Hypedata/ Legal/ Data Processing Agreement

Data processing agreement.

This DPA supplements the Terms of Service and governs the processing of personal data by HypeLabs, LLC on behalf of Customer, in compliance with the GDPR (EU 2016/679), the UK GDPR, the Swiss FADP, and, where relevant, the CCPA/CPRA.

Versionv2.4 · 2026.04
EffectiveApril 20, 2026
ProcessorHypeLabs, LLC
Counter-signaturedpa@hypelabs.llc

01Definitions

Capitalized terms have the meaning given to them in the GDPR unless defined otherwise. For the purposes of this DPA:

Customer
The entity that has entered into the Terms of Service with HypeLabs and acts as data controller for Customer Personal Data.
Customer Personal Data
Personal data processed by HypeLabs on behalf of Customer under the Agreement, including data contained in scraped content Customer elects to extract.
Processor
HypeLabs, LLC.
Applicable Law
The EU GDPR, UK GDPR, Swiss FADP, CCPA/CPRA, LGPD, PIPEDA, and any analogous data-protection law in a jurisdiction relevant to the processing.
SCCs
The Standard Contractual Clauses adopted by European Commission Decision 2021/914 of 4 June 2021.
UK Addendum
The International Data Transfer Addendum to the SCCs issued by the UK ICO under s.119A of the UK Data Protection Act 2018.

02Scope & roles

This DPA applies to all processing of Customer Personal Data carried out by HypeLabs in the course of providing the Service.

For the purposes of the GDPR: Customer is the controller and HypeLabs is the processor. For the purposes of the CCPA/CPRA: Customer is the business and HypeLabs is the service provider. HypeLabs certifies that it will not sell Customer Personal Data and will not use it outside the direct business purpose of providing the Service.

Where Customer sends URLs that return personal data, Customer warrants that: (i) it has identified a valid lawful basis for the processing; (ii) the scrape complies with applicable law including the AUP; and (iii) where required, appropriate notices have been given to, and consents obtained from, data subjects.

03Processing details

The details of the processing are set out in Schedule 1. In summary:

  • Subject matter: the provision of the Hypedata web data extraction Service.
  • Duration: the term of the Agreement.
  • Nature and purpose: routing requests via proxy infrastructure, rendering pages, parsing HTML, returning structured output to Customer.
  • Categories of data subjects and data: as set out in Schedule 1.

04Processing on documented instructions

HypeLabs will process Customer Personal Data only on documented instructions from Customer, including transfers to a third country or an international organization, unless required to do so by Applicable Law. The Agreement, this DPA, and Customer’s use of the Service constitute Customer’s documented instructions.

HypeLabs will inform Customer if, in its opinion, an instruction infringes the GDPR or other Applicable Law.

05Confidentiality

HypeLabs will ensure that personnel authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and undergo regular training on data protection and information security.

06Security of processing

HypeLabs will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Schedule 2. These measures include pseudonymisation and encryption, resilience of processing systems, a process for regular testing, and a process for the restoration of availability following an incident.

07Sub-processors

Customer provides a general written authorization for HypeLabs to engage sub-processors to provide the Service, subject to the following:

  • HypeLabs maintains a current list of sub-processors, including name, processing activity, and country of operation, at hypedata.io/legal/sub-processors.
  • HypeLabs will notify Customer of any intended addition or replacement of sub-processors at least thirty (30) days in advance by email and on the sub-processor page. Customer may object on reasonable grounds relating to data protection.
  • HypeLabs will impose on each sub-processor, by contract, data-protection obligations no less protective than those in this DPA. HypeLabs remains fully liable to Customer for the performance of each sub-processor.

08International transfers

HypeLabs is established in the United States and processes personal data globally via sub-processors in multiple jurisdictions. Where transfers of Customer Personal Data from the EEA, UK, or Switzerland to a third country without an adequacy decision are necessary, the following apply:

  • the parties enter into the SCCs — Module 2 (controller-to-processor) applies where Customer is a controller; Module 3 (processor-to-processor) applies where Customer is itself a processor. The SCCs are hereby incorporated by reference and completed as set out in Schedule 3;
  • for UK transfers, the parties apply the UK Addendum; for Swiss transfers, the SCCs are adjusted in accordance with the guidance of the FDPIC;
  • HypeLabs has carried out and documented a transfer impact assessment and applies supplementary technical measures (e.g. end-to-end encryption in transit, key management, access logging, challenge of over-broad law-enforcement requests).

09Data-subject requests

Taking into account the nature of the processing, HypeLabs will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests for the exercise of data-subject rights under the GDPR (access, rectification, erasure, restriction, portability, objection).

If HypeLabs receives a request directly from a data subject, it will not respond except to acknowledge receipt and redirect the data subject to Customer, unless legally required to respond directly.

10Personal data breach notification

HypeLabs will notify Customer without undue delay, and in any event within seventy-two (72) hours after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of data subjects and records concerned, likely consequences, and measures taken or proposed to address it.

HypeLabs will cooperate with Customer to meet any obligation Customer may have to notify supervisory authorities or data subjects. Customer remains responsible for its own external notifications.

11Audits & inspections

HypeLabs will make available to Customer all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.

  • Customer may request a copy of HypeLabs’ most recent SOC 2 Type II report and security whitepaper, which shall normally satisfy audit obligations.
  • Where Customer reasonably requires an on-site audit, it will be conducted no more than once per year, at Customer’s cost, with at least thirty (30) days’ written notice, during business hours, and subject to reasonable confidentiality undertakings.
  • Audits may not unreasonably interfere with HypeLabs’ business operations.

12Return and deletion

On termination of the Agreement, HypeLabs will, at Customer’s choice, delete or return all Customer Personal Data, and delete existing copies, unless Applicable Law requires storage of the personal data. Deletion will be completed within sixty (60) days of the termination date and confirmed in writing on request.

Back-up media cycled through standard retention schedules will be overwritten in the normal course, and remain protected by this DPA until overwritten.

13Liability

The liability regime of the Terms of Service applies to this DPA. Nothing in this DPA limits any right a data subject may have under the GDPR or other Applicable Law.

14Schedules

Schedule 1 — Processing details

Subject matterProvision of the Hypedata web data extraction API.
DurationTerm of the Agreement + up to 60 days of deletion window.
Nature & purposeRouting HTTP requests via proxy infrastructure; rendering JavaScript; parsing HTML/JSON; returning structured data; logging for security and billing.
Types of personal dataAs determined by Customer’s URLs and parsing instructions. May include names, contact details, public professional data, reviews, publicly listed identifiers. Sensitive categories (Art. 9 GDPR) are prohibited absent explicit Customer attestation of a valid legal basis.
Categories of data subjectsAs determined by Customer’s targets, typically: website visitors, customers, professionals, public figures, authors of publicly accessible content.
FrequencyContinuous, on-demand via API.
Retention by processorResponse content is processed in memory and not retained beyond the response life-cycle, unless Customer enables caching or snapshots. Metadata (timestamps, target host, byte size) is retained for 90 days.
DisposalCryptographic wipe of cached data; standard backup rotation; deletion certificates available on request.

Schedule 2 — Technical & organizational measures

  • Encryption — TLS 1.3 for all data in transit; AES-256 at rest; customer-managed keys available on Scale plans.
  • Access control — SSO enforced for all personnel; MFA mandatory; least-privilege RBAC; quarterly access reviews.
  • Network security — WAF and DDoS protection at edge; segmented production VPCs; no public admin interfaces.
  • Software development — peer-reviewed merges; SAST and dependency scanning in CI; quarterly penetration tests.
  • Personnel — background checks on production-access roles; confidentiality agreements; annual security training.
  • Logging & monitoring — 24/7 SIEM; immutable audit logs retained 12 months; anomaly detection on proxy egress and billing endpoints.
  • Business continuity — multi-region deployments; daily backups; documented DR runbooks; RPO 1 hour, RTO 4 hours on Scale.
  • Compliance — SOC 2 Type II, GDPR, CCPA, PCI-DSS via payment processor. See Security Statement.

Schedule 3 — SCCs completion

Clause 7 (docking)
Does not apply.
Clause 9 (sub-processors)
Option 2 — general written authorization; 30 days’ notice.
Clause 11(a)
Optional independent dispute resolution body not selected.
Clause 17 (governing law)
The law of Ireland.
Clause 18(b)
Courts of Ireland.
Annex I.A (parties)
Controller: Customer identified in the account. Processor: HypeLabs, LLC, 30 North Gould Street, Sheridan, WY 82801, USA.
Annex I.B
As per Schedule 1 above.
Annex I.C (supervisory authority)
The competent authority of the EU Member State in which the Customer’s EU representative is designated, or, failing that, Ireland’s Data Protection Commission.
Annex II (measures)
As per Schedule 2 above.
Annex III (sub-processors)
As published at hypedata.io/legal/sub-processors and updated in accordance with Section 07.
Processor
HypeLabs, LLC
30 North Gould Street
Sheridan, WY 82801 · United States
dpa@hypelabs.llc
Counter-signature
DPA@HYPELABS.LLC
EIN
35-2851293

This DPA is automatically incorporated into the Agreement when Customer processes personal data through the Service. Customers requiring a counter-signed copy may request one from dpa@hypelabs.llc.

Related legal documents
Terms of Service
Master agreement
Privacy Policy
Data controller obligations
Data Processing Agreement
→ You’re reading it
Security
Technical & org measures