Data Processing Addendum

Human Layer Lab, Inc.

Last updated: February 1, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Human Layer Lab, Inc. ("Processor") and the customer entity ("Controller") for the provision of workforce intelligence services.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Supervisory Authority" means an independent public authority responsible for monitoring the application of data protection laws.

2. Roles and Responsibilities

2.1 Controller

The Controller:

  • Determines the purposes and means of processing Personal Data
  • Ensures lawful basis for data processing
  • Responds to Data Subject requests
  • Maintains records of processing activities
  • Conducts data protection impact assessments when required

2.2 Processor

Human Layer Lab, as Processor:

  • Processes Personal Data only on documented instructions from the Controller
  • Ensures personnel are bound by confidentiality obligations
  • Implements appropriate technical and organizational security measures
  • Assists the Controller with Data Subject requests
  • Deletes or returns Personal Data upon termination
  • Provides information necessary to demonstrate compliance

3. Processing Details

3.1 Subject Matter

Processing of Personal Data in connection with the provision of workforce intelligence and analytics services.

3.2 Duration

Processing continues for the duration of the service agreement plus any retention period required by law or agreed upon in writing.

3.3 Nature and Purpose

| Processing Activity | Purpose |
|---------------------|---------|
| Account management | User authentication and authorization |
| Data storage | Secure storage of customer-uploaded data |
| Analytics | Generation of workforce intelligence insights |
| AI processing | Machine learning analysis for risk assessment |
| Reporting | Generation of reports and exports |

3.4 Categories of Data Subjects

  • Customer employees and administrators
  • Workforce members described in uploaded data
  • Third-party contacts as provided by Controller

3.5 Categories of Personal Data

  • Contact information (name, email)
  • Professional information (job titles, departments)
  • Organizational data (reporting structures)
  • Usage data (platform interactions)

3.6 Special Categories

Human Layer Lab does not process special categories of personal data (sensitive data) unless explicitly instructed by the Controller with appropriate safeguards.

4. Controller Instructions

4.1 Documented Instructions

The Processor shall process Personal Data only in accordance with:

  • This DPA
  • The main service agreement
  • Written instructions from the Controller

4.2 Additional Instructions

Additional processing instructions must be provided in writing and may be subject to additional fees if they require significant changes to processing activities.

4.3 Conflicting Instructions

If the Processor believes an instruction infringes applicable data protection law, it shall promptly inform the Controller.

5. Security Measures

5.1 Technical Measures

The Processor implements:

  • Encryption: TLS 1.3 in transit, AES-256 at rest
  • Access Control: Role-based access with MFA enforcement
  • Logging: Comprehensive audit logging with 90-day retention
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Backup: Daily encrypted backups with tested recovery procedures

5.2 Organizational Measures

The Processor maintains:

  • Information security policies and procedures
  • Employee security awareness training
  • Background checks for personnel with data access
  • Incident response and business continuity plans
  • Regular security assessments and penetration testing

5.3 SOC 2 Certification

The Processor maintains SOC 2 Type I certification for Security and Confidentiality trust service criteria. Audit reports are available upon request under NDA.

6. Subprocessors

6.1 Current Subprocessors

| Subprocessor | Purpose | Location |
|--------------|---------|----------|
| Replit, Inc. | Cloud hosting and infrastructure | United States |
| OpenAI, Inc. | AI processing and analysis | United States |
| Stripe, Inc. | Payment processing | United States |
| Perplexity AI | Research and data enrichment | United States |

6.2 Authorization

The Controller provides general authorization for the Processor to engage Subprocessors, subject to the requirements of this section.

6.3 New Subprocessors

The Processor shall:

  1. Notify the Controller at least 30 days before engaging a new Subprocessor
  2. Provide details of the Subprocessor and processing activities
  3. Allow the Controller to object on reasonable grounds

6.4 Subprocessor Agreements

All Subprocessors are bound by written agreements imposing data protection obligations substantially similar to those in this DPA.

6.5 Liability

The Processor remains liable for the acts and omissions of its Subprocessors.

7. Data Subject Rights

7.1 Assistance

The Processor shall assist the Controller in responding to Data Subject requests, including requests to:

  • Access Personal Data
  • Rectify inaccurate data
  • Erase Personal Data
  • Restrict processing
  • Port data to another controller
  • Object to processing

7.2 Response Time

The Processor shall respond to Controller assistance requests within 10 business days.

7.3 Costs

Assistance beyond reasonable levels may be subject to additional fees at the Processor's then-current rates.

8. Data Breach Notification

8.1 Notification Timeline

The Processor shall notify the Controller of any Personal Data breach within 48 hours of becoming aware of it.

8.2 Notification Content

Breach notifications shall include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Categories and approximate number of records affected
  • Likely consequences
  • Measures taken or proposed to address the breach

8.3 Cooperation

The Processor shall cooperate with the Controller's investigation and remediation efforts, including providing additional information as reasonably requested.

9. Data Protection Impact Assessments

Upon request, the Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with Supervisory Authorities.

10. Audits and Inspections

10.1 Audit Rights

The Controller may audit the Processor's compliance with this DPA:

  • Upon reasonable notice (minimum 30 days)
  • During normal business hours
  • No more than once per year (unless a breach has occurred)
  • At the Controller's expense

10.2 Third-Party Audits

In lieu of direct audits, the Processor may provide:

  • SOC 2 reports
  • Third-party security assessments
  • Compliance certifications

10.3 Confidentiality

Audit findings and reports are confidential and may not be disclosed to third parties without the Processor's consent.

11. International Transfers

11.1 Transfer Mechanisms

For transfers of Personal Data outside the European Economic Area, the Processor relies on:

  • Standard Contractual Clauses (EU Commission Decision 2021/914)
  • Supplementary measures as required

11.2 Standard Contractual Clauses

The Standard Contractual Clauses are incorporated by reference and shall apply to all transfers to third countries without an adequacy decision.

12. Data Return and Deletion

12.1 Upon Termination

Upon termination of the service agreement, the Processor shall:

  1. Return Personal Data in a commonly used format (upon request)
  2. Delete all Personal Data within 30 days
  3. Provide written certification of deletion

12.2 Exceptions

The Processor may retain Personal Data as required by applicable law, provided such data remains subject to the confidentiality provisions of this DPA.

13. Limitation of Liability

Liability under this DPA is subject to the limitations set forth in the main service agreement.

14. Governing Law

This DPA shall be governed by the laws specified in the main service agreement. For GDPR-related matters, the laws of the Member State where the Controller is established shall apply.

15. Amendments

This DPA may be amended only in writing signed by both parties.

16. Contact

Human Layer Lab, Inc.
Data Protection Officer
Email: dpo@humanlayerlab.com

CONTROLLER ACKNOWLEDGMENT

By using Human Layer Lab services, the Controller acknowledges and agrees to the terms of this Data Processing Addendum.