Data Processing Agreement

This DPA applies when Hyperleap AI processes Personal Data on behalf of the Customer through the provision of its AI chatbot and automation platform (“Services”).

Hyperleap AI acts as a Processor when processing end-user data submitted through Customer's chatbots (conversations, leads, contact information).

Hyperleap AI acts as a Controller for its own operational data, including Customer account information, billing data, and usage analytics (where consent has been given).

The Processor shall only process Personal Data:

• As instructed by the Controller through the use of the Services
• For the purpose of providing, maintaining, and improving the Services
• In accordance with applicable data protection laws, including GDPR, DPDP Act (India), and CCPA
• As required by applicable law, in which case the Processor shall inform the Controller unless prohibited

The Processor implements appropriate technical and organizational measures, including:

• Encryption in transit: TLS 1.2+ for all data transmission
• Encryption at rest: AES-256 for stored data
• Access controls: Role-based access with multi-factor authentication
• Network security: Firewalls, intrusion detection, and DDoS protection
• Regular audits: Periodic security assessments and vulnerability scanning
• Incident response: Documented procedures for security incident handling
• Employee training: Regular data protection training for all staff

The Controller authorizes the use of sub-processors listed at /subprocessors.

The Processor will notify the Controller 30 days before adding new sub-processors or making material changes. The Controller may object to changes by contacting legal@hyperleap.ai within the notice period.

The Processor ensures that all sub-processors are bound by data protection obligations no less protective than those in this DPA.

Personal Data is primarily processed and stored in India on Microsoft Azure infrastructure. Some sub-processors may process data in other jurisdictions (see /subprocessors).

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor ensures appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms governing the transfer of Personal Data to third countries, as set out in Commission Implementing Decision (EU) 2021/914.
• Technical safeguards: Encryption in transit (TLS 1.2+) and at rest (AES-256) for all Personal Data, regardless of processing location.
• Access controls: Strict role-based access with multi-factor authentication, ensuring only authorized personnel can access Personal Data.
• Sub-processor obligations: All sub-processors are contractually bound to equivalent data protection standards.

The Controller may request a copy of the applicable Standard Contractual Clauses by contacting legal@hyperleap.ai.

The Processor will assist the Controller in responding to Data Subject requests, including:

• Right of access (Article 15)
• Right to rectification (Article 16)
• Right to erasure (Article 17)
• Right to restriction of processing (Article 18)
• Right to data portability (Article 20)
• Right to object (Article 21)

The Processor provides tools within the Services for the Controller to manage Data Subject requests. For requests that cannot be fulfilled through the Services, the Processor will provide reasonable assistance within 30 days.

The Processor will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach that affects the Controller's data.

The notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

Upon termination of the Services or at the Controller's request, the Processor will:

• Delete or return all Personal Data processed on behalf of the Controller within 30 days
• Delete existing copies unless retention is required by applicable law
• Provide written confirmation of deletion upon request

The Controller may export their data at any time through the platform's built-in export features or by contacting support.

The Controller may audit the Processor's compliance with this DPA once per year with 30 days' written notice.

The Processor will provide all information reasonably necessary to demonstrate compliance and allow for and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller.

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

The Processor will indemnify the Controller for any damages directly resulting from the Processor's breach of this DPA or applicable data protection law, subject to the liability cap in the Terms of Service.