DATA PROCESSING AGREEMENT
PERISKOPE (HASHLABS HOLDINGS INC.)
This Data Processing Agreement ("Agreement") forms part of the Principal Agreement, including the main Terms of Service, Software Services Agreement, Order Form, or other agreement governing Customer’s use of the Services ("Principal Agreement") between:
Hashlabs Holdings Inc., doing business as "Periskope", with mailing address at 2261 Market Street #4881, San Francisco, 94114, California, United States (the "Processor");
and
The customer entity that has entered into the Principal Agreement with Hashlabs Holdings Inc. (the "Customer");
(together, the "Parties").
WHEREAS
A. The Customer acts as a Data Controller.
B. The Customer wishes to engage the Processor to provide certain services which involve the processing of personal data, as more particularly described in the Principal Agreement.
C. The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (the "GDPR").
D. The Parties acknowledge that the Processor is established in the United States and that the provision of the Services involves transfers of personal data to the United States, and onward to India and other countries where the Processor, its affiliates, or Subprocessors process personal data, which transfers the Parties wish to lawfully authorise and protect by way of this Agreement.
E. The Parties wish to lay down their respective rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalised terms used in this Agreement shall have the following meanings:
1.1.1. "Agreement" means this Data Processing Agreement and all Schedules;
1.1.2. "Customer Personal Data" means any Personal Data Processed by the Processor or a Subprocessor on behalf of the Customer pursuant to or in connection with the Principal Agreement;
1.1.3. "Data Protection Laws" means EU Data Protection Laws, the UK GDPR, the DPDP Act, and, to the extent applicable, the data protection or privacy laws of any other relevant jurisdiction;
1.1.4. "EEA" means the European Economic Area;
1.1.5. "EU Data Protection Laws" means the GDPR and all national laws implementing or supplementing the GDPR, as amended, replaced, or superseded from time to time;
1.1.6. "GDPR" means Regulation (EU) 2016/679;
1.1.7. "Services" means the WhatsApp business communication management, multi-agent inbox, workflow automation, ticketing, analytics, AI-enabled assistance, and related software-as-a-service offerings provided by the Processor under the Principal Agreement;
1.1.8. "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Implementing Decision (EU) 2021/914;
1.1.9. "Subprocessor" means any person appointed by or on behalf of the Processor to Process Personal Data on behalf of the Customer in connection with this Agreement, including the Processor’s affiliate Hashlabs India Private Limited;
1.1.10. "UK GDPR" means the GDPR as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended or superseded from time to time.
1.2. The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", and "Supervisory Authority" shall have the meanings given to them in the GDPR, and cognate terms shall be construed accordingly.
2. Processing of Customer Personal Data
2.1. The Processor shall:
2.1.1. comply with all applicable Data Protection Laws in the processing of Customer Personal Data; and
2.1.2. not Process Customer Personal Data other than on the Customer’s documented instructions, unless required to do otherwise by applicable law, in which case the Processor shall, to the extent permitted by law, inform the Customer of such legal requirement before processing.
2.2. The Customer instructs the Processor to process Customer Personal Data for the purposes of providing, securing, maintaining, supporting, troubleshooting, and improving the Services, as more particularly described in the Principal Agreement and Schedule 1 to this Agreement.
2.3. The Customer is responsible for ensuring that it has all required rights, notices, permissions, consents, and lawful bases to collect, use, disclose, and provide Customer Personal Data to the Services, including where the Customer uses the Services to communicate with Data Subjects through WhatsApp or other communication channels.
2.4. The Services are not designed to require the submission of special category data or sensitive personal data. However, the Customer acknowledges that the Customer, its users, Data Subjects, or other third parties may submit such data through WhatsApp messages, attachments, media, or other content processed through the Services. The Customer is responsible for ensuring that any such Processing complies with applicable Data Protection Laws.
2.5. Where the Customer enables or uses AI features, the Processor and its authorised Subprocessors may process Customer Personal Data to generate AI responses, summaries, automations, suggestions, classifications, or related outputs. The Processor does not use Customer Personal Data to train its own AI models unless expressly agreed otherwise in writing.
3. Processor Personnel
The Processor shall take reasonable steps to ensure the reliability of any employee, agent, contractor, or affiliate personnel who may have access to Customer Personal Data, ensuring that such access is strictly limited to individuals who need to know or access the relevant Customer Personal Data as necessary for the purposes of the Principal Agreement, and ensuring that all such individuals are subject to confidentiality undertakings or statutory obligations of confidentiality no less protective than this Agreement.
4. Security
4.1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, TLS encryption for data in transit, AES-256 encryption at rest, multi-factor authentication for internal systems, role-based access controls, least-privilege access, restricted production access, logging and monitoring, backup controls, secure deletion procedures, incident response procedures, personnel confidentiality obligations, vendor review processes, and other measures described in Schedule 1 and Schedule 2.
4.2. In assessing the appropriate level of security, the Processor shall take account in particular of the risks presented by Processing, including from a Personal Data Breach.
5. Subprocessing
5.1. The Customer grants the Processor general written authorisation to engage Subprocessors, including affiliates, for the performance of the Services, including infrastructure, hosting, platform-integration, messaging, analytics, support, email, and AI service providers, provided that the Processor:
(a) maintains an up-to-date list of Subprocessors at https://periskope.app/legal/subprocessors or such other URL as the Processor may make available from time to time;
(b) imposes data protection obligations on each Subprocessor that are no less protective of Customer Personal Data than the obligations set out in this Agreement;
(c) remains fully liable to the Customer for the performance of each Subprocessor’s obligations in relation to the Processing of Customer Personal Data; and
(d) provides the Customer with at least fifteen (15) days’ prior written notice of the appointment of any new Subprocessor, which may be provided by updating the Subprocessor list or by other written notice, during which period the Customer may object on reasonable data protection grounds, in which case the Parties shall discuss in good faith a reasonable resolution.
5.2. The Processor’s Services are principally performed by its wholly-owned affiliate, Hashlabs India Private Limited ("HI"), having its registered office at D-16/13 SF, Orchid Floors, Ardee City, Gurgaon – 122011, Haryana, India, which acts as a Subprocessor for the development, support, and operational delivery of the Services. HI is bound by data protection and confidentiality obligations no less protective than those set out in this Agreement, pursuant to a written intra-group data processing arrangement between the Processor and HI.
5.3. Notwithstanding the engagement of HI or any other Subprocessor, the Processor shall remain fully and directly liable to the Customer for the performance of the Services and compliance with this Agreement and the Data Protection Laws, as if the Processor had performed the Services itself.
6. Data Subject Rights
6.1. Taking into account the nature of the Processing, the Processor shall assist the Customer, by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer’s obligations to respond to requests from Data Subjects exercising their rights under the Data Protection Laws.
6.2. The Processor shall:
6.2.1. promptly notify the Customer if it receives a request from a Data Subject in respect of Customer Personal Data; and
6.2.2. not respond to any such request except on the documented instructions of the Customer, or as required by applicable law, in which case the Processor shall, to the extent permitted by law, inform the Customer of that legal requirement before responding.
7. Personal Data Breach
7.1. The Processor shall notify the Customer without undue delay and, where feasible, within forty-eight (48) hours, upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing the Customer with sufficient information reasonably available to the Processor to allow the Customer to meet its obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Where complete information is not immediately available, the Processor may provide information in phases as it becomes available.
7.2. The Processor shall co-operate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
The Processor shall provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with Supervisory Authorities which the Customer reasonably considers to be required by Articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to processing of Customer Personal Data by the Processor, and taking into account the nature of the processing and information available to the Processor.
9. Deletion or Return of Customer Personal Data
9.1. Subject to clause 9.2, the Processor shall promptly, and in any event within thirty (30) days of the date of cessation of any Services involving the processing of Customer Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of Customer Personal Data, save that the Processor may retain Customer Personal Data contained in encrypted backup systems for a maximum additional period of thirty (30) days, after which such backups shall be securely overwritten or deleted in the ordinary course, unless retention is required by applicable law or otherwise permitted under the Principal Agreement.
9.2. The Processor shall provide written certification to the Customer that it has fully complied with this clause 9 within ten (10) business days of the expiry of the periods referred to in clause 9.1, upon the Customer’s written request.
10. Audit Rights
10.1. Subject to clause 10.2, the Processor shall make available to the Customer on reasonable written request information reasonably necessary to demonstrate compliance with this Agreement. The Processor may satisfy such requests by providing security documentation, certifications, penetration test summaries, responses to security questionnaires, or other relevant information. Any direct audit or inspection shall be subject to reasonable prior notice, confidentiality obligations, reasonable scope, and shall not unreasonably interfere with the Processor’s business operations. Direct audits shall be limited to cases where required by applicable Data Protection Laws or where the documentation provided by the Processor is not reasonably sufficient.
10.2. The Customer’s information and audit rights under clause 10.1 shall not arise to the extent that the Principal Agreement otherwise affords the Customer information and audit rights meeting the relevant requirements of the Data Protection Laws.
11. Data Transfer
11.1. The Parties acknowledge that the Processor is established in the United States and that the performance of the Services may involve transfers of Customer Personal Data to the United States, and onward to India and other countries where the Processor, its affiliates, or Subprocessors Process Customer Personal Data.
11.2. For transfers of Customer Personal Data from the EEA to a country that has not been recognised as providing an adequate level of protection, the Parties agree that the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 shall apply and are incorporated by reference into this Agreement. For such transfers, Module Two (Controller to Processor) shall apply, with the Customer as data exporter and the Processor as data importer.
11.3. For transfers of Customer Personal Data subject to the UK GDPR, the Parties agree that the UK International Data Transfer Addendum to the EU Standard Contractual Clauses shall apply and is incorporated by reference into this Agreement.
11.4. Where the Processor engages a Subprocessor located outside the EEA or the United Kingdom in connection with the Processing of Customer Personal Data, including HI, the Processor shall ensure that an onward transfer mechanism compliant with the Data Protection Laws, including the Standard Contractual Clauses or UK Addendum where applicable, is in place prior to such transfer.
11.5. In the event of any conflict between this Agreement and the applicable Standard Contractual Clauses or UK Addendum, the Standard Contractual Clauses or UK Addendum (as applicable) shall prevail to the extent of such conflict.
12. General Terms
12.1. Confidentiality. Each Party shall keep this Agreement, the Customer Personal Data, and any information it receives about the other Party in connection with this Agreement confidential, and shall not use or disclose such confidential information without the prior written consent of the other Party, except to the extent that: (a) disclosure is required by applicable law; or (b) the relevant information is already, or subsequently becomes, part of the public domain other than through breach of this clause.
12.2. Liability. Each Party’s liability arising out of or in connection with this Agreement shall be subject to the limitation of liability provisions set out in the Principal Agreement, save that nothing in this clause shall limit or exclude any liability which cannot be limited or excluded under applicable Data Protection Laws, or HI's obligations under clause 12.3.
12.3. DPDP Act. HI, as the Subprocessor performing the Services in India, shall comply with its obligations as a data fiduciary or data processor, as applicable, under the DPDP Act and rules made thereunder, to the extent applicable to its Processing of Customer Personal Data.
12.4. Notices. All notices and communications under this Agreement shall be in writing and delivered by email to the email address set out in the Principal Agreement, or such other address as a Party may notify to the other from time to time.
13. Governing Law and Jurisdiction
13.1. This Agreement is governed by the governing law set out in the Principal Agreement.
13.2. Any dispute arising in connection with this Agreement which the Parties are unable to resolve amicably within thirty (30) days shall be submitted to the jurisdiction set out in the Principal Agreement.
This Agreement forms part of the Principal Agreement and applies to the extent Customer uses the Services and the Processing of Customer Personal Data is subject to Data Protection Laws. This Agreement is effective as of the effective date of the Principal Agreement, unless otherwise agreed in writing by the Parties.
SCHEDULE 1 — DETAILS OF PROCESSING
Subject matter: Provision of Periskope’s WhatsApp business communication management, shared inbox, multi-agent inbox, workflow automation, ticketing, analytics, collaboration, AI-enabled assistance, and related software-as-a-service offerings by the Processor to the Customer.
Duration: The term of the Principal Agreement, together with the period from expiry until deletion of all Customer Personal Data by the Processor in accordance with clause 9.
Nature and purpose of Processing: Collection, recording, storage, retrieval, access, display, transmission, organisation, structuring, analysis, use, disclosure to authorised Subprocessors, deletion, support, troubleshooting, security monitoring, and automated processing of Customer Personal Data to provide, secure, maintain, support, troubleshoot, improve, and operate the Services in accordance with the Principal Agreement and the Customer’s instructions.
Categories of Data Subjects: The Customer’s users, employees, agents, representatives, customers, prospective customers, vendors, suppliers, business contacts, WhatsApp contacts, group participants, end-users, and other individuals who communicate with the Customer through connected phones or whose Personal Data is submitted to the Services.
Categories of Personal Data: Names, phone numbers, WhatsApp identifiers, profile names, profile photos where available, message content, attachments, media, documents, images, files, group names, group metadata, chat metadata, timestamps, tickets, assignments, internal notes, tags, labels, user account information, access logs, usage metadata, analytics data, support data, and other Personal Data submitted to the Services by or on behalf of the Customer.
Special categories of data (if any): The Services do not require special category data or sensitive personal data. However, such data may be included in messages, attachments, media, or other content submitted by the Customer, the Customer’s users, Data Subjects, or other third parties. The Customer is responsible for ensuring that such data is processed lawfully.
Frequency of transfer: Continuous, for the duration of the Services.
Retention: Customer Personal Data is retained for the duration of the Services and deleted in accordance with the Agreement, the Principal Agreement, and applicable retention settings. Logs are generally retained for thirty (30) days. Backups are generally retained for thirty (30) days.
SCHEDULE 2 — INTERNATIONAL TRANSFER MECHANISMS
EU SCCs. For transfers of Customer Personal Data from the European Economic Area to a country that has not been recognised as providing an adequate level of protection, the Parties agree that the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 shall apply and are incorporated by reference into this Agreement. For such transfers, Module Two (Controller to Processor) shall apply, with the Customer as data exporter and the Processor as data importer.
UK Addendum. For transfers of Customer Personal Data subject to the UK GDPR, the Parties agree that the UK International Data Transfer Addendum to the EU Standard Contractual Clauses shall apply and is incorporated by reference into this Agreement.
Conflict. In the event of any conflict between this Agreement and the applicable Standard Contractual Clauses or UK Addendum, the Standard Contractual Clauses or UK Addendum (as applicable) shall prevail to the extent of such conflict.
ANNEX I — DETAILS OF TRANSFER
A. List of Parties
Data exporter: The Customer.
Address and contact details are as set out in the Principal Agreement or Order Form.
Activities relevant to the data transferred: Use of Periskope’s WhatsApp business communication management platform and related Services to communicate with the Customer’s customers, prospective customers, end-users, and other contacts.
Role: Controller.
Data importer: Hashlabs Holdings Inc., doing business as Periskope.
Mailing address: 2261 Market Street #4881, San Francisco, 94114, California, United States.
Contact person: Swapnika Nag, CEO.
Activities relevant to the data transferred: Provision of Periskope’s WhatsApp business communication management platform and related Services, including storage, transmission, processing, support, security, and AI-enabled assistance, on behalf of the Customer.
Role: Processor.
B. Description of Transfer
Categories of data subjects: The Customer’s users, employees, agents, representatives, customers, prospective customers, vendors, suppliers, business contacts, WhatsApp contacts, group participants, end-users, and other individuals who communicate with the Customer through connected phones or whose Personal Data is submitted to the Services.
Categories of personal data: Names, phone numbers, WhatsApp identifiers, profile names, profile photos where available, message content, attachments, media, documents, images, files, group names, group metadata, chat metadata, timestamps, tickets, assignments, internal notes, tags, labels, user account information, access logs, usage metadata, analytics data, support data, and other Personal Data submitted to the Services by or on behalf of the Customer.
Sensitive data transferred and applied restrictions: The Services do not require special category data or sensitive personal data. However, such data may be included in messages, attachments, media, or other content submitted by the Customer, the Customer’s users, Data Subjects, or other third parties. The Customer is responsible for ensuring that such data is processed lawfully.
Frequency of transfer: Continuous, for the duration of the Services.
Nature of processing: Collection, recording, storage, retrieval, access, display, transmission, organisation, structuring, analysis, use, disclosure to authorised Subprocessors, deletion, support, troubleshooting, security monitoring, and automated processing of Customer Personal Data.
Purpose(s) of transfer and further processing: To provide, secure, maintain, support, troubleshoot, improve, and operate the Services in accordance with the Principal Agreement and the Customer’s instructions, including AI-enabled responses, summaries, automations, suggestions, classifications, or related outputs where AI features are enabled.
Retention period: For the duration of the Services and thereafter in accordance with clause 9 of the Agreement and the Principal Agreement. Logs are generally retained for thirty (30) days. Backups are generally retained for thirty (30) days.
C. Competent Supervisory Authority
The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses, based on the Customer’s establishment or other applicable criteria under the SCCs.
ANNEX II — TECHNICAL AND ORGANISATIONAL MEASURES
The Processor implements and maintains technical and organisational measures designed to protect Customer Personal Data, including:
Encryption: Customer Personal Data is encrypted in transit using TLS and encrypted at rest using AES-256 or equivalent cloud-provider encryption controls.
Access control: Access to production systems and Customer Personal Data is restricted to authorised personnel based on least privilege and business need.
Authentication: Multi-factor authentication is enabled for internal systems where supported.
Authorization: Role-based access controls are used to limit access to systems and data according to job responsibilities.
Logging and monitoring: The Processor maintains logs and monitoring for relevant system activity, access, and security events. Logs are generally retained for thirty (30) days.
Backup and recovery: Backups are maintained to support service continuity and recovery. Backups are generally retained for thirty (30) days and deleted or overwritten in the ordinary course.
Incident response: The Processor maintains incident response procedures for detecting, escalating, investigating, mitigating, and notifying Customers of Personal Data Breaches.
Secure development: The Processor uses secure development and deployment practices, including code review, controlled deployments, and security testing where appropriate.
Vendor management: The Processor reviews vendors and Subprocessors that process Customer Personal Data and requires appropriate contractual, confidentiality, and data protection commitments.
Personnel confidentiality: Personnel with access to Customer Personal Data are subject to confidentiality obligations.
Testing and assurance: The Processor performs security reviews and has penetration testing available under confidentiality. ISO 27001 certification is currently in process.
ANNEX III — SUBPROCESSORS
The Processor maintains an up-to-date list of Subprocessors at https://periskope.app/legal/subprocessors or such other URL as the Processor may make available from time to time.
The Subprocessor list includes the name, purpose, and relevant processing details for Subprocessors used to provide the Services. This list includes, at minimum, Hashlabs India Private Limited, which performs development, support, and operational delivery of the Services from India, pursuant to clause 5.2 of this Agreement.