Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer ("Customer," "Controller") and Hokku LLC ("Hokku," "Processor") and applies where Hokku processes Personal Data on the Customer's behalf in providing the Service. If there is a conflict with the Terms regarding the processing of Personal Data, this DPA controls.

1. Definitions

"Personal Data," "Processing," "Controller," "Processor," "Sub-processor," and "Data Subject" have the meanings given in applicable data-protection laws, including the EU and UK GDPR and the California Consumer Privacy Act ("Data Protection Laws"). "Customer Data" has the meaning given in the Terms.

2. Roles of the Parties

For Customer Data, the Customer is the Controller and Hokku is the Processor, processing Personal Data only on the Customer's behalf. For account, billing, and usage data relating to the Customer's own use of the Service, Hokku acts as Controller as described in the Privacy Policy.

3. Details of Processing

• Subject matter: provision of the Hokku Service.
• Duration: the term of the Terms, plus the deletion period described below.
• Nature and purpose: hosting, storing, and processing Customer Data to operate, secure, and support the Service.
• Data Subjects: the Customer's Authorized Users and the Customer's own end customers.
• Categories of Personal Data: as determined and submitted by the Customer, which may include names, email addresses, support communications, and any other data the Customer chooses to include in tickets, comments, attachments, and custom fields.

The Customer is responsible for ensuring it has a lawful basis and any required notices and consents for the Personal Data it submits, and for not submitting special-category data except where the Service is designed for it.

4. Processor Obligations

Hokku will: (a) process Personal Data only on the Customer's documented instructions, including as set out in the Terms and through the Customer's use of the Service, unless required by law; (b) ensure persons authorized to process Personal Data are bound by confidentiality; (c) implement appropriate technical and organizational security measures as described in the Privacy Policy; (d) assist the Customer, taking into account the nature of processing, in responding to Data Subject requests and in meeting its security, breach-notification, and impact-assessment obligations; and (e) make available information reasonably necessary to demonstrate compliance with this DPA.

5. Sub-processors

The Customer authorizes Hokku to engage the Sub-processors listed in the Privacy Policy (for example, payment, hosting, email, and AI providers). Hokku imposes data-protection obligations on each Sub-processor that are substantially similar to those in this DPA and remains responsible for their performance. Hokku will give notice of new Sub-processors and a reasonable opportunity to object on legitimate data-protection grounds.

6. International Transfers

Where Hokku transfers Personal Data across borders in a manner regulated by Data Protection Laws, it will rely on an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable), which are incorporated by reference.

7. Data Subject Requests

If Hokku receives a request from a Data Subject regarding Customer Data, it will, where permitted, direct the request to the Customer and assist the Customer in responding. The Customer, as Controller, is responsible for responding to such requests.

8. Personal Data Breach

Hokku will notify the Customer without undue delay after becoming aware of a Personal Data breach affecting Customer Data and will provide information reasonably available to assist the Customer in meeting its notification obligations.

9. Return and Deletion

On termination of the Service, the Customer may export Customer Data using the Service's export tools, and Hokku will delete Customer Data in accordance with the Terms and Privacy Policy (generally within 30 days), except where retention is required by law and for routine backups deleted on the standard cycle.

10. Audits

Hokku will, on reasonable request and no more than once per year (or as required by a supervisory authority), make available information necessary to demonstrate compliance with this DPA, which may take the form of summaries or third-party reports where available, subject to confidentiality.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms.

12. Contact

Hokku LLC
support@hokku.app · support page