Hebbia Data Processing Agreement

This Data Processing Agreement ("DPA") is incorporated into and forms part of the Master Services Agreement (the "Agreement") between the entity identified as customer in the signature block to this DPA ("Customer") and Hebbia Inc. ("Hebbia"). All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. For the purpose of this DPA only, and except where the context otherwise requires, the term "Customer" will include Customer and its Authorized Affiliates.

1. Definitions

2. In this DPA, the following terms shall have the following meanings:

   "Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the Processor Data, including, where applicable, EU/UK Data Protection Law and/or US Data Protection Laws.

   "Controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in EU/UK Data Protection Law. If and to the extent that Applicable Data Protection Laws do not define such terms, then the definitions given in the GDPR will apply.

3. "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CPRA") and including any further amendments and its implementing regulations that become effective on or after the effective date of this DPA.

4. "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time.

5. "Personal Data" means information, which is protected as "personal data", "personally identifiable information" or "personal information" under any applicable Data Protection Laws. For the avoidance of doubt, with respect to US Data Protection Laws, “Personal Data” does not include de-identified data, or publicly available information as such terms are defined in applicable Data Protection Laws.

6. "Processor Data" means any Personal Data that is processed by Hebbia on behalf of Customer in the course of providing the Services, as more particularly described in Annex I of this DPA.

7. "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

8. "Standard Contractual Clauses" or ("SCCs") means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 ("UK Addendum").

   "Sub-Processor" means any third party processor engaged by Hebbia to process any Processor Data (but shall not include Hebbia employees, contractors or consultants).

9. "US Data Protection Laws" means the CCPA, the Colorado Privacy Act ("CPA"), the Connecticut Data Privacy Act ("CTDPA"), the Utah Consumer Privacy Act ("UCPA"), and the Virginia Consumer Data Protection Act ("VCDPA").

10. Scope and Applicability of this DPA

    1. This DPA applies where and only to the extent that Hebbia processes Processor Data in connection with the provision of Services and such processing is protected by Applicable Data Protection Laws.

11. Role and Scope of Processing

    1. Roles of the Parties. The parties acknowledge and agree that for the purposes of this DPA Customer is the controller with respect to the processing of Processor Data, and Hebbia shall process Processor Data only as a processor on behalf of Customer, as further described in Annex I of this DPA. Each party shall comply with the obligations that apply to it under Applicable Data Protection Laws.

    2. Processing Instructions and Purpose Limitation. Hebbia shall process Processor Data for the purposes described in Annex I of this DPA as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with applicable Data Protection Law. Hebbia shall promptly inform Customer if it becomes aware that such processing instructions infringe applicable Data Protection Law (but without obligation to actively monitor Customer's compliance with applicable Data Protection Law).

    3. Customer Responsibilities. Customer shall have sole responsibility for the accuracy, quality, and legality of Processor Data and the means by which Customer acquired Processor Data. Customer represents and warrants that: (i) it has provided, and will continue to provide all notices and has obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws, for Hebbia to lawfully process Processor Data for the purposes contemplated by this DPA; (ii) it has complied and will comply with all Applicable Data Protection Laws in the collection and provision to Hebbia and its Sub-Processors of such Processor Data; and (iii) it shall ensure its processing instructions comply with Applicable Data Protection Laws and that the processing of Processor Data by Hebbia in accordance with Customer's instructions will not cause Hebbia to be in breach of Applicable Data Protection Laws.

    4. Prohibited Data. Customer shall not disclose any special categories of Processor Data to Hebbia for processing except where and to the extent expressly set out in Annex I of this DPA.

    5. Location of Processing. Processor Data that Hebbia processes under the Agreement may be processed in any country in which Hebbia, its Affiliates, partners and authorized Sub-Processors maintain facilities to perform the Services. Hebbia shall not process or transfer (directly or via onward transfer) Processor Data (nor permit such data to be processed or transferred) outside of its country of origin unless the transfer is in compliance with Applicable Data Protection Laws.

    6. Confidentiality of Processing. Hebbia shall ensure that any person that it authorises to process the Processor Data (including Hebbia's staff, agents and Sub-Processors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Processor Data who is not under such a duty of confidentiality.

12. Authorized Sub-Processors

    1. Customer acknowledges and agrees that Hebbia may (1) engage its Affiliates as well as the Authorized Sub-Processors on the List (defined below) to access and process Personal Data in connection with the Services and (2) from time to time engage additional third parties for the purpose of providing the Services, including without limitation the processing of Personal Data. By way of this DPA, Customer provides general written authorization to Hebbia to engage Sub-Processors as necessary to perform the Services.

       2. A list of Hebbia’s current Authorized Sub-Processors (the “List”) is available to Customer at https://trust.hebbia.ai/subprocessors. Such List may be updated by Hebbia from time to time. Hebbia will provide a mechanism to subscribe to notifications (which may include but are not limited to email notifications) of new Authorized Sub-Processors and Customer, if it wishes, will subscribe to such notifications where available. If Customer does not subscribe to such notifications, Customer waives any right it may have to receive prior notice of changes to Authorized Sub-Processors. At least ten (10) days before enabling any third party other than existing Authorized Sub-Processors to access or participate in the processing of Personal Data, Hebbia will add such third party to the List and notify subscribers, including Customer, via the aforementioned notifications. Customer may object to such an engagement by informing Hebbia in writing within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Customer acknowledges that certain Sub-Processors are essential to providing the Services and that objecting to the use of a Sub-Processor may prevent Hebbia from offering the Services to Customer.

          3. If Customer reasonably objects to an engagement in accordance with Section 4.2, and Hebbia cannot provide a commercially reasonable alternative within a reasonable period of time, Customer may discontinue the use of the affected Service by providing written notice to Hebbia. Discontinuation shall not relieve Customer of any fees owed to Hebbia under the Agreement.

          4. If Customer does not object to the engagement of a third party in accordance with Section 4.2 within ten (10) days of notice by Hebbia, that third party will be deemed an Authorized Sub-Processor for the purposes of this DPA.

          5. Hebbia will enter into a written agreement with the Authorized Sub-Processor imposing on the Authorized Sub-Processor data protection obligations comparable to those imposed on Hebbia under this DPA with respect to the protection of Personal Data.

          6. If Customer and Hebbia have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), (i) the above authorizations will constitute Customer’s prior written consent to the subcontracting by Hebbia of the processing of Personal Data if such consent is required under the Standard Contractual Clauses, and (ii) the parties agree that the copies of the agreements with Authorized Sub-Processors that must be provided by Hebbia to Customer pursuant to Clause 9(c) of the EU SCCs may have commercial information, or information unrelated to the Standard Contractual Clauses or their equivalent, removed by the Hebbia beforehand, and that such copies will be provided by the Hebbia only upon request by Customer.

13. Transfers of European Processor Data

    1. Scope and Role of the Parties. This Clause 5 shall only apply with respect to Processor Data subject to EU/UK Data Protection Law.

    2. Restricted Transfers. The parties agree that where and to the extent the transfer of Processor Data from Customer (as "data exporter") to Hebbia (as "data importer") is deemed a Restricted Transfer and EU/UK Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses as follows:

       1. in relation to Processor Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

          1. Module Two will apply;

             2. in EU SCC Clause 7, the optional docking clause will apply;

             3. in EU SCC Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be as set out in Clause 4 of this DPA;

             4. in EU SCC Clause 11, the optional language will not apply;

             5. in EU SCC Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

             6. in EU SCC Clause 18(b), disputes shall be resolved before the courts of the Ireland;

             7. Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this Agreement;

             8. Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this Agreement;

          2. in relation to Processor Data that is protected by the UK GDPR, the UK Addendum will apply completed as follows:

             1. The EU SCCs, completed as set out above in clause 5.2(a) of this DPA shall also apply to transfers of such Processor Data, subject to sub-clause (ii) below; and

             2. Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options "neither party" shall be deemed checked in Table 4. The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA.

    3. Standard Contractual Clauses prevail. In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

14. Additional Provisions for Processor Data that is Subject to the CCPA

    1. Scope and Role of Parties. This Clause 6 shall only apply with respect to Processor Data that is subject to the CCPA. When processing Processor Data subject to the CCPA under this DPA, the parties acknowledge and agree that Customer is a Business and Hebbia is a Service Provider for the purposes of the CCPA. For the purpose of this Clause 6, "Business", "Business Purpose", "Commercial Purpose", "Consumer," "Personal Information", "Process," "Sell", "Service Provider", and "Share" have the meanings given to them in the CCPA.

    2. Responsibilities. Customer discloses or otherwise makes available Processor Data to Hebbia for the limited and specific purpose of Hebbia carrying out the Permitted Purposes. Hebbia shall: (i) comply with its applicable obligations under the CCPA; (ii) provide the same level of protection as required under the CCPA; (iii) notify Customer if it can no longer meet its obligations under the CCPA; (iv) not “sell” or “share” (as such terms are defined by the CCPA) Processor Data; (v) not retain, use, or disclose Processor Data for any purpose (including any commercial purpose) other than the Permitted Purpose or as otherwise permitted under the CCPA; (vi) not retain, use, or disclose Processor Data outside of the direct business relationship between Customer and Hebbia or as otherwise permitted under the CCPA; and (vii) unless otherwise permitted by the CCPA, not combine Processor Data with Personal Information that Hebbia: (a) receives from, or on behalf of, another person, or (b) collects from its own, independent consumer interaction. Hebbia will permit Customer, upon reasonable request, to take reasonable and appropriate steps to ensure that Hebbia processes Processor Data in a manner consistent with the obligations applicable to a “Business” under the CCPA by requesting that Hebbia attest to its compliance with this Section 6.2 of the DPA. Following any such request, Hebbia will promptly provide that attestation or notice about why it cannot provide it. If Customer reasonably believes that Hebbia is engaged in the processing of Processor Data that is not authorized under this DPA, Customer will immediately notify Hebbia of such belief, and the parties will work together in good faith to remediate the allegedly violative processing activities, if necessary.

15. Security

    1. Security Measures. Hebbia shall implement appropriate technical and organisational measures designed to protect the Processor Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a "Security Incident"). At a minimum, such measures shall include the measures set out in Annex II. Customer acknowledges that such measures are subject to technical progress and development and that Hebbia may update or modify such measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services under the Agreement.

    7.2 Security Incident Response. Upon becoming aware of a Security Incident, Hebbia shall inform Customer without undue delay and provide all such timely information and cooperation as required by Applicable Data Protection Law in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law.

16. Cooperation and Data Subject Rights

17. Hebbia shall provide reasonable assistance to Customer (at Customer's expense) to assist Customer in Customer’s response to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Processor Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Hebbia, Hebbia shall promptly inform Customer providing full details of the same unless prohibited by applicable law.

18. Data Protection Impact Assessment

19. Hebbia shall provide Customer with all such reasonable and timely assistance as Customer may require in order to enable it to conduct a data protection assessment/data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Customer to consult with its relevant data protection authority.

20. Deletion or Return of Data

21. Upon termination or expiry of the Agreement, Hebbia shall (at Customer's election) destroy or return to Customer all Processor Data (including all copies of the Processor Data) in its possession or control without undue delay. This requirement shall not apply to the extent that Hebbia is required by any applicable law to retain some or all of the Processor Data, in which case Hebbia shall isolate and protect the Processor Data from any further processing except to the extent required by such law until deletion is possible.

22. Audit

23. Hebbia shall permit Customer or its appointed third party auditors to audit Hebbia's compliance with this DPA, and shall make available to Customer all relevant information, policies, procedures, records, and staff necessary for Customer or its third party auditors to conduct such audit. Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Customer believes a further audit is necessary due to a Security Incident suffered by Hebbia.

24. Limitation of Liability

    1. Each party’s and all of its Affiliates’ liability taken together in the aggregate arising out of or related to this DPA (including, where applicable, the Standard Contractual Clauses) shall be subject to the exclusions and limitations of liability set forth in the main body of the Agreement.

    2. Any claims against Hebbia or its Affiliates under or in connection with this DPA (including, where applicable, the Standard Contractual Clauses) shall be brought solely by the Customer entity that is a party to the Agreement.

25. Relationship with the Agreement

    1. Unless otherwise agreed by the parties, the parties agree that this DPA shall replace any existing data processing agreement or similar document that the parties may have previously entered into in connection with the Services.

    2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict or inconsistency between this DPA and the Agreement, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement.

    3. This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless otherwise required by Applicable Data Protection Laws.

Annex I

Data Processing Description

This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

A. LIST OF PARTIES

Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]

В. DETAILS OF PROCESSING

Nature and Purpose of Processing: Company will process Customer’s Personal Data as necessary to provide the Services under the Agreement, for the purposes specified in the Agreement and this DPA, and in accordance with Customer’s instructions as set forth in this DPA.

The nature of processing includes, without limitation:

• Receiving data, including collection, accessing, retrieval, recording, and data entry
• Protecting data, including restricting, encrypting, and security testing
• Holding data, including storage, organization, and structuring
• Erasing data, including destruction and deletion
• Analyzing data, including product usage assessment
• Sharing data, including disclosure to Sub-Processors as permitted in this DPA

Duration of Processing: Company will process Customer’s Personal Data as long as required (i) to provide the Services to Customer under the Agreement; (ii) for Company’s legitimate business needs; or (iii) by applicable law or regulation. Company Account Data and Company Usage Data will be processed and stored as set forth in Company’s privacy policy.

Categories of Data Subjects: Customer’s employees, consultants, contractors, and/or agents.

Categories of Personal Data: Company processes Personal Data contained in Company Account Data, Company Usage Data, and any Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services) or collected by Company in order to provide the Services or as otherwise set forth in the Agreement or this DPA. Categories of Personal Data include name, email, job title, username, Company device identifiers (e.g. serial number), IP address for company device, installed applications for company device, background check verification records (at discretion of Controller), security training records.

Sensitive Data or Special Categories of Data: Customers are prohibited from providing sensitive personal data or special categories of data to Company, including without limitation, any data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

C. DESCRIPTION OF TRANSFER

D. COMPETENT SUPERVISORY AUTHORITY

Annex II

Technical and Organizational
Security Measures

Description of the technical and organizational measures implemented by Hebbia.

Annex III

Sub-Processors

Amazon Web Services, Inc.

Auth0

Elastic

Google

OpenAI

Microsoft

Anthropic

Cerebras

Baseten

Groq

Fireworks.ai

Modal

Merge

MongoDB

Reducto

Datadog