Hexense HR

Data Processing Agreement

Last updated: 4 July 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Hexense Tech OÜ, registry code 17371031, registered address Gonsiori tn 29, Kesklinna linnaosa, 10147 Tallinn, Harju maakond, Estonia (the “Processor”) and the Customer (the “Controller”), and governs the Processor’s processing of personal data contained in Customer Data on behalf of the Controller, as required by Article 28(3) of the GDPR.

1. Details of processing

2. Instructions

The Processor processes Customer Data only on the Controller’s documented instructions — namely the Terms, this DPA, and the Controller’s configuration and use of the Service — unless required otherwise by EU or member state law, in which case the Processor informs the Controller before processing unless the law prohibits it. The Processor will inform the Controller if, in its opinion, an instruction infringes the GDPR.

3. Confidentiality

The Processor ensures that persons authorized to process Customer Data are bound by contractual or statutory confidentiality obligations, and that access is limited to what is necessary to operate and support the Service.

4. Security (Article 32)

The Processor implements and maintains appropriate technical and organizational measures, including:

5. Subprocessors

The Controller grants general authorization to engage the subprocessors listed at /legal/subprocessors. The Processor will give at least 30 days’ notice of intended additions or replacements (via the Service or email), during which the Controller may object on reasonable data protection grounds; if the objection cannot be resolved, the Controller may terminate the affected subscription. The Processor imposes data protection obligations on subprocessors equivalent to those in this DPA and remains liable for their performance.

6. International transfers

Customer Data is stored in the European Union. Where a subprocessor processes personal data outside the EEA, the transfer is protected by an adequacy decision (including the EU–US Data Privacy Framework) or the European Commission’s Standard Contractual Clauses, with supplementary measures as appropriate.

7. Assistance to the Controller

8. Personal data breaches

The Processor notifies the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Customer Data, providing the information reasonably required for the Controller’s obligations under Articles 33 and 34 GDPR, supplemented as more information becomes available.

9. Deletion and return

During the subscription, the Controller’s admins can export Customer Data via the Service’s export and reporting features. After the end of the subscription and a 30-day grace period, the Processor deletes Customer Data, including from backups on the backup provider’s rotation schedule, unless EU or member state law requires continued storage.

10. Audit and information

The Processor makes available the information reasonably necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Controller or its mandated auditor — no more than once per 12 months unless required by a supervisory authority or following a breach, on at least 30 days’ notice, during business hours, under confidentiality, and at the Controller’s cost. Third-party certifications and audit reports of the Processor’s infrastructure providers may be used to satisfy audit requests where adequate.

11. Liability and order of precedence

Liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.

12. Contact

Data protection inquiries: privacy@hex-tech.xyz