Data Processing Agreement
Hemera Intelligence Ltd · Last updated: 7 May 2026 · Version 1.0
Schedule 1 to the HemeraScope Subscription Terms
1. Definitions and interpretation
In this Data Processing Agreement (“DPA”):
- Controller — the Client identified on the Order Form, who determines the purposes and means of processing Client Data.
- Data Protection Officer — Nico Henry (Co-founder & CTO), contactable at data@hemerascope.com.
- Processor — Hemera Intelligence Ltd (“Hemera”), company number 17198795, registered office 167-169 Great Portland Street, London, W1W 5PF, England.
- Data Protection Laws — the UK GDPR (the retained EU law version of the GDPR as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR), each as amended or replaced from time to time.
- Client Data — any personal data that the Controller uploads to, or that is generated within, HemeraScope and that Hemera processes on the Controller's behalf.
- Sub-processor — any third party engaged by Hemera to process Client Data.
- Agreement — the HemeraScope Subscription Terms to which this DPA is a schedule.
Capitalised terms not defined in this DPA have the meaning given in the Agreement. In the event of conflict between this DPA and the Agreement, this DPA prevails to the extent of the conflict on data protection matters.
2. Scope and duration
This DPA applies to all processing of Client Data by Hemera in connection with the Services. It takes effect on the Effective Date of the Agreement and continues until all Client Data has been deleted or returned in accordance with Section 11.
3. Details of processing
| Detail | Description |
|---|---|
| Subject matter | Provision of the HemeraScope carbon accounting, supplier intelligence, and ESG analytics platform. |
| Nature of processing | Collection, storage, organisation, structuring, retrieval, analysis, combination with public registry data, generation of emission estimates and risk scores, reporting, and erasure. |
| Purpose of processing | To deliver the Services described in the Agreement: carbon footprint calculation, supplier risk profiling, benchmarking, and report generation. |
| Types of personal data | Supplier company names and identifiers, transaction descriptions and amounts, spend categories, contact names and emails (where uploaded by the Controller), user account data (name, work email). |
| Categories of data subjects | (a) The Controller's employees and authorised users of HemeraScope; (b) contact persons at the Controller's suppliers (where the Controller uploads such data). |
| Duration | The Subscription Term plus the 30-day data export window described in Section 11. |
4. Controller obligations
The Controller warrants that:
- it has a lawful basis under Data Protection Laws for the processing described in Section 3;
- it has provided all required notices to, and obtained all required consents from, data subjects whose personal data is uploaded to HemeraScope;
- the Client Data does not include special category data (UK GDPR Article 9) or criminal offence data (UK GDPR Article 10) unless the Controller has notified Hemera in writing in advance and the parties have agreed appropriate additional safeguards;
- its instructions to Hemera comply with Data Protection Laws.
5. Processor obligations
Hemera will:
- process Client Data only on the Controller's documented instructions, including with respect to transfers outside the UK, unless required to do so by law — in which case Hemera will inform the Controller before processing unless prohibited by law from doing so;
- ensure that persons authorised to process Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement and maintain the technical and organisational security measures described in Section 7;
- comply with the conditions in Sections 6 and 8 for engaging sub-processors and assisting with data subject rights;
- taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures with the Controller's obligation to respond to data subject requests;
- assist the Controller in ensuring compliance with its obligations under Articles 32–36 of the UK GDPR (security, breach notification, DPIAs, prior consultation), taking into account the nature of processing and the information available to Hemera;
- at the Controller's choice, delete or return all Client Data after the end of the Services in accordance with Section 11;
- make available to the Controller all information necessary to demonstrate compliance with the obligations in UK GDPR Article 28, and allow for and contribute to audits and inspections as described in Section 10.
Hemera will immediately inform the Controller if, in Hemera's opinion, an instruction from the Controller infringes Data Protection Laws.
6. Sub-processors
The Controller provides general written authorisation for Hemera to engage the sub-processors listed on the Sub-processor List.
Before engaging a new sub-processor, Hemera will:
- notify the Controller at least 30 days in advance by email to the address on the Order Form;
- provide the sub-processor's name, processing description, and location;
- give the Controller the opportunity to object on reasonable data protection grounds.
If the Controller objects within 15 days and the parties cannot resolve the objection within a further 15 days, either party may terminate the affected Services on 30 days' written notice without penalty. If the Controller does not object within 15 days, the Controller is deemed to have accepted the new sub-processor.
Hemera will impose on each sub-processor, by way of contract, data protection obligations no less protective than those in this DPA. Hemera remains fully liable for the acts and omissions of its sub-processors.
7. Security measures
Hemera will implement and maintain technical and organisational measures appropriate to the risk, including as a minimum:
- Encryption in transit — TLS 1.2 or higher on all connections.
- Encryption at rest — AES-256 for database storage.
- Authentication — via Clerk (SOC 2 Type II certified); multi-factor authentication available for all accounts.
- Access control — role-based access control (RBAC) with least-privilege principle; data isolation between workspaces.
- Infrastructure — hosted on Render (US, Oregon) with automated backups; the frontend is served through Vercel (global CDN).
- Logging and monitoring — security event logging with 12-month retention.
- Vulnerability management — regular dependency updates; pursuing Cyber Essentials certification.
- Personnel — all staff with access to Client Data are bound by confidentiality obligations and receive data protection training.
Full details are available on the Security & Trust page. Hemera will review these measures periodically and may update them provided the overall level of protection is not materially reduced.
8. Data subject rights
Hemera will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures with fulfilling the Controller's obligation to respond to requests from data subjects exercising their rights under Chapter III of the UK GDPR (access, rectification, erasure, restriction, portability, objection).
If Hemera receives a request directly from a data subject, Hemera will promptly redirect the request to the Controller and will not respond to the data subject directly unless instructed by the Controller or required by law.
9. Personal data breach notification
On becoming aware of a personal data breach affecting Client Data, Hemera will notify the Controller without undue delay and in any event within 72 hours, providing:
- a description of the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned;
- the name and contact details of the point of contact at Hemera;
- a description of the likely consequences of the breach;
- a description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.
Hemera will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. Hemera will document all breaches, including the facts, effects, and remedial action taken.
10. Audits and compliance
On reasonable written notice (not less than 30 days), and no more than once per calendar year unless required by a supervisory authority, the Controller may audit Hemera's compliance with this DPA. Audits will be conducted during normal business hours, subject to reasonable confidentiality obligations, and at the Controller's expense.
Where Hemera holds a relevant third-party certification or audit report (e.g. Cyber Essentials, SOC 2), Hemera may offer that report to satisfy the audit right in the first instance. The Controller retains the right to conduct its own audit if the report does not reasonably address its concerns.
11. Data return and deletion
For 30 days after termination or expiry of the Agreement, the Controller may export Client Data through the HemeraScope interface. After that period, Hemera will delete all remaining Client Data (copies held in backups are deleted within the next scheduled backup rotation cycle) and will certify deletion in writing on request, except:
- where Hemera is required by applicable law to retain certain data, in which case Hemera will isolate and protect that data and limit processing to the minimum required by law;
- aggregated and irreversibly anonymised statistical information retained under Section 6.3 of the Agreement, which by definition is not personal data and falls outside the scope of this DPA.
12. International transfers
Client Data may be transferred to sub-processors located outside the United Kingdom as described on the Sub-processor List. For each transfer, Hemera will ensure an appropriate safeguard is in place under UK GDPR Article 46, which may include:
- the UK Extension to the EU–US Data Privacy Framework;
- the UK International Data Transfer Agreement (IDTA);
- the UK Addendum to the EU Standard Contractual Clauses;
together with any supplementary technical and organisational measures necessary in light of the transfer risk assessment. Hemera will provide the Controller with details of the safeguard relied on for each transfer on request.
13. Liability
The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not limit either party's liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.
14. Governing law
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising under or in connection with this DPA.