Hudo ← Back to Home

Data Processing Agreement (DPA)

Last updated: December 2024

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Agreement between Hudo.AI ("Processor") and the Customer ("Controller") for the provision of AI marketing services. This DPA sets out the terms that apply when Personal Data is processed by the Processor on behalf of the Controller.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Applicable Data Protection Law" means all applicable laws relating to data protection, including GDPR, CCPA, and other relevant regulations.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor shall process Personal Data on behalf of the Controller for the purpose of providing the AI marketing services as described in the main Agreement.

3.2 Nature of Processing

Processing activities include collection, storage, organization, analysis, use, and deletion of Personal Data as necessary to provide the services.

3.3 Categories of Data Subjects

Personal Data processed may relate to:

  • Controller's employees and authorized users
  • Controller's customers and prospects
  • Controller's business contacts
  • Website visitors and marketing campaign recipients

3.4 Types of Personal Data

Personal Data processed may include:

  • Contact information (name, email, phone number, address)
  • Professional information (job title, company, industry)
  • Online identifiers (IP address, device IDs, cookies)
  • Behavioral data (website interactions, campaign engagement)
  • Any other Personal Data submitted by the Controller

4. Processor Obligations

4.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required by law. The Processor shall inform the Controller if it believes an instruction violates Applicable Data Protection Law.

4.2 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

The Processor shall implement appropriate technical and organizational measures, including:

  • Encryption of Personal Data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Incident detection and response procedures
  • Business continuity and disaster recovery plans
  • Employee training on data protection

4.4 Sub-processors

The Processor shall not engage a Sub-processor without prior written authorization from the Controller. The Processor maintains a list of approved Sub-processors and shall notify the Controller of any intended changes. The Processor shall impose the same data protection obligations on Sub-processors.

4.5 Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

4.6 Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach. The notification shall include all relevant details of the breach and the measures taken to address it.

5. Controller Obligations

The Controller warrants that:

  • It has obtained all necessary consents and legal bases for processing Personal Data
  • It has provided appropriate privacy notices to Data Subjects
  • Its instructions to the Processor comply with Applicable Data Protection Law
  • It will promptly inform the Processor of any relevant Data Subject requests or complaints

6. International Data Transfers

The Processor shall not transfer Personal Data to a country outside the European Economic Area unless appropriate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, or the transfer is to a country deemed adequate by the European Commission.

7. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA. The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to reasonable notice and confidentiality obligations.

8. Data Deletion and Return

Upon termination of the Agreement or upon the Controller's request, the Processor shall, at the Controller's choice, delete or return all Personal Data and delete existing copies unless applicable law requires retention. The Processor shall certify the deletion in writing upon request.

9. Liability

Each party shall be liable for damages caused by Processing that infringes this DPA or Applicable Data Protection Law. The Processor shall be liable for damages caused by Processing only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to the Controller's lawful instructions.

10. Duration

This DPA shall remain in effect for the duration of the main Agreement. The obligations of confidentiality and data protection shall survive termination.

11. Governing Law

This DPA shall be governed by the same law as the main Agreement, unless Applicable Data Protection Law requires otherwise.

12. Contact

For questions regarding this DPA or data protection matters, please contact:

Data Protection Officer: dpo@hudo.ai
General Inquiries: privacy@hudo.ai