Data Processing Addendum (DPA)
Effective date: 2026-06-02
Last updated: 2026-06-02
Plain-language summary. This Data Processing Addendum (“DPA”) sets the rules for how HackZero handles personal data that we process on your behalf while delivering the Service, mainly the personal data that our autonomous testing agents read in your source code and encounter in your live application during a penetration test. In that activity you are the controller (the business) and HackZero is your processor (your service provider). We process personal data only on your documented instructions. We do not sell it. We do not combine it across customers. We do not use your data to train, fine-tune, or improve any AI or machine-learning model. This DPA also gives you the transfer protections (EU/UK/Brazilian Standard Contractual Clauses and equivalents), breach-notification commitments, deletion and audit rights, and a list of our subprocessors at /legal/subprocessors. This DPA is incorporated into and forms part of the Terms of Service or the negotiated Master Services Agreement between you and HackZero. This summary is provided for convenience and is not legal advice.
1. Introduction, parties, and incorporation
1.1 Parties
This DPA is entered into between:
- Agentic Security, Inc., a Delaware corporation, doing business as “HackZero”, with its principal place of business at 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States (“HackZero”, “we”, “us”, “Provider”); and
- the customer that has accepted the Agreement (as defined below) and that acts as controller of the personal data processed under it (“Customer”, “you”).
HackZero and Customer are each a “Party” and together the “Parties”.
1.2 Relationship to the Agreement
This DPA is incorporated by reference into, and forms part of:
- the HackZero Terms of Service at /legal/terms; or
- where the Parties have signed one, the negotiated Master Services Agreement (“MSA”) and its Deal Sheet, Order Form, and Rules of Engagement (“ROE”),
(each, with this DPA, the “Agreement”). This DPA applies only to the extent HackZero processes Personal Data on Customer’s behalf as a processor / service provider in the course of providing the Service.
Capitalized terms used and not defined in this DPA have the meanings given in the Agreement, including the MSA. In particular, “Service”, “Engagement”, “Execution”, “Authorized Asset”, “Authorized Party”, “Authorized User”, “ROE”, “Findings”, and “Final Report” have the meanings given in the MSA, and “Customer Data” and “Customer Source Code” have the meanings given in MSA section 5.1.
1.3 Order of precedence
If there is a conflict between documents, the following order of precedence governs the subject matter of this DPA (highest first):
- the Standard Contractual Clauses and other transfer instruments in Section 13 and the Annexes referenced there, as to the matters they govern;
- this DPA;
- the body of the MSA (or, where there is no MSA, the Terms of Service); and
- any other document forming part of the Agreement.
This precedence applies only to data-protection matters. The Agreement continues to govern all other matters, including the limitation of liability, except as Section 16 modifies it.
1.4 Roles consistent with the MSA
This DPA operationalizes, and does not displace, MSA section 5 (“Data, Confidentiality, and AI-Training Prohibition”), including the AI-Training Prohibition in MSA section 5.3, the data-retention and destruction cadence in MSA section 5.5, the data-residency rule in MSA section 5.6, and the subprocessor commitment in MSA section 5.7. Where this DPA states a more specific or more protective obligation, the more protective obligation controls as to Personal Data.
2. Definitions
For this DPA:
- “Applicable Data Protection Law” means all laws and regulations applicable to a Party’s processing of Personal Data under the Agreement, including, as applicable:
- GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation);
- UK GDPR: the GDPR as retained in the law of the United Kingdom by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, together with the Data Protection Act 2018;
- CCPA/CPRA: the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020, Cal. Civ. Code sections 1798.100 to 1798.199.100, and its implementing regulations at 11 C.C.R. sections 7000 to 7304;
- other U.S. state privacy laws to the extent applicable, including the Virginia Consumer Data Protection Act (Va. Code sections 59.1-575 to 59.1-585), the Colorado Privacy Act (Colo. Rev. Stat. sections 6-1-1301 to 6-1-1313), the Connecticut Data Privacy Act (Conn. Gen. Stat. sections 42-515 to 42-525), the Texas Data Privacy and Security Act (Tex. Bus. & Com. Code sections 541.001 to 541.205), the Utah Consumer Privacy Act (Utah Code sections 13-61-101 to 13-61-404), the Oregon Consumer Privacy Act (ORS 646A.570 to 646A.589), and the Montana Consumer Data Privacy Act (Mont. Code Ann. sections 30-14-2801 et seq.);
- PIPEDA: Canada’s Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, and the substantially similar provincial statutes (Alberta PIPA, S.A. 2003, c. P-6.5; British Columbia PIPA, S.B.C. 2003, c. 63);
- Quebec Law 25: the Act respecting the protection of personal information in the private sector, CQLR c. P-39.1, as amended by S.Q. 2021, c. 25;
- LGPD: Brazil’s Lei Geral de Proteção de Dados Pessoais, Lei nº 13.709/2018;
- LFPDPPP: Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares (DOF 20-Mar-2025, in force 21-Mar-2025);
- Argentina’s Ley 25.326 (Ley de Protección de los Datos Personales) and Decreto 1558/2001;
- Colombia’s Ley 1581 de 2012 and Decreto 1377 de 2013;
- Chile’s Ley 19.628 and, from 1 December 2026, Ley 21.719;
- Peru’s Ley 29733 and its regulation DS 016-2024-JUS; and, in each case, any successor or implementing instrument.
- “Controller” means the natural or legal person that, alone or jointly with others, determines the purposes and means of the processing of Personal Data. The term includes a “business” under the CCPA/CPRA, a “responsable” / “responsable de archivo” under LFPDPPP and Argentine, Colombian, Chilean, and Peruvian law, a “controlador” under the LGPD, an “organization” under PIPEDA, and an “enterprise” under Quebec Law 25.
- “Processor” means the natural or legal person that processes Personal Data on behalf of the Controller. The term includes a “service provider” or “contractor” under the CCPA/CPRA, an “encargado” under LFPDPPP and other LATAM law, an “operador” under the LGPD, and a “third party” or “service provider” under PIPEDA.
- “Subprocessor” means any third party engaged by HackZero (or by an affiliate of HackZero acting as a subprocessor) to process Personal Data on HackZero’s behalf in connection with the Service.
- “Personal Data” means any information relating to an identified or identifiable natural person, and any information that constitutes “personal information”, “personal data”, “datos personales”, or “dados pessoais” under Applicable Data Protection Law, in each case that HackZero processes on Customer’s behalf under the Agreement. Personal Data includes “Sensitive Personal Information” (CCPA/CPRA, Cal. Civ. Code section 1798.140(ae)), “special categories of personal data” (GDPR Article 9), “sensitive data” under U.S. state and LATAM law, and “datos personales sensibles”.
- “Processing” (and “process”) means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, access, retrieval, use, disclosure, transmission, alignment, combination, restriction, erasure, or destruction.
- “Customer Personal Data” means Personal Data within Customer Data, including Personal Data within Customer Source Code, and Personal Data that Authorized Parties (including HackZero’s autonomous AI agents) observe, capture, or record in the course of an Engagement, for example Personal Data appearing in source code, configuration files, production data, captured request/response artifacts, or exploit reproductions.
- “Data Subject” means the identified or identifiable natural person to whom Personal Data relates.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by HackZero. The term is read to include a “confidentiality incident” under Quebec Law 25 (Art. 3.6) and a “breach of security safeguards” under PIPEDA (s. 10.1).
- “SCCs” means the Standard Contractual Clauses for the transfer of personal data, as set out in Section 13 (the EU SCCs, the UK Addendum, and the Brazilian SCCs).
- “Business Purpose”, “Sell”, “Share”, and “Commercial Purpose” have the meanings given in the CCPA/CPRA (Cal. Civ. Code section 1798.140).
Terms such as “controller”, “processor”, “data subject”, “supervisory authority”, and “special categories of personal data” have the meanings in the GDPR where the GDPR applies, and the equivalent meanings under other Applicable Data Protection Law.
3. Roles of the Parties
3.1 Customer as Controller, HackZero as Processor
The Parties acknowledge that, for Customer Personal Data processed under the Agreement:
- Customer is the Controller (or, where Customer itself acts as a processor for a third party, Customer is the processor and HackZero is the subprocessor); and
- HackZero is the Processor acting on Customer’s behalf.
Under the CCPA/CPRA, Customer is the business and HackZero is a service provider processing Personal Data pursuant to a written contract that meets the requirements of Cal. Civ. Code section 1798.140(ag) and 11 C.C.R. section 7051.
Where Customer acts as a processor for an onward controller, this DPA applies between Customer and HackZero on the same terms, with HackZero as subprocessor, and Customer remains responsible for the instructions it gives.
3.2 HackZero as independent controller for limited data
HackZero acts as an independent controller, not as Customer’s processor, for the limited Personal Data it processes for its own account, including: account-registration and authentication data of Authorized Users (name, email, hashed password, role, session data); workspace and billing-contact data; ROE and contract-signing metadata used as evidence of authorization (typed legal name, IP address, user-agent, timestamp, hash-chained audit events); and website-visitor data. HackZero’s processing of that data is governed by its Privacy Policy at /legal/privacy and is outside the scope of this DPA, except that the AI-Training Prohibition in Section 11 also applies to HackZero’s processing of that data. The signing-metadata and audit-log category is treated as HackZero’s independent-controller data, consistent with the Privacy Policy, because HackZero generates and retains it for its own evidentiary defense.
3.3 CCPA service-provider restrictions
As a service provider, HackZero certifies that it understands the restrictions in this Section 3.3 and will comply with them. HackZero will not:
(a) Sell or Share Customer Personal Data (as those terms are defined in the CCPA/CPRA);
(b) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purposes specified in this DPA and the Agreement, including not retaining, using, or disclosing it for a commercial purpose other than providing the Service, or outside the direct business relationship between the Parties;
(c) combine Customer Personal Data with personal information that HackZero receives from or on behalf of another person, or collects from its own interaction with a consumer, except as permitted by 11 C.C.R. section 7050(b) (for example, to perform a Business Purpose under Cal. Civ. Code section 1798.140(e)(1) to (8)); or
(d) use Customer Personal Data to train, fine-tune, or otherwise develop any AI or machine-learning model, including any model that is or could be used to provide services to other persons (this restriction is stated in full in Section 11 and applies under the CCPA and all other Applicable Data Protection Law).
HackZero will notify Customer if it determines that it can no longer meet its obligations as a service provider under the CCPA/CPRA. Customer may, on notice, take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.
3.4 LATAM and Canada role mapping
- Mexico (LFPDPPP): HackZero processes Customer Personal Data as an encargado under a “remisión” (data transmission to a processor) governed by the Agreement; HackZero acts on the responsable’s instructions and does not assume distinct purposes.
- Brazil (LGPD): Customer is the controlador and HackZero is the operador under LGPD Articles 37 to 39.
- Argentina, Colombia, Chile, Peru: HackZero acts as the Customer’s encargado del tratamiento under each statute, processing only on documented instructions.
- Canada (PIPEDA): transfer of Personal Data to HackZero is a transfer to a third party for processing and is a “use”, not a “disclosure”; Customer (and the originating organization) remains accountable, and HackZero provides a comparable level of protection through this DPA (PIPEDA Schedule 1, cl. 4.1.3).
- Quebec (Law 25): HackZero processes on Customer’s behalf and supports Customer’s Article 17 obligations as described in Section 13.5.
3.5 Self-hosted deployments
Where Customer subscribes to the Compliance or Enterprise tier and elects to run the Service inside Customer’s own virtual private cloud (VPC), Customer Personal Data does not leave Customer’s perimeter and HackZero does not process Customer Personal Data as a Processor in that mode, except for any telemetry, license, or support data the Parties expressly agree HackZero may receive. In a self-hosted deployment, Sections 4 to 14 apply only to data HackZero actually receives; Customer is responsible for the security and configuration of its own perimeter. The Parties will confirm the applicable subprocessors (which may be limited to the upstream foundation-model provider) in the Order Form.
4. Subject matter, duration, nature, and purpose of processing
The subject matter, duration, nature, purpose, categories of Personal Data, and categories of Data Subjects are set out in Annex I. In summary:
- Subject matter: HackZero’s processing of Customer Personal Data to provide the Service (AI-driven penetration testing of Customer’s live application and source code, with human oversight, and the production of Findings and compliance evidence).
- Duration: for the Term of the Agreement and the limited periods after termination set out in Section 12 and MSA section 5.5.
- Nature and purpose: reading Customer Source Code through a read-only integration; running autonomous, LLM-driven security tests against Authorized Assets; capturing and validating exploit evidence; generating Findings, the Final Report, and compliance-framework mappings; and providing related support.
- Processing only as needed: HackZero extracts the minimum Personal Data necessary to provide the Service and to prove a Finding, and does not perform bulk exfiltration of Customer Personal Data.
5. Processing only on documented instructions
5.1 Documented instructions
HackZero will process Customer Personal Data only on Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law to which HackZero is subject. Customer’s documented instructions are constituted by:
(a) this DPA and the Agreement (including the MSA, the Deal Sheet, the Order Form, and the ROE); (b) the scope, Authorized Assets, permitted techniques, and schedules Customer configures in the Service or sets in the ROE; (c) each On-Demand Execution Customer triggers and each Scheduled Execution Customer pre-configures; and (d) any further written instructions Customer gives through the Service or to [email protected] that the Parties agree are consistent with the Agreement.
Customer warrants that its instructions, including its designation of Authorized Assets and scope, comply with Applicable Data Protection Law and that Customer has a lawful basis and any required consent for the processing it instructs.
5.2 Notice of unlawful instructions and of legally required processing
HackZero will inform Customer if, in HackZero’s reasonable opinion, an instruction infringes Applicable Data Protection Law (GDPR Article 28(3), final paragraph), unless prohibited from doing so by law. Where HackZero is required by applicable law to process Customer Personal Data other than on Customer’s instructions, HackZero will, unless that law prohibits it on important grounds of public interest, inform Customer of that legal requirement before processing.
5.3 Government and legal-process requests
If HackZero receives a legally binding request from a public authority (including a law-enforcement, intelligence, or regulatory authority) for disclosure of Customer Personal Data, HackZero will, to the extent legally permitted: (a) notify Customer promptly so Customer may seek a protective order or other remedy; (b) inform the requesting authority that HackZero is a processor and that the request should be directed to Customer; (c) challenge any request that HackZero judges to be unlawful or overbroad; and (d) disclose only the minimum Personal Data necessary to respond. HackZero does not grant any government authority direct, blanket, or unfettered access to Customer Personal Data. HackZero will keep a record of such requests and provide a summary to Customer where lawful. This commitment supports Customer’s transfer-impact assessments under the GDPR, Quebec Law 25 Art. 17, and equivalent LATAM rules, in light of U.S. legal authorities including the CLOUD Act (amending the Stored Communications Act, 18 U.S.C. sections 2701 et seq., including section 2713), FISA section 702 (50 U.S.C. section 1881a), Executive Order 12333, and Executive Order 14086.
6. Confidentiality of personnel
HackZero will ensure that any person it authorizes to process Customer Personal Data (its personnel, contractors, and its autonomous AI agents’ operators) is subject to a duty of confidentiality, whether contractual or statutory, no less protective than MSA section 5.4, and has access to Customer Personal Data only on a need-to-know basis to provide the Service. HackZero limits access to Customer Personal Data to authorized staff accounts and applies the access controls in Annex II. This obligation survives termination of the relevant person’s engagement with HackZero.
7. Security of processing (Annex II)
7.1 Technical and organizational measures
HackZero implements and maintains the technical and organizational measures set out in Annex II, designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risk to Data Subjects (GDPR Article 32; CCPA/CPRA reasonable-security duty; LGPD Article 46; PIPEDA cl. 4.7; Quebec Law 25 Art. 10). Annex II measures include encryption in transit (TLS 1.3 at every hop) and at rest, network isolation of the database, scram-sha-256 database authentication, session-only authentication (no long-lived API tokens), tamper-evident off-host audit logging, tested nightly backups, and the AI safeguards in Section 11.
7.2 Sensitivity of testing data
The Parties acknowledge that Findings, exploit reproductions, captured request/response artifacts, and Customer Source Code may contain highly sensitive Customer confidential data and Personal Data, including credentials, tokens, and data appearing in production traffic. HackZero treats this category with heightened care, including data minimization (extracting only what is necessary to prove a Finding), and HackZero’s audit-logging configuration applies heightened logging to any data class identified as Personal Data, payment data, or health data.
7.3 Updates to measures
HackZero may update the Annex II measures from time to time provided the updates do not materially reduce the overall level of security. Annex II reflects HackZero’s security posture as of the Last updated date; HackZero’s current security overview is published at /legal/security. HackZero’s compliance posture is a SOC 2 Type II audit in progress and an ISO/IEC 27001 audit planned; HackZero does not describe itself as “certified”.
8. Subprocessors
8.1 General authorization with notice
Customer provides general written authorization for HackZero to engage Subprocessors to process Customer Personal Data, subject to this Section 8. HackZero’s current Subprocessors are listed in Annex III and, in the authoritative and maintained form, at /legal/subprocessors. The Subprocessor list identifies, for each Subprocessor, its name, the processing activity, the categories of data processed, and the region.
8.2 Change notice and objection
HackZero will give Customer at least thirty (30) days’ advance notice of any addition or replacement of a Subprocessor that will process Customer Personal Data, by updating /legal/subprocessors and, where Customer has subscribed to notifications, by email or other notice (consistent with MSA section 5.7). Within that period, Customer may object on reasonable, data-protection grounds. The Parties will work in good faith to resolve the objection. If they cannot, Customer may terminate the portion of the Service that requires the objected-to Subprocessor, without penalty for the terminated portion, as Customer’s sole remedy.
8.3 Flow-down
Before a Subprocessor processes Customer Personal Data, HackZero will enter into a written agreement with the Subprocessor imposing data-protection obligations no less protective than those in this DPA, including the security measures, confidentiality, the AI-Training Prohibition (Section 11), and (for international transfers) the relevant SCCs or equivalent. HackZero remains fully liable to Customer for the performance of each Subprocessor’s data-protection obligations (GDPR Article 28(4)).
8.4 Upstream foundation-model provider
HackZero uses one or more enterprise-grade foundation models, provided by reputable third parties and/or operated by HackZero, to power its autonomous testing agents and to generate report narratives. HackZero selects, configures, and maintains these models, and the specific models and configurations may evolve over time as the technology matures. Whichever model is used, the data-protection and confidentiality commitments stated here apply. Each third-party foundation-model provider HackZero engages (identified generically in Annex III and on /legal/subprocessors as a foundation-model provider) is a Subprocessor configured for zero data retention and no model training on Customer Personal Data, consistent with MSA section 5.3 and Section 11 of this DPA. HackZero flows the no-training and zero-retention commitments down to each such provider and will provide written evidence of the configuration on Customer’s reasonable request, subject to confidentiality.
9. Assistance with Data-Subject requests
9.1 Routing of requests
Because HackZero is a Processor for Customer Personal Data, requests by Data Subjects to exercise their rights (access, correction/rectification, deletion/erasure, portability, objection, restriction, opt-out of sale/share, limit use of sensitive data, withdraw consent, and the right not to be subject to solely automated decisions, as applicable) are the Controller’s responsibility. If HackZero receives such a request directly from a Data Subject in respect of Customer Personal Data, HackZero will not respond to it on the merits except on Customer’s documented instruction, and will, without undue delay, direct the Data Subject to Customer and notify Customer, unless prohibited by law.
9.2 Assistance
Taking into account the nature of the processing, HackZero will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer’s obligation to respond to Data-Subject requests (GDPR Article 28(3)(e); equivalent LGPD, LFPDPPP, PIPEDA, Quebec Law 25 Art. 27 portability, and LATAM rights). Assistance includes helping Customer locate, access, correct, export, restrict, or delete Customer Personal Data within HackZero’s systems. HackZero provides reasonable assistance at no additional charge for the level of effort contemplated by the Service; the Parties will agree on reasonable fees for assistance that is excessive or repetitive.
9.3 Individuals observed during testing
For Personal Data of Customer’s own users, employees, or third parties that HackZero’s agents observe during an Engagement, Customer is the Controller and any request by such an individual must be made to Customer. HackZero will assist Customer in responding but will not itself respond on the merits.
10. Data protection impact assessments, breach notification, and prior consultation
10.1 DPIAs and prior consultation
Taking into account the nature of the processing and the information available to HackZero, HackZero will provide reasonable assistance to Customer with: (a) data protection impact assessments (GDPR Articles 35 and 36; the equivalent assessment obligations under Colorado, Connecticut, Texas, Oregon, Virginia, and Montana law; and the LGPD Article 38 report); and (b) any prior consultation with a supervisory authority that those laws require. HackZero will, on request, provide information about the Service, the security measures, the Subprocessors, and the international transfers reasonably necessary for such assessments. This assistance also supports Customer’s transfer-impact assessment under Quebec Law 25 Art. 17 (see Section 13.5).
10.2 Personal Data Breach notification
HackZero will notify Customer of a Personal Data Breach affecting Customer Personal Data without undue delay and in any event within seventy-two (72) hours of HackZero becoming aware of the breach. The clock runs from HackZero’s awareness, not from HackZero’s internal confirmation, so that the notice preserves the strictest applicable controller deadlines, including Peru’s 48-hour and Brazil’s 3-business-day windows that themselves run from the Controller’s awareness. HackZero’s notice will describe, to the extent then known and as it becomes known:
(a) the nature of the Personal Data Breach, including, where possible, the categories and approximate number of Data Subjects and records affected; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach and to mitigate its adverse effects; and (d) the name and contact details of a HackZero point of contact for more information.
Where HackZero cannot provide all information at once, it may provide it in phases without undue further delay. HackZero will send the breach notice to the breach/security contact Customer has registered in the Service, with a copy to the notices address in the Agreement. Customer is responsible for notifying supervisory authorities and Data Subjects where the Controller is required to do so. The Parties acknowledge the regime-specific timelines that may apply to Customer as Controller, including PIPEDA (“as soon as feasible”), Quebec Law 25 (“with diligence”, with a broader trigger: unauthorized access alone), Alberta PIPA (“without unreasonable delay”), the LGPD (initial notice to the ANPD within three (3) business days, with a supplement within twenty (20) business days, per Resolução CD/ANPD nº 15/2024), Peru (notice to the ANPDP within forty-eight (48) hours), and the GDPR (seventy-two (72) hours). HackZero’s 72-hour, awareness-based processor-to-controller clock is set so that it does not consume the Controller’s statutory window and Customer can meet the strictest applicable timeline.
10.3 No independent breach assessment by HackZero
HackZero’s notice is not an acknowledgment of fault or liability. HackZero will cooperate with Customer and take reasonable steps to investigate, contain, and remediate the breach, and will preserve relevant tamper-evident logs.
11. AI-Training Prohibition; ownership of Input and Output; no-training assurance
11.1 No training on Customer data (material term)
No training on your data. We do not use your Customer Data, source code, or findings to train or fine-tune foundation models, and we require any third-party model provider we engage to apply the same restriction. You retain ownership of your Inputs and of the findings and reports the Services generate for you. Specifically, and consistent with MSA section 5.3:
HackZero shall not use Customer Data, including Customer Source Code, Customer Personal Data, or any derivative information, to train, fine-tune, or otherwise improve any machine-learning or artificial-intelligence model, except as strictly necessary to perform the Service for Customer within an isolated and non-persistent execution environment. HackZero will use Customer Data only for the purpose of providing the contracted Service to Customer.
Service quality and evaluation. HackZero may process de-identified and aggregated information derived from use of the Service to operate, secure, evaluate, benchmark, and improve the quality, accuracy, and reliability of the Service, including its detection capabilities and its internal model and system evaluations. De-identified and aggregated information does not identify Customer, Customer’s organization, or any individual, and is not used to train any third-party foundation model.
11.2 Isolated, non-persistent execution environment
“Isolated and non-persistent execution environment” means: processing is inference-time only (no training, no fine-tuning, and no retrieval-augmented indexing that permits cross-tenant retrieval); each Engagement uses an isolated workspace; context is held in memory for the Engagement and not in a persistent vector store indexed by Customer identity; and any third-party foundation-model provider is configured for zero data retention and no training. HackZero passes these commitments through to the foundation-model provider(s) in Annex III.
11.3 Scope of “Customer Source Code”
“Customer Source Code” includes any source code observed during the Engagement, including code retrieved from in-scope infrastructure that Customer did not explicitly hand over (for example, a configuration file pulled from a server during testing). All such code is Customer Data subject to this Section 11.
11.4 Narrow R&D carve-out
HackZero may use only aggregated and anonymized information that does not identify Customer, Customer Data, Customer Personal Data, any Data Subject, or any Authorized Asset, for Service improvement, research, and benchmarking, consistent with MSA sections 5.2(d) and 6.2 (for example, abstracted vulnerability patterns and detection metrics). HackZero will never use Customer Source Code, customer-specific configurations, or customer-identifying network data outside the Engagement.
11.5 Evidence and audit of the no-training posture
On Customer’s reasonable request, no more than once per year (and additionally following a Personal Data Breach affecting Customer Personal Data), HackZero will provide written evidence of its no-training and zero-retention configuration, including a SOC 2 or ISO 27001 report or equivalent third-party attestation when available, and the relevant provider configuration evidence, subject to confidentiality. Section 14 governs audits, including the right to obtain evidence that no Customer Data has been used in model training.
11.6 Liability
Breach of this Section 11 is a material breach not subject to the liability cap in the Agreement and entitles Customer to immediate termination plus uncapped direct damages, consistent with MSA sections 5.3 and 9.2. HackZero selected the Subprocessors and bears uncapped liability for breach of the no-training and Subprocessor obligations to the extent the Agreement so provides.
12. Return and deletion on termination
12.1 Election
At termination or expiration of the Agreement, HackZero will, at Customer’s written election, return Customer Data (including Customer Personal Data) to Customer in a commonly used format, or delete it, except to the extent retention is required by applicable law or a legal hold. If Customer makes no election within thirty (30) days of termination, HackZero will delete Customer Data in the ordinary course under this Section 12.
12.2 Destruction cadence
Consistent with MSA section 5.5, HackZero will permanently destroy all copies of Customer Source Code within thirty (30) days after the return/destruction request (or earlier on request). Backups that are not immediately editable are purged in the ordinary course within sixty (60) days after the initial destruction.
12.3 Retained records
HackZero retains ROE and contract-signing audit records and hash-chained audit events for seven (7) years for evidentiary purposes (MSA section 5.5). These records are retained as HackZero’s independent-controller data (Section 3.2), are minimized, and may be exempt from deletion to the extent retention is required for legal or evidentiary reasons. HackZero will, on request, certify in writing that it has completed deletion in accordance with this Section 12, subject to the retained records described here.
13. International transfers
13.1 Processing location and primary mechanism
HackZero processes Customer Personal Data in the United States (Fly.io, San Jose, California), consistent with MSA section 5.6. Where HackZero (or a Subprocessor) transfers Customer Personal Data across a border in a way that requires a transfer mechanism under Applicable Data Protection Law, the applicable instrument in this Section 13 applies, namely the Standard Contractual Clauses or the equivalent approved clauses for the relevant country. Where the Service is self-hosted in Customer’s VPC, Customer Personal Data does not leave Customer’s perimeter and no HackZero-side transfer occurs (Section 3.5).
13.2 EU Standard Contractual Clauses (Module Two)
For transfers of Personal Data subject to the GDPR from the European Economic Area to HackZero in a country without an adequacy decision, the Parties incorporate by reference the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and select Module Two (Controller to Processor), with the following choices:
- Clause 7 (docking clause): included.
- Clause 9 (use of subprocessors): Option 2, general written authorization, with a minimum notice period of thirty (30) days (Section 8.2).
- Clause 11 (redress): the optional independent-dispute-resolution language is not elected.
- Clause 17 (governing law): the law of Ireland.
- Clause 18 (forum and jurisdiction): the courts of Ireland.
- Annexes I, II, and III to the EU SCCs are populated by Annex I, Annex II, and Annex III of this DPA respectively; the data exporter is Customer and the data importer is HackZero.
Where this DPA and the EU SCCs conflict as to transfers governed by the EU SCCs, the EU SCCs prevail. The EEA is not a market HackZero serves today, and HackZero has not appointed an EU/UK Article 27 representative; this module is included for forward-looking coverage and for EU subsidiaries of U.S. customers.
13.3 UK International Data Transfer Addendum
For transfers subject to the UK GDPR, the Parties incorporate the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 and in force 21 March 2022 (the “UK Addendum”). The EU SCCs in Section 13.2 apply as amended by the UK Addendum. Table 1 (parties), Table 2 (selected SCCs and modules), and Table 3 (appendix information) are populated by the parties and Annexes of this DPA; Table 4 (ending the Addendum) selects the importer and the exporter as the parties that may end the Addendum as set out in Section 19.
13.4 Brazilian Standard Contractual Clauses (mandatory)
For transfers of Personal Data subject to the LGPD from Brazil to HackZero in the United States (which has no ANPD adequacy decision), the Parties incorporate and adopt, in their entirety and without contradiction, the Brazilian Standard Contractual Clauses adopted by Resolução CD/ANPD nº 19/2024, which are mandatory for such transfers since the end of the grace period on 23 August 2025. The Annexes to the Brazilian SCCs are populated by the Annexes to this DPA, and the executed Brazilian SCC form is controlling in Portuguese. Where this DPA and the Brazilian SCCs conflict as to transfers governed by the LGPD, the Brazilian SCCs prevail.
13.5 Quebec Law 25 transfer support (Art. 17)
For Personal Data subject to Quebec Law 25, HackZero will support Customer’s Article 17 transfer-impact assessment before any communication of Personal Data outside Quebec (which, under Law 25, includes the rest of Canada), by providing information on: the sensitivity of the data; the purposes of use; the protective measures, including the contractual measures in this DPA; and the legal framework of the destination (the United States), including the U.S. authorities listed in Section 5.3. The transfer is the subject of this written DPA, which reflects the assessed mitigations (encryption, minimization, purpose limitation, Subprocessor flow-down, and a government-request notice protocol).
13.6 Mexico (LFPDPPP) transfer instrument
For transfers subject to the LFPDPPP, HackZero acts as an encargado under a “remisión” and the transfer is governed by this DPA, which binds HackZero to process only on the responsable’s instructions, to maintain confidentiality and security, and not to process for distinct purposes (LFPDPPP transfer and remisión rules). The Aviso de Privacidad maintained by Customer should disclose this processing.
13.7 Other LATAM transfers
- Argentina: transfers rely on the model clauses in Disposición 60/2016 or the Ibero-American (RIPD) clauses approved by Resolución 198/2023, since the United States is not on Argentina’s adequacy list; the Parties will execute the applicable model clauses.
- Colombia: transfers rely on the SIC framework (the United States is adequate-with-limitations per Circular Externa 005/2017, consolidated in Circular Externa 002/2022 and 001/2025), supplemented by this written DPA as the transfer agreement.
- Chile: until 30 November 2026, transfers rely on contractual safeguards in this DPA; from 1 December 2026 (Ley 21.719, Title VIII), the Parties will execute the adequacy/SCC/BCR mechanism the new law requires.
- Peru: given the extraterritorial scope of DS 016-2024-JUS, transfers rely on this DPA’s contractual safeguards (RIPD-style clauses plus Peru-specific terms) absent an adequacy decision.
Where a local data-protection officer or database registration is required (for example, in Peru), HackZero complies with that requirement.
14. Audits and evidence of compliance
14.1 Information and audit right
HackZero will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA and the obligations in GDPR Article 28 (and equivalent provisions), and will allow for and contribute to audits, including inspections, conducted by Customer or an independent auditor Customer mandates (GDPR Article 28(3)(h)).
14.2 How the audit right is exercised
Customer’s audit right is satisfied, in the first instance, by HackZero providing: (a) this DPA and the Annexes; (b) the most recent SOC 2 Type II report or ISO 27001 certification when available, or, until available, a description of the controls and their pre-audit status (Section 7.3); (c) evidence of the Subprocessor flow-downs; and (d) evidence of the no-AI-training and zero-retention configuration (Section 11.5). If that information is insufficient to address a specific, documented concern, Customer may request an on-site or remote audit, on at least thirty (30) days’ notice, no more than once per year (except following a Personal Data Breach or a regulator’s requirement), during business hours, subject to confidentiality, and in a manner that does not compromise the security of other customers or HackZero’s testing toolchain.
14.3 Right to evidence of no AI training
For clarity, Customer’s audit right expressly includes the right to audit, no more than annually, to confirm that no Customer Data has been used to train, fine-tune, or improve any AI or machine-learning model, and to obtain the attestations described in Section 11.5. Breach of the no-training obligation discovered through an audit carries uncapped liability (Section 11.6).
14.4 Costs
Each Party bears its own costs of an audit, except that Customer reimburses HackZero’s reasonable costs for an on-site audit that exceeds the scope or frequency contemplated here, and HackZero bears its own costs where an audit reveals a material breach by HackZero.
15. Cooperation, records, and contact
15.1 Records of processing
HackZero maintains records of its processing of Customer Personal Data as required by GDPR Article 30(2) and equivalent law and will make them available to Customer or a supervisory authority on reasonable request.
15.2 Privacy contact
Data-protection notices to HackZero under this DPA may be sent to [email protected] (privacy) and [email protected] (legal and notices), with a copy as required by the notices clause of the Agreement, addressed to Agentic Security, Inc. (d/b/a HackZero), 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States. Customer should keep its registered notification contact current in the Service so that breach and Subprocessor notices reach the right person.
16. Liability, precedence, and miscellaneous
16.1 Liability
Each Party’s liability under this DPA is subject to the limitations and exclusions in the Agreement, including the liability cap and its carve-outs, except that the carve-outs preserve uncapped liability where the Agreement and this DPA so provide, including for breach of Section 11 (AI-Training Prohibition) and of the Subprocessor and security obligations to the extent stated. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law, including a Data Subject’s non-waivable rights and remedies. The SCCs allocate liability as between the Parties for transfers they govern; where they require greater liability than the Agreement, the SCCs prevail for those transfers.
16.2 Precedence
In the event of a conflict, Section 1.3 governs the order of precedence. Except as expressly modified here, the Agreement remains in full force.
16.3 Changes to this DPA
HackZero may update this DPA to reflect changes in Applicable Data Protection Law, Subprocessors, or the Service. HackZero will give reasonable advance notice of material changes by updating /legal/dpa and, where required, by notice to Customer. Continued use of the Service after the effective date of an update constitutes acceptance, except that changes to the SCCs require any signature or re-acceptance those clauses prescribe.
16.4 Governing law
This DPA is governed by the law of the State of Delaware, United States of America, without regard to its conflict-of-laws principles, consistent with MSA section 11.1, except that (a) the SCCs are governed by the law their terms specify, and (b) Applicable Data Protection Law and a Data Subject’s non-waivable home-jurisdiction rights apply where they are mandatory.
16.5 Severability and survival
If any provision of this DPA is held invalid, the remainder continues in effect. Sections 11, 12, 14, and 16, and any obligation that by its nature should survive, survive termination of the Agreement.
Annex I: Details of processing
A. List of Parties
- Data exporter / Controller / Business: Customer, as identified in the Agreement (the entity, address, and contact set out in the Order Form or Deal Sheet). Role: Controller (or processor where Customer processes for an onward controller).
- Data importer / Processor / Service provider: Agentic Security, Inc. (d/b/a HackZero), 2810 N Church St STE 88242, Wilmington, Delaware 19802, United States. Contact: [email protected]. Role: Processor.
B. Description of the transfer / processing
| Item | Detail |
|---|---|
| Categories of Data Subjects | Customer’s end users, customers, employees, contractors, and other individuals whose Personal Data appears in Customer Source Code, configuration, production data, or captured artifacts within the Authorized Assets; Authorized Users to the extent their data is processed as Customer Personal Data. |
| Categories of Personal Data | Personal Data appearing in source code, configuration files, secrets/credentials, production data, and captured request/response artifacts within scope, which may include: names, email addresses, usernames, identifiers, IP addresses, authentication tokens, session data, and any other Personal Data present in the tested environment. The exact categories are determined by Customer’s environment and scope, not by HackZero. |
| Sensitive data | May be present incidentally (for example, special-category data under GDPR Article 9, Sensitive Personal Information under CCPA/CPRA, or sensitive data under LATAM law) if it exists in the Authorized Assets. HackZero applies the heightened-care and minimization measures in Section 7.2 and Annex II. The Parties do not intend the Service to process sensitive data, and Customer should scope to avoid it where possible. |
| Nature of processing | Reading Customer Source Code through a read-only integration; running autonomous, LLM-driven penetration tests against Authorized Assets; capturing and validating exploit evidence; generating Findings, the Final Report, and compliance-framework mappings; storage of artifacts, logs, reports, and backups; and related support. |
| Purpose | To provide the Service to Customer (Business Purpose under CCPA/CPRA: performing services on behalf of the business, including security testing). |
| Frequency | Continuous and/or on-demand during the Term, per On-Demand and Scheduled Executions. |
| Duration / retention | For the Term and the post-termination periods in Section 12 and MSA section 5.5: Customer Source Code destroyed within 30 days of request; non-editable backups purged within 60 days after initial destruction; signing/audit records retained 7 years. |
| Subject matter and duration for Subprocessors | As set out in Annex III and at /legal/subprocessors; for the duration of the Service or the relevant Subprocessor engagement. |
C. Competent supervisory authority (for EU SCC Annex I.C)
The competent supervisory authority for the EU SCCs is the Irish Data Protection Commission, consistent with the choice of Irish law under Clause 17 (Section 13.2).
Annex II: Technical and organizational measures
HackZero implements at least the following measures (drawn from HackZero’s compliance program; see /legal/security):
- Encryption in transit. TLS 1.3 at every hop (browser to CDN, CDN to compute, application to database). HSTS preload on public domains.
- Encryption at rest. Database volumes encrypted at rest (LUKS); all backups, logs, contracts, and reports in object storage encrypted with per-object server-side encryption.
- Access control and authentication. Session-based authentication with HttpOnly, SameSite=Lax, Secure cookies; no long-lived API tokens. Database authentication uses scram-sha-256. Administrative access restricted to staff accounts on a need-to-know basis. MFA and SSO available.
- Network isolation. The database is not exposed to the public internet (reachable only over a private network); production traffic must pass through the CDN and is origin-locked (direct connections to the origin are rejected).
- Audit logging and tamper-evidence. Database role and schema changes are logged with timestamp and actor and shipped off-host within seconds to tamper-evident storage; signing actions (ROE/contracts) are recorded as hash-chained audit events. Logging is engineered to escalate where a data class is identified as Personal Data, payment data, or health data.
- Backups and recovery. Nightly backups, restore-tested weekly; a measured recovery time of approximately three minutes.
- Data minimization in testing. Agents extract the minimum data necessary to prove a Finding; no bulk exfiltration. Scope is a hard technical boundary; agents pause on scope deviation per the kill-switch protocol.
- AI safeguards. The upstream foundation-model provider is configured for zero data retention and no model training on Customer Personal Data; inference-time-only processing in an isolated, non-persistent environment (Section 11).
- Vendor security. HackZero uses vetted infrastructure providers; the primary host publishes a SOC 2 Type II report. Subprocessor flow-downs per Section 8.3.
- Confidentiality and personnel. Personnel and contractors bound by confidentiality obligations; access on a need-to-know basis (Section 6).
- Compliance program status. SOC 2 Type II audit in progress (technical controls live, pre-audit); ISO/IEC 27001 audit planned; HIPAA technical safeguards in place (HIPAA gated to the Compliance tier; Business Associate Agreements and policies pending). HackZero describes these as “in progress” or “planned” and not as “certified” or “compliant”.
Annex III: Subprocessors
The authoritative, maintained list of Subprocessors, with name, processing activity, categories of data, and region, is published at /legal/subprocessors. Customer should treat /legal/subprocessors as the controlling version. As of the Last updated date, HackZero’s Subprocessors include:
| Subprocessor | Role / processing activity | Data categories | Region | Status |
|---|---|---|---|---|
| Fly.io, Inc. | Cloud compute and managed PostgreSQL hosting | All application, account, and product data | United States (San Jose, California) | In use |
| Tigris | S3-compatible object storage (backups, shipped logs, contract PDFs, reports) | Backups, audit logs, signed contracts, reports (may contain Personal Data) | United States | In use |
| Cloudflare, Inc. | DNS, CDN, TLS termination, WAF / origin-lock | Traffic metadata, IP address, user-agent | Global edge network | In use |
| Foundation-model provider(s) | Foundation-model inference for autonomous agents and report narrative | Target/scan context, source excerpts | United States | In use; zero retention, no training |
| Resend | Transactional and confirmation email | Recipient email, message metadata | United States | In use |
| Google LLC (Workspace / OAuth) | OAuth sign-in; staff email | Email, profile (auth) | Global | In use (optional) |
| GitHub, Inc. | Read-only GitHub App for source-code access | Repository contents the customer authorizes | Global | In use |
| Stripe | Payment processing and subscription billing | Billing contact and payment data | United States | Planned / launching |
The entity-name convention is synchronized with /legal/subprocessors: Fly.io, Inc.; Cloudflare, Inc.; Google LLC; and GitHub, Inc. are stated with their corporate suffix, while Tigris, Resend, and Stripe are shown by product name only and the foundation-model provider(s) is shown generically. The foundation-model provider(s) is not named, consistent with the generic foundation-model description in Section 8.4 and Section 11. Transactional email is delivered through Resend. Any future change to this list is made through the 30-day change-notice and objection mechanism in Section 8.2, and /legal/subprocessors remains the controlling version.
Cross-references: Privacy Policy (/legal/privacy), Terms of Service (/legal/terms), Cookie Policy (/legal/cookies), Acceptable Use Policy (/legal/acceptable-use), Subprocessor List (/legal/subprocessors), AI Transparency Notice (/legal/ai), Vulnerability Disclosure Policy (/legal/security), Refund & Cancellation Policy (/legal/refunds).