A Data Protection Addendum (DPA) is an additional document that is often attached to an existing agreement, such as a Terms of Service or Privacy Policy, to address data protection and privacy matters specifically.

Data Protection Addendum

This Data Protection Addendum ("Addendum") is entered into between Insightly Analytics, Inc., a company registered under the laws of Delaware, with its principal place of business at 7545 Perennial Street, Frisco, TX 75035, USA, hereinafter referred to as the "Company," and the user of the website located at  www.hivel.ai, hereinafter referred to as the "User."

Background

Whereas, the User desires to access and use the services provided by the Company through its website; and

Whereas, the Company may process certain personal data in the course of providing its services to the User;

Now, therefore, the parties agree as follows:

1. Applicability and Incorporation

This Addendum is incorporated into and forms an integral part of the existing [Terms of Service/Privacy Policy] between the parties (the "Agreement"). In the event of any conflict between the terms of this Addendum and the Agreement, the terms of this Addendum shall prevail solely to the extent necessary to address data protection and privacy matters.

2. Definitions

In this Addendum, the following terms shall have the meanings assigned to them below:

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation or set of operations which is performed on personal data.

"Data Protection Laws" means any applicable data protection and privacy laws and regulations, including but not limited to the General Data Protection Regulation (GDPR) and any corresponding national implementations thereof.

3. Data Processing

‍

3.1. The Company shall process Personal Data on behalf of the User solely for the purpose of providing the services as described in the Agreement and in accordance with the User's documented instructions.

3.2. The User acknowledges that they are the data controller, and the Company is the data processor with respect to the Personal Data processed under this Addendum.

4. Data Security and Confidentiality

4.1. The Company shall implement appropriate technical and organizational measures to ensure the security and confidentiality of the Personal Data processed under this Addendum.

4.2. The Company shall ensure that its personnel engaged in the processing of Personal Data are subject to appropriate confidentiality obligations.

5. Data Subject Rights

The Company shall, to the extent possible, assist the User in responding to requests from data subjects exercising their rights under Data Protection Laws, including but not limited to access, rectification, erasure, restriction of processing, and data portability.

6. Sub processing

The User acknowledges and agrees that the Company may engage third-party sub processors to process Personal Data, provided that the Company shall impose data protection obligations on such sub processors that are substantially similar to those set forth in this Addendum.

7. International Data Transfers

In the event that the Company processes Personal Data in a jurisdiction that does not provide an adequate level of data protection, the Company shall implement appropriate safeguards in accordance with Data Protection Laws to ensure the lawful transfer of Personal Data.

8. Audit and Compliance

The Company shall make available to the User all information necessary to demonstrate compliance with its obligations under this Addendum and shall allow for and contribute to audits, including inspections, conducted by the User or another auditor mandated by the User.

9. Data Protection Officer

If applicable under Data Protection Laws, the Company shall designate a Data Protection Officer (DPO) and provide the User with the contact details of the DPO. The DPO shall be responsible for monitoring the Company's compliance with Data Protection Laws and serving as the primary point of contact for data protection inquiries.

10. Records of Processing Activities

The Company shall maintain accurate and up-to-date records of its processing activities, including but not limited to the categories of processing, purposes of processing, categories of data subjects, and any cross-border transfers of Personal Data. The User may request access to these records to ensure compliance with Data Protection Laws.

11. Changes to Sub processors

The User acknowledges that the Company may engage new sub processors or replace existing sub processors. The Company shall provide prior written notice to the User of any intended changes to sub processors, allowing the User a reasonable opportunity to object to such changes. If the User raises a reasonable objection, the Company shall either not engage the new sub processor or provide the User with the option to terminate the Agreement.

12. Governing Law and Jurisdiction

This Addendum shall be governed by and construed in accordance with the laws of the USA. Any disputes arising under or in connection with this Addendum shall be subject to the exclusive jurisdiction of the courts of the USA

13. Entire Agreement

This Addendum constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior agreements, understandings, negotiations, and discussions, whether oral or written.

By accepting the Terms of Service/Privacy Policy and using the Company's website, the User acknowledges that they have read, understood, and agreed to the terms and conditions of this Data Protection Addendum.

‍

Sudheer Bandaru 

Founder & CEO 

Insightly Analytics, Inc.

6th January, 2023

‍

Annex 1 – Details of Processing

A. List of Parties

Data exporter:

Name: The Customer, as defined in the Insightly Analytics Inc. Customer Terms of Service (on behalf of itself and Permitted Affiliates) 

Address: The Customer’s address, as set out in the Order Form

Contact person’s name, position and contact details: The Customer’s contact details, as set out in the Order Form and/or as set out in the Customer’s Hivel Account

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Hivel Subscription Services under the Insightly Analytics Inc. Customer Terms of Service

Role (controller/processor): Controller

Data importer:

Name: Insightly Analytics, Inc 

Address: 7545 Perennial Street, Frisco, TX 75035, USA

Contact person’s name, position and contact details: Niranjan Pujari, Data Protection Officer, Insightly Analytics, Inc., niranjan@hivel.ai

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer’s use of the Hivel Subscription Services under the Insightly Analytics Inc. Customer Terms of Service

Role (controller/processor): Processor

B.  Description of Transfer

‍

Categories of Data Subjects whose Personal Data is Transferred

You may submit Personal Data in the course of using the Subscription Service, the extent of which is determined and controlled by you in your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:

Your Contacts and other end users including your employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to your end users.

Categories of Personal Data Transferred

You may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data: 

a. Contact Information (as defined in the General Terms).

b. Any other Personal Data submitted by, sent to, or received by you, or your end users, via the Subscription Service.

Sensitive Data transferred and applied restrictions or safeguards

The parties do not anticipate the transfer of sensitive data.

Frequency of the transfer

Continuous

Nature of the Processing

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities: 

1. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or

2. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

Purpose of the transfer and further processing

We will Process Personal Data as necessary to provide the Subscription Services pursuant to the Agreement, as further specified in the Order Form, and as further instructed by you in your use of the Subscription Services.

Period for which Personal Data will be retained

Subject to the ‘Deletion or Return of Personal Data’ section of this DPA, we will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

C.Competent Supervisory Authority

For the purposes of the Standard Contractual Clauses, the supervisory authority that will act as competent supervisory authority will be determined in accordance with GDPR.

Annex 2 – Security Measures

We currently observe the Security Measures described in this Annex 2. All capitalized terms not otherwise defined herein will have the meanings as set forth in the General Terms. 

a) Access Control

i)  Preventing Unauthorized Product Access

Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.

Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.

Authorization: Customer Data is stored in single-tenant storage system separated on an organizational level and accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Oauth authorization.

ii)  Preventing Unauthorized Product Use

We implement industry standard access controls and detection capabilities for the internal networks that support its products.

Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure  providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.

Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.

Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for four annual penetration tests. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. Penetration tests are performed against the application layers and infrastructure layers of the Insightly Analytics Inc. technology stack.

Bug bounty: A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. We implement a bug bounty program in an effort to widen the available opportunities to engage with the security community and improve the product defences against sophisticated attacks.

iii)    Limitations of Privilege & Authorization Requirements

Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through “just in time” (JITA) requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Administrative or high risk access permissions are reviewed at least once every six months.

Background checks: Where permitted by applicable law,  Insightly Analytics Inc. employees undergo a third-party background or reference checks. In the United States, employment offers are contingent upon the results of a third-party background check. All Insightly Analytics Inc. employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.

b) Transmission Control

In-transit: We require HTTPS encryption (also referred to as SSL or TLS)  on all login interfaces and for free on every customer site hosted on the Insightly Analytics Inc. products. Our HTTPS implementation uses industry standard algorithms and certificates.

At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest. 

c) Input Control

Detection: We designed our infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement. 

d) Availability Control

Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation and air conditioning (HVAC) services.

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.

Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.

Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes.

Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.

Annex 3 – Sub Processors

To help Insightly Analytics, Inc. deliver the Subscription Service, we engage Sub-Processors (vendors) to assist with our data processing activities. A list of our Sub-Processors and our purpose for engaging them is located on our Hivel Sub-Processors Page, which is incorporated into this DPA. Link to Gagler Sub-Processors

‍

Subprocessors

Updated on 30th August,2023

Insightly Analytics, Inc. (“Insightly Analytics”) uses certain sub-processors and content delivery networks to assist it in providing the Insightly Analytics Services as described in the Terms of Service (“Terms”). Defined terms used herein shall have the same meaning as defined in the Terms.

What is a Subprocessor

A subprocessor is a third party data processor engaged by Insightly Analytics, who has or potentially will have access to or process Service Data (which may contain Personal Data). Insightly Analytics engages different types of sub-processors to perform various functions as explained in the tables below. Insightly Analytics refers to third parties that do not have access to or process Service Data but who are otherwise used to provide the Services as “subcontractors” and not subprocessors.

Due Diligence

Insightly Analytics undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or process Service Data.

Contractual Safeguards

Insightly Analytics requires its sub-processors to satisfy equivalent obligations as those required from Insightly Analytics (as a Data Processor) as set forth in Insightly Analytics’s Data Processing Agreement (“DPA”), including but not limited to the requirements to:

• Process Personal Data in accordance with data controller’s (i.e. Subscriber’s) documented instructions (as communicated in writing to the relevant subprocessor by Insightly Analytics);
• in connection with their subprocessing activities, use only personnel who are reliable and subject to a contractually binding obligation to observe data privacy and security, to the extent applicable, pursuant to applicable data protection laws;
• provide regular training in security and data protection to personnel to whom they grant access to Personal Data;
• implement and maintain appropriate technical and organizational measures (including measures consistent with those to which Insightly Analytics is contractually committed to adhere insofar as they are equally relevant to the subprocessor’s processing of Personal Data on Insightly Analytics’s behalf) and provide an annual certification that evidences compliance with this obligation. In the absence of such certification, Insightly Analytics reserves the right to audit the subprocessor;
• promptly inform Insightly Analytics about any actual or potential security breach;
• and cooperate with Insightly Analytics in order to deal with requests from data controllers, data subjects or data protection authorities, as applicable.

This policy does not give Subscribers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Insightly Analytics’s engagement process for sub-processors as well as to provide the actual list of third-party sub-processors and content delivery networks used by Insightly Analytics as of the date of this policy (which Insightly Analytics may use in the delivery and support of its Services).

If you are an Insightly Analytics Subscriber and wish to enter into our DPA, please email us at web@hivel.ai.

Process to Engage New Subprocessors

For all Subscribers who have executed Insightly Analytics’s standard DPA, Insightly Analytics will provide notice via this policy of updates to the list of sub-processors that are utilized or which Insightly Analytics proposes to utilize to deliver its Services. Insightly Analytics undertakes to keep this list updated regularly to enable its Subscribers to stay informed of the scope of subprocessing associated with the Insightly Analytics Services.

Pursuant to the DPA, a Subscriber can object in writing to the processing of its Personal Data by a new subprocessor within thirty (30) days after updating of this policy and shall describe its legitimate reasons to object. If a Subscriber does not object during such time period the new subprocessor(s) shall be deemed accepted.

If a Subscriber objects to the use of a subprocessor pursuant to the process provided under the DPA, Insightly Analytics shall have the right to cure the objection through one of the following options (to be selected at Insightly Analytics’s sole discretion):

(a) Insightly Analytics will cease to use the subprocessor with regard to Personal Data;

(b) Insightly Analytics will take the corrective steps requested by Subscriber in its objection (which remove Subscriber’s objection) and proceed to use the subprocessor to process Personal Data; or

(c) Insightly Analytics may cease to provide or Subscriber may agree not to use (temporarily or permanently) the particular aspect of an Insightly Analytics Service that would involve the use of the subprocessor to process Personal Data.

Termination rights, as applicable and agreed, are set forth exclusively in the DPA.

The following is an up-to-date list (as of the date of this policy) of the names and locations of Insightly Analytics sub-processors and content delivery networks:

Infrastructure Sub-processors – Service Data Storage

Insightly Analytics owns or controls access to the infrastructure that Insightly Analytics uses to host Service Data submitted to the Services, other than as set forth below. Currently, the Insightly Analytics production systems for the Services are located in co-location facilities in the United States. The Subscriber’s Service Data remains in that region, but may be shifted among data centers within a region to ensure performance and availability of the Services. The following table describes the countries and legal entities engaged in the storage of Service Data by Insightly Analytics.