Data Processing Addendum
Last Updated: September 16, 2025
This Data Processing Addendum ("DPA") forms part of the Hund Master Subscription Agreement ("Agreement") between Hund, LLC ("we", "us", "our", or "Hund") and you ("Customer"). This DPA applies to the extent that Hund processes Personal Data on behalf of the Customer in the course of providing the Services detailed in the Agreement.
1. Definitions
- "Account Data" means Personal Data relating to Customer's relationship with Hund, such as contact and billing information, processed by Hund for its own business purposes.
- "Applicable Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), and the California Consumer Privacy Act ("CCPA").
- "Controller" has the meaning given to it in the GDPR.
- "Customer Personal Data" means any Personal Data that Hund processes on behalf of Customer as a Processor in the course of providing the Services.
- "Data Subject" has the meaning given to it in the GDPR.
- "GDPR" means Regulation (EU) 2016/679 (the General Data Protection Regulation).
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processor" has the meaning given to it in the GDPR.
- "Restricted Transfer" means a transfer of Personal Data from the EEA, UK, or Switzerland to a country not recognized by the European Commission, the UK Information Commissioner's Office, or the Swiss FDPIC (as applicable) as providing an adequate level of protection for Personal Data.
- "SCCs" means the Standard Contractual Clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021.
- "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.
2. Applicability and Roles of the Parties
2.1. Applicability. This DPA applies to the processing of Customer Personal Data by Hund to provide the Services. The details of processing are described in Annex I.
2.2. Roles and Responsibilities. The parties acknowledge and agree that with regard to the processing of Personal Data:
- Hund is a Processor acting on behalf of Customer with respect to Customer Personal Data. Hund will process Customer Personal Data only in accordance with Customer's documented instructions as set forth in this DPA and the Agreement.
- Hund is an independent Controller with respect to Account Data. Hund will process Account Data for its own business purposes, such as account management, billing, and service improvement, in accordance with its Privacy Policy and this DPA.
- Customer is the Controller of Customer Personal Data and is responsible for compliance with its obligations as a Controller under Applicable Data Protection Laws, including providing any necessary notices to Data Subjects and establishing a legal basis for the processing.
2.3. Customer Obligations. Customer agrees that it is responsible for the lawfulness of the processing of Customer Personal Data and for ensuring it has a valid legal basis for Hund to process such data in accordance with the Agreement.
3. Security Measures
Hund will implement and maintain appropriate technical and organizational measures to protect Personal Data against security incidents. These measures are described in detail on our Security page and are incorporated as Annex II of this DPA.
4. Sub-processing
4.1. General Authorization. Customer provides a general authorization for Hund to engage third-party sub-processors. Hund shall maintain a list of its current sub-processors on its Sub-processors page.
4.2. Obligations. Hund will enter into a written agreement with each sub-processor imposing data protection obligations that are at least as protective as those in this DPA. Hund remains fully liable to the Customer for the performance of the sub-processor's obligations.
4.3. Changes. Hund will provide Customer with at least 30 days' prior notice of any intended changes concerning the addition or replacement of sub-processors. Customer may object to such changes on reasonable data protection grounds by notifying Hund in writing.
5. International Data Transfers
5.1. Transfer Mechanisms. For any Restricted Transfer of Customer Personal Data from the European Economic Area (EEA), UK, or Switzerland to Hund in the United States, the parties agree that such transfers will be safeguarded by the Standard Contractual Clauses ("SCCs"), as detailed in Annex III.
For any onward Restricted Transfer from Hund to a third-party sub-processor, Hund will ensure the transfer is safeguarded by an appropriate mechanism under Applicable Data Protection Laws, which may include:
- The sub-processor's certification under the EU-U.S. Data Privacy Framework (and its UK and Swiss extensions, where applicable); or
- The execution of Standard Contractual Clauses with the sub-processor.
Our Data Transfer Impact Assessment provides further details for relevant jurisdictions.
6. Data Subject Rights and Assistance
Taking into account the nature of the processing, Hund shall provide reasonable assistance to the Customer, to the extent possible, to enable the Customer to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Laws.
7. Data Breach Notification
Hund will notify the Customer without undue delay after becoming aware of a breach affecting Customer Personal Data. Hund will provide reasonable cooperation to the Customer in relation to the investigation and remediation of the breach.
8. Audits
Hund shall make available to the Customer all information necessary to demonstrate compliance with its obligations as a Processor. Upon written request, Hund will provide Customer with its latest security documentation or third-party audit reports (such as SOC 2 or ISO 27001 reports, where available). If such information is not sufficient to demonstrate compliance, Hund will allow for and contribute to an audit, including inspections, conducted by the Customer or another auditor mandated by the Customer (at Customer's expense), subject to reasonable notice and confidentiality obligations.
9. Data Return and Deletion
Upon termination of the Agreement, Hund shall delete all Customer Personal Data in its possession or control in accordance with the retention periods detailed in our Privacy Policy.
10. U.S. Privacy Laws
To the extent that the processing of Customer Personal Data is subject to the CCPA, Hund is prohibited from: (a) selling or sharing Customer Personal Data; (b) retaining, using, or disclosing Customer Personal Data for any purpose other than for the specific business purposes specified in this DPA; and (c) combining Customer Personal Data with personal data that Hund receives from other sources, except as permitted under the CCPA.
Annex I: Details of Processing
A. List of Parties
Role | Details |
---|---|
Data Exporter | The Customer, as defined in the Master Subscription Agreement. Customer is the Controller of Customer Personal Data. |
Data Importer | Hund, LLC, a Wyoming, USA limited liability company. Hund is the Processor of Customer Personal Data. |
B. Description of Transfer
Categories of Data Subjects | |
Categories of Personal Data | |
Sensitive Data Processed | No sensitive data is intended to be processed by the Services. |
Frequency of Transfer | The transfer is continuous for the duration of the Services. |
Nature and Purpose of Processing | To provide, maintain, and support the Hund uptime monitoring and status page services as described in the Master Subscription Agreement. |
Sub-processor Transfers | The subject matter and nature of processing by sub-processors are detailed on Hund's Sub-processors page. |
C. Competent Supervisory Authority
For the purposes of the SCCs, the competent supervisory authority will be the authority of the EU member state in which the Customer is established, or if the Customer is not established in the EU, the Irish Data Protection Commission (DPC).
Annex II: Technical and Organizational Measures
This Annex II describes the formal technical and organizational measures (TOMs) to which Data Importer (Hund, LLC) is committed. For a general overview of our security program, which is provided for informational purposes only and does not form part of this DPA, please see our public Security page.
Hund may update these measures from time to time, provided that such updates do not result in a material degradation of the overall security of the Services.
- Information Security Program: Hund maintains a formal security program designed to protect Customer Data. The program includes documented policies, procedures, and regular risk assessments, and is reviewed by management at least annually.
- Access Control: Hund restricts access to Customer Data to authorized personnel based on the Principle of Least Privilege. Access controls include secure authentication methods for administrative access and timely de-provisioning of user accounts.
- Encryption: Hund employs industry-standard encryption for Customer Data in transit over public networks and at rest within its production environment.
- Vulnerability Management: Hund maintains a vulnerability management program which includes regular vulnerability scanning of its networks and applications. Identified vulnerabilities are remediated based on their assessed risk. The Services also undergo penetration tests on at least an annual basis.
- Business Continuity and Resilience: Hund maintains business continuity and disaster recovery plans designed to ensure the ongoing availability and resilience of the processing systems and services. These plans are tested at regular intervals. Regular backups of Customer Data are maintained in a secure, separate location.
- Secure Development: Hund follows secure development practices, including maintaining separate environments for testing and production.
- Personnel Security: All Hund personnel are subject to confidentiality obligations and are required to complete security awareness training upon hire and at least annually thereafter.
- Incident Management: Hund maintains an incident response plan and will notify affected Customers without undue delay upon becoming aware of a security breach affecting their Customer Data.
- Physical Security: Hund utilizes major cloud infrastructure providers who are responsible for the physical security of the data centers where the Services are hosted. These providers maintain industry-standard certifications (such as SOC 2 and/or ISO 27001).
Annex III: Standard Contractual Clauses
1. Incorporation of SCCs. For any Restricted Transfer subject to the SCCs, the SCCs are hereby incorporated by reference and shall apply as follows:
- Module Two (Controller to Processor) will apply where Customer is a Controller and Hund is a Processor.
- Module Three (Processor to Processor) will apply where Customer is a Processor and Hund is a sub-processor.
2. Specific Clauses. For the purposes of the SCCs:
- The optional "docking clause" in Clause 7 will apply.
- In Clause 9, Option 2 will apply, and the notice period for sub-processor changes shall be 30 days as set out in Section 4.3 of this DPA.
- The optional language in Clause 11 will not apply.
- In Clause 17, Option 1 will apply, and the SCCs will be governed by the laws of the Republic of Ireland.
- In Clause 18(b), disputes shall be resolved before the courts of the Republic of Ireland.
3. UK Transfers. For transfers of personal data protected by the UK GDPR, the SCCs as specified above shall be supplemented by the UK Addendum, which is incorporated by reference. Table 4 of the UK Addendum shall be deemed completed by selecting "neither party".
4. Swiss Transfers. For transfers of personal data protected by the Swiss FADP, the SCCs as specified above shall apply with the following modifications: (i) references to "Regulation (EU) 2016/679" shall be interpreted as references to the FADP; (ii) references to the "competent supervisory authority" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC).
5. UK IDTA Mandatory Information Table.
Table | Reference |
---|---|
Table 1 - Parties | Completed automatically by reference to Annex I above. |
Table 2 - Transfer Details | See Section 5 and Annex I of this DPA. |
Table 3 - Technical & Organisational Measures | See Annex II. |
Table 4 - Governing Law & Jurisdiction | Neither party (per Section 3 of the UK Addendum). |