Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the Terms of Service between Context Hints Labs Inc. ("Context Hints") and a business customer ("Customer"). It governs the processing of personal data by Context Hints on Customer's behalf and is intended to satisfy the requirements of GDPR Article 28, UK GDPR, the Swiss FADP, and applicable US state privacy laws (including CPRA, VCDPA, CPA, CTDPA, and UCPA).
1. Preamble
By accepting the Terms of Service for any paid engagement, or by signing an order form that references this DPA, Customer accepts this DPA. The terms of this DPA apply only to processing that Context Hints performs on behalf of Customer. The DPA does not apply to processing by Context Hints for its own purposes (such as billing, fraud prevention, or improving its own services in ways permitted by applicable law).
2. Definitions
Terms not defined here have the meanings given in the GDPR, UK GDPR, or applicable US state privacy law, interpreted consistently across them. Key terms:
- Controller — the party that determines the purposes and means of processing.
- Processor — the party that processes personal data on behalf of the Controller.
- Customer Personal Data — personal data submitted to or generated within the Service by or on behalf of Customer, which Context Hints processes on Customer's instructions.
- Sub-processor — any processor engaged by Context Hints to assist in processing Customer Personal Data.
- Restricted Transfer — a transfer of personal data from an EEA, UK, or Swiss jurisdiction to a country without an adequacy decision from the relevant authority.
- Standard Contractual Clauses — the European Commission's Standard Contractual Clauses (EU SCCs) and the UK International Data Transfer Addendum, as applicable.
3. Scope and roles
For the personal data Customer submits through the Service:
- Customer is the Controller (or the processor acting on behalf of another controller).
- Context Hints is the Processor (or sub-processor, as applicable).
The subject matter and duration of processing, the nature and purpose of processing, the types of personal data, and the categories of data subjects are described in Annex A to this DPA. The default Annex A is below; Customer may modify it in a signed order form for a specific engagement.
4. Customer instructions
Context Hints will process Customer Personal Data only on Customer's documented instructions, including those set out in the Terms of Service, an order form, this DPA, and any further written instructions Customer provides. If Context Hints believes an instruction infringes applicable data protection law, Context Hints will inform Customer and may suspend that processing pending resolution.
5. Personnel
Context Hints ensures that personnel authorized to process Customer Personal Data are bound by appropriate contractual or statutory confidentiality obligations, have received reasonable data-protection training, and have access only to the data they need to perform their work.
6. Security measures
Context Hints implements and maintains technical and organizational measures appropriate to the risk of processing, including the measures described in Annex B. These measures cover, at minimum:
- Encryption of Customer Personal Data in transit using current TLS, and at rest where supported by the underlying service.
- Logical access controls based on least privilege.
- Multi-factor authentication for all administrative accounts.
- Separation of production data from development and test environments.
- Vulnerability management, including timely patching of known vulnerabilities.
- Logging and monitoring of security-relevant events.
- Backup procedures sufficient to recover the Service in the event of operational disruption.
- Personnel onboarding and offboarding procedures, including credential revocation on departure.
- An incident-response plan covering detection, containment, notification, and post-incident review.
7. Sub-processors
Customer grants Context Hints general authorization to engage sub-processors to assist in providing the Service, subject to the obligations in this section. The current list of sub-processors is published in Annex C below and is updated whenever a sub-processor is added, replaced, or removed.
- Context Hints will impose data-protection obligations on each sub-processor that are no less protective than those in this DPA.
- Context Hints remains liable to Customer for the acts and omissions of each sub-processor.
- When Context Hints intends to engage a new sub-processor or replace an existing one, Context Hints will give Customer at least fifteen days' advance notice (by updating Annex C and notifying Customer's contacts on file).
- Customer may object on reasonable data-protection grounds within ten days of the notice. If the objection cannot be resolved within thirty days, Customer may terminate the affected portion of the Service for cause.
8. International transfers
For Restricted Transfers, the parties incorporate the relevant Standard Contractual Clauses by reference:
- For transfers from the EEA to a country without an adequacy decision, the EU SCCs (Module 2: Controller to Processor, or Module 3: Processor to Processor, as applicable) are incorporated, with Annexes I, II, and III completed using the corresponding annexes to this DPA.
- For transfers from the UK, the UK International Data Transfer Addendum is incorporated, supplementing the EU SCCs.
- For transfers from Switzerland, the EU SCCs are interpreted to provide protection for Swiss data subjects with references adjusted as required by the Swiss FADP.
9. Data-subject rights
Context Hints will, to the extent reasonably possible, assist Customer in fulfilling its obligations to respond to data-subject requests, including requests for access, rectification, erasure, restriction, portability, and objection. If a data subject contacts Context Hints directly with such a request, Context Hints will forward it to Customer and not respond substantively unless Customer instructs otherwise.
10. Breach notification
Context Hints will notify Customer without undue delay, and in any event within seventy-two hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include the information required by applicable law to the extent it is then known, including the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
11. Audits
Context Hints will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including by responding to written questionnaires once per calendar year. On reasonable prior notice, no more than once every twelve months (except where required by a supervisory authority or in response to a suspected breach), Customer may conduct an audit of Context Hints' compliance with this DPA. Audits will be conducted during business hours, by a mutually agreed independent auditor, subject to confidentiality and at Customer's expense.
12. Return or deletion
Upon termination of the engagement, Context Hints will, at Customer's choice, return or delete all Customer Personal Data within thirty days, except where Context Hints is required by law to retain it for a longer period (for example, tax record-keeping obligations). Context Hints will continue to protect any retained data in accordance with this DPA until it is deleted.
13. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service or the applicable order form. Where the EU SCCs apply, nothing in this section limits a data subject's rights under the SCCs.
14. Term
This DPA takes effect on the effective date of the engagement that incorporates it and continues until the engagement ends and all Customer Personal Data has been returned or deleted in accordance with Section 12.
15. How to sign
If your procurement process requires a counter-signed copy of this DPA, write to legal@contexthints.com with your company name, the relevant order form or engagement, and the details to populate Annex A. We will return a signed copy within five business days.
Annex A — Description of processing
- Subject matter. Provision of the Service to Customer.
- Duration. The term of the engagement plus any post-termination retention required by law.
- Nature and purpose. Performing the Service, including hosting, communication, billing, and providing advisory deliverables.
- Categories of data. Business contact information (name, email, role, company), correspondence content, usage data, and any other Customer Personal Data Customer submits to the Service.
- Categories of data subjects. Customer's authorized users, Customer's customers and prospects where Customer chooses to share that information with Context Hints, and any other individual whose data Customer chooses to submit.
- Sensitive categories. Not processed by default. If a specific engagement requires processing of sensitive categories, additional safeguards will be agreed in the order form.
Annex B — Technical and organizational measures
The measures described in Section 6 of this DPA. A more detailed security overview is available on request to security@contexthints.com.
Annex C — Sub-processors
The current list of sub-processors used in providing the Service, with the country of processing and the function each performs. Updated as changes occur.
| Sub-processor | Country | Function |
|---|---|---|
| Vercel Inc. | USA | Edge hosting and content delivery |
| Calendly LLC | USA | Discovery-call scheduling |
| Email provider | USA | Transactional email and correspondence |
| Payment processor | USA | Invoicing and payment, for paid engagements only |