Data Processing Agreement

HyperionWave Limited — Company number: 16645022

Last updated: April 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between HyperionWave Limited ("Provider", "we", "us") and the Customer ("you", "Controller") and sets out the terms on which we process personal data on your behalf.

This DPA applies where and to the extent that we process Customer Personal Data as a data processor on behalf of the Customer in the course of providing our platform and services.

2. Definitions

Terms used in this DPA have the meanings given in the Terms & Conditions. Additionally:

  • Data Protection Legislation: the UK GDPR, the Data Protection Act 2018, and any applicable national implementing laws, regulations and secondary legislation, as amended or updated from time to time.
  • Customer Personal Data: any personal data that we process on your behalf as a data processor in connection with the provision of our platform and services.
  • Sub-processor: any third party appointed by us to process Customer Personal Data on your behalf.

3. Scope of Processing

Subject matter: The provision of the Unago AI platform and associated services.

Duration: For the term of the agreement between us, plus any retention period specified in our Terms & Conditions (90 days following termination).

Nature and purpose: We process Customer Personal Data to provide AI agent orchestration, workflow automation, data analysis, file storage, and integration with third-party services as described in our Terms & Conditions.

Types of personal data: Names, email addresses, telephone numbers, job titles, IP addresses, user account information, usage data, content uploaded to the platform, and communication data.

Categories of data subjects: Customer employees, contractors, agents, authorised users, and individuals whose personal data is uploaded to or processed through the platform.

4. Our Obligations

We shall:

  • Process Customer Personal Data only on your documented written instructions, unless required by law to do otherwise.
  • Ensure that all personnel who have access to Customer Personal Data are bound by obligations of confidentiality.
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
  • Assist you in responding to requests from data subjects exercising their rights under Data Protection Legislation.
  • Assist you in ensuring compliance with your obligations regarding security, breach notification, impact assessments, and consultations with supervisory authorities.
  • Notify you without undue delay upon becoming aware of a personal data breach involving Customer Personal Data.
  • At your written direction, delete or return Customer Personal Data upon termination of the agreement, unless required by law to retain it.
  • Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.

5. Sub-processors

You consent to our use of sub-processors to process Customer Personal Data. We maintain a current list of sub-processors on our Sub-processor List page.

We will notify you of any intended changes to sub-processors by updating the sub-processor list. You may object to a new sub-processor by notifying us in writing within 30 days. We remain fully liable for the acts and omissions of our sub-processors.

6. International Transfers

We shall not transfer Customer Personal Data outside of the United Kingdom without your prior written consent. Where transfers are necessary, we will ensure appropriate safeguards are in place in accordance with Data Protection Legislation, including the use of approved transfer mechanisms.

7. Security Measures

We implement and maintain appropriate technical and organisational measures, including:

  • Encryption of personal data in transit and at rest.
  • Access controls ensuring only authorised personnel can access Customer Personal Data.
  • Regular security testing and vulnerability assessments.
  • Incident response procedures for security breaches.
  • Employee security awareness training.
  • Regular backups and disaster recovery procedures.
  • Network security measures including firewalls and intrusion detection.
  • Logging and monitoring of access to Customer Personal Data.

8. Contact

For questions about this Data Processing Agreement, please contact us at:

HyperionWave Limited

5-7 The Crescent, Newquay, Cornwall, TR7 1DT

legal@hyperionwave.com