Data Processing Agreement
Last updated: 20 May 2026
This Data Processing Agreement (“DPA”) supplements the Hail Pilot Terms of Service between Hail Pilot Pte Ltd (“Processor”) and the Customer identified in the Order Form (“Controller”). On execution, this DPA forms part of the agreement between the parties.
This published version is the template. Executed DPAs are signed and counter-signed via email and stored in the Customer's account. Procurement teams may request a redlined copy at legal@hailpilot.com.
1. Definitions
Capitalised terms not defined here have the meanings given in the Terms of Service, the Singapore Personal Data Protection Act 2012 (“PDPA”), Malaysia's Personal Data Protection Act 2010 (“MY PDPA”), or the EU General Data Protection Regulation (“GDPR”), as the context requires.
“Personal Data” means any personal data Controller uploads to or generates within the Service. “Sub-Processor” means any processor engaged by Processor to process Personal Data. “Security Incident” means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles and scope
Controller is the data controller; Processor is the data processor (in PDPA terms, the “data intermediary”). Processor processes Personal Data only on the documented instructions of Controller, including with regard to cross-border transfers, except where required by Singapore law (in which case Processor will notify Controller before processing, unless prohibited by law).
The subject matter, duration, nature, purpose, and categories of Personal Data are described in Annex 1.
3. Processor obligations
- Process Personal Data only on documented instructions from Controller.
- Ensure personnel authorised to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Annex 2) consistent with PDPA's Protection Obligation and GDPR Article 32.
- Assist Controller, taking into account the nature of processing, in responding to data subject access, correction, and erasure requests within 5 business days of receipt.
- Assist Controller with data protection impact assessments where required.
- Make available all information necessary to demonstrate compliance with this DPA and allow for audits per Section 8.
4. Security Incident notification — PDPA s.26B
Processor will notify Controller of a confirmed Security Incident affecting Controller's Personal Data within 48 hours of awareness. The notification will include, to the extent then known:
- The nature of the incident and the categories and approximate number of data subjects affected.
- The categories and approximate number of records affected.
- The likely consequences of the incident.
- The measures taken or proposed to address the incident and mitigate adverse effects.
- Processor's incident-response contact (DPO).
Processor will assist Controller with PDPA s.26B notification obligations (PDPC + data subject), MY PDPA notifications, and GDPR Articles 33-34 where applicable, including providing draft regulatory notification language and a forensic webhook log if relevant.
5. Cross-border transfers — PDPA s.26
Controller authorises Processor to transfer Personal Data to the regions and Sub-Processors listed at /legal/subprocessors. Cross-border transfers are subject to:
- The ASEAN Model Contractual Clauses (Annex 3) where the recipient is located in an ASEAN member state.
- Standard contractual provisions consistent with PDPA s.26 for transfers outside ASEAN.
- For Personal Data subject to GDPR exposure, EU Standard Contractual Clauses (Module 2: Controller-to-Processor) plus supplementary technical measures (encryption-in-transit + at-rest, pseudonymisation where applicable).
6. Sub-Processors
Controller provides general written authorisation for the Sub-Processors listed at /legal/subprocessors. Processor will provide at least 30 days' advance notice via email or the public subprocessor changelog of any intended changes (addition or replacement) so that Controller has the opportunity to object on reasonable grounds.
Processor remains liable for the acts and omissions of Sub-Processors to the same extent as for its own acts.
7. Cross-merchant fraud-signal carve-out
Processor may retain pseudonymised fraud-prevention signals derived from Personal Data, where such signals do not permit re-identification of Controller's data subjects, for the purpose of providing the Service to other Hail Pilot customers. Such signals comprise:
- HMAC-SHA256 tokens of normalised buyer identifiers (no raw PII).
- Perceptual hashes (phash) of evidence photographs, used to detect cross-merchant evidence reuse.
- Aggregated counters on network profiles (e.g. dispute counts, refund-request counts).
These signals constitute pseudonymised personal data under PDPA guidance — they remain personal data, are treated as such, and are protected accordingly. Processor does not represent them as anonymised. Before any cross-customer surfacing, Processor applies a k-anonymity ≥5 guard: no signal is exposed to another customer unless the signal aggregates contributions from at least five distinct Hail Pilot customers' data, and no other customer's identity is revealed.
On valid erasure request, Processor will nullify the HMAC token and aggregated counters tied to the relevant data subject; phash entries that were contributed by Controller's tenant are nullified per the docs/runbook/erasure-request.md SOP, while the corresponding entries in other customers' rows (which describe a separate evidence photo, not the original data subject) remain undisturbed.
The exact carve-out wording above will be finalised on receipt of the Phase 8 HMAC + phash anonymisation opinion from external counsel. Material changes will be communicated to Controller with a 30-day notice and right to terminate.
8. Audit and assurance
Processor will, on reasonable written request and no more than once per twelve-month period, provide Controller with:
- The current public Trust Center page at trust.hailpilot.com.
- The latest security questionnaire response.
- Once available, a SOC 2 Type II report (in lieu of in-person audit). Until then, an annual security questionnaire substitutes.
On reasonable request following a Security Incident affecting Controller, Processor will allow on-site audit by Controller (or its third-party auditor under NDA), subject to reasonable notice (30 days), business-hours scheduling, and confidentiality.
9. Return and deletion of Personal Data
On termination of the Agreement, Processor will, at Controller's choice:
- Make Personal Data available for export for 30 days, after which Processor will delete it from production systems within a further 30 days and from backups within 13 months (consistent with the backup retention schedule).
- Delete Personal Data immediately on Controller's written instruction, subject to the same backup-purge horizon.
The cross-merchant fraud-signal carve-out in Section 7 applies to pseudonymised signals derived before termination. Processor will certify deletion on request.
10. Liability
The limitation of liability provisions in the Terms of Service apply to this DPA. In particular: the general 12-month-fees cap, the 2× annual-fees super-cap for data breach claims, and the uncapped exclusions for IP indemnity, willful misconduct, and fraud.
11. Governing law
This DPA is governed by the laws of Singapore. Disputes are subject to the exclusive jurisdiction of the courts of Singapore.
Annex 1 — Subject matter, duration, nature, purpose, categories
Subject matter: processing of Personal Data to operate the Hail Pilot dispute-defense, evidence-management, and post-purchase intelligence platform.
Duration: for the term of the Subscription Plan plus retention periods in the Privacy Policy.
Nature: storage, encryption, indexing, AI inference, evidence packaging, transmission to marketplace platforms on Controller's instruction.
Purpose: as set out in the Terms of Service and Privacy Policy.
Categories of data subjects: Controller's users, Controller's buyers and customers, persons identified in evidence files.
Categories of Personal Data: identifiers (name, email, phone), location (shipping address), transactional data, evidence files, payment metadata (tokenised; no full PAN), authentication credentials, audit-log events.
Annex 2 — Technical and organisational measures
- AES-256-GCM envelope encryption at rest with key versioning, per data class.
- TLS 1.2+ in transit.
- Argon2id password hashing (time_cost=3, memory_cost=65536).
- Server-side sessions; HttpOnly + Secure + SameSite=Lax cookies.
- CSRF double-submit-cookie protection on mutating requests.
- PostgreSQL Row Level Security plus application-layer multi-tenant filtering; app role has no BYPASSRLS.
- OpenFGA fine-grained authorisation as defence-in-depth above RLS.
- HMAC-SHA256 cross-merchant identity tokenisation; no raw PII in shared tables.
- AlignmentCheck on RAG output and Prompt Guard 2 on inputs to mitigate AI prompt injection.
- Weekly off-platform backups with quarterly restore drills.
- Webhook forensic audit log with raw-payload + signature-verification capture.
- Annual penetration testing and continuous Sentry + Better Stack monitoring.
- Confidentiality NDAs for all personnel and Sub-Processors.
Annex 3 — ASEAN MCCs and SCCs
On request, Processor will provide a fully populated copy of the ASEAN Model Contractual Clauses (intra-ASEAN transfers) and the EU Standard Contractual Clauses, Module 2 (Controller-to-Processor) for transfers subject to GDPR. These are incorporated by reference into this DPA and override conflicting provisions.
Execution
To execute this DPA, email legal@hailpilot.com from the email address associated with your Hail Pilot account. We will counter-sign and store a copy in your account.