Enterprise Addendum to Terms of Service

Effective Date: 2025-10-25

Version: 5.0.0

Document Purpose and Scope

This Enterprise Addendum ("Addendum") supplements and modifies the ThisOne AI Platform Terms of Service ("Consumer Terms") for customers who purchase a Business/Team subscription plan or execute a written Order Form with Hashed Horizon Sp. z o.o. ("Hashed Horizon").

Applicability

This Addendum applies only when you:

  1. Purchase a Business/Team Plan: You subscribe to a Business, Team, or Enterprise pricing tier via our website or sales team, OR
  2. Execute an Order Form: You sign a written Order Form, Master Service Agreement (MSA), or Enterprise Agreement with Hashed Horizon, OR
  3. Explicitly Agree: You click "I Accept" on this Addendum during account setup for a business plan

For Consumer Users: If you use ThisOne AI Platform for personal, non-commercial purposes and have not purchased a Business/Team plan, this Addendum does not apply. The standard Consumer Terms govern your use.

Document Hierarchy and Conflicts

In case of conflict between documents, the order of precedence is:

  1. This Enterprise Addendum (highest priority)
  2. Data Processing Agreement (DPA) (if signed and applicable)
  3. Order Form or MSA (if executed)
  4. Privacy Policy (for data protection matters)
  5. Consumer Terms of Service (as modified by this Addendum)
  6. Cookie Policy (for cookie and tracking disclosures)

Modification Rule: Where this Addendum conflicts with the Consumer Terms, this Addendum prevails. All provisions of the Consumer Terms not explicitly modified by this Addendum remain in full force and effect.

Key Definitions

For purposes of this Enterprise Addendum:

"Business/Team Plan": Any non-consumer subscription tier offered by Hashed Horizon, including plans labeled Business, Team, Enterprise, or similar designations.

"Customer": The business entity or organization that has purchased a Business/Team Plan or executed an Order Form. If you are an individual purchasing on behalf of a company, "Customer" refers to your employing organization.

"End Users": Individuals who access ThisOne AI Platform Services through Customer's account, including Customer's employees, contractors, clients, or other authorized users.

"Order Form": A written agreement executed between Customer and Hashed Horizon specifying pricing, subscription term, custom terms, and other commercial details.

"Service Level Agreement (SLA)": The uptime, availability, and support commitments specified in the "Service Level Agreement (SLA)" section of this Addendum.

"Data Processing Agreement (DPA)": The agreement incorporated by reference in the "Data Processing Agreement Incorporation" section of this Addendum, which governs Hashed Horizon's role as Data Processor for Customer's end-user Personal Data.

What Changes from Consumer Terms

This Addendum modifies the following aspects of the Consumer Terms:

1. Enhanced Service Levels (Service Level Agreement)

  • Uptime Guarantee: 99% uptime target (monthly uptime commitment)

  • Support Response: Priority support with 4-hour target response time (business hours)

  • Service Credits: Downtime credits for SLA breaches

2. Increased Liability Protections (Liability Protections and Caps)

  • Liability Cap: €1000 per incident (vs. €100 for consumers)

  • Alternative Cap: 12 months of fees paid

3. Data Processing Relationship (Data Processing Agreement)

  • Customer Role: Data Controller for end-user Personal Data
  • Hashed Horizon Role: Data Processor acting on Customer's instructions
  • Compliance: GDPR Art. 28 Data Processing Agreement incorporated

5. Enhanced Termination Rights

  • Notice Period: Longer termination notice periods
  • Data Export: Comprehensive data export upon termination
  • Wind-Down Period: Extended wind-down period for service migration

Acceptance and Effective Date

Automatic Acceptance: By purchasing a Business/Team Plan or signing an Order Form, you automatically accept this Enterprise Addendum. No separate signature is required unless specified in an Order Form.

Effective Date: This Addendum becomes effective on the earlier of:

  1. The date you complete purchase of a Business/Team Plan, OR
  2. The "Effective Date" specified in an executed Order Form, OR
  3. The date you click "I Accept" during enterprise account setup

Term: This Addendum remains in effect for the duration of your Business/Team Plan subscription or as specified in an Order Form, plus any renewal terms.

Contact for Enterprise Questions

For questions about this Enterprise Addendum, contact:

Response Time: We respond to enterprise inquiries within 24 business hours (vs. 48-72 hours for consumer support).

Amendments to This Addendum

Material Changes: We will provide at least 60 days advance notice of material changes to this Enterprise Addendum (vs. 30 days for Consumer Terms). Notice will be sent to the administrative email address on your Business/Team account.

Objection Right: If you object to material changes, you may terminate your Business/Team Plan within the notice period and receive a pro-rated refund for unused subscription time.

Order Form Override: If you have an executed Order Form with a specified term, changes to this Addendum do not apply until your Order Form renewal date, unless both parties agree otherwise in writing.


Sections that follow: The remaining sections of this Enterprise Addendum detail specific modifications to the Consumer Terms, including service levels, support commitments, liability protections, data processing obligations, and termination rights.

Service Level Agreement (SLA)

Overview

Hashed Horizon commits to the following Service Level Agreement for Business/Team Plan customers. These commitments replace and supersede any availability or uptime statements in the Consumer Terms.

Uptime Commitment

Monthly Uptime Percentage: 99% uptime target

Measurement Period: Calendar month (12:00 AM UTC on the first day to 11:59 PM UTC on the last day)

Calculation:

Monthly Uptime % = (Total Minutes in Month - Downtime Minutes) / Total Minutes in Month × 100

Excluded Downtime

The following events do not count as Downtime for SLA purposes:

  1. Scheduled Maintenance: Maintenance windows announced at least 48 hours in advance
  2. Emergency Maintenance: Critical security patches or urgent infrastructure updates
  3. Force Majeure: Natural disasters, wars, pandemics, government actions, internet backbone failures
  4. Customer-Caused: Downtime resulting from Customer's actions, configurations, or integrations
  5. Third-Party Services: Failures of Customer's internet service, DNS providers, or other third-party services
  6. Planned Upgrades: Service interruptions for version upgrades or feature rollouts (with 7 days notice)

Scheduled Maintenance Windows

Maximum Frequency: Once per month

Maximum Duration: 4 hours per maintenance window

Timing: Non-peak hours (typically Saturday 12:00 AM - 4:00 AM UTC)

Advance Notice: Minimum 48 hours via email to administrative contact

Support Response Times

Support Level: Priority support with 4-hour target response time (business hours)

| Priority Level | Target Response Time | Availability | Support Channels |
| --- | --- | --- | --- |
| P1 - Critical (Service down, data loss risk) | 4 hours | Business hours (weekdays 9am-6pm CET) | Email, Live Chat, Dedicated Slack |
| P2 - High (Major feature unavailable, significant performance degradation) | 8 hours | Business hours | Email, Live Chat, Dedicated Slack |
| P3 - Medium (Feature partially unavailable, minor performance issues) | 12 hours | Business hours | Email, Support Portal |
| P4 - Low (General questions, feature requests, documentation) | 24 hours | Business hours | Email, Support Portal |

Target Response Times: These are best-effort targets, not guaranteed SLAs. We make commercially reasonable efforts to meet these targets but do not guarantee response times or issue service credits for delays.

Business Hours: Monday-Friday, 9:00 AM - 6:00 PM Central European Time (CET)

After-Hours: Issues reported outside business hours begin processing on the next business day

Service Credits

If Hashed Horizon fails to meet the Monthly Uptime Percentage commitment, Customer is eligible for Service Credits as follows:

| Monthly Uptime Percentage | Service Credit (% of Monthly Subscription Fee) |
| --- | --- |
| < 99% but ≥ 98% | 10% |
| < 98% but ≥ 95% | 15% |
| < 95% | 25% |

Maximum Service Credit: Up to 25% of monthly subscription fees per billing cycle.

Claiming Service Credits

Request Deadline: Customer must request Service Credits within 30 days of the end of the affected calendar month.

Request Method: Submit via Enterprise Support Portal or email to support@hashedhorizon.com with subject "SLA Service Credit Request - [Month/Year]"

Required Information:

  • Account name and subscription ID
  • Affected calendar month
  • Description of Downtime events (dates/times in UTC)
  • Impact on Customer's operations

Credit Issuance: Service Credits will be applied to Customer's next monthly invoice within 15 business days of approval. Credits cannot be refunded as cash.

Maximum Credits: Total Service Credits in any 12-month period cannot exceed 100% of Customer's total subscription fees paid during that period.

Performance Metrics

In addition to uptime, Hashed Horizon commits to the following performance targets:

AI Processing Performance

| Metric | Target | Measurement |
| --- | --- | --- |
| API Response Time (median) | < 2 seconds | 95th percentile |
| Image Processing Time | < 10 seconds | 95th percentile |
| Batch Processing Throughput | ≥ 100 images/minute | Average |
| API Rate Limit | 1,000 requests/minute (per account) | Rolling 60-second window |

Infrastructure Performance

| Metric | Target | Measurement |
| --- | --- | --- |
| API Availability | 99% uptime target | Monthly |
| Page Load Time (web UI) | < 3 seconds | 95th percentile |
| Data Replication Lag | < 5 minutes | Maximum |
| Backup Success Rate | 100% | Daily backups |

Monitoring and Transparency

Incident Notifications: Automatic notifications for service incidents via:

  • Email to administrative contacts

  • SMS to designated on-call contacts (P1 incidents only)

  • Dedicated Slack channel (if integrated)

Historical Uptime: Monthly uptime reports available in Enterprise Dashboard within 5 business days of month end

Quarterly Business Reviews: For customers on annual contracts, quarterly reviews including:

  • Service performance metrics
  • Incident post-mortems
  • Feature roadmap updates
  • Optimization recommendations

Remedies and Limitations

Exclusive Remedy: Service Credits are Customer's sole and exclusive remedy for Hashed Horizon's failure to meet the SLA commitments.

No Stacking: Service Credits do not stack with other refund or credit provisions in the Consumer Terms or this Addendum.

Good Faith Requirement: Hashed Horizon will use commercially reasonable efforts to meet or exceed SLA commitments but does not guarantee uninterrupted or error-free service.

Third-Party Dependencies: SLA commitments do not cover performance issues caused by:

  • Third-party API providers (OpenAI, Google AI, etc.)
  • Cloud infrastructure providers (AWS, Vercel, etc.)
  • Customer's network or internet service provider
  • DDoS attacks or other malicious activity beyond Hashed Horizon's reasonable control

Contact for SLA Issues

Incident Reporting: Report service availability issues via:

  • Emergency Phone: Provided during onboarding
  • Email: support@hashedhorizon.com with subject "P1 - Service Down"
  • Enterprise Support Portal (Priority P1 ticket)

SLA Questions: Contact your Customer Success Manager or email support@hashedhorizon.com with subject "SLA Question"

Response Time: Acknowledgment of SLA-related inquiries within 1 business hour during business hours, 4 hours during off-hours.

Liability Protections and Caps

Overview

This section modifies and supersedes the liability limitations in the "Limitation of Liability" section of the Consumer Terms to provide enhanced protections appropriate for enterprise use of ThisOne AI Platform Services.

Increased Liability Caps

Hashed Horizon's total aggregate liability to Customer for all claims arising from or related to this Addendum, the Consumer Terms, or use of the Services is capped at:

Primary Cap: €1000 per incident

Definition of "Incident"

For purposes of these liability limitations, an "Incident" means a single technical or security event with a common root cause, regardless of duration, number of users affected, or number of complaints received.

Example: If our database experiences an outage affecting 1,000 Enterprise customers for 6 hours, this constitutes one Incident, not 1,000 separate incidents, for liability calculation purposes.

Aggregate Annual Liability Cap

Notwithstanding the per-Incident cap above, Hashed Horizon's total aggregate liability to all Business Users combined for all claims arising from all Incidents in any 12-month period shall not exceed:

Aggregate Cap: €10000

Description: Total aggregate liability to all Enterprise customers for all non-breach claims arising from all Incidents in any 12-month period (excluding data breach claims, which are subject to a separate breach cap)

Rationale: This aggregate cap protects Hashed Horizon from catastrophic liability exposure during widespread system failures affecting multiple customers simultaneously. This cap applies to non-breach claims only; data breach claims are subject to a separate €10000 per-breach cap. Once this aggregate cap is reached in any 12-month period, no additional liability will be incurred for that period for non-breach claims.

Period Calculation: Each 12-month period is calculated on a rolling basis from the date of the first claim in that period.

Custom Enterprise Agreements: Higher liability limits are available through custom Enterprise agreements. Contact support@hashedhorizon.com to discuss your specific liability requirements and negotiate custom terms tailored to your business needs.

Comparison to Consumer Terms

| Customer Type | Liability Cap | Basis |
| --- | --- | --- |
| Enterprise (this Addendum) | €1000 per incident | Commercial use justification |
| Consumer (Consumer Terms) | €100 total OR 12 months of fees paid (if higher) | Nominal consumer use |

Exceptions to Liability Caps

The liability caps above do not apply to the following categories of claims, for which Hashed Horizon's liability is unlimited:

1. Data Breaches and Security Incidents

Capped at €10000 per data breach Incident: Maximum liability for GDPR data protection violations per data breach Incident, regardless of the number of users affected.

Rationale: This recognizes the serious nature of data breaches while providing operational protection for startups. The cap applies per data breach Incident (as defined above), not per affected user.

Included Damages:

  • Regulatory fines and penalties (GDPR, CCPA, etc.)
  • Notification costs to affected data subjects
  • Credit monitoring services
  • Forensic investigation costs
  • Legal fees defending against regulatory actions

Conditions:

  • Breach must result from Hashed Horizon's failure to implement reasonable security measures
  • Customer must have complied with its obligations under the DPA
  • Customer must provide timely notice and cooperate with Hashed Horizon's investigation

2. Intellectual Property Indemnification

No Cap: Hashed Horizon's obligation to indemnify Customer against third-party IP infringement claims (Intellectual Property Indemnification below) is not subject to the liability cap.

Covered Claims:

  • Patent infringement claims related to ThisOne AI Platform Services
  • Copyright infringement (excluding Customer's uploaded content)
  • Trade secret misappropriation
  • Trademark infringement by Hashed Horizon marks or branding

3. Willful Misconduct and Gross Negligence

No Cap: Claims arising from Hashed Horizon's intentional wrongdoing, fraud, gross negligence, or willful violation of law.

Examples:

  • Intentional deletion of Customer data
  • Willful breach of confidentiality obligations
  • Fraud in billing or service delivery
  • Knowing violation of GDPR or other data protection laws

4. Death or Personal Injury

No Cap: Claims for death or personal injury caused by Hashed Horizon's negligence (as required by law in many jurisdictions).

5. Indemnification Obligations

No Cap: Hashed Horizon's indemnification obligations under Sections 4 (IP Indemnification) and 5 (Data Breach Indemnification) are not subject to the general liability cap.

Types of Damages Covered

Subject to the caps and exceptions above, Hashed Horizon's liability includes:

Direct Damages (Covered)

Included:

  • Cost of replacement or alternative services during outages
  • Lost subscription fees due to service unavailability
  • Cost of data recovery or restoration
  • Reasonable costs to mitigate service disruptions

Calculation: Based on actual, documented costs incurred by Customer

Consequential Damages (Excluded)

Excluded (except in cases of gross negligence or willful misconduct):

  • Lost profits, revenue, or business opportunities
  • Loss of goodwill or reputation
  • Cost of procuring substitute goods or services (beyond direct replacement costs)
  • Downtime losses not directly tied to service fees
  • Indirect, incidental, special, or punitive damages

Rationale: Consequential damages are inherently unpredictable and could result in liability disproportionate to subscription fees paid.

Intellectual Property Indemnification

Hashed Horizon will defend Customer against third-party claims that ThisOne AI Platform Services infringe or misappropriate third-party intellectual property rights, and will indemnify Customer for damages and costs awarded (subject to conditions below).

Covered Claims

Infringement Types:

  • Patents (utility and design patents issued in the USA or EU)
  • Copyrights (Hashed Horizon-created software, documentation, UI/UX)
  • Trade secrets (Hashed Horizon's proprietary technology)
  • Trademarks (Hashed Horizon and ThisOne AI Platform marks)

Geographic Scope: USA, EU member states, UK, and Customer's country of primary operations (as specified in Order Form)

Excluded Claims

Hashed Horizon has no indemnification obligation for claims arising from:

  1. Customer Modifications: Modifications to Services made by Customer or third parties
  2. Customer Content: Infringement by content uploaded, created, or processed by Customer or end users
  3. Combination Use: Use of Services in combination with non-Hashed Horizon products, if infringement would not occur but for the combination
  4. Non-Compliance: Customer's failure to use the latest version of Services when updates were provided to avoid infringement
  5. Unauthorized Use: Use of Services in violation of the Consumer Terms or this Addendum

Customer Obligations

To receive indemnification, Customer must:

  1. Prompt Notice: Notify Hashed Horizon in writing within 10 business days of receiving an infringement claim
  2. Control: Grant Hashed Horizon sole control of defense and settlement
  3. Cooperation: Provide reasonable assistance and information at Hashed Horizon's expense
  4. No Admissions: Not admit liability or settle the claim without Hashed Horizon's written consent

Hashed Horizon Remedies

If Services are or may become subject to an infringement claim, Hashed Horizon may (at its option):

  1. Obtain Rights: Procure the right for Customer to continue using Services
  2. Replace: Replace infringing component with non-infringing alternative
  3. Modify: Modify Services to make them non-infringing while maintaining substantially equivalent functionality
  4. Terminate & Refund: If none of the above are commercially reasonable, terminate Customer's subscription and refund pro-rated fees for unused service period

Customer Election: If multiple remedies are feasible, Customer may choose its preferred remedy (1, 2, or 3) over termination.

Data Breach Indemnification

Hashed Horizon will indemnify Customer for third-party claims arising from data breaches caused by Hashed Horizon's failure to maintain reasonable security measures as specified in the DPA.

Covered Losses

Included:

  • Regulatory fines and penalties (GDPR Art. 83, CCPA § 1798.155, etc.)
  • Mandatory notification costs to data subjects
  • Credit monitoring or identity theft protection services
  • Legal fees defending against regulatory enforcement actions
  • Third-party claims by affected data subjects

Conditions:

  1. Breach resulted from Hashed Horizon's negligence or failure to implement DPA security measures
  2. Customer complied with its obligations as Data Controller (lawful basis, privacy notices, etc.)
  3. Customer cooperated with Hashed Horizon's incident response

Excluded Losses

Not Covered:

  • Breaches caused by Customer's employees, contractors, or end users
  • Breaches resulting from Customer's failure to implement required security (MFA, access controls, etc.)
  • Regulatory fines for Customer's own GDPR violations unrelated to the breach
  • Damages for Customer's own reputational harm or business losses

Limitation Period and Statute of Limitations

Claims Deadline: All claims under this Addendum must be brought within 2 years from the date the claim accrues (when Customer knew or should have known of the claim basis).

Extension for Latent Defects: For claims related to data breaches or security vulnerabilities not reasonably discoverable, the limitation period begins when Customer actually discovers or reasonably should have discovered the issue.

Jurisdictional Override: If applicable law requires a longer statute of limitations, that longer period applies.

Allocation of Risk and Insurance

Risk Allocation: The liability caps reflect the allocation of risk between parties. Customer acknowledges that the subscription fees are set in reliance on these limitations.

Customer Insurance: Customer is encouraged to obtain appropriate business insurance covering:

  • Cyber liability and data breach coverage
  • Business interruption insurance
  • Errors and omissions (E&O) insurance

Hashed Horizon Insurance: Hashed Horizon maintains appropriate cyber liability insurance. Certificate of insurance may be available upon request for qualifying enterprise contracts.

Contact for Liability Questions

Legal Claims: support@hashedhorizon.com with subject "Legal Claim - [Nature of Claim]"

Insurance Inquiries: support@hashedhorizon.com with subject "Insurance Certificate Request"

IP Indemnification: support@hashedhorizon.com with subject "IP Indemnification Claim"


Note: This section modifies Consumer Terms "Limitation of Liability" and "Disclaimers and Warranties" sections to provide enhanced protections appropriate for commercial enterprise use. All other provisions of those sections remain applicable except as explicitly modified herein.

Data Processing Agreement Incorporation

Controller-Processor Relationship

When Customer uses ThisOne AI Platform Services to process end-user Personal Data (data belonging to Customer's clients, employees, or other third parties), the following data processing relationship applies:

| Party | Role | Responsibilities |
| --- | --- | --- |
| Customer | Data Controller | Determines purposes and means of processing end-user Personal Data; ensures lawful basis; handles data subject rights requests |
| Hashed Horizon | Data Processor | Processes end-user Personal Data ONLY as instructed by Customer in the DPA; maintains security; assists with data subject requests |

Key Distinction: This Controller-Processor relationship applies only to end-user Personal Data that Customer processes through ThisOne AI Platform Services. For Customer's own company data (employee accounts, billing information, etc.), Hashed Horizon remains the Data Controller per our Privacy Policy.

Data Processing Agreement (DPA)

Incorporation by Reference

Hashed Horizon's Data Processing Agreement (GDPR Art. 28 compliant) is incorporated by reference into this Enterprise Addendum and forms a binding part of the agreement between parties.

DPA Version: 1.0.0

DPA Effective Date:

Access: View complete DPA at /legal/dpa

Automatic Application

The DPA applies automatically when:

  1. Customer purchases a Business/Team Plan, AND
  2. Customer processes end-user Personal Data through ThisOne AI Platform Services

No Separate Signature Required: By purchasing a Business/Team Plan and processing end-user Personal Data, Customer agrees to the DPA. No separate DPA execution is required unless Customer specifically requests a custom DPA.

DPA Key Provisions

The incorporated DPA includes:

1. Subject Matter and Duration (DPA Parties to Agreement)

Subject Matter: Processing of end-user Personal Data through ThisOne AI Platform AI processing, image storage, and related services

Duration: For the term of Customer's Business/Team Plan subscription, plus any wind-down period

Nature of Processing:

  • AI-powered image processing (enhancement, generation, editing)
  • Cloud storage of uploaded images and AI outputs
  • Metadata processing (file names, timestamps, processing parameters)
  • Usage analytics related to end-user activity

Categories of Data Subjects: Customer's end users (clients, employees, customers, or other third parties using ThisOne AI Platform through Customer's account)

Types of Personal Data:

  • End-user account information (if Customer creates sub-accounts)

  • Images uploaded by end users (may contain faces, locations, metadata)

  • AI prompts and generation parameters

  • Processing history and preferences

  • Technical data (IP addresses, device information, timestamps)

2. Customer Obligations as Controller (DPA Scope of Processing)

Customer warrants that:

  • It has a lawful basis for processing end-user Personal Data (consent, contract, legitimate interest, etc.)
  • It has provided adequate privacy notices to end users about Hashed Horizon acting as processor
  • It will handle data subject rights requests (access, deletion, portability) from end users
  • It has obtained any required consent for using AI processing on end-user data
  • It will conduct Data Protection Impact Assessments (DPIAs) if required for high-risk processing

Example Privacy Notice Language (for Customer to use):

"We use ThisOne AI Platform, provided by Hashed Horizon, to process your images using AI technology. Hashed Horizon acts as our data processor and processes your images only as instructed by us. For more information about Hashed Horizon's data processing practices, see their Privacy Policy."

3. Hashed Horizon Obligations as Processor (DPA Processing Instructions)

Hashed Horizon commits to:

  • Process ONLY as instructed: We process end-user Personal Data only as documented in the DPA and Customer's service configuration

  • Confidentiality: Our employees and subprocessors are bound by confidentiality obligations

  • Security: We implement appropriate technical and organizational measures (GDPR Art. 32):

    • Encryption in transit (TLS 1.3) and at rest (AES-256)
    • Role-based access controls and audit logging
    • Regular security assessments and penetration testing
  • Subprocessor Management: Notify Enterprise Customer of material subprocessor changes with 14 days' advance notice and allow objections (DPA Sub-processors)

  • Data Subject Assistance: Assist Customer with data subject rights requests within 72 hours (DPA Data Subject Rights Assistance)

  • Breach Notification: Notify Customer of Personal Data breaches within 24 hours (GDPR Art. 33)

  • Data Deletion: Delete or return Personal Data upon contract termination or Customer instruction (DPA Termination and Data Return)

  • Audit Rights: Allow Customer audits and provide information for compliance verification (DPA Audit Rights)

4. Subprocessors (DPA Sub-processors)

Hashed Horizon engages the following subprocessors to provide the Services:

Google Cloud AI (Gemini)
  • Purpose: AI photo conversion and enhancement
  • Location: EU/USA
  • Safeguards: Data Processing Agreement with GDPR-equivalent protections
  • DPA: Google Cloud AI (Gemini) DPA
Vercel
  • Purpose: Application hosting and CDN
  • Location: EU
  • Safeguards: Data Processing Agreement with GDPR-equivalent protections
  • DPA: Vercel DPA
Neon
  • Purpose: PostgreSQL database hosting
  • Location: EU
  • Safeguards: Data Processing Agreement with GDPR-equivalent protections
  • DPA: Neon DPA
Sentry
  • Purpose: Error tracking and crash diagnostics
  • Location: EU/USA
  • Safeguards: Data Processing Agreement with GDPR-equivalent protections
  • DPA: Sentry DPA
Stripe
  • Purpose: Payment processing and subscription management
  • Location: EU/USA
  • Safeguards: Data Processing Agreement with GDPR-equivalent protections
  • DPA: Stripe DPA
Apple (App Store / Apple Pay)
  • Purpose: iOS in-app purchases and Apple Pay transactions
  • Location: USA
  • Safeguards: Data Processing Agreement with GDPR-equivalent protections
  • DPA: Apple (App Store / Apple Pay) DPA
Google (Play Store / Google Pay)
  • Purpose: Android in-app purchases and Google Pay transactions
  • Location: USA
  • Safeguards: Data Processing Agreement with GDPR-equivalent protections
  • DPA: Google (Play Store / Google Pay) DPA

Change Notification: Hashed Horizon will notify you of material Subprocessor changes:

  • Enterprise Customers: At least 14 days advance notice via email to administrative contact
  • Consumer Customers: Updated subprocessor list available on our DPA page

Emergency Changes: In cases of security incidents, service discontinuation, or legal requirements, we may change Subprocessors with shorter notice (minimum 24 hours).

Objection Right: Enterprise Customer may object to new subprocessors on reasonable grounds related to data protection. If objection is reasonable and Hashed Horizon cannot provide an alternative, Customer may terminate the subscription with 30 days' written notice. We are not obligated to provide migration assistance or maintain alternative subprocessors for objecting customers.

5. International Data Transfers (DPA Security Measures)

Transfer Safeguards: Hashed Horizon ensures appropriate safeguards for international data transfers as required by GDPR Art. 44-50. Contact dpo@hashedhorizon.com for details on specific transfer mechanisms.

6. Data Subject Rights Assistance (DPA Data Subject Rights Assistance)

When Customer receives a data subject rights request from an end user, Hashed Horizon will assist by:

| Request Type | Hashed Horizon Assistance | Response Time |
| --- | --- | --- |
| Access (Art. 15) | Provide copy of end-user data in machine-readable format (JSON/CSV) | 72 hours |
| Rectification (Art. 16) | Update or correct end-user data as instructed by Customer | 48 hours |
| Erasure (Art. 17) | Delete all end-user Personal Data and confirm deletion | 48 hours |
| Portability (Art. 20) | Export end-user data in JSON format | 72 hours |
| Restriction (Art. 18) | Mark end-user data for restricted processing only | 48 hours |
| Objection (Art. 21) | Stop processing end-user data (except for legal compliance) | Immediate |

Request Process:

  1. Customer receives data subject request from end user
  2. Customer submits assistance request via Enterprise Support Portal or email to dpo@hashedhorizon.com
  3. Hashed Horizon provides requested data or takes requested action within stated timeframe
  4. Customer fulfills data subject request using Hashed Horizon-provided information

Important: Hashed Horizon will not respond directly to end users. All communication with data subjects is Customer's responsibility as the Data Controller.

7. Data Breach Notification (DPA Data Breach Notification)

In the event of a Personal Data breach affecting end-user data processed on Customer's behalf:

Hashed Horizon Obligations:

  • Immediate Detection: Continuous monitoring and alerting for security incidents
  • Rapid Notification: Notify Customer within 24 hours of becoming aware of breach
  • Detailed Information: Provide nature of breach, affected data categories, estimated number of data subjects, likely consequences, and mitigation measures
  • Ongoing Updates: Continue to inform Customer as investigation progresses
  • Cooperation: Assist Customer with breach notification to supervisory authorities and data subjects (GDPR Art. 33-34)

Customer Obligations:

  • Supervisory Authority Notification: Notify relevant supervisory authority within 72 hours of awareness (GDPR Art. 33)
  • Data Subject Notification: Notify affected end users if high risk to their rights and freedoms (GDPR Art. 34)
  • Documentation: Maintain records of breaches and notifications per GDPR Art. 33(5)

Not Considered Breaches (no notification required):

  • Unsuccessful breach attempts (blocked by security controls)
  • Data not actually accessed or exfiltrated
  • Data rendered unintelligible due to encryption (encrypted backups)

8. Audit Rights (DPA Audit Rights)

Customer has the right to audit Hashed Horizon's compliance with the DPA:

Audit Options:

  1. SOC 2 Type II Report: Hashed Horizon provides annual SOC 2 Type II audit report upon request (under NDA)
  2. ISO 27001 Certification: Hashed Horizon maintains ISO 27001 certification; certificates available upon request
  3. Third-Party Audit: Customer may engage independent auditor (at Customer's expense, maximum once per year) with 30 days' notice
  4. Questionnaire: Annual data protection questionnaire completed by Hashed Horizon covering DPA compliance

Audit Scope: Audits may cover processing activities, security measures, subprocessor management, and data breach procedures.

Confidentiality: Auditors must sign Hashed Horizon's standard NDA before accessing facilities or systems.

Costs: Hashed Horizon does not charge for providing SOC 2 reports or questionnaires. Third-party audits are at Customer's expense.

9. Data Deletion and Return (DPA Termination and Data Return)

Upon termination or expiration of Customer's Business/Team Plan:

Customer's Choice:

  1. Return Data: Hashed Horizon returns all end-user Personal Data in JSON format within 30 days
  2. Delete Data: Hashed Horizon deletes all end-user Personal Data within 30 days and provides written certification of deletion

Retention Exception: Hashed Horizon may retain data only if required by applicable law (e.g., tax records for 7 years). Customer will be notified of any legally mandated retention.

Backup Deletion: Data in encrypted backups will be deleted within 90 days following standard backup rotation cycles.

No Access After Termination: Customer loses access to Services immediately upon termination; data export should be requested before termination date.

Custom DPA Terms

Negotiation Option: Customers with annual contracts exceeding €50.000 may request custom DPA terms including:

  • Custom data localization (EEA-only, USA-only, etc.)
  • Enhanced security measures (dedicated infrastructure, advanced encryption)
  • Custom audit rights or reporting frequencies
  • Specific subprocessor restrictions

Process: Contact support@hashedhorizon.com with subject "Custom DPA Request" to begin negotiation.

DPA Questions and Updates

DPA Questions: dpo@hashedhorizon.com with subject "DPA Question"

DPA Updates: Material changes to the DPA will be notified 60 days in advance. Customer may object to changes and terminate if changes are unacceptable.

Latest DPA Version: Always available on our DPA page

Order of Precedence

In the event of any conflict or inconsistency between legal documents, the following order of precedence applies (highest to lowest):

  1. Enterprise Addendum - Controls enhanced terms for Enterprise Customers
  2. Data Processing Agreement (DPA) - Controls data processing terms for Business Customers
  3. Order Form (if any) - Controls service-specific terms and pricing
  4. Privacy Policy - Controls personal data processing and privacy rights (for data protection matters)
  5. Terms of Service - Controls general use, liability, and dispute resolution
  6. Cookie Policy - Controls cookie use and consent management

Interpretation Rules:

  • Specific Prevails Over General: More specific provisions prevail over general provisions
  • Later Prevails Over Earlier: In case of amendments, the most recent version prevails
  • Mandatory Law Prevails: Nothing in these documents limits rights granted by mandatory consumer protection, data protection, or other applicable laws

For Business Customers: The DPA and Enterprise Addendum (if applicable) take precedence over consumer-focused provisions in the Terms of Service and Privacy Policy.

For Consumer Customers: Consumer protection laws (GDPR, ePrivacy Directive, national consumer laws) prevail over any conflicting contractual terms.