01 Parties and scope
This DPA is entered into between Hi Luca Technologies, S.A.P.I. de C.V. (“Processor”) with registered address at Londres 219, Colonia Juárez, Alcaldía Cuauhtémoc, Ciudad de México, México, and the Customer identified in the MSA or order form (“Controller”).
It applies to Personal Data processed by Processor on behalf of Controller in connection with the Services. It supersedes any prior data-protection terms between the parties.
If a signed DPA is required, email legal@hiluca.net and we will countersign within 3 business days.
02 Definitions
- Applicable Data Protection Law — LFPDPPP, GDPR, LGPD, and any other data protection law applicable to Controller’s data.
- Personal Data, Controller, Processor, Processing, Data Subject, Supervisory Authority — have the meanings in GDPR Art. 4 (and their equivalents in LFPDPPP and LGPD).
- SCCs — the Standard Contractual Clauses approved by the European Commission on 4 June 2021 (EU Decision 2021/914), Module Two (controller-to-processor) and Module Three (processor-to-processor) as applicable.
- Sub-processor — any third party engaged by Processor to process Personal Data.
03 Details of processing (Annex I)
Subject matter and duration
The provision of the Services to Controller under the MSA, for the duration of the MSA plus 30 days for data recovery.
Nature and purpose
Processing necessary to operate, maintain, secure, and improve the Services, including AI-assisted content generation, campaign orchestration, performance analysis, and support.
Categories of data subjects
- Controller’s personnel and authorized users of the Services
- Controller’s customers and prospects whose data Controller submits
Categories of Personal Data
- Identification data (name, email, role, employer)
- Contact metadata (IP address, device, cookies)
- Content data submitted by Controller (briefs, assets, prompts, audience lists — as configured)
- Support correspondence and system logs
Special categories
Not requested. Controller shall not submit special categories of data without a prior written agreement describing the safeguards.
Frequency and storage
Continuous during the term; encrypted at rest in regional data stores (USA by default; EU optional on enterprise plans).
04 Processor obligations
- Process Personal Data only on documented instructions from Controller (including with respect to transfers).
- Ensure personnel authorized to process Personal Data are bound by confidentiality.
- Implement the technical and organizational measures in Annex II — Security Measures (see /security for the full posture).
- Assist Controller in responding to Data Subject Requests and in fulfilling obligations under Applicable Data Protection Law.
- Notify Controller without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach.
- On termination, delete or return Personal Data and delete existing copies unless storage is required by law.
- Make available to Controller all information necessary to demonstrate compliance with this DPA and allow for reasonable audits.
05 Sub-processors
Controller authorizes Processor’s use of the sub-processors listed at /sub-processors. Processor will give Controller at least 30 days’ notice of any new sub-processor via email or in-product notification. Controller may object on reasonable data-protection grounds; the parties will work in good faith to resolve the objection.
Processor remains liable to Controller for the performance of its sub-processors.
06 International transfers
Where Personal Data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties hereby enter into the SCCs as follows:
- Module Two applies where Controller (as a controller) engages Processor (as a processor).
- Module Three applies where Controller (itself acting as a processor) engages Processor as a sub-processor.
- Clause 7 (Docking clause) applies. Clause 9(a) Option 2 (general written authorization) applies with 30-day notice.
- Clause 11 — the optional independent dispute resolution is not selected.
- Clause 17 — the SCCs are governed by the law of Ireland.
- Clause 18 — disputes will be resolved before the courts of Dublin, Ireland.
- Annex I and II of the SCCs are populated by the processing details and security measures in this DPA.
For UK transfers the UK International Data Transfer Addendum applies. For Swiss transfers the SCCs apply with standard amendments (data protection authority = FDPIC; references to EU law also refer to the Swiss Federal Act).
07 LGPD addendum (Brazil)
Where LGPD applies, the parties agree:
- Processor acts as an operador; Controller acts as a controlador.
- Processor will follow Controller’s instructions and applicable LGPD legal bases (LGPD Art. 7).
- Processor will assist Controller with titular rights requests (access, rectification, portability, erasure, revocation of consent) within statutory timeframes.
- Processor will notify Controller of any incident affecting Personal Data that poses risk or relevant damage to data subjects, consistent with ANPD guidance.
08 Annex II — Security measures
Processor maintains the following technical and organizational measures (summary — full posture at /security):
- Encryption in transit (TLS 1.2+) and at rest (AES-256) for customer data stores and backups.
- Role-based access control; SSO / SCIM on enterprise plans; MFA mandatory for personnel.
- Just-in-time admin access; tamper-evident audit logs.
- Annual third-party penetration testing; dependency scanning on every pull request.
- Personnel background checks (where lawful); mandatory security and privacy training.
- Documented incident response plan with a 72-hour customer-notification window measured from discovery.
- Business continuity: multi-AZ deployment, daily encrypted backups, documented RTO / RPO.
09 Liability
The liability of each party under this DPA is subject to the limitations and exclusions in the MSA. Nothing in this DPA excludes or limits any liability that cannot be excluded or limited under Applicable Data Protection Law.
10 Contact
For signable copies, SCC annexes, or LGPD-specific addenda, contact legal@hiluca.net.