Data Processing Agreement
This Data Processing Agreement (the "DPA") governs the processing of personal data by Hypersave (operated by Quiet Mountain Consulting Pte. Ltd., a Singapore-registered company) on behalf of business customers, and forms part of the Terms of Service for any customer subject to the GDPR, UK GDPR, Singapore PDPA, or comparable data protection law.
1. Roles
Where Hypersave processes personal data on behalf of a customer (the "Controller") in the course of providing the Service, Hypersave acts as a "Processor" within the meaning of Article 4(8) of the GDPR. The Controller is responsible for the lawfulness of the data it submits to the Service and for obtaining all necessary rights and consents from data subjects.
2. Subject matter and duration
Hypersave processes personal data solely to provide the Service to the Controller, for the duration of the Controller's subscription, and for any post-termination period required by law or expressly authorised by the Controller (for example, retention for billing or audit).
3. Nature and purpose of processing
Hypersave processes personal data submitted by the Controller as inputs to compute jobs (prompts, sandbox payloads, container images, configuration), data generated by the Service (logs, traces, billing records), and account-level data about Controller personnel (names, emails, role).
4. Categories of data subjects and personal data
The Controller determines what personal data, if any, is submitted. Typically this may include: the Controller's own personnel (administrators, developers), and any end-user data that the Controller chooses to send through the Service (for example, end-user prompts in a Controller-built application). Hypersave does not require special category data to be processed.
5. Sub-processors
The Controller provides general authorisation for Hypersave to engage the sub-processors listed at /security. Hypersave gives at least 30 days' notice of material sub-processor additions via email to the Controller's account contact and dashboard banner. The Controller may object to a new sub-processor on reasonable grounds, in which case Hypersave will either accommodate the objection or permit the Controller to terminate the affected portion of the Service without penalty.
6. Confidentiality
Hypersave ensures that personnel authorised to process personal data are bound by appropriate confidentiality obligations.
7. Security measures
Hypersave implements technical and organisational measures designed to protect personal data, including: encryption in transit and at rest, role-based access control, audit logging of administrative actions, secrets vault for customer credentials, network segmentation, vendor security review for sub-processors, and incident response procedures. Detailed measures are documented at /security.
8. Data subject requests
Hypersave provides reasonable assistance to the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection). Programmatic endpoints for account data export and deletion are available; requests to legal@hypersave.ai are acknowledged within 5 business days.
9. Personal data breach
Hypersave notifies the Controller without undue delay, and within 72 hours where feasible, of any personal data breach affecting the Controller's data, providing sufficient information for the Controller to meet its own notification obligations under applicable law.
10. International transfers
Where personal data is transferred out of the EEA, UK, or Switzerland, Hypersave relies on transfer mechanisms recognised by applicable law, including the EU Standard Contractual Clauses (2021 version) and UK International Data Transfer Addendum, applied to the relationship with the Controller and with sub-processors as appropriate.
11. Audits
The Controller may, on reasonable written notice and not more than once per year (except in case of a data incident), request information necessary to demonstrate Hypersave's compliance with this DPA. Hypersave responds with our most recent security assessment, sub-processor list, and answers to reasonable written questions. On-site audits may be agreed for enterprise customers subject to confidentiality and reasonable scope.
12. Return or deletion
On termination, Hypersave returns or deletes Controller personal data at the Controller's choice, except where retention is required by law (for example, financial records). Deletion is completed within 30 days of confirmation.
13. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits liability that cannot be excluded under applicable data protection law.
14. Order of precedence
To the extent of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to processing of personal data.
15. Contact
To request a signed DPA, raise concerns about a sub-processor, or initiate a data subject request: legal@hypersave.ai.