Skip to content
Hexaa
What we automateIndustriesCase studiesAbout
Book a call
AutomateIndustriesCasesAbout
Hexaa

Document automation, built around your operations. Vendor-agnostic, and yours to own.

What we automate

  • The pipeline
  • Classification
  • Extraction
  • Validation
  • Routing and integration

Industries

  • Logistics and freight
  • Construction
  • Banking and financial services
  • Healthcare
  • All ten industries

Company

  • About
  • Case studies
  • Book a call

Legal

  • Privacy
  • Terms
  • Cookies
  • DPA
  • Accessibility
© Hexaa 2026. Austin · Brantford · Lahore.
hello@hexaa.aiLinkedIn

Legal

Data Processing Agreement

Last updated: 2026-05-16

This Data Processing Agreement forms part of the agreement between Hexaa, Inc. and the customer for the processing of personal data in connection with Hexaa services.

This Data Processing Agreement ("DPA") forms part of the agreement between Hexaa, Inc. ("Processor") and the customer ("Controller") for processing personal data in connection with Hexaa services.

1. Definitions

Personal Data, Processing, Controller, Processor, Sub-processor, Personal Data Breach, and Applicable Data Protection Law have the meanings given in GDPR, UK GDPR, and applicable privacy law.

2. Subject matter and duration

Hexaa processes Personal Data to provide the Service. Processing continues for the term of the principal agreement and any deletion-or-return period.

3. Nature and purpose of processing

Processing includes collection, storage, retrieval, analysis, transmission, deletion, and return for readiness assessment, booking, reporting, support, security, and procurement workflows.

4. Types of Personal Data

Personal Data may include name, work email, company, role, message, booking details, readiness-assessment answers, IP address, user agent, consent state, analytics identifiers, and redacted AI trace metadata.

5. Security measures

Hexaa applies access controls, encryption in transit, least-privilege service credentials, logging, PII redaction, rate limiting, and vendor review. Annex A may be expanded in an order form.

6. Sub-processors

Hexaa may use the following sub-processors and remains responsible for their acts and omissions.

VendorPurposeRegionTransfer mechanism
Vercel, Inc.Hosting, edge functions, deployment, and Speed InsightsUS multi-regionSCC + DPA
Supabase, Inc.Postgres database, storage, authentication, and operational audit dataUS project regionSCC + DPA
Sanity, Inc.CMS content lake for marketing and legal pagesEU dataset regionSCC + DPA
Google LLC (Google Tag Manager)Consent-aware analytics tag deliveryUSSCC + DPA
Microsoft Corporation (Clarity)Consent-aware product analytics and session diagnosticsUSSCC + DPA
Cloudflare, Inc.Turnstile bot-protection challenge verificationUSSCC + DPA
Resend, Inc.Transactional email deliveryUSSCC + DPA
Cal.com, Inc.Booking availability and schedulingUSSCC + DPA
Langfuse GmbHAI observability after PII redactionEU or US cloud regionSCC + DPA

Hexaa will provide at least 30 days advance notice before engaging a new sub-processor. The Controller may object on reasonable data-protection grounds.

7. International transfers

For EEA transfers, the parties incorporate the European Commission Standard Contractual Clauses under Implementing Decision 2021/914, Module 2. For UK transfers, the parties use the UK ICO IDTA or UK Addendum as applicable. This DPA does not cite the repealed SCCs.

8. Data subject requests

Hexaa will reasonably assist the Controller with data subject access, deletion, correction, portability, restriction, objection, and consent-withdrawal requests.

9. Personal data breach notification

Hexaa will notify the Controller without undue delay and, where feasible, within seventy-two (72) hours / 72 hours after becoming aware of a Personal Data Breach.

10. DPIA and prior consultation

Hexaa will reasonably assist with data protection impact assessment and prior consultation obligations. Operational records are available to procurement teams on request under appropriate confidentiality terms.

11. Audit

Hexaa will provide reasonable information necessary to demonstrate compliance and allow audit rights subject to confidentiality, security, and operational safeguards.

12. Deletion or return

At the Controller's choice, Hexaa will delete or return Personal Data after the Service ends, unless law requires retention.

13. Governing law

This DPA is governed by the laws of the State of Delaware, unless mandatory data-protection law requires otherwise.

14. Note on legal review

This DPA is maintained for procurement readiness and should be reviewed by counsel before signature or material legal reliance.

Questions? Email hello@hexaa.ai.