Data Processing Addendum

This DPA forms part of the Agreement between you (Controller) and INSIDEA (Processor) for the processing of personal data carried out via Ancil.

Processing is for the purpose of providing the Ancil service. Duration matches the term of your Ancil subscription.

Categories of data: identifiers (email, name), professional details (job title, company), CRM data (contacts, deals, lifecycle stages, communication metadata).

Categories of data subjects: your employees, your prospects and customers as represented in your HubSpot portal.

Process personal data only on documented Controller instructions.

Ensure persons authorised to process personal data are bound by confidentiality.

Implement appropriate technical and organisational measures.

Assist Controller with data subject requests, security incidents, DPIAs, and prior consultations.

Delete or return personal data at the end of the service, subject to any law requiring retention.

Controller authorises the sub-processors listed in our Privacy Policy. We will notify Controller of any new sub-processor with 30 days’ notice; Controller may object on reasonable grounds.

Where required, transfers outside the EEA / UK / Switzerland rely on Standard Contractual Clauses, with supplementary measures where appropriate.

Encryption in transit (TLS 1.2+) and at rest. AES-256-GCM at the application layer for sensitive credentials. Role-based access. Audit logging of administrative actions. SOC 2 Type II in progress.

On reasonable written notice, we will provide the most recent SOC 2 report (when available) under NDA, and respond in writing to a security questionnaire.

Liability under this DPA is governed by the limitation of liability in the Agreement.

In the event of conflict between this DPA and the Agreement, this DPA prevails for matters of personal data processing.

A countersigned copy of this DPA is available on request: hello@ancil.ai.