DATA PROCESSING ADDENDUM

to the Glider Monitoring Terms / Agreement

Last updated: 16 June 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Customer”, “Controller”) and Hexens Cyber Security Ltd. (“Hexens”, “Processor”) for use of the Service (the “Agreement”) and applies where Hexens processes Customer Personal Data on Customer’s behalf. If there is a conflict on data protection matters, this DPA prevails over the rest of the Agreement.

1. Definitions and Roles

1.1 Capitalized terms not defined here have the meaning given in the Agreement. “Data Protection Laws” means all laws applicable to the processing of personal data under this DPA, including the EU GDPR, the UK GDPR, and U.S. state privacy laws. “Customer Personal Data” means personal data Hexens processes on Customer’s behalf under the Agreement, as described in Annex I.

1.2 For Customer Personal Data, Customer is the controller and Hexens is the processor. Where Hexens determines the purposes and means of processing (for example, account administration, security, and its own analytics), Hexens acts as a controller and this DPA does not apply to that processing.

2. Processing of Customer Personal Data

2.1 Hexens will process Customer Personal Data only on Customer’s documented instructions, including as set out in the Agreement, this DPA, and Annex I, and as needed to comply with law (in which case Hexens will inform Customer unless legally prohibited).

2.2 Customer warrants that it has a lawful basis and has provided all required notices and obtained all required consents for the personal data it submits, including the contact details of its personnel used to deliver alerts, and that its instructions comply with Data Protection Laws.

2.3 Hexens will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

3. Confidentiality and Personnel

3.1 Hexens will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations and process the data only as instructed.

4. Security

4.1 Hexens will implement and maintain the technical and organizational measures set out in Annex II, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing.

5. Sub-processors

5.1 Customer authorizes Hexens to engage the sub-processors listed in Annex III and others to support the Service. Hexens will impose data protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance.

5.2 Hexens will give Customer notice of any new sub-processor (by the means stated in Annex III) before it begins processing, and Customer may object on reasonable data-protection grounds within 10 days, in which case the parties will work in good faith to resolve the objection.

6. Assistance to Customer

6.1 Taking into account the nature of the processing, Hexens will assist Customer by appropriate measures, insofar as possible, in fulfilling Customer’s obligations to respond to data-subject requests, and will promptly forward any such request it receives directly.

6.2 Hexens will assist Customer, taking into account the information available to it, with data protection impact assessments, prior consultations, and the security and breach-notification obligations under Data Protection Laws.

7. Personal Data Breach

7.1 Hexens will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its notification obligations.

8. Audits

8.1 Hexens will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or its mandated auditor on reasonable prior notice, no more than once per year except where required by a supervisory authority, subject to confidentiality and to not unduly disrupting Hexens’ operations. Hexens may satisfy this through third-party reports or certifications where available.

9. International Transfers

9.1 To the extent Hexens transfers Customer Personal Data out of the EEA or the UK to a country without an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module Two: controller to processor), and the UK International Data Transfer Addendum, are incorporated into this DPA and completed by reference to the Annexes, with Customer as data exporter and Hexens as data importer.

9.2 The EU Standard Contractual Clauses are governed by the law specified in those Clauses (and, where a Member State must be designated, Ireland); the UK Addendum is governed by the laws of England and Wales. The remainder of this DPA follows the governing law of the Agreement.

10. U.S. State Privacy Laws

10.1 To the extent U.S. state privacy laws apply, Hexens acts as a “service provider” / “processor” and will: process Customer Personal Data only to provide the Service or as permitted by those laws; not sell or share it; not retain, use, or disclose it outside the direct business relationship or for any purpose other than the Service; and not combine it with personal data from other sources except as permitted. Hexens certifies that it understands and will comply with these restrictions.

11. Deletion and Return

11.1 On termination or expiry of the Agreement, Hexens will, at Customer’s choice, delete or return Customer Personal Data and delete existing copies, except to the extent law requires retention. This obligation does not apply to aggregated or de-identified data, or to datasets Hexens holds as a controller under its Privacy Policy, which are not Customer Personal Data.

12. Liability

12.1 Each party’s liability under this DPA is subject to the exclusions and limitations of liability in the Agreement.

13. Execution

13.1 This DPA is effective on the effective date of the Agreement and is accepted by Customer’s acceptance of the Agreement, or by signature where the parties choose to sign. It supersedes any prior data processing terms between the parties for the Service.

Annex I — Description of Processing

Parties

Data exporter: Customer (controller). Data importer: Hexens (processor).

Data subjects

Customer’s authorized users, employees, and personnel designated to receive alerts.

Categories of data

Name, business email, job/role, Telegram usernames and channel identifiers, Slack usernames and workspace identifiers, account and configuration data.

Special categories

None intended or required.

Purpose

Account administration and delivery of monitoring alerts to designated destinations under the Agreement.

Frequency

Continuous, for the duration of the Agreement.

Retention

For the duration of the Agreement and a short period afterwards, per Clause 11.

Annex II — Technical and Organizational Measures

Access control and least-privilege provisioning; multi-factor authentication for administrative access; encryption of data in transit and, where appropriate, at rest; network and application security controls; logging and monitoring; secure software development practices; personnel confidentiality and training; vendor due diligence; and incident response and breach-handling procedures.

Annex III — Sub-processors

Notice of new sub-processors is given by email to the account contact or by posting at hexens.io. Current sub-processors:

Sub-processor | Purpose | Location
Amazon Web Services, Inc. | Infrastructure | Seattle, Washington, United States
Google LLC | Transactional email | Mountain View, California, United States
Telegram Group Inc. | Alert delivery | Dubai, United Arab Emirates
Slack Technologies, LLC | Alert delivery | San Francisco, California, United States
Stripe, Inc. | Billing | South San Francisco, California, United States, and Dublin, Ireland
Google LLC | Product analytics | Mountain View, California, United States