Data Processing Agreement
HEMA AI INC.
Last Updated: June 13, 2026
This Data Processing Agreement (this "DPA") is incorporated into and forms part of the Master Subscription Agreement or other written agreement between Hema AI Inc. ("Hema AI") and Customer that references this DPA (the "Agreement"). Hema AI is a corporation incorporated under the laws of the State of Delaware, United States of America, with its registered office at 131 Continental Dr, Suite 305, Newark, Delaware 19713. Capitalized terms used but not defined in this DPA shall have the meanings ascribed to them in the Agreement.
Table of Contents
1. Data Processing, Subject Matter, and Roles
2. Processing Instructions
3. Personnel
4. CCPA and U.S. State Privacy Law Limitations on Processing
5. Security and Security Incidents
6. Subprocessing
7. Assistance
8. Audit Rights
9. International Data Transfers
10. Return and Deletion of Customer Personal Data
Annex I – Description of the Transfer
Annex II – Technical and Organizational Security Measures
Annex III – List of Approved Subprocessors
1. Data Processing, Subject Matter, and Roles
1.1 Data Processing
In the course of providing the Services to Customer pursuant to the Agreement, Hema AI may Process Customer Data that constitutes "personal data," "personal information," "personally identifiable information," or an analogous term as defined under applicable law ("Customer Personal Data"). The Parties agree to comply with this DPA and all applicable privacy and data protection laws governing the Processing of Customer Personal Data in connection with the Agreement, including, as applicable, those of the European Union, the European Economic Area ("EEA") and their member states, Switzerland, the United Kingdom ("UK"), and the United States — including the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable U.S. state privacy laws (collectively, "Data Protection Laws").
1.2 Subject Matter
The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data Processed, and the categories of data subjects ("Data Subjects") whose personal data is processed are set out in Annex I to this DPA, which is incorporated herein by reference and forms an integral part of this DPA.
1.3 Roles of the Parties
Customer is a "Controller" or "Business" (as those terms are defined under applicable Data Protection Law) and hereby appoints Hema AI as a "Processor" or "Service Provider" (as those terms are defined under applicable Data Protection Law) to Process Customer Personal Data on behalf of Customer. Customer remains responsible for compliance with all requirements of Data Protection Laws applicable to Controllers and Businesses, including ensuring that it has a lawful basis for transferring Customer Personal Data to Hema AI for Processing. If Customer is itself acting as a Processor on behalf of a third-party Controller ("Third-Party Controller"), then Customer: (a) shall serve as the single point of contact for Hema AI with respect to all matters relating to this DPA; (b) must obtain all necessary authorizations, consents, and approvals from such Third-Party Controller prior to transferring Customer Personal Data to Hema AI; and (c) undertakes to issue all instructions and exercise all rights under this DPA on behalf of such Third-Party Controller.
2. Processing Instructions
Hema AI shall Process Customer Personal Data solely on behalf of Customer and only in accordance with Customer's documented instructions. Hema AI is authorized to Process Customer Personal Data for the following purposes: (a) Processing in accordance with this DPA, the Agreement, and the applicable Order Form(s); (b) Processing initiated by Users in their use of the Services; and (c) Processing in accordance with other documented, reasonable instructions provided by Customer in writing (including by email) where such instructions are consistent with the terms of the Agreement. If Hema AI is required by applicable Law to Process Customer Personal Data in a manner that deviates from Customer's instructions, Hema AI shall notify Customer of such legal requirement before Processing (unless prohibited by applicable Law from doing so on grounds of public interest). Hema AI shall promptly inform Customer if, in Hema AI's reasonable opinion, any instruction from Customer infringes applicable Data Protection Laws.
3. Personnel
Hema AI shall ensure that all personnel who are authorized to Process Customer Personal Data: (a) are subject to enforceable written obligations of confidentiality with respect to such Customer Personal Data; (b) Process Customer Personal Data only as necessary for the purposes contemplated by this DPA and the Agreement; and (c) have received appropriate training on their data protection obligations. Hema AI shall ensure that access to Customer Personal Data is limited to those personnel who require such access for the purposes of performing the Services.
4. CCPA and U.S. State Privacy Law Limitations on Processing
To the extent Customer Personal Data is subject to the CCPA/CPRA or other applicable U.S. state privacy laws, and except as expressly permitted by this DPA, the Agreement, or applicable Data Protection Law, Hema AI is prohibited from:
(a) retaining, using, or disclosing Customer Personal Data for any purpose other than the specific business purposes of performing the Services and in accordance with Customer's documented instructions, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Services;
(b) retaining, using, or disclosing Customer Personal Data outside of the direct business relationship between the Parties;
(c) combining Customer Personal Data received from, or on behalf of, Customer with personal information that Hema AI receives from, or on behalf of, any other person or persons, or that Hema AI collects from its own interactions with any individual, except as permitted under applicable Data Protection Law;
(d) "Selling" or "Sharing" (as those terms are defined under applicable Data Protection Laws, including the CCPA/CPRA) Customer Personal Data; and
(e) using Customer Personal Data to build or modify household or consumer profiles for use in providing services to any entity other than Customer, or to develop, improve, or train a general-purpose artificial intelligence or machine learning model.
Hema AI hereby certifies that it understands the restrictions set forth in this Section 4 and will comply with them. The Parties acknowledge and agree that the transfer of Customer Personal Data from Customer to Hema AI is not a "Sale" or "Share" as those terms are defined under applicable U.S. state privacy law.
5. Security and Security Incidents
5.1 Security Measures
Hema AI shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect Customer Personal Data from unauthorized access, acquisition, use, disclosure, destruction, alteration, accidental loss, or damage, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, at a minimum, the security safeguards described in Annex II to this DPA, and shall meet the standards set forth in SOC 2, ISO 27001, NIST 800-53, or a substantially equivalent information security standard during the Term of the Agreement.
5.2 Security Incident Notification
Hema AI shall notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any actual or reasonably suspected: (a) unauthorized access to, acquisition of, use of, disclosure of, or other Processing of Customer Personal Data; or (b) breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed by Hema AI (each, a "Security Incident"). Where notification cannot be made within seventy-two (72) hours, Hema AI's notification shall be accompanied by written reasons for the delay. Hema AI's notification of a Security Incident shall not be construed as an acknowledgment of fault or liability.
5.3 Security Incident Response
Upon becoming aware of a Security Incident, Hema AI shall: (a) take prompt and reasonable measures to contain, mitigate, and remediate the Security Incident and to prevent its recurrence; (b) provide Customer with reasonably detailed information relating to the Security Incident, including the nature of the incident, the categories and approximate number of Data Subjects and records affected, the likely consequences of the incident, and the measures taken or proposed to address the incident; and (c) provide such other commercially reasonable assistance to Customer as Customer may reasonably require to comply with Customer's obligations under applicable Data Protection Laws with respect to the Security Incident.
5.4 Vulnerability Management
Hema AI shall conduct regular vulnerability scanning and security assessments of the Hema AI platform and infrastructure used to provide the Services. Hema AI shall promptly remediate identified vulnerabilities in accordance with its internal vulnerability management procedures and applicable security standards.
5.5 Encryption
Hema AI shall encrypt Customer Personal Data both in transit and at rest using industry-accepted encryption standards, strong encryption algorithms, and current security protocols (including, at minimum, TLS 1.2 or higher for data in transit and AES-256 or equivalent for data at rest).
6. Subprocessing
6.1 Authorization to Engage Subprocessors
Customer hereby provides Hema AI with general written authorization to engage third-party processors to Process Customer Personal Data on Hema AI's behalf in connection with the provision of the Services ("Subprocessors"). The Subprocessors currently engaged by Hema AI are listed in Annex III to this DPA.
6.2 Subprocessor Agreements
Hema AI shall enter into a written agreement with each Subprocessor that imposes data protection obligations on such Subprocessor that are substantially similar to, and no less protective than, the obligations imposed on Hema AI under this DPA. Hema AI remains fully responsible to Customer for the performance of each Subprocessor's obligations and for any acts or omissions of a Subprocessor that cause Hema AI to breach its obligations under this DPA.
6.3 Subprocessor Changes; Objection Rights
Hema AI shall provide Customer with reasonable prior written notice (which may be given by posting an update to Hema AI's website at www.tryhema.com/legal/subprocessors or by email) before making any intended addition to, or replacement of, a Subprocessor. Customer may object to the addition or replacement of a Subprocessor on reasonable grounds — specifically, that the appointment of such Subprocessor would result in a material violation of Data Protection Law — by delivering written notice to Hema AI at info@tryhema.com detailing the specific grounds for such objection within thirty (30) days of Hema AI's notice. The Parties shall work together in good faith to resolve Customer's objection. If Hema AI elects, in its reasonable discretion, to proceed with the addition or replacement of the Subprocessor notwithstanding Customer's objection, Hema AI shall notify Customer at least thirty (30) days before authorizing such Subprocessor to Process Customer Personal Data, and either Party may, as its sole remedy, discontinue or terminate the relevant portion of the Services that uses such Subprocessor upon written notice within such thirty (30) day period.
7. Assistance
Taking into account the nature of the Processing and the information available to Hema AI, Hema AI shall provide Customer with reasonable cooperation and assistance, at Customer's reasonable written request and at Customer's expense, in connection with:
(a) implementing appropriate technical and organizational measures to enable Customer to respond to requests from Data Subjects or "Consumers" (as defined under applicable Data Protection Laws) exercising their rights under applicable Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection;
(b) responding to inquiries, complaints, and investigations from Data Subjects, supervisory authorities, regulatory bodies, and law enforcement agencies relating to the Processing of Customer Personal Data;
(c) conducting and documenting data protection impact assessments, privacy impact assessments, and data protection assessments as may be required by applicable Data Protection Laws; and
(d) carrying out prior consultations with supervisory authorities or data protection regulators where required by applicable Data Protection Laws.
Hema AI shall promptly notify Customer if Hema AI receives any request directly from a Data Subject relating to Customer Personal Data, and shall not respond to any such request without Customer's prior written authorization, except to inform the Data Subject that their request has been received and referred to Customer.
8. Audit Rights
Upon Customer's reasonable prior written request (and no more than once per twelve (12) month period, unless required by a supervisory authority or other regulatory body responsible for the enforcement of applicable Data Protection Law), Hema AI shall permit Customer, at Customer's sole expense, to conduct an audit of Hema AI's applicable controls and compliance with this DPA (an "Audit"), subject to the following conditions:
(a) the Audit shall be conducted either by Customer's internal personnel or by a qualified third-party auditor designated by Customer, provided that such third-party auditor has executed an appropriate confidentiality agreement with Hema AI prior to commencing the Audit;
(b) Customer and Hema AI shall mutually agree in writing, in advance, on the reasonable details of the Audit, including the scheduled start date, scope, duration, and applicable security and confidentiality protocols;
(c) Customer shall provide Hema AI with at least thirty (30) days' prior written notice of the proposed Audit; and
(d) the Audit shall be conducted in a manner that minimizes disruption to Hema AI's operations and shall not require Hema AI to disclose information that would compromise the security of other customers' data or Hema AI's confidential business information.
Customer shall bear all costs and expenses incurred by Hema AI in connection with any Audit. Customer may use the results of an Audit solely for the purposes of verifying Hema AI's compliance with this DPA and meeting Customer's own regulatory requirements. Audit results shall be treated as Hema AI's Confidential Information under the Agreement.
9. International Data Transfers
9.1 EEA and Swiss Data Transfers
Hema AI shall obtain Customer's specific prior written authorization before making any transfer of Customer Personal Data subject to European Data Protection Law (including the GDPR and the Swiss Federal Act on Data Protection) to a country that is not subject to an adequacy decision by the European Commission or, in the case of Switzerland, an adequacy decision by the competent Swiss authority (each, an "International Data Transfer"). Customer hereby authorizes Hema AI to conduct International Data Transfers outside the EEA or Switzerland on any of the following bases:
(a) to any country that is the subject of a valid adequacy decision by the European Commission (or, for Switzerland, by the competent Swiss authority);
(b) to an organization whose binding corporate rules have been approved by competent EEA supervisory authorities in accordance with applicable Data Protection Law; or
(c) to any data importer with whom Hema AI has entered into standard contractual clauses ("SCCs") approved by the European Commission.
9.2 EU Standard Contractual Clauses
To the extent required by applicable Data Protection Law, Customer and Hema AI hereby conclude Module 2 (Controller-to-Processor) of the SCCs adopted by the European Commission by Decision 2021/914/EU, which are incorporated into and form part of this DPA. To the extent Customer is itself a Processor on behalf of a Third-Party Controller, the Parties also conclude Module 3 (Processor-to-Subprocessor) of the SCCs to the extent required. The SCCs are completed as follows: (a) the "data exporter" is Customer; (b) the "data importer" is Hema AI; (c) the optional docking clause in Clause 7 is incorporated; (d) Option 1 of Clause 9(a) (general written authorization) is selected, and the notice period specified therein is as set out in Section 6.3 above; (e) the optional redress clause in Clause 11(a) is not incorporated; (f) Option 1 of Clause 17 is selected and the governing law of the SCCs is the law of the Republic of Ireland; (g) the courts referred to in Clause 18(b) are the courts of the Republic of Ireland; and (h) Annexes I, II, and III to the SCCs are Annexes I, II, and III to this DPA respectively. For International Data Transfers from Switzerland, Data Subjects habitually resident in Switzerland may bring claims under the SCCs before the courts of Switzerland.
9.3 UK Data Transfers
Customer hereby authorizes Hema AI to perform International Data Transfers of Customer Personal Data subject to UK data protection law (including the UK GDPR and the Data Protection Act 2018) outside the UK on any of the following bases:
(a) to any country that is the subject of a valid adequacy decision issued by the UK Secretary of State;
(b) to an organization whose binding corporate rules have been approved by the UK Information Commissioner's Office ("ICO"); or
(c) to any data importer with whom Hema AI has entered into the International Data Transfer Addendum to the EU Standard Contractual Clauses issued by the UK ICO (the "UK Addendum") or other standard contractual clauses issued by the UK ICO, as applicable.
9.4 UK Transfer Mechanism
To the extent required by applicable UK data protection law, Customer and Hema AI hereby conclude the UK Addendum, which is incorporated into and forms part of this DPA. Part 1 of the UK Addendum is completed as follows: (a) in Table 1, the "Exporter" is Customer and the "Importer" is Hema AI, with their respective details as set forth in this DPA and the Agreement; (b) in Table 2, the first option is selected, and the "Approved EU SCCs" are the SCCs referred to in Section 9.2 of this DPA; (c) in Table 3, Annexes I (Parts A and B), II, and III to the "Approved EU SCCs" are Annexes I, II, and III to this DPA respectively; and (d) in Table 4, both the "Importer" and the "Exporter" have the right to terminate the UK Addendum in the event of a Relevant Change.
9.5 U.S. Data Transfers
To the extent Customer Personal Data originates in the United States or is subject to applicable U.S. Data Protection Laws, Hema AI shall Process such data in compliance with all applicable U.S. federal and state data protection laws, including the CCPA/CPRA and any other applicable U.S. state privacy statutes. Hema AI maintains its principal place of business in the United States and the Services are hosted on infrastructure located in the United States unless otherwise specified in the applicable Order or Annex III.
10. Return and Deletion of Customer Personal Data
Following the expiration or earlier termination of this DPA or the Agreement, Hema AI shall, within thirty (30) days of the effective date of such expiration or termination (or, if earlier, upon Customer's written request), promptly return to Customer or permanently and securely delete all Customer Personal Data in Hema AI's possession or control, including all copies thereof, and shall certify such return or deletion in writing to Customer upon request. Notwithstanding the foregoing, Hema AI may retain copies of Customer Personal Data: (a) as expressly agreed by the Parties in writing; (b) to the extent required to comply with applicable Law, including applicable record retention requirements (in which case Hema AI shall notify Customer of such retention and the legal basis therefor, to the extent permitted by applicable Law); or (c) to the extent contained in standard system backups generated in the ordinary course of business, provided that any such retained Customer Personal Data shall remain subject to the confidentiality and security obligations of this DPA until permanently deleted.
ANNEX I — DESCRIPTION OF THE TRANSFER
A. List of Parties
| Field | Hema AI Inc. (Data Importer) |
|---|---|
| Entity Name | Hema AI Inc. |
| Role | Data Importer / Processor (or Subprocessor on behalf of Third-Party Controller) |
| Activities | Hema AI provides AI search analytics, brand visibility monitoring, and related software services to Customer as described in the Agreement, and Processes Customer Personal Data on behalf of Customer in that context. |
| Registered Address | 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States of America |
| Contact | info@tryhema.com |
| Delaware File No. | 10586210 |

| Field | Customer (Data Exporter) |
|---|---|
| Entity Name | Customer (as identified in the Agreement) |
| Role | Data Exporter / Controller (or Processor on behalf of Third-Party Controller) |
| Activities | Customer receives Hema AI's Services as described in the Agreement and provides Customer Personal Data to Hema AI in that context. |
| Address | As set forth in the applicable Order |
| Contact | As set forth in the applicable Order |

B. Description of the Transfer
| Category | Description |
|---|---|
| Categories of Data Subjects | Customer's end customers and prospects; Customer's employees, contractors, and personnel; Users of the Services. |
| Categories of Personal Data | Name; email address; job title; company name; IP address; device and usage information; query data submitted through the Services; and any other personal data included in Customer Data as defined in the Agreement. |
| Sensitive Data | Not applicable. The Parties do not anticipate the transfer of special categories of personal data (as defined under applicable Data Protection Law). If Customer intends to transfer sensitive data, the Parties must agree additional safeguards in writing prior to such transfer. |
| Frequency of Transfer | Continuous, for the duration of the Agreement. |
| Nature of Processing | Collection, storage, organization, structuring, retrieval, use, analysis, disclosure, and deletion of Customer Personal Data as necessary to provide the Services, as described in the Agreement. |
| Purpose(s) of Transfer | Provision of the Services described in the Agreement, including AI search analytics, brand visibility monitoring, prompt analytics, and related features. |
| Retention Period | Customer Personal Data will be retained for as long as necessary to fulfill the purposes described in the Agreement and this DPA, and in compliance with applicable Data Protection Laws, including applicable statutes of limitation. Upon termination or expiration of the Agreement, data will be handled in accordance with Section 10 of this DPA. |
| Transfers to Subprocessors | Subject matter and nature: as described in the Agreement and this DPA. Duration: for the duration of the Agreement. See Annex III for a list of approved Subprocessors. |

C. Competent Supervisory Authority
| Jurisdiction | Competent Supervisory Authority |
|---|---|
| EEA Data Subjects | Supervisory Authority of the Republic of Ireland (Data Protection Commission) |
| UK Data Subjects | UK Information Commissioner's Office (ICO) |
| Swiss Data Subjects | Swiss Federal Data Protection and Information Commissioner (FDPIC) |
| U.S. Data Subjects (CA) | California Privacy Protection Agency (CPPA) / California Attorney General |
| U.S. Data Subjects (other) | Applicable state attorney general or data protection authority, as determined by applicable law |

ANNEX II — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Hema AI shall implement and maintain, at minimum, the following technical and organizational security measures to protect Customer Personal Data against unauthorized or unlawful Processing and against accidental loss, destruction, damage, or disclosure, in accordance with SOC 2, ISO 27001, NIST 800-53, or a substantially equivalent standard:
| Security Measure | Description |
|---|---|
| Access Controls | Role-based access controls (RBAC) limiting access to Customer Personal Data to authorized personnel on a need-to-know basis; multi-factor authentication (MFA) for access to production systems; privileged access management (PAM) controls for administrative access. |
| Encryption in Transit | All Customer Personal Data transmitted over public networks is encrypted using TLS 1.2 or higher. |
| Encryption at Rest | Customer Personal Data stored in Hema AI's systems is encrypted at rest using AES-256 or an equivalent encryption standard. |
| Network Security | Firewall protection, intrusion detection and prevention systems (IDS/IPS), network segmentation, and regular network security monitoring. |
| Vulnerability Management | Regular vulnerability scanning, penetration testing, and patch management processes to identify and remediate security vulnerabilities in a timely manner. |
| Logging and Monitoring | Security event logging, monitoring, and alerting to detect and respond to security incidents; audit logs retained for a minimum period in accordance with applicable standards. |
| Incident Response | A documented Security Incident response plan covering detection, containment, eradication, recovery, and notification procedures, reviewed and tested at least annually. |
| Data Minimization | Processing of Customer Personal Data is limited to what is adequate, relevant, and necessary in relation to the purposes described in this DPA. |
| Data Backup and Recovery | Regular encrypted backups of Customer Personal Data; documented and tested disaster recovery and business continuity procedures. |
| Vendor Security | Security due diligence conducted on Subprocessors prior to engagement; contractual security obligations imposed on all Subprocessors as described in Section 6.2. |
| Physical Security | Customer Personal Data is processed in data centers maintained by Hema AI's cloud infrastructure provider(s), which implement industry-standard physical security controls including access logging, CCTV, and environmental controls. |
| Personnel Security | Background checks on personnel with access to Customer Personal Data (to the extent permitted by applicable law); mandatory data protection and security training; confidentiality obligations as described in Section 3. |
| Certification and Audits | Hema AI maintains security certifications or conducts third-party audits in accordance with SOC 2, ISO 27001, NIST 800-53, or substantially equivalent standards. Audit reports are available to Customer upon written request and execution of an appropriate non-disclosure agreement. |

ANNEX III — LIST OF APPROVED SUBPROCESSORS
Customer hereby authorizes Hema AI to engage the following Subprocessors to Process Customer Personal Data in connection with the provision of the Services. Hema AI shall update this Annex III in accordance with the procedures set out in Section 6.3 of this DPA.
| Subprocessor | Country | Category | Purpose |
|---|---|---|---|
| Vercel | United States | Cloud & App Hosting | Application hosting and deployment infrastructure for the Hema AI platform |
| OpenAI | United States | AI Model Provider | AI language model services supporting core platform functionality |
| Anthropic | United States | AI Model Provider | AI language model services supporting core platform functionality |
| Google Cloud | United States | AI & Auth Services | AI model services and user authentication (Firebase Auth / Google OAuth) |
| Supabase | United States | Database Provider | Relational database and backend infrastructure |
| Cloudflare | United States | CDN & Security | Content delivery network, DDoS protection, and web application firewall |
| HubSpot | United States | CRM & Support | Customer relationship management and customer support communications |
| Clerk | United States | Authentication | User authentication, session management, and identity services |
| ClickHouse | United States | Analytics Database | High-performance analytics database for processing query and usage data |
| Snowflake | United States | Data Warehouse | Cloud data warehouse for analytics and reporting |
| Zilliz | United States | Vector Database | Vector database supporting AI-powered search and similarity features |
| Stripe | United States | Payment Processing | Secure payment processing and subscription billing management |
| Pylon | United States | Customer Support | B2B customer support and ticketing platform |
| Clay | United States | CRM & Enrichment | Contact data enrichment and customer operations support |

This Data Processing Agreement was adopted by Hema AI Inc., a Delaware corporation, effective June 13, 2026. Delaware File Number: 10586210. Registered Office: 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States of America.
* * *
Hema AI Inc. | 131 Continental Dr, Suite 305, Newark, Delaware 19713 | info@tryhema.com | www.tryhema.com