer protection laws (GDPR, ePrivacy Directive, national consumer laws) prevail over any conflicting contractual terms.


Effective: 2025-10-25 | Version: 5.0.0