Data Processing Addendum (DPA)

Effective date: July 1, 2026
Last updated: July 1, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Hoppflow ("Hoppflow", "Processor") and the customer ("Customer", "Controller") for the use of the Services (the "Agreement"). It applies where Hoppflow processes Personal Data on the Customer's behalf and where data protection law (including the EU GDPR, UK GDPR, and the CCPA/CPRA) applies.

Current status. Hoppflow is in pre-launch and is not yet processing Customer Personal Data through a live application. This DPA sets out the terms that will apply once Hoppflow processes Customer Personal Data on a Customer's behalf; the security measures, sub-processor details, and transfer mechanisms below will be completed and in force before that processing begins.

1. Definitions

Terms such as "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Supervisory Authority" have the meanings in the GDPR. "Customer Personal Data" means Personal Data within Customer Data that Hoppflow processes on the Customer's behalf. "Data Protection Laws" means all applicable privacy and data protection laws.

2. Roles and scope

  • The Customer is the Controller (or a processor acting for another controller) of Customer Personal Data; Hoppflow is the Processor (or sub-processor).
  • Hoppflow processes Customer Personal Data only to provide the Services and on the Customer's documented instructions, including as set out in the Agreement, this DPA, and the Customer's use of the Services. Hoppflow will inform the Customer if an instruction infringes Data Protection Laws.

3. Processor obligations

Hoppflow will:

  1. Process only on instructions and for the purposes in Annex 1, and not for its own independent purposes; in particular Hoppflow will not sell Customer Personal Data and will not use it to train third-party foundation models.
  2. Confidentiality: ensure personnel authorized to process Customer Personal Data are bound by confidentiality.
  3. Security: implement and maintain the technical and organizational measures in Annex 2, appropriate to the risk.
  4. Sub-processors: the Customer authorizes Hoppflow to engage the sub-processors listed in Annex 3 and others on notice. Hoppflow will impose data protection obligations on sub-processors no less protective than this DPA and remains responsible for their performance. Hoppflow will give advance notice of new sub-processors (by email or via our sub-processor page); the Customer may object on reasonable data protection grounds, and the parties will work in good faith to resolve.
  5. Data subject requests: assist the Customer, by appropriate measures and taking into account the nature of processing, to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). If Hoppflow receives such a request directly, it will refer the data subject to the Customer.
  6. Assistance: assist the Customer with security, breach notification, data protection impact assessments, and prior consultations, taking into account the information available to Hoppflow.
  7. Personal data breach: notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with available details to help the Customer meet its obligations.
  8. Deletion or return: on termination, delete or return Customer Personal Data at the Customer's choice, except where retention is required by law; backups are purged on a rolling schedule.
  9. Audits: make available information necessary to demonstrate compliance and allow for audits or inspections by the Customer or an auditor it mandates, subject to reasonable confidentiality, notice, frequency, and security conditions. Hoppflow may satisfy audit rights through third-party reports or certifications where available.

4. International transfers

Where Hoppflow transfers Customer Personal Data outside the EEA, UK, or other restricted regions, it will use a valid transfer mechanism, including the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, which will be incorporated by reference and completed (including module selection and the required annex details) before any Customer Personal Data is transferred, or another lawful mechanism.

5. CCPA / CPRA (United States)

For Personal Information subject to the CCPA/CPRA, Hoppflow acts as a "service provider". Hoppflow will not: (a) sell or share such Personal Information; (b) retain, use, or disclose it except as necessary to perform the Services or as permitted by the CCPA; or (c) combine it with data from other sources except as permitted. Hoppflow certifies it understands and will comply with these restrictions.

6. Liability

Each party's liability under this DPA is subject to the limitations and exclusions in the Agreement.

7. Term and conflict

This DPA applies for as long as Hoppflow processes Customer Personal Data. If there is a conflict between this DPA and the Agreement on data protection, this DPA controls.


Annex 1: Details of processing

  • Subject matter: provision of the Hoppflow Services.
  • Duration: the term of the Agreement plus any retention period.
  • Nature and purpose: hosting, processing, transmitting, organizing, indexing (including vector embeddings), summarizing, and otherwise processing Customer Data to deliver the Services and the AI/automation features the Customer enables.
  • Types of Personal Data: names, email addresses, profile data, and the content of messages, documents, calendar events, tasks, and other data the Customer chooses to provide or connect.
  • Categories of data subjects: the Customer's personnel, contractors, customers, prospects, and contacts whose data appears in the Workspace.
  • Special categories: none intended; the Customer should not submit special category data unless necessary and lawful.

Annex 2: Technical and organizational measures (TOMs)

As of the availability of the Hoppflow application, Hoppflow will maintain measures including:

  • Encryption of data in transit (TLS) and at rest, including encryption of stored third-party access tokens.
  • Logical tenant isolation between Workspaces.
  • Role-based access control and least-privilege administrative access.
  • Audit logging of significant actions.
  • Secret management separating credentials from application code.
  • Network and application security controls and monitoring.
  • Backup and recovery processes.
  • Personnel confidentiality obligations and security practices.

Annex 3: Sub-processors

Hoppflow will publish and maintain its current sub-processor list and notify customers of changes as described in Section 3(4). As of the effective date, the Hoppflow application is in pre-launch; the operative sub-processor list — covering cloud infrastructure, AI processing, transactional email, and payments — will be completed and made available before the application processes Customer Personal Data. The current sub-processors for the Hoppflow website are listed in our Privacy Policy.


Acceptance

This DPA is accepted electronically when the Customer accepts the Agreement (the Terms of Service) and applies to the extent Hoppflow processes Customer Personal Data on the Customer's behalf.

Notices and data-protection queries under this DPA may be sent to legal@hoppflow.com (copying privacy@hoppflow.com).