Data Processing Agreement

1. Definitions

The terms "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Appropriate Technical and Organizational Measures" shall have the meanings given to them in Applicable Data Protection Law.

2. Scope and Responsibility

Customer acts as a Data Controller and HulloDesk acts as a Data Processor. HulloDesk shall process Personal Data only on behalf of and in accordance with the Customer's documented instructions.

3. Data Protection

HulloDesk shall implement and maintain appropriate technical and organizational security measures to protect Personal Data, including:

• Encryption of personal data at rest (AES-256) and in transit (TLS 1.3).
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
• Measures to restore availability and access to personal data in a timely manner in the event of a physical or technical incident.
• A process for regularly testing, assessing, and evaluating the effectiveness of security measures.

4. Subprocessors

Customer provides a general authorization to HulloDesk to engage subprocessors. HulloDesk shall:

• Maintain a current list of subprocessors (available at hullodesk.com/subprocessors).
• Enter into a written agreement with each subprocessor containing data protection obligations no less protective than those in this DPA.
• Remain liable for the acts and omissions of its subprocessors.

5. Data Subject Rights

HulloDesk shall, to the extent legally permitted, promptly notify Customer if HulloDesk receives a request from a Data Subject to exercise their rights. HulloDesk shall assist Customer in fulfilling its obligations to respond to such requests.

6. Audit Rights

HulloDesk shall make available to Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer.