Data Processing Addendum

Last Updated: January 12, 2026

This Data Processing Addendum ("DPA") forms part of the Terms and Conditions and any other agreement governing access to or use of the Services (the "Agreement") between Hexel Studio, Inc. ("Hexel," "Processor," "we," "us") and the customer entity ("Customer," "Controller," "you").

This DPA applies to the extent Hexel processes Personal Data on behalf of Customer in connection with the Services.

1. Definitions

For purposes of this DPA:

  • "Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data, including GDPR, UK GDPR, India's Digital Personal Data Protection Act, 2023 (DPDP Act), and similar laws.
  • "Controller" means the entity that determines the purposes and means of processing Personal Data.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" has the meaning given under Applicable Data Protection Law.
  • "Subprocessor" means any third party engaged by Hexel to process Personal Data on behalf of Customer.

2. Roles and Scope

2.1 Controller and Processor Roles

Customer acts as the Controller. Hexel acts as the Processor.

2.2 Customer Instructions

Hexel shall process Personal Data only:

  • To provide the Services,
  • In accordance with the Agreement,
  • In accordance with documented instructions from Customer,
  • As required by Applicable Data Protection Law.

2.3 Customer Responsibility

Customer represents and warrants that:

  • It has a lawful basis for processing Personal Data,
  • Its instructions comply with Applicable Data Protection Law,
  • It has obtained all necessary consents and authorizations.

3. Nature and Purpose of Processing

Hexel processes Personal Data solely for:

  • Operating and maintaining the Services
  • Executing agents under Customer-defined policies
  • Providing observability, auditability, and logging
  • Securing the platform and preventing abuse
  • Billing, metering, and compliance

Processing activities may include collection, storage, transmission, analysis, logging, and deletion.

4. Categories of Data Subjects and Personal Data

4.1 Data Subjects

  • Customer employees and contractors
  • Authorized users and administrators
  • End users whose data is processed by Customer-configured agents

4.2 Categories of Personal Data

  • Identification and contact data (e.g., name, email, role)
  • Authentication and access data
  • Usage logs, audit logs, and execution metadata
  • Data ingested or processed by agents at Customer's direction

Hexel does not intentionally process special categories of personal data unless explicitly instructed by Customer.

5. Hexel Obligations as Processor

Hexel shall:

  • 5.1 Process Personal Data only on documented instructions from Customer.
  • 5.2 Ensure personnel are bound by confidentiality obligations.
  • 5.3 Implement appropriate technical and organizational security measures.
  • 5.4 Not sell or monetize Personal Data.
  • 5.5 Assist Customer in complying with data subject rights.
  • 5.6 Notify Customer of Personal Data breaches without undue delay.
  • 5.7 Delete or return Personal Data upon termination as described herein.

6. Security Measures

Hexel implements appropriate security measures, including:

  • Encryption in transit and at rest
  • Role-based access controls
  • Environment-level isolation
  • Immutable audit logs
  • Continuous monitoring and incident response

Customer acknowledges that no system is completely secure and remains responsible for secure configurations and access control.

7. Subprocessors

7.1 Authorization

Customer grants general authorization for Hexel to engage Subprocessors.

7.2 Obligations

Hexel shall:

  • Enter into written agreements with Subprocessors imposing data protection obligations equivalent to this DPA
  • Remain responsible for Subprocessor compliance

7.3 Subprocessor List

A current list of Subprocessors is made available on Hexel's website. Hexel will notify Customer of material changes.

8. International Data Transfers

Personal Data may be processed in multiple jurisdictions. Where required, Hexel implements appropriate safeguards, including:

  • Standard Contractual Clauses
  • Equivalent lawful transfer mechanisms

9. Data Subject Rights Assistance

Hexel shall provide reasonable assistance to Customer in responding to:

  • Access requests
  • Correction requests
  • Deletion requests
  • Restriction or objection requests

Customer remains responsible for responding to data subjects.

10. Personal Data Breach Notification

Hexel shall notify Customer without undue delay after becoming aware of a Personal Data breach and provide:

  • Description of the breach
  • Likely consequences
  • Remedial actions taken or proposed

11. Audits and Compliance

Upon reasonable written request, Hexel shall make available information necessary to demonstrate compliance with this DPA, subject to confidentiality and security restrictions.

12. Data Retention and Deletion

12.1 During the Agreement

Personal Data is retained in accordance with Customer configuration and contractual obligations.

12.2 Upon Termination

Upon termination of the Agreement, Hexel shall delete or return Personal Data, unless retention is required by law.

13. Liability

Liability arising under this DPA shall be subject to the limitations of liability set forth in the Agreement.

14. Governing Law

This DPA shall be governed by and construed in accordance with the laws governing the Agreement.

15. Order of Precedence

In the event of conflict:

  1. This DPA
  2. The Privacy Policy
  3. The Terms of Service or Agreement

16. Entire Agreement

This DPA forms part of the Agreement and constitutes the entire understanding regarding Personal Data processing.