Data Processing Agreement

1. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data
• "Data Subject" means the individual to whom Personal Data relates
• "GDPR" means the General Data Protection Regulation (EU) 2016/679
• "Services" means the Hectares.ai platform and related services
• "Sub-processor" means any processor engaged by us to process Personal Data

2. Details of Processing

2.1 Nature and Purpose

We process Personal Data solely to provide the Services as described in our Terms of Service, including:

• Hosting and managing project data
• Facilitating collaboration between users
• Providing analytics and reporting features
• Sending service-related communications
• Maintaining security and preventing fraud

2.2 Categories of Data Subjects

• Your employees and contractors
• Your customers and project stakeholders
• Other individuals whose data you input into the Services

2.3 Types of Personal Data

• Names and contact information
• Professional information and roles
• Project-related data you choose to input
• Usage data and system logs

3. Our Obligations as Processor

We shall:

• Process Personal Data only on your documented instructions
• Ensure persons processing Personal Data are subject to confidentiality obligations
• Implement appropriate technical and organizational security measures
• Engage Sub-processors only with your consent and under written agreements
• Assist you in responding to Data Subject requests
• Assist with your compliance obligations regarding security, breach notifications, and impact assessments
• Delete or return Personal Data at the end of our services
• Make available information necessary to demonstrate compliance

4. Security Measures

We implement industry-standard security measures including:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Incident response procedures
• Employee security training
• Physical security of data centers
• Regular backups and disaster recovery procedures

5. Sub-processors

We use the following Sub-processors to provide our Services:

We will notify you of any changes to Sub-processors with at least 30 days notice. You may object to new Sub-processors by terminating the Services.

6. International Data Transfers

Personal Data may be transferred to and processed in the United States. We ensure appropriate safeguards for international transfers through:

• Standard Contractual Clauses approved by the European Commission
• Compliance with applicable data protection laws
• Implementation of supplementary security measures where required

7. Data Subject Rights

We will assist you in fulfilling Data Subject requests for:

• Access to their Personal Data
• Rectification of inaccurate data
• Erasure of Personal Data
• Restriction of processing
• Data portability
• Objection to processing

We will forward any Data Subject requests to you promptly and support your response within reasonable timeframes.

8. Personal Data Breach

In the event of a Personal Data breach, we will:

• Notify you without undue delay and within 72 hours of becoming aware
• Provide details of the nature and scope of the breach
• Communicate measures taken to address the breach
• Cooperate with you to mitigate any damage
• Document all breaches and actions taken

9. Audit and Inspection

You have the right to verify our compliance with this DPA through:

• Annual security certifications (SOC 2, ISO 27001)
• Security questionnaires and assessments
• On-site audits with 30 days notice and reasonable scope

10. Term and Termination

This DPA remains in effect for the duration of our Services. Upon termination, we will:

• Stop processing Personal Data
• Return or delete Personal Data as instructed
• Provide certification of deletion upon request

Contact Information