Data Processing Agreement
HailBytes' standard processor agreement for personal data under GDPR (EU 2016/679), LGPD (Lei nº 13.709/2018), the UK GDPR, and equivalent regimes.
Version: 1.0 · Effective: 2026-05-11
How this DPA works: by signing the HailBytes master agreement (or, for Marketplace transactions, by accepting the terms presented at purchase), the Customer and HailBytes agree to the terms below for any processing of personal data that occurs in connection with the products and services. For customers requiring a counter-signed standalone DPA, contact contracts@hailbytes.com.
The BYOC point: for customer-scanned asset data (HailBytes ASM) and employee/campaign data (HailBytes SAT), HailBytes is neither controller nor processor — that data lives entirely inside the Customer's own cloud account and HailBytes never receives it. This DPA governs the limited operational data HailBytes does process (support communications, billing, marketing-list contacts where consent applies). See BYOC architecture and LGPD/GDPR posture for the full analysis.
1. Definitions
- "HailBytes" means HailBytes, Inc., a Delaware corporation, the Processor under this DPA.
- "Customer" means the entity that has entered into the master agreement with HailBytes, the Controller under this DPA.
- "Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Personal Data Breach" have the meanings given to them under GDPR Art. 4, with equivalent meanings under LGPD Art. 5º where the Brazilian regime applies. "Sub-processor" is defined below.
- "Customer Personal Data" means Personal Data that HailBytes Processes on the Customer's behalf in the course of providing the products and services, as described in §3.
- "Applicable Data Protection Law" means GDPR; the UK GDPR and Data Protection Act 2018; LGPD; the California Consumer Privacy Act as amended; and any other data protection law applicable to the Processing of Customer Personal Data.
- "Standard Contractual Clauses" or "SCCs" means the European Commission's Standard Contractual Clauses for international transfers, adopted by Commission Implementing Decision (EU) 2021/914, and any successor instrument.
- "Sub-processor" means a third party engaged by HailBytes to Process Customer Personal Data, as listed in the subprocessor list.
2. Roles and scope of Processing
2.1. Customer is Controller. The Customer determines the purposes and means of Processing of Customer Personal Data. Where multiple controllers are involved on the Customer side, the Customer is responsible for ensuring its own arrangements with such controllers.
2.2. HailBytes is Processor. HailBytes Processes Customer Personal Data only on documented instructions from the Customer, including with respect to transfers to a third country, unless applicable law requires otherwise. Where applicable law requires HailBytes to Process Customer Personal Data other than on the Customer's instructions, HailBytes will inform the Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest (GDPR Art. 28(3)(a)).
2.3. Scope. The Processing under this DPA is limited to what is necessary to provide the products and services, to provide customer support, to comply with the master agreement, and to comply with applicable law.
2.4. BYOC carve-out. The parties acknowledge that HailBytes ASM and HailBytes SAT are deployed as customer-controlled software inside the Customer's own cloud account. Personal Data Processed by such customer-deployed instances (including, without limitation, scanned-asset metadata, employee target lists, phishing-simulation results, and audit logs generated inside the Customer's tenant) is not received, stored, or transmitted by HailBytes. With respect to such data, HailBytes is neither Controller nor Processor and this DPA does not apply. This DPA applies to the limited categories described in §3 below.
3. Categories of Personal Data and Data Subjects
Categories of Personal Data Processed by HailBytes on the Customer's behalf:
- Customer Account Data: name, business email, business phone, role title, and similar business-contact information of the Customer's authorized users.
- Support Communications: any Personal Data the Customer chooses to include in support tickets, email threads, or chat sessions with HailBytes.
- Billing Data: billing contact, transaction history, and (where direct-checkout applies via Stripe) tokenized payment-method references. HailBytes does not store full payment card numbers.
- Marketing-list Contacts (consent-based, separable): business email and similar contact information of individuals who have opted in to HailBytes' marketing communications. Any such individual may withdraw consent at any time (GDPR Art. 7(3)), and the Customer may at any time request that HailBytes stop marketing communications to any of its representatives.
Categories of Data Subjects: the Customer's authorized users; the Customer's billing contacts; individuals who voluntarily contact HailBytes for support; individuals who opt in to marketing communications.
4. HailBytes' obligations as Processor
4.1. Confidentiality. HailBytes ensures that personnel authorized to Process Customer Personal Data are subject to confidentiality obligations sufficient to comply with GDPR Art. 28(3)(b) and equivalent provisions of other Applicable Data Protection Law.
4.2. Security measures. HailBytes implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with GDPR Art. 32 and LGPD Art. 46. Current measures are documented in HailBytes' security overview, the per-release security evidence package, and the BYOC architecture statement.
4.3. Assistance to the Customer. Taking into account the nature of the Processing, HailBytes assists the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests for exercising the Data Subject's rights under GDPR Chapter III and equivalent provisions.
4.4. Breach notification. HailBytes notifies the Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification includes (a) the nature of the breach, (b) the categories and approximate number of Data Subjects and records concerned, (c) the name and contact details of the DPO or other contact point (§4.6), (d) the likely consequences, and (e) the measures taken or proposed to address the breach and mitigate its effects. Where not all of this information is available at once, HailBytes provides it in phases without undue further delay. The 48-hour commitment is set so that the Customer can meet its own 72-hour supervisory-authority notification obligation under GDPR Art. 33 and its "reasonable time" obligation under LGPD Art. 48 (specified by ANPD Resolution CD/ANPD nº 15/2024 as three business days).
4.5. Return or deletion at end of services. Upon termination or expiration of the master agreement, HailBytes, at the Customer's choice, deletes or returns all Customer Personal Data and deletes existing copies, unless retention is required by applicable law. Where the Customer has not indicated a choice within 30 days of termination, HailBytes deletes the data on the 31st day. Backups containing Customer Personal Data are overwritten on the standard backup-rotation schedule (which does not exceed 90 days).
4.6. DPO designation. HailBytes has designated David McHale as Encarregado (under LGPD) and Data Protection Officer (where required under GDPR Art. 37). Contact: dpo@hailbytes.com.
5. Sub-processing
5.1. General authorization. The Customer grants HailBytes a general authorization to engage Sub-processors. The current list is published at /partners/trust-package/subprocessor-list/ and is incorporated into this DPA by reference.
5.2. Notice of changes. HailBytes will notify the Customer of any intended addition or replacement of Sub-processors at least 30 days in advance, by updating the published subprocessor list and emailing the Customer's designated security contact. The Customer may object on reasonable grounds within 30 days of notification.
5.3. Flow-down. HailBytes imposes data-protection obligations on Sub-processors that are no less protective than those in this DPA, by way of a written contract.
5.4. Liability for Sub-processors. HailBytes remains fully liable to the Customer for the performance of Sub-processors' obligations under this DPA.
6. International transfers
6.1. EU/EEA and UK. Where Customer Personal Data is transferred from the EU/EEA or the UK to a country not subject to an adequacy decision, the parties enter into the relevant module of the SCCs (Commission Implementing Decision (EU) 2021/914), supplemented, where the transfer is from the UK, by the International Data Transfer Addendum issued by the Information Commissioner's Office. HailBytes acts under Module 2 (Controller-to-Processor) for transfers from the Customer to HailBytes and under Module 3 (Processor-to-Processor) for onward transfers to Sub-processors, as applicable. The SCCs are incorporated by reference and prevail over conflicting terms.
6.2. Brazil. Where Customer Personal Data is transferred from Brazil to a country whose data protection law has not been recognized by the ANPD as offering an adequate level of protection, the parties rely on the ANPD standard contractual clauses approved by Resolution CD/ANPD nº 19/2024 (or its successor) and subsequent ANPD guidance.
6.3. Data Privacy Framework. For United States Sub-processors that participate in the EU-U.S. Data Privacy Framework and its UK Extension (currently including Microsoft/GitHub, AWS, Cloudflare, Stripe, Anthropic, and Google), the DPF certification serves as a complementary lawful transfer mechanism alongside the SCCs in §6.1.
7. Audit
7.1. Information and audit rights. HailBytes makes available to the Customer the information necessary to demonstrate compliance with the obligations in this DPA, primarily through the published Trust Center (/trust/) and the trust-package documents. Once HailBytes' SOC 2 attestation is issued (anticipated 2027-Q1; see the compliance roadmap), the SOC 2 report will be the primary audit-information vehicle and will be made available under NDA on request.
7.2. On-site audit. Until the SOC 2 attestation is in hand, the Customer may request an on-site audit no more than once per twelve-month period, on at least 30 days' notice, conducted during normal business hours, at the Customer's cost, by the Customer or a qualified independent auditor not a competitor of HailBytes. Audit scope is limited to HailBytes' processing of Customer Personal Data under this DPA.
8. Liability, indemnity, and limitations
Liability under this DPA is governed by the liability and indemnity provisions of the master agreement, subject to mandatory provisions of Applicable Data Protection Law (including GDPR Art. 82 and LGPD Art. 42) which prevail to the extent of any conflict.
9. Term, termination, and updates
9.1. This DPA is effective on the effective date of the master agreement and remains in force for as long as HailBytes Processes Customer Personal Data on the Customer's behalf.
9.2. HailBytes may update this DPA on at least 30 days' notice. Updates that materially reduce HailBytes' obligations require the Customer's consent. Updates that are required to comply with new legal obligations or regulatory guidance take effect on the date stated in the notice and do not require consent.
9.3. The current version is published at hailbytes.com/legal/dpa/. Version history is preserved.
10. Counter-signature and contact
For a counter-signed standalone DPA, an executed copy of the SCCs with annexes completed, or to request changes for a specific procurement requirement, email contracts@hailbytes.com. For questions about data protection, exercising Data Subject rights, or breach notification, email dpo@hailbytes.com (David McHale, DPO / Encarregado).
Related documents: LGPD and GDPR posture · Subprocessor list · BYOC architecture · Per-release security evidence · Trust Center · Privacy notice