Data Processing Addendum

Roles

You are the data controller. Halvert is the data processor. When instructed, Halvert will also act as sub-processor for upstream controllers you identify.

Scope of processing

Halvert processes personal data only to provide and support the service, to bill for it, to prevent abuse, and to meet legal obligations. We never process personal data for secondary purposes without a documented instruction from the controller.

Sub-processors

The current sub-processor list lives on our Trust report. We provide at least thirty days' notice before adding a new sub-processor. You may object in writing, and we will work with you in good faith to find a resolution before the change takes effect.

International transfers

Personal data originating in the EU or UK is processed in the EU by default. Transfers to the US, when necessary for support, rely on the EU-US Data Privacy Framework (for Halvert, Inc's participation) and the UK Extension, plus Standard Contractual Clauses as a fallback.

Security

We maintain the technical and organisational measures described on our Security page and in our SOC 2 Type II report. On request, we provide the most recent report under NDA.

Data subject rights

When a data subject exercises rights against you and the request requires action inside the Halvert platform, we provide self-service tooling and will assist at no additional cost.

Breach notification

In the unlikely event of a personal data breach, we notify the affected controllers without undue delay and no later than seventy-two hours after becoming aware.

Audit rights

Controllers may audit Halvert's processing activities once per year on reasonable written notice, or more frequently if required by a supervisory authority. Our SOC 2 Type II report typically satisfies audit obligations for most controllers.