Last updated: April 30, 2026
This Data Processing Agreement (“DPA”) is made between:
This DPA outlines the terms under which personal data will be processed by the Processor on behalf of the Controller, in compliance with relevant data protection laws. This DPA forms part of, and is incorporated into, the Hiro Analytics Terms of Service between the parties (the “Agreement”). In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall prevail. Capitalized terms not defined in this DPA have the meanings given in the Agreement or, where used in the context of European data protection, in the GDPR. “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including (as applicable) the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK Data Protection Act 2018 and UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), and other U.S. state privacy laws. “Personal Data,” “Controller,” “Processor,” “Sub-processor,” “Data Subject,” “Process/Processing,” and “Personal Data Breach” have the meanings given in the GDPR, and equivalent terms under other Applicable Data Protection Laws have corresponding meanings.
The subject of this DPA is the processing of Personal Data by Hiro Analytics for the purpose of providing analytics and retention marketing services. This agreement is effective for the duration of the Controller’s use of the services, including any period thereafter during which the Processor retains Personal Data in accordance with Section 8 (Data Retention and Deletion) or as required by Applicable Data Protection Laws. The duration, nature, purpose, types of Personal Data, and categories of Data Subjects are further described in Annex 1 (Description of Processing) attached to this DPA.
The Processor shall Process Personal Data only on the documented instructions of the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by law to which the Processor is subject. The Agreement, this DPA, and the Controller’s use of the configuration options made available within the services constitute the Controller’s complete and final documented instructions to the Processor for the Processing of Personal Data. Any additional or alternate instructions must be agreed in writing. The Processor shall promptly inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Laws, without obligation to actively monitor the Controller’s compliance with such laws.
The data processing activities involve collecting, storing, organizing, and analyzing:
These processing activities are conducted solely to deliver the services contracted by the Controller, such as generating reports, tracking marketing attribution, and analyzing sales trends. The Processor shall not (i) Sell or Share Personal Data (as those terms are defined in the CCPA); (ii) retain, use, or disclose Personal Data outside of the direct business relationship with the Controller, except as permitted by Applicable Data Protection Laws; (iii) combine Personal Data received from or on behalf of the Controller with Personal Data received from or on behalf of any other person, or collected from the Processor’s own interaction with any individual, except as permitted under 11 CCR § 7050(b); (iv) use Personal Data to train, develop, or improve generalized or third-party artificial intelligence or machine learning models; or (v) use Personal Data for cross-context behavioral advertising. The Processor certifies that it understands and will comply with the restrictions set forth in this Section. Data is never shared with any third party except for the sub-processors listed in Section 5 or as required by law in accordance with Section 6.7.
All data is processed in the United States. The Processor shall maintain appropriate measures to protect transferred Personal Data in compliance with Applicable Data Protection Laws. Where the Processor Processes Personal Data originating from the European Economic Area, the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties agree that such transfers shall be governed by the Standard Contractual Clauses approved by the European Commission in Decision 2021/914 (the “EU SCCs”), which are hereby incorporated by reference, with Module Two (Controller-to-Processor) applying when the Controller is itself a controller and Module Three (Processor-to-Processor) applying when the Controller acts as a processor for its own customer. For transfers from the United Kingdom, the parties agree to the UK International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner (the “UK Addendum”). For transfers from Switzerland, the EU SCCs apply with the modifications set out in the FDPIC’s guidance, including treating references to the GDPR as references to the Swiss FADP and the FDPIC as the competent supervisory authority. Annex 2 (Transfer Mechanisms), which is executed together with this DPA, sets out the SCC modules selected, the elections made under the optional clauses (including the Clause 7 docking clause), the frequency of transfer, other operational details, and the supplementary measures applied.
The Processor engages the following sub-processors for data processing:
The Controller hereby grants the Processor a general written authorization to engage the Sub-processors listed above and any additional Sub-processors notified to the Controller in accordance with this Section. The Processor shall maintain an up-to-date list of Sub-processors at hiroanalytics.com/sub-processors and shall provide the Controller with at least thirty (30) days’ prior notice (by email to the Controller’s administrator contact, in-product notification, or update to the published list with a subscription mechanism) before engaging any new Sub-processor that will Process Personal Data. The Controller may object to the engagement of a new Sub-processor on reasonable grounds relating to the protection of Personal Data by notifying the Processor in writing within fifteen (15) days of receipt of the notice. If the parties cannot reach a mutually acceptable resolution within a reasonable period, the Controller may, as its sole and exclusive remedy, terminate the affected services without penalty by providing written notice to the Processor and shall be entitled to a pro-rata refund of any prepaid fees for the unused portion of the term. The Processor shall enter into a written agreement with each Sub-processor containing data protection obligations no less protective than those in this DPA, including obligations sufficient to satisfy Article 28(3) GDPR and the requirements of the CCPA applicable to service providers and contractors. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor’s obligations.
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
6.1 Confidentiality. The Processor shall ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations (whether contractual or statutory) and have received appropriate training regarding their responsibilities.
6.2 Personal Data Breach Notification. The Processor shall notify the Controller without undue delay, and in any event no later than seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. Such notice shall, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. The Processor shall provide reasonable cooperation and information to assist the Controller in fulfilling its own breach notification obligations to supervisory authorities and Data Subjects. Notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgment by the Processor of any fault or liability.
6.3 Assistance with DPIAs and Prior Consultations. Taking into account the nature of the Processing and the information available to it, the Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, in each case to the extent required by Articles 35 and 36 GDPR.
6.4 Audits and Information Rights. The Processor shall make available to the Controller, on reasonable written request and no more than once per calendar year (except where required by Applicable Data Protection Laws or following a Personal Data Breach), the information necessary to demonstrate compliance with Article 28 GDPR, including (i) summaries of its most recent third-party audits or certifications (such as SOC 2, ISO 27001, or equivalent), and (ii) responses to a reasonable security questionnaire. Where the foregoing is not sufficient to demonstrate compliance, or where required by a competent supervisory authority, the Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an independent third-party auditor mandated by the Controller and bound by appropriate confidentiality obligations. Audits shall be conducted during regular business hours, with reasonable advance notice (not less than thirty (30) days, except in the case of an emergency or regulatory requirement), in a manner that does not unreasonably interfere with the Processor’s business or compromise the security or confidentiality of other customers’ data. Each party shall bear its own costs unless the audit reveals a material non-compliance by the Processor.
6.5 Updates to Security Measures. The Processor may update or modify the security measures from time to time, provided that such updates do not materially diminish the overall level of security afforded to Personal Data.
6.6 Notification of Inability to Comply. The Processor shall notify the Controller promptly if it determines that it can no longer meet its obligations under this DPA or under Applicable Data Protection Laws, and the Controller may, upon notice, take reasonable and appropriate steps to stop and remediate any unauthorized Processing.
6.7 Government and Third-Party Requests. If the Processor receives a legally binding request from a government authority or other third party for disclosure of Personal Data Processed on behalf of the Controller, the Processor shall, unless legally prohibited, (i) promptly notify the Controller, (ii) request that the requesting authority direct its request to the Controller, and (iii) challenge any over-broad or unlawful request and disclose only the minimum amount of Personal Data necessary to comply.
The Processor shall, taking into account the nature of the Processing and insofar as this is reasonably possible, assist the Controller by appropriate technical and organizational measures in fulfilling the Controller’s obligation to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws (including rights to access, correct, delete, restrict, port, opt out of sale or sharing, opt out of profiling, limit use of sensitive personal information, and object to Processing). If the Processor receives a request directly from a Data Subject relating to Personal Data Processed under this DPA, the Processor shall, unless legally prohibited, promptly forward the request to the Controller and shall not respond directly except to acknowledge receipt and direct the Data Subject to the Controller. Where the Processor provides functionality enabling the Controller to act on Data Subject requests within the services, the Controller shall use such functionality before requesting additional assistance. The Processor may charge a reasonable fee for assistance that requires significant engineering or operational effort beyond standard support.
Upon termination or expiration of the Agreement, the Processor shall, at the Controller’s choice (to be exercised in writing within thirty (30) days of termination, after which deletion shall be the default), delete or return all Personal Data, except where retention is required by law. The Controller’s access to Personal Data Processed under this DPA shall be disabled immediately upon termination. The Processor shall complete deletion (including from backup media in accordance with its standard backup rotation) within sixty (60) days of termination, and shall, on request, certify in writing that such deletion has been completed. Where Applicable Data Protection Laws require continued retention, the Processor shall isolate and protect the retained Personal Data from any further Processing other than as required by such laws and shall delete it once the legal obligation no longer applies. This Section 8 supersedes any contrary retention or deletion period set forth in the Agreement.
Liability arising under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, except to the extent such limitations are prohibited by Applicable Data Protection Laws, the EU SCCs, the UK Addendum, or liability owed directly to Data Subjects.
The Controller shall indemnify the Processor against any claims, fines, or damages to the extent arising from (a) the Controller’s instructions that infringe Applicable Data Protection Laws, or (b) the Controller’s failure to comply with its own obligations under Applicable Data Protection Laws.
| Subject matter | Provision of retention-marketing analytics services. |
| Duration | For the term of the Agreement plus the wind-down period set out in Section 8. |
| Nature and purpose | Collection, hosting, organization, structuring, analysis, and reporting of marketing-engagement and order data sourced from the Controller’s connected platforms, to provide attribution, performance, cohort, retention, and lifetime-value analytics. |
| Categories of Data Subjects | The Controller’s end customers, prospects, subscribers, and account contacts. |
| Categories of Personal Data | As described in Section 3 of this DPA. |
| Special categories | None intended; the Processor does not request or knowingly Process special-category data or sensitive personal information. |
| Frequency | Continuous via API integrations. |
This Annex 2 sets out the binding terms applicable to transfers of Personal Data subject to the GDPR, the UK GDPR, or the Swiss FADP from the Controller (as data exporter) to the Processor (as data importer). By accepting the DPA, the parties agree to and execute the transfer mechanisms described below. This Annex 2 is incorporated into the DPA and forms an integral part of it.
1. Module selection (EU SCCs, Decision 2021/914)
The parties incorporate the Standard Contractual Clauses approved by the European Commission in Decision (EU) 2021/914 (the “EU SCCs”) on the following basis:
No further election is required. The applicable Module is determined by the Controller’s actual role with respect to the Personal Data and may differ across data sets within a single account.
2. Optional and elective clauses
The parties make the following elections under the EU SCCs:
| Clause 7 (Docking Clause) | Included. Additional entities may accede to the EU SCCs as data exporter or data importer with the agreement of all existing parties. |
| Clause 9 (Use of Sub-processors) | Option 2 (general written authorization) applies. The notice period for changes is thirty (30) days, as set out in Section 5 of the DPA. |
| Clause 11 (Redress) | The optional independent dispute-resolution body language is not selected. Data subjects retain all rights set out in Clause 11(a)–(c). |
| Clause 17 (Governing law) | The EU SCCs are governed by the law of Ireland. |
| Clause 18 (Choice of forum and jurisdiction) | Disputes arising out of the EU SCCs shall be resolved by the courts of Ireland. |
3. Annex I to the EU SCCs
Annex I.A — List of parties
Data exporter (Controller):
| Name | The Customer identified in the Order Form, online sign-up record, or other written record evidencing acceptance of the Agreement and the DPA. |
| Address | As recorded in the Order Form or sign-up record. |
| Contact details | The administrative contact (or equivalent privacy or billing contact) recorded in the Order Form or sign-up record. |
| Role | Controller (Module Two) or Processor (Module Three), as applicable to the Personal Data transferred. |
| Activities relevant to the transfer | Use of the Processor’s analytics and retention-marketing services as described in the Agreement. |
| Signature and date | Captured electronically at the time of acceptance of the DPA. |
Data importer (Processor):
| Name | Hiro Analytics Inc. |
| Address | 1111b S Governors Ave STE 25084, Dover, DE 19904, USA |
| Contact details | help@hiroanalytics.com |
| Role | Processor (Module Two) or Sub-processor (Module Three) |
| Activities relevant to the transfer | Provision of analytics and retention-marketing services as described in the Agreement and in Annex 1 to the DPA. |
| Signature and date | Captured electronically at the time the DPA is made available for acceptance. |
Annex I.B — Description of transfer
| Categories of data subjects | As described in Section 3 of the DPA and Annex 1 to the DPA: the Controller’s end customers, prospects, subscribers, and account contacts. |
| Categories of personal data | As described in Section 3 of the DPA and Annex 1 to the DPA, including: (a) pseudonymous profile identifiers and associated subscription/consent status, channel preferences, source properties, and custom properties or behavioral tags; (b) message and campaign metadata and engagement metrics; and (c) order and transaction data. The Processor does not request, and configures its integrations not to ingest, direct identifiers (e.g., email addresses, phone numbers, names, postal addresses, dates of birth, government identifiers, payment-card data, order notes, or refund reasons). |
| Sensitive data | None intended. The Processor does not request or knowingly Process special-category data (Article 9 GDPR) or sensitive personal information (CCPA). |
| Frequency of transfer | Continuous, via API integrations with the Controller’s connected platforms. |
| Nature of the processing | Collection, hosting, organization, structuring, analysis, and reporting of marketing-engagement and order data. |
| Purpose of the transfer and processing | To provide attribution, performance, cohort, retention, and lifetime-value analytics to the Controller, as further described in Section 2 of the DPA. |
| Retention period | For the term of the Agreement plus the wind-down period set out in Section 8 of the DPA. |
| Sub-processors | Transfers to sub-processors are governed by Section 5 of the DPA and the sub-processor list referenced in Annex III below. |
Annex I.C — Competent supervisory authority
The competent supervisory authority for the EU SCCs is the Irish Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland.
Where the Controller is established in an EEA Member State and Article 56 GDPR identifies a different lead supervisory authority for the Controller’s processing, that authority shall be the competent supervisory authority for purposes of the EU SCCs in respect of that Controller.
4. Annex II to the EU SCCs — Technical and organizational measures
The technical and organizational measures implemented by the Processor are set out in Section 6 of the DPA and are incorporated into this Annex II by reference. Without limiting Section 6, the measures include:
5. Annex III to the EU SCCs — List of sub-processors
The Controller has authorized the use of the sub-processors listed in Section 5 of the DPA and as updated from time to time at hiroanalytics.com/sub-processors in accordance with Section 5. The information required by Annex III (name, address, contact, description of processing) is maintained at that location and is incorporated into this Annex III by reference.
6. UK International Data Transfer Addendum
For transfers of Personal Data subject to the UK GDPR, the parties incorporate the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the UK Data Protection Act 2018 (the “UK Addendum”), version B1.0, in force from 21 March 2022, on the following basis:
| Table 1 (Parties) | Populated by reference to Section 3 of this Annex 2 above (data exporter and data importer). |
| Table 2 (Selected SCCs, Modules and Selected Clauses) | The EU SCCs as incorporated and elected in Sections 1 and 2 of this Annex 2 above. Where the EU SCCs refer to EU law, those references are read as references to UK law as required by the UK Addendum. |
| Table 3 (Appendix Information) | Populated by reference to Sections 3, 4, and 5 of this Annex 2 above (Annex I, Annex II, and Annex III to the EU SCCs). |
| Table 4 (Ending the Addendum when the Approved Addendum changes) | Neither Party may end the UK Addendum as set out in Section 19 of the UK Addendum. |
| Governing law and forum | The UK Addendum is governed by the laws of England and Wales. Disputes arising out of the UK Addendum shall be resolved by the courts of England and Wales. |
| Competent supervisory authority | The UK Information Commissioner’s Office (ICO). |
7. Switzerland
For transfers of Personal Data subject to the Swiss Federal Act on Data Protection (FADP), the EU SCCs apply with the following modifications, consistent with guidance issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC):
8. Order of precedence
In the event of any conflict between this Annex 2 and the EU SCCs, the UK Addendum, or the Swiss modifications above (each as applicable), the EU SCCs, the UK Addendum, or the Swiss modifications shall prevail with respect to transfers governed by them. In the event of any conflict between this Annex 2 and the body of the DPA, this Annex 2 shall prevail with respect to the matters governed by it.
9. Execution
This Annex 2, including the EU SCCs, the UK Addendum, and the Swiss modifications incorporated above, is executed by the parties at the time the DPA is accepted, whether by signature or by electronic acceptance through the Processor’s online order, sign-up, or in-product flow. No separate signature is required.