Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms part of and is incorporated by reference into the Hyvery Terms of Service or other written agreement between Hyvery, Inc. (“Hyvery”, “Processor”) and the customer entity that accepts the Terms (“Customer”, “Controller”) governing Customer’s use of the Hyvery SaaS platform (the “Agreement”). Capitalized terms not defined in this DPA have the meanings in the Agreement.


1. Purpose and Scope

This DPA reflects the parties’ agreement regarding the Processing of Personal Data by Hyvery on behalf of Customer in connection with the Service. The parties will comply with all Data Protection Laws applicable to their respective roles, including without limitation: EU/EEA GDPR, UK GDPR and the Data Protection Act 2018, the Swiss FADP, and U.S. state privacy laws such as the California Consumer Privacy Act as amended by the CPRA (collectively, “Data Protection Laws”).

  • Roles. Customer is the Controller (or a Processor acting on behalf of a third-party controller); Hyvery is the Processor (or sub‑processor where Customer acts as a Processor).

  • Processing. Hyvery will Process Personal Data solely to provide the Service and as otherwise documented in this DPA, the Agreement, and Customer’s written instructions.

2. Customer Instructions

Hyvery will Process Personal Data only on documented instructions from Customer, including as set forth in Annex I‑B and the Agreement, unless Processing is required by law, in which case Hyvery will inform Customer (unless the law prohibits such notice). Customer is responsible for the lawfulness of its instructions and for the accuracy, quality, and legality of Customer Data.

3. Sub‑Processors

Customer provides general authorization for Hyvery to engage Sub‑Processors to support delivery of the Service. Hyvery will:

  • impose data protection terms on Sub‑Processors that provide at least the level of protection required by this DPA and applicable SCCs;

  • remain responsible for each Sub‑Processor’s performance; and

  • maintain an up‑to‑date Sub‑Processor list (e.g., on Hyvery’s trust/status page) and provide advance notice (≥30 days) of material changes.

Objection. Customer may object in writing to a new Sub‑Processor for reasonable data protection grounds within the notice period. If the parties cannot agree on a mitigation in good faith, Customer may suspend or terminate the affected Service (without penalty) and receive a pro‑rated refund for prepaid, unused fees.

4. Security Measures

Hyvery will implement and maintain appropriate technical and organizational measures (“TOMs”) to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as described in Annex II and aligned to industry standards (e.g., SOC 2). Hyvery will ensure that personnel with access to Personal Data are bound by confidentiality obligations and receive security/privacy training.

5. Data Subject Requests

Taking into account the nature of Processing, Hyvery will provide reasonable assistance to Customer by appropriate technical and organizational measures to enable Customer to respond to requests from Data Subjects to exercise rights under Data Protection Laws (e.g., access, rectification, deletion, portability, restriction, objection). Where a request is made directly to Hyvery, Hyvery will promptly (and no later than 10 business days) notify Customer and not respond except to confirm that the request relates to Customer.

6. Personal Data Breach Notification

Hyvery will notify Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach impacting Customer Personal Data. Such notice will include information available at the time regarding the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address the breach. Hyvery will keep Customer reasonably informed of material developments and cooperate in breach investigations, notifications, and remediation.

7. Assistance; DPIAs; Consultations

Hyvery will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with supervisory authorities, and security/incident documentation to the extent required by Data Protection Laws and relating to the Services, taking into account the nature of Processing and the information available to Hyvery.

8. Audits and Certifications

Upon written request no more than once per 12‑month period (and additionally following a confirmed Personal Data Breach), Hyvery will make available reasonable information necessary to demonstrate compliance with this DPA (e.g., SOC 2 reports, penetration test summaries, security policy summaries). If such materials are insufficient, Customer may conduct an audit (onsite or remote) of Hyvery’s relevant systems and facilities, subject to: (a) 30 days’ notice; (b) execution of a mutually agreeable audit plan, confidentiality undertakings, and reasonable time/place limits; (c) non‑interference with Hyvery operations; and (d) responsibility for Customer’s audit costs. Third‑party auditors must be independent, qualified, and not competitors of Hyvery.

9. Return and Deletion of Data

Upon termination or expiry of the Agreement, Hyvery will—at Customer’s choice—return or delete Customer Personal Data, unless retention is required by law or permitted for legal defense, dispute resolution, fraud prevention, or to meet accounting obligations. Unless otherwise agreed, Hyvery will make Customer Data available for export for 30 days post‑termination and then commence deletion in accordance with Hyvery’s retention schedule and secure deletion procedures.

10. International Transfers

To the extent Hyvery transfers Personal Data subject to EU, UK, or Swiss data protection law to a country that does not provide an adequate level of protection, the parties agree the following transfer mechanisms are incorporated by reference:

  • EU SCCs (Commission Implementing Decision (EU) 2021/914). The parties adopt the Standard Contractual Clauses as follows:

    • Module 2 (Controller→Processor) and/or Module 3 (Processor→Processor), as applicable.

    • Clause 7 (Docking Clause): Applicable.

    • Clause 9 (Use of Sub‑Processors): General Authorization with advance notice per §3 above.

    • Clause 11 (Redress): Optional language not adopted.

    • Clause 12 (Liability): As per SCCs.

    • Annex I–III: As completed in this DPA.

  • UK Addendum (ICO). For transfers subject to UK GDPR, the International Data Transfer Addendum to the EU SCCs (version B.1.0) is incorporated; Part 1 tables are completed by reference to the SCCs and Annexes herein; Part 2 is the mandatory text.

  • Swiss Addendum. For transfers subject to the Swiss FADP, the SCCs apply with (i) references to the GDPR read as references to the FADP; (ii) references to “Member State” replaced with “Switzerland”; and (iii) the competent authority set as the Swiss FDPIC.

Unless otherwise agreed in writing, primary hosting and processing are in the United States, with limited processing in Canada as disclosed. Customer authorizes Hyvery and its Sub‑Processors to perform international transfers as necessary to provide the Service, subject to the above mechanisms.

11. CCPA/CPRA (and similar U.S. State Laws)

For Personal Information subject to the CPRA (and analogous U.S. state laws), the parties agree that Hyvery acts as a Service Provider/Processor and shall: (a) process Personal Information solely for the Business Purpose of providing the Service; (b) not sell or share Personal Information; (c) not retain, use, or disclose Personal Information outside the direct business relationship except as permitted by law; (d) implement reasonable security procedures; (e) enable Customer to fulfill consumer requests; and (f) flow down these obligations to Sub‑Processors.

12. Liability and Conflict

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, provided that nothing limits either party’s liability to the extent such limitation is prohibited by the SCCs or applicable law. In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict regarding data protection.

13. Miscellaneous

This DPA becomes effective on the DPA effective date and remains in force for the duration of the Agreement and thereafter as long as Hyvery Processes Personal Data on behalf of Customer. This DPA may be updated by Hyvery per the change mechanism in the Agreement, provided that material adverse changes will not apply during a then‑current Subscription Term without Customer’s consent.


Annex I — Description of Processing

A. Parties

  • Controller: Customer entity identified in the Order Form.

  • Processor: Hyvery, Inc., 4004 Sunburst View Cir., Kissimmee, FL 34746, USA; contact: privacy@hyvery.com.

  • Data Protection Contact: privacy@hyvery.com.

B. Processing Details

  • Subject Matter: Provision of the Hyvery SaaS platform and related support.

  • Duration: Term of the Agreement plus 30 days for export unless a longer period is agreed or required by law.

  • Nature and Purpose: Hosting, storage, transmission, display, search, analytics, and processing of Customer Data to enable facility/operations workflows, tickets, work orders, invoicing, campaigns, assessments, floor plans, and events.

  • Types of Personal Data: Business contact data (names, emails, phone numbers); account credentials/identifiers; usage telemetry; role/permission metadata; location identifiers; support interactions; file attachments (as provided by Customer). No payment card PAN or special category data is required for the Service.

  • Categories of Data Subjects: Customer’s employees/contractors; owner/operators; support staff; end users authorized by Customer.

  • Special Categories: Not intended. If Customer chooses to upload such data, Customer is responsible for lawfulness and special safeguards.

  • Frequency of Transfers: Continuous as necessary to provide the Service.

  • Retention: As configured by Customer and per the Agreement; backups per retention schedule.

C. Competent Supervisory Authority

  • For EU SCCs: the supervisory authority of (i) Customer’s main EU establishment or (ii) the EU Member State where data subjects are located, as designated by Customer. If not designated, Irish DPC by default.

  • For Swiss transfers: the FDPIC.

  • For UK transfers: the ICO.


Annex II — Technical and Organizational Measures (TOMs)

Hyvery maintains TOMs appropriate to the risk, which include (non‑exhaustive):

  1. Information Security Program: Written policies aligned to SOC 2; risk assessments; management oversight.

  2. Access Control: RBAC, least privilege, MFA for privileged roles; quarterly access reviews; unique credentials; SSO/SCIM options.

  3. Asset & Configuration Management: Baseline hardening (CIS); infrastructure as code; change control; secure configuration; vulnerability scanning and patch management with SLAs.

  4. Network Security: Segmented VPCs; firewall/security groups default‑deny; Kubernetes NetworkPolicies; load balancers with TLS; flow logs.

  5. Encryption: TLS 1.2+ in transit; AES‑256 at rest across databases, volumes, object storage, and backups; key management with restricted access.

  6. Monitoring & Logging: Centralized logging; audit trails for access and admin actions; alerting for anomalies and IOCs; time sync.

  7. Application Security: Secure SDLC; SAST/DAST/dependency/container scans; secret detection; code reviews; CI/CD controls; SBOM maintenance.

  8. Business Continuity & Backups: Encrypted, isolated backups with separate credentials; periodic restore testing; documented RTO/RPO objectives.

  9. Incident Response: 24×7 on‑call for Sev‑1; defined playbooks; breach notification within 72 hours of awareness; post‑incident reviews.

  10. Physical Security: Cloud provider data center controls; logical access only; vendor audits reviewed annually.

  11. Third‑Party Risk: Sub‑Processor diligence; contractual flow‑down; annual re‑assessments.

  12. Data Minimization & Retention: Configurable retention; deletion and anonymization routines; secure wipe of media per provider standards.

  13. Customer Controls: Administrative features for RBAC, audit logs, backups/export, and API rate limiting; Customer-managed IdP/SSO optional.


Annex III — Sub‑Processors (as of DPA effective date)

Hyvery may use the following categories of Sub‑Processors to deliver the Service (specific vendors and scope are available on request or on the trust page):

  • Cloud Hosting & Networking: primary U.S. regions; limited operations in Canada.

  • Database & Storage Services

  • Monitoring/Logging & Error Tracking

  • Email/Notifications & Messaging

  • Identity/Access Management (SSO/2FA)

  • Support & Ticketing

Hyvery will maintain an updated list including legal entity names, purpose, and region, and will provide notice of changes per §3.


Annex IV — SCCs/International Transfer Addenda

The parties agree that the EU SCCs (2021/914) (Modules 2 and/or 3), the UK IDTA Addendum, and the Swiss Addendum are incorporated by reference and completed by the information in Annex I–III above. Execution of the Agreement (or this DPA) is deemed execution of the SCCs/Addenda to the extent required for international transfers.