Data Processing Agreement

1. Definitions

"GDPR" means the EU General Data Protection Regulation 2016/679.

"CCPA" means the California Consumer Privacy Act of 2018.

"Data Incident" means a breach of Hybrid Reply's security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of Customer Data.

2. Processing Obligations

2.1 Instructions

Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country.

2.2 Confidentiality

Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3. Security of Processing

Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:

• The pseudonymization and encryption of personal data at rest (AES-256) and in transit (TLS 1.2+).
• The ability to ensure the ongoing confidentiality, integrity, and availability of processing systems.
• A process for regularly testing, assessing, and evaluating the effectiveness of security measures.

4. Sub-processors

Controller provides a general authorization to Processor to engage onward sub-processors. Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.

5. Data Incident Management

Processor shall notify Controller without undue delay (and in any event within 72 hours) after becoming aware of a Data Incident. Processor shall take reasonable steps to mitigate the effects and to minimize any damage resulting from the Data Incident.

6. Deletion or Return of Data

Upon termination of the Service, Processor shall, at the choice of the Controller, delete or return all personal data to the Controller, unless applicable law requires continued storage of the personal data.