Data Processing Addendum (GDPR)

Version 2026.1

This Data Processing Addendum ("DPA") forms part of and is incorporated into the applicable Master Service Agreement, Terms of Service, Subscription Agreement, Order Form, or other written agreement (collectively, the "Agreement") entered into between Hyperzod Technologies Private Limited, a company incorporated under the laws of India with its registered office at 58, S.C. Mahanagar, Lucknow, Uttar Pradesh 226006, India ("Hyperzod", "Processor"), and the entity purchasing or using the Hyperzod Services ("Customer", "Controller").

This DPA governs the Processing of Personal Data by Hyperzod on behalf of the Customer in connection with the Services and is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR where applicable, and other applicable data protection laws.

If there is any conflict between this DPA and the Agreement with respect to the Processing of Personal Data, the provisions of this DPA shall prevail to the extent of such conflict.

1. Definitions

For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings assigned to them in the Agreement.

Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with a party.

Applicable Data Protection Law means all laws and regulations applicable to the Processing of Personal Data under this DPA, including where applicable:

  • Regulation (EU) 2016/679 (General Data Protection Regulation);
  • the UK GDPR;
  • the UK Data Protection Act 2018;
  • the Swiss Federal Act on Data Protection (where applicable); and
  • any legislation implementing or supplementing the foregoing.

Controller means the entity which determines the purposes and means of Processing Personal Data.

Processor means the entity which Processes Personal Data on behalf of the Controller.

Customer Data means any information submitted to, stored within, transmitted through, or otherwise Processed by the Hyperzod Services on behalf of the Customer.

Data Subject means an identified or identifiable natural person whose Personal Data is Processed.

Personal Data means any information relating to an identified or identifiable natural person as defined under Applicable Data Protection Law.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

Processing, Process, and Processed shall have the meanings assigned under Applicable Data Protection Law and include any operation performed on Personal Data, whether or not by automated means.

Services means the software, applications, websites, APIs, support services, and related offerings provided by Hyperzod under the Agreement.

Subprocessor means any third party appointed by Hyperzod to Process Personal Data on behalf of the Customer for the purpose of providing the Services.

2. Scope of this DPA

This DPA applies whenever Hyperzod Processes Personal Data on behalf of the Customer in connection with the Services.

The Services covered by this DPA include, as applicable:

  • Hyperzod Ordering Website
  • Hyperzod Customer Applications
  • Hyperzod Merchant Applications
  • Hyperzod Driver Applications
  • Hyperzod Admin Panel
  • Autozod Dispatch Platform
  • Hyperzod APIs
  • Customer Support Services
  • Professional and implementation services related to the platform

This DPA does not apply where Hyperzod acts as an independent Controller for its own business operations, including:

  • administration of its own employees and contractors;
  • financial accounting and taxation;
  • fraud prevention;
  • legal compliance;
  • corporate governance;
  • maintaining security of its own infrastructure; or
  • communications relating to the administration of the Customer's account.

3. Roles of the Parties

The Parties acknowledge and agree that:

(a) The Customer acts as the Controller of Personal Data Processed through the Services.

(b) Hyperzod acts solely as a Processor with respect to such Personal Data.

(c) The Customer is responsible for determining:

  • the lawful basis for Processing;
  • the categories of Personal Data collected;
  • the purposes of Processing;
  • the categories of Data Subjects;
  • compliance with applicable privacy laws; and
  • providing all required privacy notices and obtaining any required consents.

(d) Hyperzod shall Process Personal Data only on behalf of and in accordance with the documented instructions of the Customer unless otherwise required by Applicable Law.

(e) Nothing in this DPA transfers ownership of Customer Data to Hyperzod.

(f) Hyperzod shall not sell, rent, disclose, or otherwise commercialize Customer Personal Data for its own independent purposes.

(g) The Customer is solely responsible for the accuracy, quality, legality, and means by which it acquires and provides Customer Personal Data to Hyperzod.

4. Processing Activities

The details relating to the Processing of Personal Data carried out by Hyperzod are set out in Appendix A, which forms an integral part of this Data Processing Addendum.

5. Confidentiality

5.1 Confidentiality Obligation

Hyperzod shall ensure that all personnel, employees, contractors, consultants, and authorized agents who Process Personal Data are subject to appropriate confidentiality obligations, whether by contract or under applicable law.

5.2 Authorized Access

Hyperzod shall limit access to Personal Data solely to individuals who require such access for the purpose of providing, maintaining, supporting, securing, or improving the Services in accordance with the Customer's documented instructions.

5.3 Training and Awareness

Hyperzod shall maintain appropriate internal policies and provide periodic security and privacy awareness training to personnel with access to Customer Personal Data.

5.4 Continuing Obligation

The confidentiality obligations described in this DPA shall survive termination of employment, contractual engagement, and this DPA.

6. Technical and Organisational Security Measures

6.1 Hyperzod shall implement and maintain appropriate technical and organisational measures as described in Appendix B.

7. Assistance to the Customer

7.1 Data Subject Requests

Taking into account the nature of the Processing, Hyperzod shall provide commercially reasonable assistance to the Customer, through appropriate technical and organisational measures where feasible, to enable the Customer to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law.

Such requests may include rights relating to:

  • access;
  • rectification;
  • erasure;
  • restriction of Processing;
  • data portability;
  • objection to Processing; and
  • other rights available under Applicable Data Protection Law.

7.2 Direct Requests

Unless prohibited by law, if Hyperzod receives a request directly from a Data Subject relating to Customer Personal Data, Hyperzod shall:

  • promptly notify the Customer;
  • refrain from responding directly except where required by law; and
  • provide commercially reasonable assistance to the Customer in responding to such request.

7.3 Regulatory Enquiries

Where Hyperzod receives an enquiry, investigation, or request from a supervisory authority relating specifically to Customer Personal Data, Hyperzod shall, unless legally prohibited, promptly inform the Customer and provide reasonable cooperation.

8. Personal Data Breaches

8.1 Incident Response

Hyperzod shall maintain appropriate incident detection, response, investigation, containment, remediation, and recovery procedures designed to identify and respond to Personal Data Breaches.

8.2 Notification

In the event Hyperzod becomes aware of a Personal Data Breach affecting Customer Personal Data, Hyperzod shall notify the Customer without undue delay and, where practicable, no later than seventy-two (72) hours after becoming aware of the breach where notification is required under Applicable Data Protection Law.

8.3 Contents of Notification

To the extent information is reasonably available, the notification shall include:

  • a description of the nature of the breach;
  • the categories and approximate number of affected Data Subjects;
  • the categories and approximate volume of Personal Data affected;
  • the likely consequences of the breach;
  • measures taken or proposed to mitigate the breach;
  • contact information for further communications.

8.4 Ongoing Cooperation

Where all relevant information is not immediately available, Hyperzod may provide information in phases as it becomes available.

Hyperzod shall reasonably cooperate with the Customer in investigating the incident and meeting any applicable legal obligations.

8.5 No Admission of Liability

Notification of a Personal Data Breach under this DPA shall not constitute an admission of fault or liability by Hyperzod.

9. Subprocessors

9.1 General Authorization

The Customer grants Hyperzod a general authorization to engage Subprocessors necessary for the provision of the Services.

9.2 Current Authorized Subprocessors

The Subprocessors authorized by Hyperzod as of the Effective Date are listed in Appendix C, which forms part of this DPA.

9.3 Subprocessor Obligations

Hyperzod shall ensure that each Subprocessor engaged to Process Customer Personal Data is subject to contractual obligations providing an appropriate level of protection substantially similar to those set forth in this DPA.

9.4 Changes to Subprocessors

Hyperzod may replace or appoint additional Subprocessors from time to time where reasonably necessary for the operation of the Services.

Hyperzod shall maintain an up-to-date list of authorized Subprocessors.

10. International Transfers

10.1 Hosting Location

Customer production data is primarily hosted within Amazon Web Services infrastructure located in the Europe (London) Region (United Kingdom).

10.2 Cross-Border Processing

Certain authorized Subprocessors may Process limited Customer Personal Data outside the European Economic Area or the United Kingdom where necessary for providing the Services.

10.3 Transfer Mechanisms

Where Personal Data is transferred internationally, Hyperzod shall implement appropriate safeguards required under Applicable Data Protection Law.

Such safeguards may include, where applicable:

  • adequacy decisions issued by competent authorities;
  • the European Commission's Standard Contractual Clauses;
  • the UK International Data Transfer Addendum;
  • or other lawful transfer mechanisms recognized under Applicable Data Protection Law.

10.4 AI Service Providers

Where the Customer enables AI-powered functionality provided through the Services, Hyperzod may engage third-party AI service providers, including those identified as authorized Subprocessors, solely for the purpose of providing the requested AI functionality.

Hyperzod shall not disclose Customer Personal Data to such providers except as necessary to deliver the requested feature, solely for the purpose of providing the AI functionality requested or enabled by the Customer, maintain and support the requested AI functionality, or as otherwise instructed by the Customer or required by law.

Certain AI Subprocessors may process Customer Personal Data solely as necessary to provide AI-enabled functionality requested or configured by the Customer and in accordance with their applicable data processing commitments.

10.5 Data Minimization

Hyperzod shall make commercially reasonable efforts to limit the Personal Data disclosed to Subprocessors to that which is necessary for the relevant Processing activity.

11. Compliance Assistance

Upon reasonable written request and taking into account the nature of the Processing and information available to Hyperzod, Hyperzod shall provide commercially reasonable assistance to the Customer in fulfilling its obligations relating to:

  • data protection impact assessments;
  • prior consultation with supervisory authorities;
  • implementation of appropriate security measures;
  • demonstrating compliance with Applicable Data Protection Law;
  • regulatory investigations relating to Customer Personal Data.

Such assistance may be subject to reasonable reimbursement where the request requires material additional effort beyond Hyperzod's standard obligations under the Agreement.

12. Compliance Information and Audit Rights

12.1 Demonstration of Compliance

Hyperzod shall maintain appropriate records, policies, procedures, and documentation reasonably necessary to demonstrate its compliance with this Data Processing Addendum and Applicable Data Protection Law.

Upon reasonable written request, Hyperzod shall make available information reasonably necessary to demonstrate compliance with its obligations as a Processor under Applicable Data Protection Law.

Such information may include, where appropriate:

  • security policies and procedures;
  • descriptions of technical and organizational security measures;
  • responses to reasonable security questionnaires;
  • summaries of independent security assessments or penetration testing, where available;
  • compliance documentation; and
  • other information reasonably necessary to demonstrate compliance.

Hyperzod shall not be required to disclose any information that, in its reasonable opinion:

  • would compromise the security, confidentiality, integrity, or availability of the Services;
  • would disclose confidential information relating to other customers;
  • would reveal trade secrets, proprietary information, or intellectual property;
  • would expose vulnerabilities or security-sensitive information; or
  • is otherwise protected from disclosure under applicable law or contractual obligations.

12.2 Alternative Means of Demonstrating Compliance

The Customer acknowledges that Hyperzod may satisfy its obligations under this Section by providing existing documentation, independent assessments, security reports, certifications (where available), policies, or other compliance materials reasonably demonstrating Hyperzod's compliance with this DPA.

The Customer agrees to review such documentation before requesting any further audit activities.

12.3 Audit Requests

Where the information provided under Sections 12.1 and 12.2 is reasonably insufficient to demonstrate Hyperzod's compliance with this DPA, the Customer may submit a written request identifying:

  • the specific compliance concern;
  • the Processing activities to be reviewed; and
  • the reasons why the information already provided is insufficient.

Hyperzod shall consider such requests in good faith and provide commercially reasonable assistance where required under Applicable Data Protection Law.

12.4 On-Site Audits

On-site audits shall not be conducted as a routine compliance mechanism.

An on-site audit may only occur where:

  • required by Applicable Data Protection Law;
  • required by a competent supervisory authority;
  • required pursuant to a legally binding order of a governmental authority; or
  • Hyperzod expressly agrees in writing that an on-site audit is reasonably necessary after alternative means of demonstrating compliance have proven insufficient.

Where an on-site audit is permitted:

  • the Customer shall provide at least thirty (30) days' prior written notice;
  • the audit shall be limited solely to matters relevant to the Processing of Customer Personal Data;
  • the audit shall occur during normal business hours;
  • the audit shall not unreasonably interfere with Hyperzod's business operations;
  • the audit shall not exceed one (1) audit during any twelve (12) month period unless otherwise required by Applicable Data Protection Law.

Hyperzod may implement reasonable measures necessary to protect its facilities, systems, personnel, confidential information, trade secrets, intellectual property, and the data of other customers during any audit.

12.5 Independent Auditors

Any third-party auditor engaged by the Customer shall:

  • possess appropriate professional qualifications and experience;
  • not be a direct competitor of Hyperzod;
  • be bound by written confidentiality obligations acceptable to Hyperzod before commencing any audit activities.

The Customer shall remain responsible for the acts and omissions of any auditor acting on its behalf.

12.6 Confidentiality of Audit Materials

All documentation, reports, policies, procedures, security information, audit findings, and other materials disclosed by Hyperzod in connection with this Section shall constitute Hyperzod's Confidential Information.

Such information shall be used solely for evaluating Hyperzod's compliance with this DPA and shall not be disclosed to any third party except where required by Applicable Data Protection Law.

12.7 Costs

Each party shall bear its own ordinary costs associated with any audit or compliance review.

Where the Customer requests additional audits, extensive security reviews, customized compliance documentation, or assistance materially exceeding Hyperzod's standard obligations under this DPA or the Agreement, Hyperzod may charge its reasonable costs incurred in responding to such requests. Hyperzod shall notify the Customer of any applicable charges in advance.

12.8 No Expansion of Rights

Nothing in this Section shall require Hyperzod to:

  • disclose proprietary software, source code, or algorithms;
  • provide unrestricted access to production systems or infrastructure;
  • disclose information relating to other customers;
  • weaken or bypass security controls;
  • provide information that would reasonably compromise the security of the Services; or
  • disclose information beyond what is required under Applicable Data Protection Law.

13. Return and Deletion of Personal Data

13.1 Customer Request

Upon termination or expiration of the Agreement, the Customer may request:

  • return of Customer Personal Data; or
  • secure deletion of Customer Personal Data.

13.2 Retention Period

Unless otherwise agreed in writing:

  • Customer production data shall remain available for retrieval for up to ninety (90) days following termination of the Agreement;
  • backup copies containing Customer Personal Data may be retained for up to ninety (90) days before being securely overwritten in accordance with Hyperzod's backup retention schedule.

13.3 Permanent Deletion

Following expiration of the applicable retention period, Hyperzod shall securely delete or render inaccessible Customer Personal Data unless continued retention is required by Applicable Law.

13.4 Legal Retention

Nothing in this DPA shall require Hyperzod to delete Personal Data where continued retention is required to:

  • comply with applicable law;
  • resolve disputes;
  • establish, exercise, or defend legal claims;
  • maintain system integrity and security;
  • preserve backup media pending scheduled deletion.

14. Liability

14.1 Application of Agreement

Except as expressly provided in this DPA, the liability of each party arising out of or relating to this DPA shall be governed by the liability limitations, exclusions, and remedies contained in the Agreement.

14.2 No Expansion of Liability

Nothing in this DPA shall be construed as expanding either party's liability beyond that agreed under the Agreement except where such limitation is prohibited under Applicable Law.

14.3 Regulatory Liability

Each party shall remain responsible for complying with its respective obligations under Applicable Data Protection Law.

The Customer remains responsible for determining the lawful basis for Processing Personal Data and ensuring that appropriate notices, consents, and permissions have been obtained where required.

Hyperzod remains responsible for Processing Personal Data in accordance with the Customer's documented instructions and the obligations applicable to Processors under Applicable Data Protection Law.

15. Term and Termination

15.1 Effective Date

This DPA shall become effective on the Effective Date of the Agreement or the date Personal Data is first Processed by Hyperzod on behalf of the Customer, whichever occurs first.

15.2 Duration

This DPA shall remain in force for as long as Hyperzod Processes Personal Data on behalf of the Customer.

15.3 Survival

The provisions relating to:

  • confidentiality;
  • liability;
  • deletion and return of Personal Data;
  • audit rights;
  • dispute resolution; and
  • any other provision intended by its nature to survive,

shall survive termination of this DPA.

16. Miscellaneous

16.1 Order of Precedence

In the event of any inconsistency between:

  1. this DPA; and
  2. the Agreement,

this DPA shall prevail solely with respect to matters concerning the Processing of Personal Data.

16.2 Amendments

Hyperzod may amend this DPA where reasonably necessary to:

  • comply with changes in Applicable Data Protection Law;
  • reflect changes in the Services;
  • update security practices;
  • update Subprocessors; or
  • address regulatory guidance.

Material amendments shall become effective upon reasonable prior notice to the Customer in accordance with the Agreement.

If the Customer reasonably believes that a material amendment would adversely affect its compliance obligations under Applicable Data Protection Law, the Customer may notify Hyperzod in writing. The parties shall work in good faith to address the concern.

16.3 Severability

If any provision of this DPA is determined to be invalid or unenforceable by a court of competent jurisdiction, the remaining provisions shall continue in full force and effect.

The invalid provision shall be replaced by a valid provision that most closely reflects the parties' original intent.

16.4 No Waiver

Failure by either party to enforce any provision of this DPA shall not constitute a waiver of that provision or any other rights.

16.5 Governing Law

This DPA shall be governed by the governing law specified in the Agreement.

Where Applicable Data Protection Law requires the application of mandatory provisions of another jurisdiction, those mandatory provisions shall apply solely to the extent required by law.

16.6 Entire Agreement

This DPA, together with the Agreement and any documents expressly incorporated by reference, constitutes the entire agreement between the parties regarding the Processing of Personal Data.

16.7 Notices

Any notices relating to this DPA shall be provided in accordance with the notice provisions of the Agreement.

Privacy-related enquiries may additionally be directed to:

Hyperzod Technologies Private Limited
58, S.C. Mahanagar
Lucknow, Uttar Pradesh 226006
India

Email: deployment@hyperzod.com

16.8 No Third-Party Beneficiaries

Except as expressly provided under Applicable Data Protection Law, this DPA does not create any rights for any third party.

17. Incorporation and Acceptance

17.1 Incorporation

This Data Processing Addendum forms part of and is incorporated into the Agreement between Hyperzod Technologies Private Limited and the Customer.

17.2 Acceptance

This Data Processing Addendum becomes effective automatically upon the Customer's acceptance of the Agreement through electronic acceptance, clickwrap, order form, subscription process, or any other legally recognized method of acceptance, and remains effective for so long as Hyperzod processes Customer Personal Data on the Customer's behalf.

17.3 Authority

The individual accepting the Agreement on behalf of the Customer represents and warrants that they have the legal authority to bind the Customer to this Data Processing Addendum.

17.4 Electronic Records

The parties agree that electronic acceptance of the Agreement, including acceptance through Hyperzod's website, applications, customer portal, or other electronic means, constitutes a legally binding agreement and shall have the same force and effect as execution by handwritten signature.

17.5 Updates

Where permitted under the Agreement and Applicable Data Protection Law, Hyperzod may update this Data Processing Addendum from time to time to reflect changes in applicable laws, regulatory guidance, the Services, security practices, or Subprocessors. Updated versions will be made available on Hyperzod's website or through the Customer's account, and shall become effective in accordance with the notice provisions set out in the Agreement.

APPENDIX A

DETAILS OF PROCESSING

This Appendix forms part of the Hyperzod Data Processing Addendum.

1. Subject Matter of Processing

Hyperzod Technologies Private Limited ("Hyperzod") provides a cloud-based Software-as-a-Service (SaaS) platform enabling businesses to operate digital commerce, hyperlocal commerce, marketplace, ordering, merchant management, dispatch, logistics, delivery management, customer engagement, and related services.

Hyperzod Processes Personal Data solely for the purpose of providing the Services to the Customer in accordance with the Agreement and this Data Processing Addendum.

2. Duration of Processing

Hyperzod shall Process Personal Data for the duration of the Agreement.

Following termination or expiration of the Agreement:

  • Customer production data may remain available for retrieval for up to ninety (90) days.
  • Backup copies may be retained for up to ninety (90) days as part of Hyperzod's standard backup rotation procedures.
  • Upon expiration of the applicable retention periods, Customer Personal Data shall be securely deleted or rendered inaccessible unless continued retention is required by Applicable Law.

3. Nature of Processing

Depending on the Customer's use of the Services, Processing activities may include:

  • collection;
  • recording;
  • organization;
  • structuring;
  • storage;
  • hosting;
  • retrieval;
  • consultation;
  • transmission;
  • synchronization;
  • disclosure by transmission where instructed by the Customer;
  • analysis;
  • use;
  • restriction;
  • anonymization where appropriate; and
  • deletion or destruction.

4. Purpose of Processing

Hyperzod Processes Personal Data solely for the purpose of providing and supporting the Services, including:

  • operating Customer storefronts;
  • operating Customer mobile applications;
  • merchant management;
  • driver management;
  • order processing;
  • dispatch management;
  • delivery tracking;
  • route optimization;
  • transactional communications;
  • customer support;
  • platform administration;
  • fraud prevention;
  • security monitoring;
  • infrastructure monitoring;
  • operational analytics;
  • service maintenance;
  • optional AI-powered functionality enabled by or configured for the Customer.

Hyperzod does not Process Customer Personal Data for independent marketing purposes or sell Customer Personal Data.

5. Categories of Data Subjects

Depending upon the Services used by the Customer, Personal Data may relate to:

  • End Customers;
  • Merchants and Merchant Representatives;
  • Delivery Drivers, Riders, or Fleet Personnel;
  • Customer-authorized Platform Users;
  • Recipients of transactional communications initiated by the Customer.

6. Categories of Personal Data

End Customers

  • Name
  • Email address
  • Telephone number
  • Delivery address
  • Billing address
  • Order information
  • Order history
  • Payment status (excluding full payment card details)
  • Device identifiers
  • IP address
  • Location data where required
  • Communication preferences

Merchants

  • Business name
  • Contact information
  • Store address
  • Settlement information where applicable
  • Product catalogue information
  • Store operational information

Drivers

  • Name
  • Contact information
  • Vehicle information
  • GPS location during active deliveries
  • Delivery history
  • Earnings information
  • Performance information

Customer-authorized Platform Users

  • Name
  • Business email address
  • Telephone number
  • User role
  • Permissions
  • Authentication credentials
  • Activity logs

7. Special Categories of Personal Data

Hyperzod does not intentionally require or Process Special Categories of Personal Data.

The Customer shall not submit Special Categories of Personal Data unless such Processing is expressly agreed in writing between the parties and appropriate safeguards have been implemented.

8. Processing Instructions

The Agreement, this Data Processing Addendum, and any documented written instructions issued by the Customer constitute the Customer's complete Processing instructions.

Hyperzod shall Process Personal Data only in accordance with those documented instructions unless otherwise required by Applicable Law.

APPENDIX B

TECHNICAL AND ORGANISATIONAL SECURITY MEASURES

This Appendix describes the technical and organisational measures implemented by Hyperzod to protect Customer Personal Data.

The measures described below represent Hyperzod's security practices as of the Effective Date.

Hyperzod may modify or enhance these measures from time to time provided that such modifications do not materially reduce the overall level of security provided to Customer Personal Data.

1. Information Security Program

Hyperzod maintains an information security program designed to protect the confidentiality, integrity, and availability of Customer Personal Data based on industry-standard security practices and the nature of the Services.

Hyperzod periodically reviews the effectiveness of its technical and organisational measures and updates them where appropriate to address evolving security risks.

2. Infrastructure Security

Hyperzod's production infrastructure is primarily hosted within Amazon Web Services (AWS) Europe (London) Region, United Kingdom.

Infrastructure protections include, where applicable:

  • network segmentation;
  • firewall protection;
  • Distributed Denial of Service (DDoS) mitigation;
  • secure DNS services;
  • infrastructure redundancy;
  • high availability architecture where appropriate.

3. Encryption

Hyperzod implements encryption controls including:

  • TLS encryption for data transmitted over public networks;
  • encryption at rest for production data where appropriate;
  • secure cryptographic key management practices.

4. Identity and Access Management

Access to Customer Personal Data is restricted based on business need and includes:

  • Role-Based Access Control (RBAC);
  • least-privilege access principles;
  • controlled administrative access;
  • authentication mechanisms for privileged accounts;
  • periodic review of privileged access.

5. Monitoring and Logging

Hyperzod maintains monitoring and logging systems designed to support security, availability, and operational integrity, including:

  • centralized logging;
  • infrastructure monitoring;
  • application monitoring;
  • error monitoring;
  • security monitoring;
  • audit logging;
  • operational alerting.

6. Backup and Business Continuity

Hyperzod maintains business continuity measures including:

  • daily backups;
  • disaster recovery procedures;
  • backup retention for up to ninety (90) days;
  • periodic restoration testing where appropriate.

7. Secure Development

Hyperzod maintains secure software development practices including:

  • secure software development lifecycle processes;
  • code review procedures;
  • vulnerability scanning;
  • security patch management;
  • periodic penetration testing.

8. Personnel Security

Hyperzod maintains personnel security measures including:

  • confidentiality obligations;
  • controlled access to Customer Personal Data;
  • security awareness and training appropriate to personnel responsibilities.

9. Incident Response

Hyperzod maintains documented procedures designed to:

  • identify security incidents;
  • investigate suspected incidents;
  • contain security events;
  • remediate vulnerabilities;
  • recover affected systems;
  • notify Customers of Personal Data Breaches in accordance with the Data Processing Addendum.

10. Data Minimization

Hyperzod endeavors to Process only the Personal Data reasonably necessary to provide the Services requested by the Customer.

11. Continuous Improvement

Hyperzod regularly reviews and updates its security controls to address evolving technology, operational requirements, emerging threats, and changes in Applicable Data Protection Law.

Nothing in this Appendix shall require Hyperzod to disclose confidential security information, proprietary security architecture, or information that could reasonably compromise the security of the Services.

Hyperzod may implement alternative security controls that provide an equivalent or greater level of protection.

APPENDIX C

AUTHORIZED SUBPROCESSORS

This Appendix identifies the Subprocessors authorized by Hyperzod to Process Customer Personal Data in connection with the Services.

Hyperzod may engage additional or replacement Subprocessors from time to time where reasonably necessary for the operation, maintenance, security, support, or improvement of the Services.

Hyperzod remains responsible for ensuring that each Subprocessor engaged to Process Customer Personal Data is subject to contractual obligations requiring appropriate confidentiality, security, and data protection measures consistent with Applicable Data Protection Law.

The most current version of this Subprocessor List shall be maintained by Hyperzod and made available through Hyperzod's website or another appropriate communication channel.

Hyperzod may add, remove, or replace Subprocessors from time to time as reasonably necessary to provide, maintain, support, secure, or improve the Services.

The latest version of this Appendix shall supersede previous versions.

SubprocessorPurpose
Amazon Web Services (AWS)Cloud infrastructure and hosting
MongoDBManaged database services
RedisDistributed caching
ClickHouseAnalytics database
CloudflareContent delivery network (CDN), DDoS protection, and network security
Amazon Route 53DNS management
SentryError monitoring and diagnostics
GrafanaInfrastructure monitoring and observability
IntercomCustomer support platform and customer communications
SendGridTransactional email delivery
OpenAIAI-powered functionality enabled by or configured for the Customer
Google GeminiAI-powered functionality enabled by or configured for the Customer
GroqAI inference services supporting Customer-enabled AI functionality
Mistral AIAI inference services supporting Customer-enabled AI functionality