Last updated: 17 October 2025
This DPA forms part of the Agreement between Hay Labs LDA ("Processor" or "Hay") and the Customer ("Controller") for the hosted Service.
Controller determines the purposes and means of processing and instructs Hay to process personal data solely to provide the Service. Hay will not process personal data for its own purposes.
Hay ensures persons authorized to process personal data are bound by confidentiality obligations.
Hay implements technical and organizational measures appropriate to risk (Annex B), including TLS, RBAC, audit logging, and secure key management. Controller is responsible for configuration within its tenancy (roles, policies, IP allowlists).
Controller authorizes Hay to engage subprocessors listed in the Subprocessors List (updated online). Hay will impose data-protection obligations on subprocessors no less protective than this DPA and will notify Controller of material changes, allowing reasonable objection or termination rights where required.
Where subprocessors are outside the EEA/UK, Hay will ensure appropriate safeguards (e.g., SCCs, DPF). Upon request, Hay will provide information about transfer mechanisms for the current subprocessors.
Taking into account the nature of processing, Hay will assist Controller by providing appropriate technical/organizational measures to respond to requests under Arts. 15-22 GDPR (access, rectification, erasure, restriction, portability, objection), including available self-service tools or support channels. Hay does not respond directly to data subjects unless legally required and then only after notice to Controller (unless prohibited).
Hay will notify Controller without undue delay after becoming aware of a personal-data breach, providing information reasonably available to assist Controller's obligations under Arts. 33-34 GDPR.
Upon reasonable request, Hay will provide information necessary to demonstrate compliance and will allow audits by Controller or an independent auditor under confidentiality, at reasonable times, without disrupting operations unduly. Third-party audit reports or security summaries may satisfy this obligation.
Upon termination or at Controller's written request, Hay will delete or irreversibly anonymize personal data in active systems and, where feasible, return requested exports. Deleted data may persist in backups until overwritten by scheduled rotation; Hay will protect backups and prevent further processing.
Unless otherwise instructed, Hay will apply the following defaults:
Each party's liability under this DPA follows the Agreement's limitation of liability, except where prohibited by law.
This DPA is governed by Portuguese law with exclusive jurisdiction in Lisbon, Portugal.
This DPA incorporates the following annexes by reference:
Annex A – Processing Details: Detailed information about data categories, processing operations, retention periods, and data transfers.
Annex B – Technical & Organizational Measures (TOMs): Comprehensive list of security measures implemented by Hay in accordance with Art. 32 GDPR.
Annex C – Subprocessors List: Current list of subprocessors engaged by Hay, including their roles, locations, and safeguards in place.