This DPA governs how hiflo processes Customer Personal Data on behalf of Customer through the hiflo platform, websites, applications, APIs, AI features and related services, provided by Dripex Labs Inc.
This Data Processing Addendum (the “DPA”) forms part of the hiflo Terms of Service, any applicable Order Form, master subscription agreement or other written agreement between Dripex Labs Inc., a Delaware corporation doing business as hiflo (“hiflo”, “we”, “us” or “our”), and the customer that uses the Services (“Customer”, “you” or “your”).
This DPA applies when hiflo processes Customer Personal Data on behalf of Customer through the hiflo platform, websites, applications, APIs, AI features and related services (the “Services”). It works alongside our Terms of Service and our Privacy Policy.
By using the Services, signing an Order Form or accepting the Terms, Customer agrees to this DPA.
1.1 “Agreement” means the Terms of Service, this DPA, any applicable Order Form and any other written agreement governing Customer's use of the Services.
1.2 “Applicable Data Protection Laws” means all privacy, security and data-protection laws applicable to the processing of Customer Personal Data under the Agreement, including, where applicable, U.S. state privacy laws, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the Colorado Privacy Act, the Connecticut Data Privacy Act, the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, similar U.S. state privacy laws, and the South African Protection of Personal Information Act, 2013 (“POPIA”).
1.3 “Authorized User” means an employee, contractor, administrator, agent or other individual authorized by Customer to access the Services.
1.4 “Controller” means the entity that determines the purposes and means of processing Personal Data. This includes similar terms under Applicable Data Protection Laws, such as “business” under the CCPA and “responsible party” under POPIA.
1.5 “Customer Data” means all data, content, records, files, documents, prompts, AI inputs, AI outputs and other information submitted to, stored in or processed through the Services by or on behalf of Customer or its Authorized Users.
1.6 “Customer Personal Data” means Personal Data contained in Customer Data that hiflo processes on behalf of Customer.
1.7 “Data Subject” means an identified or identifiable individual to whom Customer Personal Data relates. This includes similar terms under Applicable Data Protection Laws, such as “consumer” under U.S. state privacy laws and “data subject” under POPIA.
1.8 “Personal Data” or “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an identified or identifiable individual, household or device.
1.9 “Processor” means the entity that processes Personal Data on behalf of a Controller. This includes similar terms under Applicable Data Protection Laws, such as “service provider” or “contractor” under the CCPA and “operator” under POPIA.
1.10 “Security Incident” means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by hiflo. Security Incident does not include unsuccessful attempts or activities that do not compromise Customer Personal Data, such as unsuccessful login attempts, pings, port scans, denial-of-service attacks, firewall events or other network attacks on systems that do not result in unauthorized access to Customer Personal Data.
1.11 “Sensitive Personal Data” means Customer Personal Data that Applicable Data Protection Laws treat as sensitive, including certain government identifiers, account credentials, precise geolocation, health information, biometric information, genetic information, contents of communications, racial or ethnic origin, religious or philosophical beliefs, union membership, citizenship or immigration status, sexual orientation, and children's data.
1.12 “Subprocessor” means a third party engaged by hiflo to process Customer Personal Data on behalf of Customer in connection with the Services.
2.1 Customer role. Customer is the Controller of Customer Personal Data and determines the purposes and means of processing Customer Personal Data through the Services.
2.2 hiflo role. hiflo processes Customer Personal Data as a Processor on behalf of Customer. Under the CCPA, hiflo acts as a service provider or contractor for Customer Personal Data. Under POPIA, hiflo acts as an operator for Customer Personal Data.
2.3 Independent controller activities. hiflo may process certain Personal Data as an independent Controller for its own business purposes, such as account administration, billing, security, fraud prevention, legal compliance, marketing, website analytics and business operations. That processing is described in hiflo's Privacy Policy and is not Customer Personal Data under this DPA.
2.4 Affiliates. If Customer allows its affiliates to use the Services, Customer is responsible for those affiliates' compliance with the Agreement and this DPA. Customer represents that it has authority to give instructions to hiflo on behalf of those affiliates.
3.1 Documented instructions. hiflo will process Customer Personal Data only on Customer's documented instructions, including instructions in the Agreement, Order Forms, product settings, account configurations, support requests and Authorized User actions.
3.2 Permitted processing. Customer instructs hiflo to process Customer Personal Data as necessary to:
3.3 Unlawful instructions. hiflo will notify Customer if hiflo believes an instruction violates Applicable Data Protection Laws, unless prohibited by law. hiflo is not required to follow an instruction that hiflo reasonably believes would violate law, create a security risk, infringe third-party rights or breach the Agreement.
4.1 Compliance. Customer will comply with Applicable Data Protection Laws in connection with Customer Personal Data and its use of the Services.
4.2 Notices and consents. Customer is responsible for providing all required privacy notices, obtaining all required consents, establishing lawful bases for processing, honoring Data Subject rights and ensuring that Customer may lawfully provide Customer Personal Data to hiflo for processing through the Services.
4.3 Employment and HR data. Customer is responsible for compliance with employment, labor, anti-discrimination, workplace privacy, automated decision-making, notice, consent, recordkeeping, works council, union consultation and similar laws that apply to Customer's use of the Services.
4.4 Accuracy and suitability. Customer is responsible for the accuracy, quality, legality and suitability of Customer Personal Data submitted to the Services.
4.5 Configuration and access. Customer is responsible for configuring the Services appropriately, assigning roles and permissions, managing Authorized Users, disabling access when no longer needed and protecting Customer's own systems, devices and credentials.
4.6 Prohibited data. Customer will not submit Prohibited Regulated Data to the Services except as expressly permitted under Section 7.
5.1 Purpose limitation. hiflo will process Customer Personal Data only for the purposes described in this DPA, the Agreement, Customer instructions and Applicable Data Protection Laws.
5.2 Confidentiality. hiflo will ensure that personnel authorized to process Customer Personal Data are subject to confidentiality obligations or professional duties of confidentiality.
5.3 No sale or sharing of Customer Personal Data. hiflo will not sell Customer Personal Data. hiflo will not share Customer Personal Data for cross-context behavioral advertising or process Customer Personal Data for targeted advertising.
5.4 No unrelated use. hiflo will not retain, use or disclose Customer Personal Data outside the direct business relationship with Customer, except as permitted by Applicable Data Protection Laws and this DPA.
5.5 No combining. hiflo will not combine Customer Personal Data with Personal Data that hiflo receives from or on behalf of another person, or collects from its own interaction with individuals, except as permitted by Applicable Data Protection Laws.
5.6 No third-party AI model training without opt-in. hiflo will not use Customer Personal Data, HR data, AI prompts or AI outputs to train third-party foundation models or general-purpose AI models unless Customer has expressly opted in or agreed in writing.
5.7 Assistance. Taking into account the nature of the processing and information available to hiflo, hiflo will provide reasonable assistance to Customer to help Customer comply with obligations relating to Data Subject requests, security, breach notifications, data protection assessments, privacy impact assessments and consultations with regulators.
5.8 Compliance notification. hiflo will notify Customer if hiflo determines that it can no longer meet its obligations under Applicable Data Protection Laws or this DPA.
5.9 Remediation. If hiflo notifies Customer under Section 5.8, or Customer reasonably believes hiflo is processing Customer Personal Data in an unauthorized manner, Customer may take reasonable and appropriate steps to stop and remediate unauthorized processing, including by contacting legal@hiflo.io.
6.1 Security program. hiflo will maintain commercially reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
6.2 Measures. The security measures include the measures described in Schedule 2, as updated from time to time, provided that updates will not materially reduce the overall level of protection for Customer Personal Data during the applicable subscription term.
6.3 Customer responsibilities. Customer is responsible for implementing appropriate access controls, authentication requirements, device security, network security, user training, role-based permissions and internal policies for its Authorized Users and Customer systems.
6.4 No absolute security. hiflo does not guarantee that unauthorized third parties will never be able to defeat security measures. hiflo is not responsible for Security Incidents caused by Customer systems, Customer credentials, Customer configurations, Customer-selected integrations or unauthorized actions by Customer's Authorized Users.
7.1 Excluded data types. Customer will not submit the following data to the Services unless an Order Form, product documentation or written addendum expressly permits the applicable data type:
7.2 No HIPAA BAA by default. hiflo is not a business associate under HIPAA and does not agree to receive protected health information unless hiflo signs a separate business associate agreement.
7.3 No FCRA consumer-reporting service. hiflo is not a consumer reporting agency and the Services are not intended to be used to obtain, provide or make decisions based on consumer reports.
7.4 Customer responsibility. Customer is responsible for determining whether Customer Personal Data is suitable for processing through the Services and whether any additional agreement, consent, notice, assessment or safeguard is required.
8.1 Notification. hiflo will notify Customer without undue delay after confirming a Security Incident and, where feasible, within 72 hours after confirmation.
8.2 Content of notice. To the extent known and permitted by law, hiflo's notice will include relevant information about the nature of the Security Incident, affected Customer Personal Data, likely consequences, mitigation steps and contact information for follow-up.
8.3 Investigation and mitigation. hiflo will take reasonable steps to investigate, contain and mitigate the Security Incident.
8.4 Customer notices. Customer is responsible for determining whether the Security Incident triggers any notification obligations to Data Subjects, employees, regulators, Customer's own customers, unions, works councils or other third parties, unless the Agreement states otherwise.
8.5 No admission. hiflo's notification of or response to a Security Incident is not an acknowledgement of fault or liability.
9.1 Authorization. Customer authorizes hiflo to engage Subprocessors to process Customer Personal Data in connection with the Services.
9.2 Subprocessor list. hiflo will maintain a list of Subprocessors or Subprocessor categories and make it available on request at legal@hiflo.io or through a webpage, trust center or documentation if hiflo publishes one.
9.3 Notice of new Subprocessors. hiflo will provide reasonable notice of material new Subprocessors where required by Applicable Data Protection Laws or a signed agreement. Notice may be provided by email, in-app notice, website update or other reasonable method.
9.4 Objections. Customer may object to a new Subprocessor on reasonable data-protection grounds by notifying hiflo within 10 days after receiving notice. The parties will work in good faith to resolve the objection. If hiflo cannot reasonably resolve the objection, Customer may terminate the affected Services and receive a pro rata refund of prepaid unused fees for the terminated portion, unless a signed agreement states otherwise.
9.5 Subprocessor obligations. hiflo will enter into a written agreement with each Subprocessor requiring the Subprocessor to protect Customer Personal Data in a manner materially consistent with this DPA.
9.6 Responsibility. hiflo remains responsible for Subprocessors' performance of their obligations relating to Customer Personal Data, subject to the limitations of liability in the Agreement.
10.1 Requests received by Customer. hiflo will provide reasonable assistance to Customer, taking into account the nature of processing, to help Customer respond to Data Subject requests to access, delete, correct, opt out, restrict, limit, obtain a copy of or otherwise exercise rights regarding Customer Personal Data.
10.2 Requests received by hiflo. If hiflo receives a request directly from a Data Subject relating to Customer Personal Data, hiflo may direct the Data Subject to contact Customer. hiflo will not respond to the request except to confirm that the request relates to Customer or as required by law, Customer instructions or the Agreement.
10.3 Verification. Customer is responsible for verifying the identity and authority of Data Subjects and authorized agents making requests relating to Customer Personal Data.
10.4 Deletion and correction. Where Customer cannot delete or correct Customer Personal Data through the Services, hiflo will provide reasonable assistance upon request, subject to technical feasibility, legal requirements and backup limitations.
11.1 During the term. Customer may access, export, delete or modify Customer Personal Data through the Services where functionality is available.
11.2 After termination. Unless the Agreement states otherwise, hiflo will make Customer Data available for export for 30 days after termination or expiration of the Services. After that period, hiflo may delete Customer Data in accordance with the Agreement, this DPA, backup cycles, retention policies and applicable law.
11.3 Backups. Customer Personal Data may remain in backups, archives, logs or disaster-recovery systems for a limited period until overwritten or deleted in the ordinary course, provided that hiflo continues to protect the data under this DPA and does not actively process it except for restoration, security, legal or compliance purposes.
11.4 Legal retention. hiflo may retain Customer Personal Data where required by law, legal process, tax, accounting, audit, compliance, dispute-resolution, security or enforcement obligations.
12.1 Compliance information. Upon reasonable request and subject to confidentiality, hiflo will make available information reasonably necessary to demonstrate compliance with this DPA, such as security documentation, policies, questionnaires, summaries of controls or third-party reports if available.
12.2 Audit limitations. Any audit must be limited to information relevant to Customer Personal Data, conducted no more than once per year unless required by law or following a confirmed Security Incident, performed during normal business hours, subject to reasonable notice, and conducted in a manner that does not disrupt hiflo's operations or compromise the security or confidentiality of other customers.
12.3 No access to other customers. Customer may not access data, systems, code, logs, architecture, personnel records or confidential information relating to other hiflo customers or third parties.
12.4 Security testing. Customer may not conduct penetration testing, vulnerability scanning or similar testing of the Services without hiflo's prior written authorization.
12.5 Costs. Customer will bear its own audit costs and reimburse hiflo for reasonable costs of supporting an audit, unless prohibited by Applicable Data Protection Laws or otherwise agreed in writing.
13.1 Permitted use. hiflo may create and use aggregated, anonymized or de-identified data derived from Customer Data to operate, analyze, benchmark, improve and market the Services, provided that the data does not identify Customer, Authorized Users or any individual.
13.2 No re-identification. hiflo will not attempt to re-identify de-identified data except to test whether de-identification measures are effective or as permitted by law.
13.3 CCPA de-identified data. To the extent required by the CCPA, hiflo will maintain and use de-identified data without attempting to re-identify it, publicly commit to maintaining and using it in de-identified form, and contractually obligate recipients to comply with applicable de-identification requirements.
14.1 AI features. If Customer uses Flo or other AI features, Customer instructs hiflo to process Customer Personal Data, prompts, AI inputs, files, outputs and related metadata as necessary to provide those AI features.
14.2 Human review. Customer is responsible for reviewing AI outputs and for all decisions made using or informed by AI outputs.
14.3 No automated employment decision compliance service. Unless expressly stated in an Order Form or product documentation, hiflo does not provide automated employment decision tools, bias audits, legal determinations, employment-law compliance services or professional HR advisory services.
14.4 Third-party AI providers. hiflo may use AI providers as Subprocessors to provide AI features. hiflo will impose contractual restrictions on those providers materially consistent with this DPA.
14.5 Model training. hiflo will not use Customer Personal Data, HR data, AI prompts or AI outputs to train third-party foundation models or general-purpose AI models unless Customer has expressly opted in or agreed in writing.
15.1 Processing locations. Customer authorizes hiflo and its Subprocessors to process Customer Personal Data in the United States, South Africa and other countries where hiflo or its Subprocessors operate.
15.2 Transfer safeguards. Where Applicable Data Protection Laws require safeguards for cross-border transfers, hiflo will use appropriate safeguards for such transfers.
15.3 EU, UK and Swiss data. This DPA is designed primarily for the United States market. If Customer requires GDPR, UK GDPR, Swiss FADP or Standard Contractual Clauses coverage, the parties should execute a separate international data transfer addendum or signed agreement addressing those requirements.
16.1 Service provider and processor restrictions. For Customer Personal Data subject to U.S. state privacy laws, hiflo will:
16.2 Customer monitoring rights. Customer has the right to take reasonable and appropriate steps to help ensure that hiflo uses Customer Personal Data in a manner consistent with Customer's obligations under Applicable Data Protection Laws. The audit and compliance information process in Section 12 satisfies this right unless Applicable Data Protection Laws require otherwise.
16.3 Stopping unauthorized use. Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data. Customer may contact legal@hiflo.io to exercise this right.
16.4 Sensitive data. hiflo will process Sensitive Personal Data only as necessary to provide the Services, comply with law, maintain security, or as otherwise instructed by Customer. hiflo will not use Sensitive Personal Data to infer characteristics except as permitted by law or Customer instructions.
16.5 Consumer requests. hiflo is not required to respond directly to a consumer request received in its role as a Processor, service provider or contractor, except as required by law. hiflo will assist Customer as described in Section 10.
17.1 Operator obligations. To the extent POPIA applies to Customer Personal Data, hiflo acts as an operator and will process Personal Information only with Customer's knowledge or authorization, treat Personal Information as confidential, and implement appropriate security safeguards.
17.2 Security compromise. hiflo will notify Customer as soon as reasonably practicable after becoming aware of a confirmed security compromise affecting Customer Personal Data, so Customer can assess any notification obligations under POPIA.
18.1 If there is a conflict between this DPA and the Terms, this DPA controls with respect to the processing of Customer Personal Data.
18.2 If there is a conflict between this DPA and a signed agreement or Order Form that expressly modifies this DPA, the signed agreement or Order Form controls to the extent of the conflict.
18.3 The liability limitations, exclusions, disclaimers, indemnities, governing law and dispute-resolution provisions in the Agreement apply to this DPA unless expressly modified in a signed agreement.
hiflo may update this DPA from time to time. If hiflo makes material changes that materially reduce protections for Customer Personal Data, hiflo will provide notice through the Services, by email, by posting an updated version or by another reasonable method. Continued use of the Services after the effective date constitutes acceptance of the updated DPA, unless a signed agreement states otherwise.
Questions about this DPA may be sent to:
| Item | Description |
|---|---|
| Subject matter | hiflo's processing of Customer Personal Data to provide the Services. |
| Duration | For the subscription term and any post-termination retention period described in the Agreement, this DPA or Customer instructions. |
| Nature of processing | Hosting, storage, transmission, retrieval, access, organization, structuring, use, analysis, display, support, deletion, export, security monitoring, AI processing where enabled, and other processing necessary to provide the Services. |
| Purpose of processing | To provide, secure, support, maintain and improve the Services; process HR workflows; authenticate Authorized Users; provide AI features where enabled; comply with law; and follow Customer instructions. |
| Frequency | Continuous during Customer's use of the Services. |
| Categories of Data Subjects | Customer's employees, contractors, applicants, administrators, Authorized Users, HR personnel, managers, service providers and other individuals whose Personal Data is submitted to the Services by or on behalf of Customer. |
| Categories of Customer Personal Data | Names, contact details, business email addresses, roles, departments, employment details, onboarding data, leave records, documents, survey responses, skills, performance data, usage data, account data, prompts, AI inputs, AI outputs, support data and other information submitted by Customer. |
| Sensitive Personal Data | Customer may submit Sensitive Personal Data depending on its configuration and use of the Services. Customer must not submit Prohibited Regulated Data unless expressly permitted in writing. |
| Customer instructions | The Agreement, Order Forms, product settings, account configurations, Authorized User actions, support requests and other documented instructions. |
hiflo will maintain commercially reasonable technical and organizational measures appropriate to the nature of Customer Personal Data and the Services, which may include:
1. Governance and policies
2. Access controls
3. Encryption and data protection
4. Application and infrastructure security
5. Availability and resilience
6. Subprocessor security
hiflo may use Subprocessors in the following categories to provide the Services:
| Category | Purpose |
|---|---|
| Cloud hosting and infrastructure | Hosting, compute, networking, availability and infrastructure security. |
| Database and storage providers | Storage, backup, retrieval and management of Customer Data. |
| AI model and AI infrastructure providers | Providing Flo and other AI-assisted features where enabled by Customer. |
| Email and communications providers | Transactional email, notifications and customer communications. |
| Support and customer-success tools | Support tickets, troubleshooting and customer communications. |
| Billing and payment processors | Subscription billing, payments, invoices and fraud prevention. |
| Analytics and monitoring providers | Product analytics, error monitoring, logging, security and reliability. |
| Identity and authentication providers | Login, single sign-on, authentication and account security. |
| Professional advisers | Legal, accounting, audit, compliance, insurance and advisory services. |
A current Subprocessor list may be requested at legal@hiflo.io.
This Schedule applies where Customer Personal Data is subject to U.S. state privacy laws that require a contract between a Controller and Processor, or between a business and service provider or contractor.
1. CCPA service provider and contractor terms
For Customer Personal Data subject to the CCPA:
2. Other U.S. state privacy laws
For Customer Personal Data subject to other U.S. state privacy laws requiring Controller-Processor contract terms:
Need a signed DPA, our Subprocessor list or an international transfer addendum? Reach our legal team at legal@hiflo.io.