HATI Data Processing Addendum

Template addendum for customer contracts when Blokketen Solutions Inc. processes personal data on behalf of a customer.

1. Parties and relationship

This Data Processing Addendum ("DPA") forms part of the agreement between the customer and Blokketen Solutions Inc. for HATI services. To the extent Blokketen Solutions Inc. processes Customer Personal Data on behalf of the customer, the customer acts as the controller or equivalent business customer, and Blokketen Solutions Inc. acts as the processor or service provider, except where Blokketen Solutions Inc. acts as an independent controller for its own account administration, billing, service security, legal compliance, and business operations.

2. Subject matter and duration

The subject matter of the processing is the provision of HATI-related services, including workflow orchestration, onboarding, support, hosting, analytics, and related technical operations. Processing continues for the term of the underlying agreement and any limited post-termination period required for secure deletion, export, transition, or legal retention.

3. Nature and purpose of processing

  • hosting, storing, organizing, and presenting customer-submitted data;
  • authenticating users and managing permissions;
  • providing workflow, routing, validation, exception, support, and reporting features;
  • detecting misuse, maintaining logs, and securing the service;
  • assisting the customer with support requests, incident handling, and configuration changes; and
  • performing other documented instructions that are consistent with the agreement.

4. Categories of data and data subjects

Categories of data and data subjects depend on the customer's use case and may include employees, contractors, authorized users, vendors, payees, beneficial owners, customer contacts, and support contacts, along with names, business contact details, identifiers, payment references, bank-related data, workflow metadata, and other information included in uploaded files or connected systems.

5. Processor obligations

  • process Customer Personal Data only on documented instructions from the customer, unless otherwise required by law;
  • ensure personnel authorized to process Customer Personal Data are subject to confidentiality obligations;
  • implement and maintain appropriate technical and organizational security measures;
  • notify the customer of a confirmed personal-data incident affecting Customer Personal Data without undue delay after becoming aware of it, taking into account the information reasonably available at the time;
  • assist the customer, taking into account the nature of processing, with reasonable requests related to data-subject rights, security, breach response, impact assessments, and regulator inquiries;
  • delete or return Customer Personal Data at the end of the services, unless retention is required by law or necessary for limited backup, security, or dispute-resolution purposes; and
  • make available information reasonably necessary to demonstrate compliance with this DPA, subject to confidentiality and security safeguards.

6. Customer obligations

  • provide lawful instructions and maintain an appropriate legal basis for the processing;
  • ensure that uploads, integrations, and user permissions are lawful and necessary;
  • respond to data-subject requests and regulator communications in its controller role;
  • review the suitability of HATI for the data and workflow involved; and
  • notify Blokketen Solutions Inc. if special restrictions or localization requirements apply.

7. Subprocessors

The customer authorizes Blokketen Solutions Inc. to use subprocessors for hosting, infrastructure, support, security, analytics, communications, and related business operations, provided that Blokketen Solutions Inc. imposes data-protection obligations on those subprocessors that are materially protective of Customer Personal Data.

Insert the process for providing the customer with a current subprocessor list, change notifications, and objection rights, if any.

8. International transfers

If Customer Personal Data is transferred across borders, the parties will use an appropriate transfer mechanism when required by law. Insert any SCC, UK Addendum, regional transfer schedule, or localization commitments that apply to the final deployment.

9. Audit and information rights

Audits should be limited to reasonable intervals, normal business hours, and appropriate confidentiality and security protections. Remote review of policies, certifications, summaries, and questionnaires should be the default, with on-site activity reserved for higher-risk cases and subject to prior notice.

10. Return or deletion

Upon termination or expiry of the underlying agreement, Blokketen Solutions Inc. will delete or return Customer Personal Data in accordance with the agreement and its retention practices, except where retention is legally required or reasonably necessary for security, backup, fraud prevention, or dispute resolution.

11. Annex placeholders

  • Annex A - details of processing activities;
  • Annex B - security measures summary;
  • Annex C - subprocessor list or link;
  • Annex D - transfer mechanism schedule, if required.