DATA PROCESSING AGREEMENT

Last Updated: September 12, 2025

Version: 1.0

This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service or other agreement ("Service Agreement") between Halogen AI, Inc. ("Halogen AI", "we", "us", or "our") and our customers ("Customer", "you", or "your") governing the use of Halogen AI's services.

This DPA applies when Customer Data processed through our services includes Personal Data as defined under applicable data protection laws. By using our services, you agree to the terms of this DPA.

1. DEFINITIONS

"Applicable Laws" means all data protection and privacy laws, regulations, and regulatory requirements applicable to the processing of Personal Data, including without limitation:

  • General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • California Consumer Privacy Act ("CCPA")
  • Personal Information Protection and Electronic Documents Act ("PIPEDA")
  • Other applicable federal, state, provincial, and international privacy laws

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Halogen AI on behalf of the Customer through the services.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

"Security Incident" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.

"Sub-processor" means any third party engaged by Halogen AI to process Personal Data on behalf of our Customers.

2. SCOPE OF PROCESSING

2.1 Relationship of the Parties

Halogen AI acts as a data processor with respect to Personal Data processed on behalf of Customers, who act as data controllers. This DPA defines the responsibilities and obligations of both parties regarding data protection.

2.2 Nature and Purpose of Processing

Halogen AI processes Personal Data for the following purposes:

  • Providing our SaaS platform services for go-to-market intelligence and analytics
  • User account management and authentication
  • Service delivery, maintenance, and support
  • Service improvement and development
  • Compliance with legal obligations

2.3 Categories of Data and Data Subjects

Types of Personal Data we process:

  • Identification data (names)
  • Contact information (email addresses)
  • Business context information for go-to-market analytics
  • Account and authentication credentials
  • Usage and analytics data

Categories of Data Subjects:

  • Customer's end users
  • Customer's employees and contractors
  • Customer's business contacts and prospects

2.4 Duration of Processing

Personal Data is processed for the duration of the Service Agreement and retained for up to twelve (12) months following termination, unless a different retention period is required by law or agreed upon in writing.

3. HALOGEN AI'S OBLIGATIONS

3.1 Compliance with Instructions

We commit to:

  • Process Personal Data only in accordance with documented instructions from our Customers
  • Notify Customers if we believe an instruction violates Applicable Laws
  • Not process Personal Data for our own purposes except as permitted under the Service Agreement

3.2 Confidentiality

All Halogen AI personnel authorized to process Customer Personal Data are:

  • Subject to confidentiality obligations
  • Trained on data protection and security requirements
  • Granted access only on a need-to-know basis

3.3 Security Measures

We implement technical and organizational measures to protect Personal Data, including:

Current Security Measures:

  • HTTPS/TLS encryption for all data in transit
  • Access control systems with unique user authentication
  • Regular security updates and patch management
  • Secure development practices
  • System access logging and monitoring
  • Physical security at our Seattle and Kansas City offices
  • Quarterly security awareness training for all personnel

Security Enhancement Roadmap:

Phase 1 (0-90 days):

  • Documented incident response plan
  • Enterprise agreements for all AI processing services
  • Formalized security training program

Phase 2 (3-6 months):

  • Encryption at rest for all databases
  • Cyber liability insurance evaluation
  • Enhanced monitoring capabilities

Phase 3 (6-12 months):

  • Multi-factor authentication implementation
  • Third-party security assessment
  • Enhanced disaster recovery procedures

Phase 4 (12-18 months):

  • SOC 2 Type II certification
  • Annual penetration testing program
  • Mature security operations

3.4 Security Incident Management

In the event of a Security Incident:

  • We will notify affected Customers within 48 hours of becoming aware
  • Notifications will include the nature of the incident, affected data categories, potential consequences, and mitigation measures
  • We will cooperate fully in investigation and remediation efforts
  • We are developing a comprehensive Incident Response Plan (target: 60 days)

4. SUB-PROCESSORS

4.1 Current Sub-processors

We currently use the following sub-processors to deliver our services:

Sub-processor           Purpose                      Location        Security Status
Google Cloud Platform   Infrastructure and storage   United States   Enterprise DPA in place
Gemini (Google)         AI processing                United States   Enterprise agreement pending (90 days)
Stripe, Inc.            Payment processing           United States   PCI DSS compliant with DPA
Vercel, Inc.            Application hosting          United States   SOC 2 Type II certified with DPA

4.2 Sub-processor Management

  • We maintain written agreements with all sub-processors imposing appropriate data protection obligations
  • Customers will be notified at least 30 days before adding or changing sub-processors
  • Customers may object to new sub-processors within 14 days of notification
  • We remain fully liable for our sub-processors' compliance with data protection obligations

5. YOUR RIGHTS AND OBLIGATIONS

5.1 Customer Responsibilities

As the data controller, you are responsible for:

  • Ensuring you have legal bases for collecting and sharing Personal Data with us
  • Providing necessary notices and obtaining required consents from Data Subjects
  • Ensuring your instructions comply with Applicable Laws
  • Maintaining your own records of processing activities

5.2 Data Subject Rights

We will assist you in responding to Data Subject requests regarding:

  • Access to their Personal Data
  • Correction or deletion of Personal Data
  • Data portability
  • Objection to processing
  • Restriction of processing

Assistance is provided at no additional charge for reasonable requests. We will not respond directly to Data Subjects unless instructed by you.

5.3 Audit Rights

You have the right to verify our compliance through:

  • Annual audits upon 30 days' notice
  • Security questionnaires and self-assessments
  • Review of our security certifications (once obtained)
  • Inspection of relevant compliance documentation

6. INTERNATIONAL DATA TRANSFERS

6.1 Data Location

Primary data processing occurs in the United States (Seattle and Kansas City). We use data centers and sub-processors located in the United States.

6.2 Transfer Safeguards

For international data transfers, we implement appropriate safeguards:

  • Canada to US transfers: Permitted under PIPEDA with the safeguards in this DPA
  • EU/EEA to US transfers: Standard Contractual Clauses are available upon request
  • Other jurisdictions: Appropriate transfer mechanisms based on Applicable Laws

7. DATA RETENTION AND DELETION

7.1 Retention Periods

  • Active accounts: Personal Data retained while services are active
  • Post-termination: Maximum 12 months retention after account closure
  • Legal requirements: Extended retention only when required by law

7.2 Data Deletion

Upon termination:

  • Customers may request export of their data in standard formats
  • All Personal Data deleted within 30 days (unless legal retention required)
  • Deletion certificates available upon request

8. LIABILITY AND COMPLIANCE

8.1 Compliance Commitment

We are committed to:

  • Maintaining compliance with Applicable Laws
  • Achieving industry-standard security certifications
  • Continuous improvement of our data protection practices
  • Transparency about our security posture and roadmap

8.2 Liability

  • Liability for data protection breaches is governed by the Service Agreement
  • Each party is responsible for its own compliance with Applicable Laws
  • We maintain appropriate measures to minimize risks

8.3 Insurance

We are actively evaluating cyber liability insurance options, with a decision expected within 6 months. Updates on our insurance coverage will be available in our Trust Center.

9. PRIVACY IMPACT ASSESSMENTS

We will provide reasonable assistance for:

  • Data Protection Impact Assessments (DPIAs)
  • Prior consultations with supervisory authorities
  • Risk assessments related to our processing activities

10. UPDATES TO THIS DPA

We may update this DPA to:

  • Reflect changes in Applicable Laws
  • Accommodate new services or features
  • Improve security measures
  • Add or change sub-processors

Updates will be posted on this page with a new version number and date. Material changes will be communicated via email or through our service dashboard.

11. CONTACT INFORMATION

For questions about this DPA or our data protection practices:

Data Protection Contact:

Halogen AI, Inc.
Email: privacy@halo-gen.ai
Address: 1545 NE 90th St, Seattle, WA 98115

12. JURISDICTION-SPECIFIC PROVISIONS

12.1 European Economic Area (EEA)

For Customers in the EEA:

  • Halogen AI acts as a data processor under GDPR Article 28
  • Standard Contractual Clauses are available as an addendum
  • You may appoint an EU representative if required

12.2 California

For California residents' Personal Data:

  • We act as a service provider under CCPA
  • We do not sell Personal Data
  • We assist with consumer rights requests

12.3 Canada

For Canadian Personal Data:

  • We comply with PIPEDA requirements
  • Data may be processed in the United States
  • We maintain comparable protection standards

13. TRANSPARENCY COMMITMENT

We believe in transparency about our data protection practices. This DPA reflects our current capabilities and our commitment to continuous improvement. We acknowledge areas where we are still developing our capabilities and provide clear timelines for enhancements.

Security Transparency Report

We publish quarterly updates on:

  • Progress toward security milestones
  • New certifications obtained
  • Sub-processor changes
  • General security improvements

Questions? If you have questions about this DPA or would like to discuss specific requirements for your organization, please contact our team at privacy@halo-gen.ai.

Note: This DPA reflects our current capabilities and commitment to continuous improvement in data protection practices. We provide transparent timelines for security enhancements and maintain open communication about our data protection posture.