Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the agreement between HOPE (“Processor”) and the customer (“Controller”) for use of the HOPE Workspace platform (the “Service”), and applies where we process personal data on the Controller’s behalf.
1. Roles
The Controller determines the purposes and means of processing Customer Personal Data; HOPE processes it only on the Controller’s documented instructions, including as set out in this DPA and the Service’s features.
2. Scope & nature of processing
- Subject matter: provision of the Service.
- Duration: the term of the agreement, plus the limited deletion window.
- Categories of data subjects: the Controller’s personnel, clients, and contacts.
- Categories of data: business contact details, project/task/finance records, and any personal data the Controller chooses to store.
3. Confidentiality
HOPE ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations.
4. Security measures
HOPE maintains technical and organisational measures appropriate to the risk, including encryption of data in transit and at rest, logical isolation of each customer workspace, authentication and least-privilege access controls, audit logging, and regular review of security practices.
5. Subprocessors
The Controller authorises HOPE to engage subprocessors to provide the Service, currently including Supabase (database & authentication), Stripe (payments), Vercel (hosting), and Cloudflare (storage & network); and, where the Controller connects an integration, the relevant provider (Google, Slack, Asana, Frame.io). HOPE imposes data-protection terms on each subprocessor no less protective than this DPA and remains responsible for their performance. We will give notice of new subprocessors and an opportunity to object.
6. Data subject requests
Taking into account the nature of the processing, HOPE will assist the Controller by appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests (access, correction, deletion, portability). The Service provides self-service export and deletion for workspace administrators.
7. Personal data breach
HOPE will notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably required for the Controller to meet its notification obligations.
8. Return & deletion
On termination, and at the Controller’s choice, HOPE will delete or return Customer Personal Data within the wind-down window, except where retention is required by law (e.g. payment/invoice records held by our payment processor).
9. Audits
HOPE will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, subject to reasonable confidentiality and security constraints.
10. International transfers & governing law
Where personal data is transferred across borders, the parties will rely on a lawful transfer mechanism as required by applicable law. This DPA is governed by the same law as the agreement. Contact: privacy@thehope.io.