
The contract that explains how we touch your data.

A pre-signed DPA with EU SCCs, the UK IDTA, a FERPA addendum, and the full set of technical and organizational measures attached as Annex II. Your privacy office should not have to negotiate this — they should be able to read it once and file it.

Effective May 1, 2026 · Last updated May 17, 2026 · Version 2.2

Section 01 · Introduction

This Data Processing Addendum (“DPA”) supplements the agreement between Habeo LLC (“Habeo,” “Processor”) and the institution identified in the relevant Order Form (“Customer,” “Controller”) (together, the “Agreement”).

This DPA reflects the parties’ agreement on the processing of personal data in the course of providing the Services. In the event of any conflict between the DPA and the Agreement, this DPA prevails as to the processing of personal data.

Self-executing. By executing an Order Form that references the Agreement, both parties accept this DPA without needing to countersign a separate document. A countersigned PDF is available on request to legal@usehabeo.com.

Section 02 · Definitions

  • Data Protection Laws: All laws applicable to the processing of personal data under the Agreement, including the EU GDPR, UK GDPR, Swiss FADP, U.S. state privacy laws (including CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, OCPA, TDPSA, MCDPA), FERPA, and PIPEDA.
  • Personal Data: Information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws, that is processed by Habeo on Customer’s behalf under the Agreement.
  • Subprocessor: Any third party engaged by Habeo to process Personal Data on Customer’s behalf in connection with the Services. The current list is published at usehabeo.com/subprocessors.
  • Restricted Transfer: A transfer of Personal Data from the EEA, UK, or Switzerland to a country that has not received an adequacy decision under the applicable law.
  • SCCs: The Standard Contractual Clauses approved by the European Commission in Decision 2021/914, dated 4 June 2021, as may be amended or replaced.
  • UK IDTA: The International Data Transfer Addendum to the EU Commission’s SCCs issued by the UK Information Commissioner.

Section 03 · Scope and roles

With respect to Personal Data, Customer is the Controller and Habeo is the Processor. Habeo will process Personal Data only on Customer’s documented instructions (the Agreement and any further documented instructions Customer provides) and only for the purposes set out in Annex I.

Habeo will inform Customer if, in its opinion, an instruction would infringe Data Protection Laws. Habeo will not be required to follow an instruction that conflicts with Data Protection Laws.

The duration, nature, purpose, categories of data subjects, and categories of Personal Data are set out in Annex I (Processing details).

Section 04 · Subprocessors

Customer provides general authorization for Habeo to engage Subprocessors, subject to this DPA. Habeo will:

  • maintain an up-to-date list of Subprocessors at usehabeo.com/subprocessors;
  • impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA;
  • remain responsible for Subprocessors’ performance under this DPA;
  • provide at least 30 days’ prior written notice (via email to security contacts and the subprocessors page RSS feed) before a new Subprocessor begins processing Personal Data.

Customer may object to a new Subprocessor on reasonable grounds (such as data protection) within 15 days of notice. If the parties cannot agree on a resolution within a further 30 days, Customer may terminate the affected portion of the Services and receive a pro-rated refund of any pre-paid fees for the unused portion of the Subscription Term.

Section 05 · Security measures

Habeo implements and maintains the technical and organizational measures set out in Annex II (Technical and organizational measures), which are designed to ensure a level of security appropriate to the risk of processing Personal Data.

Habeo will ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations and have received training appropriate to their role.

Section 06 · Data subject rights

Taking into account the nature of the Services, Habeo will provide Customer with functionality through the Services and reasonable assistance, by appropriate technical and organizational measures, to enable Customer to respond to requests from data subjects to exercise their rights under Data Protection Laws. If Habeo receives a data-subject request relating to Customer’s Personal Data, Habeo will, unless legally prohibited, promptly forward the request to Customer and will not respond directly unless instructed by Customer or required by law.

Section 07 · Personal data breach

Habeo will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach. Notification will be made to the security contact(s) Customer has provided and will include the information required by Article 33(3) GDPR to the extent then available.

Habeo will take reasonable steps to mitigate the effects of the Personal Data Breach and to assist Customer in meeting Customer’s notification obligations to supervisory authorities and affected data subjects.

Section 08 · International data transfers

To the extent that the Services involve a Restricted Transfer, the parties incorporate the following transfer mechanisms by reference:

  • EU SCCs (Module Two: controller to processor). Annex I and Annex II of the SCCs are populated by the corresponding annexes to this DPA. For the purposes of clause 17 (governing law) the parties select the law of Ireland; for clause 18 (forum) the parties select the courts of Ireland. The optional docking clause (clause 7) and the optional redress mechanism in clause 11 are not selected.
  • UK IDTA. The UK IDTA is incorporated by reference and forms part of this DPA. Table 1 (parties), Table 2 (selected SCCs), Table 3 (appendix information) and Table 4 (ending the addendum) are populated by the corresponding sections of this DPA and the Agreement.
  • Swiss FADP. The EU SCCs apply with general and country-specific adjustments interpreted to give effect to the FADP, including extending protection to data subjects in Switzerland and to legal persons until the revised FADP fully removes that requirement.

Habeo additionally implements supplementary measures including envelope encryption at rest, TLS 1.3 in transit, and a government-request notification commitment as described in our Privacy Policy.

Section 09 · Audit rights

Habeo makes available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer may exercise its audit rights as follows:

  • Standard audits are satisfied by Habeo’s SOC 2 Type II report (audit closes Q3 FY26), the published HECVAT 2024 response (Lite + Full HECVAT 4.1.5 workbook at /compliance/hecvat), and penetration-test executive summaries, provided to Customer under NDA on request.
  • On-site audits may be requested no more than once per 12-month period (and more often after a Personal Data Breach), with at least 30 days’ written notice, during normal business hours, by a mutually agreed auditor bound by confidentiality.

Audits must not unreasonably interfere with the operation of the Services or compromise the security or confidentiality of other Habeo customers’ data.

Section 10 · FERPA addendum (Schedule 3)

To the extent Habeo accesses or maintains personally identifiable information from education records as defined by the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g) and its implementing regulations (collectively, “Education Records”), Habeo is designated as a school official with a legitimate educational interest under 34 CFR § 99.31(a)(1)(i)(B) and agrees:

  • Habeo will use Education Records only for the purposes specified in the Agreement and Customer’s documented instructions;
  • Habeo is under the direct control of Customer with respect to the use and maintenance of Education Records;
  • Habeo will not re-disclose Education Records except as the Customer directs in writing or as required by law;
  • Habeo will provide reasonable assistance to Customer in responding to access requests under 34 CFR § 99.10 within the timelines set out in FERPA;
  • Habeo will flow these requirements down to any Subprocessor that may handle Education Records;
  • Habeo will not use Education Records to advertise to students and will not use Education Records to train general machine-learning models.

Section 11 · Return or deletion on termination

On termination or expiry of the Agreement, Habeo will, at Customer’s choice, return or delete Personal Data within the timelines set out in the Terms (30 days for primary systems; an additional 90 days for backups), unless retention is required by applicable law. Habeo will certify deletion in writing on request.

Section 12 · Liability

Each party’s liability under this DPA, taken together with all other liability under the Agreement, is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA limits any liability that cannot be limited by law, including liability to data subjects under Article 82 GDPR.

Annex I · Processing details

A. List of parties

Data exporter: Customer, identified in the relevant Order Form. Role: Controller. Contact: as set out in the Order Form (security contact).

Data importer: Habeo LLC, 4112 Manor Oaks Ct., Export, PA 15632, United States. Role: Processor. Contact: dpo@usehabeo.com.

B. Description of transfer

  • Categories of data subjects: Customer’s employees, contractors, students, faculty, alumni, and other individuals whose data is reflected in Customer’s asset, contract, or workforce records.
  • Categories of Personal Data: Identifiers (name, work email, employee ID, student ID); employment data (department, title, manager); device attributes assigned to a person; authentication identifiers; usage and access logs.
  • Special categories of data: None processed by default. If Customer chooses to load special categories, Customer is responsible for any additional notices and safeguards.
  • Frequency of transfer: Continuous, on a real-time basis through the Services.
  • Nature of processing: Hosting, storing, transmitting, indexing, displaying, generating reports, and otherwise providing the Services described in the Agreement.
  • Purposes of the transfer: Providing the Habeo platform to Customer for internal asset, CMDB, and lifecycle management.
  • Retention period: For the Subscription Term plus the deletion windows in section 11.
  • Subprocessor transfers: As listed at usehabeo.com/subprocessors.

C. Competent supervisory authority

Where Customer is established in the EEA, the supervisory authority of the EU Member State of Customer’s main establishment. Where Customer is not established in the EEA but processes Personal Data of EEA data subjects, the Irish Data Protection Commission acts as the supervisory authority under Annex I.C of the SCCs.

Annex II · Technical and organizational measures

Habeo implements the following measures, which are reviewed at least annually and as part of Habeo’s SOC 2 audit cycle.

Pseudonymization and encryption

  • AES-256-GCM encryption at rest with per-organization, HKDF-derived keys.
  • TLS 1.3 in transit between clients and Habeo, and between Habeo and Subprocessors.
  • Secrets and tokens stored using envelope encryption with keys held in AWS KMS.

Confidentiality, integrity, availability, and resilience

  • Strict role-based access control with mandatory SSO and hardware-key MFA for Habeo personnel.
  • Row-level tenant isolation enforced at the database layer and re-validated in the application layer.
  • Multi-AZ active-active deployment in U.S. AWS regions with documented failover runbooks.
  • Automated daily backups encrypted at rest, with restore tested at least quarterly.

Resilience and restoration

  • Recovery time objective (RTO): 2 hours.
  • Recovery point objective (RPO): 15 minutes for production database; 24 hours for object storage.

Process for testing and evaluation

  • Quarterly third-party penetration testing of the production environment.
  • Continuous static and dependency vulnerability scanning in the CI pipeline.
  • Annual SOC 2 Type II audit (closes Q3 FY26).
  • HECVAT 2024 response published at /compliance/hecvat (Lite narrative + full 331-question HECVAT 4.1.5 workbook). No NDA required.

User identification and authorization

  • SAML SSO and SCIM provisioning via Clerk Enterprise (InCommon-compatible).
  • JIT, time-bound, peer-approved production access for Habeo engineers.
  • All production access actions logged to an append-only audit ledger.

Data minimization and quality

  • Customers control which categories of Personal Data they load into the Services.
  • Per-tenant data retention configuration is available on the Research University and System tiers.
  • IP addresses in product analytics are truncated to /24 before persistence.

Incident management

  • 24/7 on-call rotation; documented incident-response playbooks.
  • Post-incident reviews with public root-cause writeups for SEV-1 incidents.

Subprocessor management

  • Vendor security review and DPA in place before onboarding any new Subprocessor.
  • Annual subprocessor re-assessment using a HECVAT-aligned questionnaire.

Annex III · Approved subprocessors

The list of approved Subprocessors is published at usehabeo.com/subprocessors. This annex is updated whenever that list changes; the email-notification process described in section 4 applies.

Questions about this policy?

For legal questions write to legal@usehabeo.com. Privacy requests, data-subject access, and FERPA-related inquiries go to privacy@usehabeo.com and are routed to our Data Protection Officer.

© 2026 Habeo LLC · usehabeo.com