Last updated: 2026-01-05
This Data Processing Agreement ("DPA") forms part of the Terms of Service and applies to the extent that HCL Systems OU processes Personal Data on behalf of a Customer in the course of providing the HCAPP service (the "Service").
1. Parties and Roles
Controller:
The customer entity that uses the Service ("Customer").
Processor:
HCL Systems OU, registry code 17389479, Vana-Tartu mnt 79a, 75312
Peetri, Estonia ("Processor").
For the purposes of this DPA, the Customer is the data controller and the Processor acts as a data processor within the meaning of the GDPR.
2. Scope and Duration of Processing
Processor processes Personal Data solely for the purpose of providing, maintaining, and supporting the Service, in accordance with the Customer's documented instructions and this DPA.
Processing continues for the duration of the Customer's use of the Service and terminates upon deletion of the Customer's account, subject to applicable retention obligations.
3. Nature and Purpose of Processing
The nature of processing includes hosting, storage, transmission, and other operations necessary to provide the Service.
The purpose of processing is to enable the Customer to use the Service for business process management, task tracking, and related functionalities.
4. Categories of Data and Data Subjects
Types of Personal Data may include:
- identification data (name, email);
- user account data;
- business-related personal data uploaded by the Customer;
- metadata and usage logs related to the Service.
Categories of Data Subjects may include:
- Customer's employees;
- Customer's contractors;
- Customer's clients or end users.
5. Processor Obligations
The Processor shall:
- process Personal Data only on documented instructions from the Customer;
- ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
- implement appropriate technical and organizational measures to protect Personal Data;
- not use Personal Data for its own purposes or disclose it to third parties except as permitted by this DPA or required by law.
6. Security Measures
The Processor implements reasonable technical and organizational measures, including:
- access controls and least-privilege principles;
- encryption of data in transit;
- secure infrastructure hosted on Amazon Web Services (AWS);
- logging and monitoring for security purposes.
These measures are designed to protect Personal Data against unauthorized access, loss, or alteration.
7. Sub-processors
The Customer authorizes the Processor to engage sub-processors necessary to provide the Service (such as infrastructure and hosting providers).
The Processor ensures that sub-processors are bound by data protection obligations substantially similar to those in this DPA.
A current list of sub-processors is available upon request.
8. Assistance with Data Subject Rights
The Processor shall reasonably assist the Customer in fulfilling requests from data subjects to exercise their rights under the GDPR, taking into account the nature of processing and the information available to the Processor.
9. Personal Data Breach
The Processor shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide reasonable information to assist the Customer in meeting its notification obligations under the GDPR.
10. Return and Deletion of Data
Upon termination of the Service, the Processor shall, at the Customer's choice:
- return Customer Personal Data, or
- delete Customer Personal Data,
except to the extent retention is required by applicable law or technical backup lifecycle policies.
11. Audits
Upon reasonable written request, the Processor shall make available information necessary to demonstrate compliance with this DPA.
Audits shall be limited to documentation review and shall not unreasonably interfere with the Processor's operations.
12. International Transfers
Personal Data is primarily processed within the EU/EEA.
If processing involves transfers outside the EU/EEA, appropriate safeguards such as Standard Contractual Clauses will be applied.
13. Governing Law
This DPA is governed by the laws of the Republic of Estonia.
14. Contact
For questions regarding this DPA, contact:
HCL Systems OU
Email: support@hcapp.ee