Data Processing Addendum

Last Updated: 07.11.2019

This agreement governs the processing of personal data that the Customer provides to Hala in connection with the Agreement.


  • “Agreement” means Hala’s Terms of Use, which govern the provision of the Services to Customer, as such terms may be updated by Hala from time to time.
  • “Customer Data” means any Personal Data that Hala processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
  • “Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
  • “Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.
  • “Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
  • “EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
  • “Personal Data” means any information relating to an identified or identifiable natural person.
  • “Data Subject” means a natural person, whose Personal Data is processed under this Agreement.
  • “Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
  • “Security Incident” means a high-risk breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data transmitted, stored or otherwise processed.
  • “Services” means any product or service provided by Hala to Customer pursuant to the Agreement.
  • “Sub-processor” means any Data Processor engaged by Hala to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
  • “Supervisory Authority” means Estonian Data Inspectorate.

2. Relationship with the Agreement

2.1 The parties agree that DPA shall replace any existing DPA the parties may have previously entered in connection with the Services.

2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.

2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

2.4 Any claims against Hala under this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by Hala in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Hala’s liability under the Agreement as if it were the liability of the Customer under the Agreement.

2.5 No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.

2.6 As between Hala and Customer, Customer is the Data Controller of Customer Data, and Hala shall process Customer Data only as a Data Processor acting on behalf of Customer.

3. Customer obligations

Customer agrees to:

3.1 Provide instructions to Hala and determine the purposes and general means of Hala’s processing of Customer Personal Data in accordance with the Agreement.

3.2 Comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Hala.

3.3 Provide notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Hala to process Customer Data and provide the Services pursuant to the Agreement and this DPA.

3.4 Comply with its protection, security and other obligations with respect to Customer Personal Data prescribed by Data Protection Requirements for data controllers by: (a) establishing and maintaining a procedure for the exercise of the rights of the individuals whose Customer Personal Data are processed on behalf of Customer; (b) processing only data that has been lawfully and validly collected and ensuring that such data will be relevant and proportionate to the respective uses; and (c) ensuring compliance with the provisions of this Agreement by its personnel or by any third-party accessing or using Customer Personal Data on its behalf.

3.5 Customer acknowledges that in connection with the performance of the Services, Hala employs the use of cookies, unique identifiers, web beacons and similar tracking technologies (“Tracking Technologies”). Customer shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as are required by Data Protection Laws to enable Hala to deploy Tracking Technologies lawfully on, and collect data from, the devices of Data Subjects in accordance with and as described in the Hala Cookie Statement.

4. Hala obligations

4.1 Processing Requirements. Hala shall:

a. Process Customer Personal Data (i) only for the purpose of providing, supporting and improving Hala’s services, using appropriate technical and organizational security measures; and (ii) in compliance with the instructions received from Customer. Hala will promptly inform Customer if it cannot comply with the requirements under this DPA, in which case Customer may terminate the Agreement or take any other reasonable action, including suspending data processing operations;
b. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Hala in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Hala;
c. Inform Customer promptly if, in Hala’s opinion, an instruction from Customer violates applicable Data Protection Requirements;
d. Take commercially reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged to perform on Hala’s behalf comply with the terms of the Agreement;
e. Ensure that its employees, authorized agents and any Sub-processors are required to comply with and acknowledge and respect the confidentiality of the Customer Personal Data, including after the end of their respective employment, contract or assignment;
f. Upon request, provide Customer with a summary of Hala’s privacy and security policies; and
g. Inform Customer if Hala undertakes an independent security review.

4.2 Notice to Customer. Hala will inform Customer if Hala becomes aware of:

a. Any non-compliance by Hala or its employees with this DPA relating to the protection of Customer Personal Data processed under this DPA;
b. Any legally binding request for disclosure of Customer Personal Data by a law enforcement authority, unless Hala is otherwise forbidden by law to inform Customer, for example to preserve the confidentiality of an investigation by law enforcement authorities;
c. Any notice, inquiry or investigation by a Supervisory Authority with respect to Customer Personal Data; or
d. Any complaint or request (in particular, requests for access to, rectification or blocking of Customer Personal Data) received directly from Data Subjects of Customer. Hala will not respond to any such request without Customer’s prior written authorization.

4.3 Assistance to Customer. Hala will provide reasonable assistance to Customer regarding:

a. Any requests from Customer Data Subjects in respect of access to or the rectification, erasure, restriction, portability, blocking or deletion of Customer Personal Data that Hala processes for Customer. In the event that a Data Subject sends such a request directly to Hala, Hala will promptly send such request to Customer;
b. The investigation of Security Incident and the notification to the Supervisory Authority and Customer’s Data Subjects regarding such Personal Data Breaches; and
c. Where appropriate, the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.

4.4 Hala agrees to process Personal Data received under the Agreement only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Data processed are described in Annex C to this DPA.

5. Sub-processing

5.1 Authorized Sub-processors. Customer agrees that Hala may engage Sub-processors to process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Hala and authorized by Customer are listed in Annex A.

5.2 Sub-processor Obligations. Hala shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Hala to breach any of its obligations under this DPA.

6. Security

6.1 Security Measures. Hala shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data, in accordance with Hala’s security standards described in Annex B (“Security Measures”).

6.2 Updates to Security Measures. Customer is responsible for reviewing the information made available by Hala relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Hala may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

6.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

7. Security Reports, Audits and Liability

7.1 Hala shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that are necessary to confirm Hala’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year.

7.2 Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which Hala processes Customer Personal Data in order to ascertain or monitor Customer’s compliance with EU Data Protection Law, Hala will cooperate with such audit. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Hala expends for any such audit, in addition to the rates for services performed by Hala.

7.3 The parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations is entitled to receive compensation from the Customer for the damage suffered.

8. Additional Security

8.1 Confidentiality of processing. Hala shall ensure that any person who is authorized by Hala to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

8.2 Security Incident Response. Upon becoming aware of a Security Incident, Hala shall notify Customer within 48 hours and shall provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.

9. Changes to Sub-processors

9.1 Hala shall (i) provide an up-to-date list of the Sub-processors it has appointed upon written request from Customer; and (ii) notify Customer (for which email shall suffice) if it adds or removes Sub-processors at least 10 days prior to any such changes.

9.2 Customer may object in writing to Hala’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

10. Return or Deletion of Data

10.1 Upon termination or expiration of the Agreement, Hala shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, this requirement shall not apply to the extent Hala is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Hala shall securely isolate and protect from any further processing, except to the extent required by applicable law.

11. Cooperation

11.1 In the event that a Data Subject or Supervisory Authority made a request relating to the processing of Personal Data under the Agreement to Hala. Hala shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Hala is required to respond to such a request, Hala shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

11.2 If a Supervisory Authority or law enforcement agency sends Hala a demand for Customer Data (for example, through a subpoena or court order), Hala shall attempt to redirect the Supervisory Authority or law enforcement agency to request that data directly from Customer. As part of this effort, Hala may provide Customer’s basic contact information to the Supervisory Authority or law enforcement agency. If compelled to disclose Customer Data to Supervisory Authority or law enforcement agency, then Hala shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Hala is legally prohibited from doing so.

11.3 To the extent Hala is required under EU Data Protection Law, Hala shall (at Customer’s expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

12. Term

12.1 This DPA shall remain in effect as long as Hala carries out Personal Data processing operations on behalf of Customer or until the termination of the Agreement (and all Personal Data has been returned or deleted in accordance with this DPA).

13. Governing law, jurisdiction, and venue

13.1 Notwithstanding anything in the Agreement to the contrary, this DPA shall be governed by the laws of Republic of Estonia, and any action or proceeding related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Harju County Court, Estonia.

Annex A - List of Hala Sub-processors

Hala uses third-party Sub-processors to assist it in providing the Services (as described in the Agreement). These Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; artificial intelligence technologies; assist in providing customer support; as well as incident tracking, response, diagnosis and resolution services.

Amazon Web Services (Washington, USA) Google (California, USA) Slack (California, USA) IBM (New York, USA) Atlassian (California, USA) HubSpot (Massachusetts, USA) Mailchimp (Atlanta, USA)

Annex B – Security Measures

Description of the technical and organizational security measures implemented by Hala.

  • Hala uses SSL encryption to encrypt all data transferred to and from and
  • All source code is automatically tested for vulnerabilities relating to Auth, Cross-Site Request Forgery (CSRF), command injection, cryptography, denial of service (DOS), file access, HTTP, SQL injection, SSL, XSS, and more before being deployed onto our production environment.
  • We enforce a strict password policy and use 2FA (two-factor authentication) for server access
  • We limit access to the production server and database to a small number of people and locations.

Annex C- description of the transfer

  1. Data Subjects. The personal data transferred concern the following categories of Data Subjects:

Any individual accessing and/or using the Services through the Customer’s account and any individual: whose email address is included in the Customer’s Distribution List and whose information is stored on or collected via the Services, or to whom Data Subjects send emails or otherwise engage or communicate with via the Services.

  1. Purposes of the Transfer. The transfer is made for the following purposes.

The transfer is intended to enable the Customer to do the following:

The purpose of the data processing is the provision of the Services to the Customer and the performance of Hala’s obligations under the Agreement and to use the Service Hala provides as an AI platform for the automation of IT and Business processes and other related services.

  1. Categories of Data. The personal data transferred concern the following categories of data.

Data Subjects: identification and contact data (name, email address, title, contact details, username in enterprise software); employment details (employer, job title, geographic location, area of responsibility); IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data).

  1. Recipients. The personal data transferred may be disclosed only to the following recipients or categories of recipients:

Employees and other representatives of Hala, who have a legitimate business purpose for the processing of such personal data.

  1. Additional Useful Information (storage limits and other relevant information).

The list of Sub-processors is provided in Annex A.