Hopx Data Processing Agreement (DPA)
Effective date: upon Customer's acceptance of the Hopx Terms of Service
Parties: Customer ("Client") and Bunnyshell Inc. ("Hopx", "Processor", "we", "us", "our")
This DPA supplements and forms part of the Hopx Terms of Service (the "Agreement"). If there is any conflict between this DPA and the Agreement, this DPA controls; if there is any conflict between this DPA and the Standard Contractual Clauses (SCCs), the SCCs control.
1. Definitions
Applicable Data Protection Law means all applicable privacy, data protection, and cybersecurity laws, rules, and regulations, including: the EU GDPR (Reg. 2016/679); the UK GDPR and UK Data Protection Act 2018; the Swiss FADP; the CCPA/CPRA and other U.S. state privacy laws; and any binding guidance from competent authorities.
Client Personal Data means Personal Data processed by Hopx on behalf of Client under the Agreement.
Controller / Processor (or Business / Service Provider) have the meanings given in Applicable Data Protection Law.
Personal Data means any information relating to an identified or identifiable natural person (or equivalent under Applicable Data Protection Law).
Processing means any operation performed on Personal Data.
Security Incident means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Personal Data.
SCCs means:
- EU SCCs: Commission Implementing Decision (EU) 2021/914 (Module 2: Controller→Processor), as amended/replaced; and
- UK Addendum: ICO International Data Transfer Addendum (21 March 2022), as amended/replaced.
Subprocessor means any subcontractor engaged by Hopx to Process Client Personal Data.
2. Roles; Scope; Instructions
2.1 Roles. For Client Personal Data, Client is the Controller/Business and Hopx is the Processor/Service Provider.
2.2 Scope & Purpose. Hopx will Process Client Personal Data solely to provide, secure, support, and improve the Services for Client under the Agreement (e.g., code execution in sandboxes, storage, networking, logging, support, billing, security and availability), and in accordance with Client's documented instructions (this DPA, the Agreement, and Client-configured settings).
2.3 Restrictions. Hopx will not:
- sell or share Client Personal Data (as "sell/share" may be defined by U.S. laws);
- use Client Personal Data for targeted advertising or cross-context behavioral advertising;
- combine Client Personal Data with personal data from other customers or Hopx's own data, except as permitted by law to detect security incidents or improve service integrity without building customer profiles inconsistent with this DPA;
- Process Client Personal Data for any purpose other than providing the Services or as required by law.
2.4 Deidentified Data. If Hopx receives or generates deidentified data, Hopx will not reidentify it and will maintain it in deidentified form as required by law.
2.5 Client Responsibilities. Client is responsible for (i) the accuracy, quality, and lawfulness of Client Personal Data and the means by which it was obtained; (ii) establishing a legal basis and providing any required notices; (iii) honoring Data Subject Requests within Client's systems where applicable; and (iv) not instructing Hopx to Process categories of data that the Agreement prohibits (e.g., Sensitive Personal Data, unless expressly agreed in writing).
3. Compliance; Conflicting Instructions
Hopx shall comply with Applicable Data Protection Law. If Hopx reasonably believes an instruction violates law or the Agreement, Hopx will notify Client and may suspend such instruction pending clarification.
4. Subprocessors
4.1 Authorization. Client authorizes Hopx to use Subprocessors to provide the Services. Hopx remains responsible for each Subprocessor's performance of data-protection obligations.
4.2 Requirements. Hopx will enter into written agreements with Subprocessors imposing data-protection obligations no less protective than those in this DPA.
4.3 List & Updates. Hopx maintains a current list of Subprocessors (and locations) at https://hopx.ai/legal/subprocessors. Hopx will provide notice of material changes as described there. If Client has a reasonable, documented data-protection objection to a new Subprocessor, the parties will discuss in good faith; if unresolved, Client may terminate the affected Services as its sole remedy.
5. International Transfers
5.1 Mechanisms. Where Hopx's Processing involves a restricted transfer of Client Personal Data, the SCCs (Module 2) and, if applicable, the UK Addendum (together, "Transfer Mechanisms") apply and are incorporated by reference. The SCCs will be completed as set out in Exhibit A (Annex I), Exhibit B (Annex II TOMs), and Exhibit C (Subprocessors/Annex III).
5.2 Swiss FADP. References to "Member State" and "EU" will be read to include Switzerland; Swiss data subjects may bring claims in Switzerland per SCC Clause 18(c).
5.3 Other Jurisdictions. For other restricted transfers, Hopx and Client will cooperate in good faith to implement appropriate safeguards (e.g., SCCs, addenda, local model clauses, or other lawful mechanisms).
6. Security; Confidentiality
6.1 Technical & Organizational Measures (TOMs). Hopx will implement and maintain appropriate TOMs described in Exhibit B, considering the nature, scope, context, and purposes of Processing and the risks to individuals.
6.2 Confidentiality. Hopx ensures personnel (including Subprocessors) with access to Client Personal Data are bound by confidentiality and receive appropriate security and privacy training.
6.3 Certifications & Audits. Hopx operates an ISMS aligned with SOC 2 and ISO/IEC 27001. Upon request and under NDA, Hopx will make available third-party audit reports/certificates or summaries sufficient to demonstrate compliance. These materials satisfy Client's audit rights to the extent permitted by law. On-site inspections are permitted only if required by law and after the parties agree on scope, duration, and reimbursement of Hopx's reasonable costs.
7. Security Incidents
Hopx will notify Client without undue delay after becoming aware of a Security Incident affecting Client Personal Data. Such notice may include available details on the nature of the incident, categories of data affected, likely consequences, measures taken or proposed to address it, and recommended steps for Client. Notification may be delayed if law enforcement so requests or if delay is reasonably necessary for containment and investigation. Hopx will cooperate with Client's reasonable requests to meet applicable breach-notification obligations.
8. Assistance
Taking into account the nature of Processing and Hopx's access to information, Hopx will provide reasonable assistance to Client to:
(a) respond to Data Subject Requests;
(b) perform DPIAs and prior consultations with authorities; and
(c) demonstrate compliance and security obligations.
Where such assistance is not included in standard Services and imposes significant burden, Hopx may charge reasonable, documented time-and-materials fees unless required by law or caused by Hopx's breach.
9. Return and Deletion
At termination/expiry of the Agreement or upon Client request, Hopx will delete or return Client Personal Data (at Client's election) and delete existing copies, unless retention is required by law (in which case Hopx will continue to protect the data per this DPA and law). Deletion timelines follow Hopx's standard secure-deletion schedules and backup cycles.
10. Third-Party Requests
Unless legally prohibited, Hopx will promptly notify Client of any lawful request, inquiry, or order from a government or third party seeking disclosure of Client Personal Data, and will limit disclosure to what is legally required after complying with this DPA.
11. Liability; Fines
Each party is responsible for fines imposed directly on it by a supervisory authority. Hopx's liability remains subject to the limitations in the Agreement, except to the extent prohibited by Applicable Data Protection Law.
12. Miscellaneous
If any provision of this DPA is held invalid, the remainder remains in force. This DPA may be executed or accepted electronically. No separate signature is required—acceptance of the Terms of Service binds this DPA.
Exhibit A — SCCs Annex I (Description of Processing)
A. Parties
Data exporter (Controller):
Name: The Customer accepting the Hopx Terms of Service
Address / Contact: As provided in the Customer account/admin console
Role: Controller/Business
Activities: Use of the Services under the Agreement
Data importer (Processor):
Name: Bunnyshell Inc.
Address: 2093 PHILADELPHIA PIKE #6991, CLAYMONT, DE 19703
Contact: privacy@hopx.ai
Role: Processor/Service Provider
Activities: Provision and support of the Services under the Agreement
B. Description
Categories of Data Subjects: Client's users; Client's customers/end-users; employees/contractors; other individuals whose data Client submits to or processes via the Services.
Categories of Personal Data: Typical identifiers and business contact information (e.g., name, email, username, IPs), auth/profile data, project/workspace metadata, usage logs, billing/contact data; and any other Personal Data Client elects to process through the Services.
Special Categories / Sensitive Data: Not intended to be processed. Client will not submit Sensitive Personal Data unless expressly agreed in writing.
Frequency & Duration: Continuous Processing for the term of the Agreement (and any post-termination retention required by law).
Nature & Purpose: Execution of workloads in micro-VM sandboxes; storage; networking; telemetry; logging; security; support; billing; as necessary to provide the Services per Agreement and this DPA.
Competent Supervisory Authority (EU SCCs): Irish Data Protection Commission (unless another is mandated by law or Client's establishment).
C. Contact Points for Data Protection:
Hopx: privacy@hopx.ai
Client: As provided in Client's account/admin console
D. Governing Law & Venue (SCCs):
Clause 17: Ireland
Clause 18(b): Irish courts
Clause 7 (Docking): Not used
Clause 9 (Subprocessors): Option 2 (general authorization) — notice via https://hopx.ai/legal/subprocessors
Clause 11 (Redress): Not used
UK Addendum completion: Tables 1–4 are populated by the information above and Exhibits A–C; the "Approved EU SCCs" are Module 2; Importer's Annexes per Exhibits A–C.
Exhibit B — SCCs Annex II (Technical & Organizational Measures)
Hopx maintains an ISMS aligned to SOC 2 and ISO/IEC 27001. Core TOMs include:
Governance & Policies
Documented security policies; risk assessments; security training for personnel; vendor risk management.
Access Controls & Identity
Role-based access (RBAC), least privilege, need-to-know; MFA for privileged access; short-lived credentials; JIT elevation where applicable.
Encryption & Key Management
TLS 1.2+ in transit; encryption at rest; centrally managed keys with rotation and access logging.
Compute & Isolation
Firecracker micro-VM isolation per sandbox; hardened hosts; minimal images; separation of environments (dev/stage/prod).
Network Security
Segmented VPCs/VNETs; security groups/ACLs; WAF/CDN on public surfaces; optional egress controls per sandbox/project.
Application Security
Secure SDLC (threat modeling, peer review); SAST/DAST/dependency scanning; signed artifacts; change management.
Monitoring & Logging
Centralized logs, metrics, and traces; audit logging (auth, admin, runtime actions); alerting on anomalies and policy violations.
Vulnerability & Patch Management
Continuous scanning (images/hosts/libs); SLA-based remediation by severity; regular third-party penetration tests.
Business Continuity & Backups
Encrypted backups of control-plane data; tested restores; HA design for control plane; regional redundancy where applicable.
Data Lifecycle
Client-configurable retention where supported; secure deletion aligned to media lifecycle and backup policies.
Physical & Cloud Provider Controls
Use of certified data centers (e.g., SOC/ISO). Physical safeguards are provided by underlying IaaS vendors.
Incident Response
Documented IR plan; 24/7 monitoring; forensic capture; customer notification without undue delay; post-incident review.
Exhibit C — Subprocessors (SCCs Annex III)
General authorization. Hopx may engage Subprocessors to support the Services (infrastructure, networking, logging/monitoring, email delivery, analytics, support, payments/billing). Hopx remains responsible for Subprocessors' compliance with this DPA.
Current list & locations: https://hopx.ai/legal/subprocessors
Notification of changes: via the URL above (and, if subscribed, email/app notices).
Right to object: If Client reasonably objects on data-protection grounds, the parties will confer in good faith; if unresolved, Client may terminate the affected Services as the sole remedy.
Contact
Bunnyshell Inc. (Hopx)
Address: 2093 PHILADELPHIA PIKE #6991, CLAYMONT, DE 19703
Privacy: privacy@hopx.ai
Security: security@hopx.ai