Skip to content

LEGAL

Data Processing Agreement

Last updated: May 7, 2026 · Version 1.0-draft

This Data Processing Agreement (the “DPA”) forms part of the agreement between Hashproof, Inc. (“Hashproof”, “we”, the “Processor”) and the customer (“you”, the “Controller”) for use of the Hashproof API, SDKs, dashboard, and related services (the “Service”). It is incorporated by reference into our Terms of Service and applies whenever your use of the Service involves processing of personal data subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”), the UK GDPR, the Swiss Federal Act on Data Protection, or analogous regimes (collectively, “Data Protection Laws”).

By using the Service, you accept this DPA on behalf of yourself and any entity for which you act. If you require a counter-signed copy for your records, request one from privacy@hashproof.ai.

1. Definitions

Capitalized terms not defined here have the meaning given in the applicable Data Protection Laws. For clarity:

“Personal Data”
any information relating to an identified or identifiable natural person processed by Hashproof on your behalf in connection with the Service.
“Processing”
any operation performed on Personal Data, including collection, storage, transmission, retrieval, deletion, and the cryptographic operations the Service performs on submitted content.
“Sub-processor”
a third party engaged by Hashproof to process Personal Data on our behalf (the current list is in Annex II).
“Standard Contractual Clauses” or “SCCs”
the European Commission's standard contractual clauses for the transfer of personal data to third countries adopted on 4 June 2021 (Implementing Decision (EU) 2021/914), Module Two (Controller to Processor).

2. Roles and scope

For Personal Data submitted to or generated through the Service:

  • You are the Controller of Personal Data you upload, sign, or attest to using the Service.
  • Hashproof is the Processor for that data and processes it only on your documented instructions, which include the use of the Service in accordance with our Terms and your account configuration.
  • Hashproof is an independent Controller for limited account-administration data (e.g., your billing address, support correspondence) covered separately by our Privacy Policy.

3. Subject matter, nature, purpose, and duration

The subject matter of processing is content provenance: signing, storing, resolving, and verifying C2PA manifests for content you submit. The nature and purpose are described in Annex I. The duration is the term of your subscription plus the deletion window described in Section 11.

4. Processor obligations

Hashproof will:

  • Process Personal Data only on your documented instructions, including with regard to international transfers, unless required to do so by Union or Member State law (in which case we will inform you of that legal requirement before processing, unless the law prohibits such notice on grounds of public interest).
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures (TOMs) as described in Annex III.
  • Engage Sub-processors only under the conditions in Section 5.
  • Assist you in fulfilling your obligations to respond to data subject requests (Section 7).
  • Assist you in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, prior consultation), taking into account the nature of the processing and the information available to us.
  • On termination, delete or return Personal Data per Section 11.
  • Make available all information necessary to demonstrate compliance with Article 28 GDPR and contribute to audits as described in Section 9.

5. Sub-processors

You authorize Hashproof to engage Sub-processors to process Personal Data on the conditions in this DPA. The current Sub-processors are listed in Annex II. We will inform you of intended changes (additions or replacements) at least 30 days before the change takes effect by updating Annex II and emailing the account's primary contact. You may object on reasonable data-protection grounds within 30 days; if we cannot accommodate your objection, you may terminate the affected portion of the Service for the period covered by your objection and receive a pro-rata refund for unused fees.

Hashproof remains liable to you for the acts and omissions of Sub-processors to the same extent we would be liable for our own. Each Sub-processor is engaged under a written contract that imposes data-protection obligations no less onerous than those in this DPA.

6. Security

Hashproof maintains the technical and organizational measures described in Annex III, which include at minimum:

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.3).
  • Logical separation between tenants, role-based access controls, and least-privilege production access.
  • Audit logging of administrative actions and security-relevant events.
  • A documented incident response process with internal escalation paths.
  • Regular backup, restore testing, and continuity planning.

The full description of TOMs is published on the Security page and forms Annex III to this DPA. Hashproof may update TOMs from time to time, provided the security level of the Service is not materially diminished.

7. Data subject rights

Hashproof will, taking into account the nature of the processing, assist you with appropriate technical and organizational measures to fulfill your obligations to respond to requests from data subjects exercising their rights under Articles 15 to 22 GDPR. You can fulfill most requests directly through the dashboard (data export, deletion, account closure). For requests that require Hashproof intervention, contact privacy@hashproof.ai. Where Hashproof receives a data subject request directly, we will refer the data subject to you.

8. Personal data breach notification

Hashproof will notify you of any Personal Data breach affecting your data without undue delay and in any event within 72 hours of becoming aware of it. Notification will include the nature of the breach, the categories and approximate number of data subjects and records affected (where known), the likely consequences, and the measures we are taking to address it. We will provide additional information as it becomes available, in line with Article 33(3) GDPR.

9. Audits

Hashproof will make available to you all information reasonably necessary to demonstrate compliance with Article 28 GDPR. To avoid concurrent on-site audits across our customer base, we satisfy this obligation by (i) providing our most recent third-party security audit report, penetration test summary, or equivalent attestation under NDA; (ii) responding to a reasonable annual security questionnaire; and (iii) on 30 days' written notice, permitting an on-site audit if the foregoing is insufficient under applicable law or your supervisory authority has so directed. Audits will be at your cost and conducted in a manner that minimizes disruption.

10. International transfers

Where processing involves a transfer of Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a third country that has not received an adequacy decision, the parties agree that:

  • The Standard Contractual Clauses, Module Two (Controller to Processor), are incorporated by reference and apply to that transfer. You are the data exporter; Hashproof is the data importer. Clause 7 (docking) is included. The optional redress in Clause 11(a) is not selected. The governing law under Clause 17 is Ireland. The forum under Clause 18 is Ireland.
  • For UK transfers, the UK International Data Transfer Addendum (issued by the ICO) applies, with the SCCs forming the approved transfer mechanism.
  • For Swiss transfers, references to the GDPR are read as references to the Swiss Federal Act on Data Protection, and references to the EU and Member State law are read as references to Switzerland and Swiss law.
  • Hashproof maintains supplementary measures (encryption in transit and at rest, scoped access controls, breach notification commitments) as required by Schrems II (Case C-311/18).

11. Deletion or return on termination

On termination of the Service, Hashproof will, at your choice, delete or return all Personal Data processed on your behalf, along with any existing copies, unless Union or Member State law requires storage of the Personal Data. The default is deletion within 30 days of termination, with manifest records preserved in read-only form for the retention window in our Privacy Policy so that previously issued verifications still resolve. Backups continue to expire on the standard backup schedule (point-in- time recovery windows of 7, 30, or 90 days depending on tier).

12. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in our Terms of Service or the relevant negotiated MSA. Nothing in this DPA limits a party's liability where such limitation is prohibited by applicable law (including under Article 82 GDPR for damages suffered by data subjects).

13. Order of precedence

In the event of conflict, the order of precedence is: (i) the SCCs (where they apply); (ii) this DPA; (iii) the Terms of Service; (iv) the Privacy Policy. A negotiated MSA, if one exists, supersedes the Terms of Service and may modify this DPA by written agreement of the parties.

14. Term and termination

This DPA enters into force on the effective date of your Terms of Service or MSA and remains in force for as long as Hashproof processes Personal Data on your behalf. Provisions intended to survive termination (including Sections 8 to 12) survive.

15. Updates

Hashproof may update this DPA to reflect changes in Data Protection Laws, regulatory guidance, or our processing activities. Material updates that affect your rights will be notified at least 30 days in advance to the account's primary contact. The version and last-updated date appear at the top of this page.

Annex I: Description of processing

Subject matter
Provision of the Service: cryptographic signing, storage, resolution, and verification of C2PA content provenance manifests, plus the supporting account and billing infrastructure.
Nature of processing
Collection, storage, structured retrieval, transmission, cryptographic transformation (hashing, signing, verification), perceptual-hash indexing, deletion.
Purpose
Operating the Service in accordance with your account configuration; metering and billing; security and abuse prevention; compliance with applicable law.
Duration
The term of your subscription plus the deletion window in Section 11.
Categories of data subjects
Your end users, employees, contractors, contributors, and any other natural person whose Personal Data may be embedded in content you submit to the Service or in account-side configuration.
Categories of Personal Data
Identifiers (email, OAuth provider ID, account name); content metadata (titles, manifest claims, signer identity); technical data (IP address, request logs, rate-limit counters); content you submit, which may itself contain Personal Data depending on what you sign.
Special-category data
Hashproof does not require special-category data to operate the Service. If you submit content containing special- category data (Article 9 GDPR), you are responsible for having a lawful basis under Article 9(2) and for any additional safeguards required.
Frequency of processing
Continuous, on a per-API-call basis, for the duration of your subscription.

Annex II: Sub-processors

The following Sub-processors are engaged as of the last-updated date. We mirror this list on the Security page. Changes are notified per Section 5.

VendorPurposeDataRegionDPA
SupabaseAuthentication, Postgres database (users, API keys, manifest metadata)Email, OAuth identity, API key metadata, manifest recordsAWS us-east-1 (US); EU residency available on EnterpriseView ↗
VercelWeb hosting (hashproof.ai), analytics, edge cachingAnonymized page-view metrics, request logs, static assetsGlobal edge; primary iad1 (US-East)View ↗
CloudflareDNS, WAF, DDoS protection, R2 object storage for hashproof.ai and api.hashproof.aiRequest IP, URL, TLS handshake metadata, manifest blob storageGlobal edge networkView ↗
UpstashRedis-backed rate limiting and ephemeral session dataAPI key identifier, per-minute request countersAWS us-east-1 (US)View ↗
RailwayApplication container hosting for the Hashproof APIRuntime logs, request metadataus-west2 (US)View ↗

Annex III: Technical and organizational measures

Hashproof maintains the following measures, described in detail on the Security page and summarized here for incorporation into this DPA:

  • Pseudonymization and encryption. AES-256 at rest, TLS 1.3 in transit, mTLS for federation, SHA-256 hashing of API keys at rest.
  • Confidentiality, integrity, availability, resilience. Logical tenant isolation, redundant infrastructure across providers, hourly Merkle anchoring of manifest roots to a public ledger for tamper-evidence.
  • Restoration of availability and access. Point-in-time recovery (7, 30, or 90 days by tier), 11-nines durability for object storage, RPO 5 minutes / RTO 1 hour for Scale and above.
  • Regular testing. Automated test suite gating every deploy; periodic restore drills; planned third-party penetration testing.
  • Access management. Least-privilege RBAC over production systems, weekly audit-review of production access, SSO and SCIM available on Enterprise.
  • Personnel security. Confidentiality undertakings, security awareness training, background checks where permitted by local law.
  • Vendor management. Sub-processors are reviewed against equivalent standards before engagement; the current list is in Annex II.
  • Incident response. Defined escalation paths, breach notification within 72 hours per Section 8, post-mortem and remediation tracking.

Contact

Questions about this DPA, requests for a counter-signed copy, or objections to a Sub-processor change go to privacy@hashproof.ai.