This Data Processing Addendum ("DPA") forms part of the agreement between Til Technologies Inc. (d/b/a Hotsauce) ("Hotsauce") and the customer that has accepted Hotsauce's Terms of Use or has otherwise entered into an agreement with Hotsauce for use of the Service ("Customer"). The Terms of Use, any Orders, and any other written agreements between the parties governing use of the Service are referred to as the "Agreement." If there is any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA controls.
This DPA reflects the parties' commitments under applicable Data Protection Laws when Hotsauce processes Personal Data on Customer's behalf in connection with the Service.
1. Definitions
Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement. For purposes of this DPA:
"Customer Personal Data" means Personal Data contained within Customer Data that Hotsauce processes on Customer's behalf in connection with the Service.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data and privacy, including, as applicable: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the United Kingdom Data Protection Act 2018 and the UK GDPR ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"); and (e) other U.S. state privacy laws (collectively, "U.S. State Privacy Laws").
"EU SCCs" means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, available at eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office (Version B1.0, effective 21 March 2022).
"Personal Data," "Controller," "Processor," "Data Subject," "Processing," "Sub-processor," and "Supervisory Authority" have the meanings given to them under the applicable Data Protection Laws.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Hotsauce or its Sub-processors.
"Restricted Transfer" means a transfer of Personal Data from the European Economic Area, United Kingdom, or Switzerland to a country that has not been determined to provide an adequate level of protection under applicable Data Protection Laws.
"Service" has the meaning given in the Agreement (the Hotsauce platform and related services).
2. Roles of the Parties
For purposes of this DPA and with respect to the processing of Customer Personal Data:
Customer is the Controller (or, where applicable, a Processor acting on behalf of a third-party Controller).
Hotsauce is the Processor (or, where Customer is a Processor, a Sub-processor).
Under the CCPA, Hotsauce is a "service provider" and processes Customer Personal Data only to perform the services specified in the Agreement.
Where Customer acts as a Processor for a third-party Controller, Customer represents that it has obtained all necessary authorizations from the relevant Controller(s) for Hotsauce to process the Customer Personal Data as set forth in the Agreement and this DPA.
3. Scope and Details of Processing
The subject matter, nature and purpose, duration, types of Personal Data, and categories of Data Subjects relating to Hotsauce's processing of Customer Personal Data are set forth in Annex I (Details of Processing).
4. Customer Instructions
Hotsauce will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country. Customer's instructions are set forth in the Agreement, this DPA, and Customer's use of and configuration of the Service. Any additional or alternative instructions must be agreed in writing between the parties.
Hotsauce will notify Customer if, in its opinion, an instruction from Customer infringes applicable Data Protection Laws, unless prohibited from doing so by law.
Customer represents and warrants that it has obtained all necessary rights, consents, and authorizations to provide Customer Personal Data to Hotsauce and to permit Hotsauce's processing of Customer Personal Data as contemplated by the Agreement and this DPA.
5. Confidentiality of Personnel
Hotsauce will ensure that personnel authorized to process Customer Personal Data are bound by appropriate written confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Hotsauce limits access to Customer Personal Data to personnel who have a need to access it to perform Hotsauce's obligations under the Agreement.
6. Security Measures
Hotsauce will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures are described in Annex II (Technical and Organizational Measures) and take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to Data Subjects.
Hotsauce may update its security measures from time to time, provided that any such updates do not materially decrease the overall level of protection of Customer Personal Data.
7. Sub-processors
Customer grants Hotsauce a general authorization to engage Sub-processors to process Customer Personal Data in connection with the Service. A current list of Hotsauce's Sub-processors is made available to Customer upon request to privacy@hotsauce.com and is described in Annex III.
Hotsauce will:
enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA;
remain liable for the acts and omissions of its Sub-processors with respect to Customer Personal Data to the same extent as if Hotsauce performed the services directly; and
provide Customer with at least thirty (30) days' prior notice of any new Sub-processor by email to Customer's designated contact or by other reasonable means.
If Customer reasonably objects to a new Sub-processor on data protection grounds, Customer may notify Hotsauce in writing within thirty (30) days of the notice. The parties will work together in good faith to resolve the objection. If the parties cannot agree on a resolution, Customer's exclusive remedy is to terminate the affected portion of the Agreement by providing written notice to Hotsauce. Termination will not relieve Customer of any payment obligations accrued prior to the effective date of termination.
8. AI Model Providers
Customer acknowledges that the Service relies on artificial intelligence and machine learning models provided by third-party model providers ("Model Providers"), which act as Sub-processors. Hotsauce contractually requires Model Providers (a) to process Customer Personal Data solely to provide inference services to Hotsauce in connection with operating the Service, (b) not to use Customer Personal Data to train, fine-tune, or otherwise improve their models, and (c) to implement appropriate technical and organizational measures consistent with this DPA. The current list of Model Providers is included in the Sub-processor list described in Section 7.
9. Data Subject Requests
Taking into account the nature of the processing, Hotsauce will provide reasonable assistance to Customer, through appropriate technical and organizational measures and to the extent possible, to enable Customer to respond to requests from Data Subjects to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, restriction, deletion, portability, objection, and not being subject to automated decision-making).
If Hotsauce receives a request directly from a Data Subject relating to Customer Personal Data, Hotsauce will, without undue delay, refer the Data Subject to Customer and notify Customer of the request, unless prohibited by law.
10. Personal Data Breaches
Hotsauce will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. The notification will include, to the extent known at the time, information reasonably required to enable Customer to comply with its obligations under Data Protection Laws, including the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach.
Hotsauce will take reasonable steps to investigate, contain, and remediate the Personal Data Breach and will provide Customer with reasonable assistance in connection with Customer's notification or other obligations under applicable Data Protection Laws. Hotsauce's notification of or response to a Personal Data Breach is not an acknowledgment of any fault or liability.
11. Data Protection Impact Assessments and Prior Consultation
Hotsauce will provide Customer with reasonable assistance, at Customer's expense (other than to the extent the costs are attributable to Hotsauce), with respect to data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under applicable Data Protection Laws in relation to the Service, taking into account the nature of the processing and the information available to Hotsauce.
12. International Data Transfers
To the extent that Hotsauce processes Customer Personal Data that is subject to the GDPR, UK GDPR, or FADP and that processing involves a Restricted Transfer:
EEA transfers. The EU SCCs are hereby incorporated into this DPA by reference, with Customer as "data exporter" and Hotsauce as "data importer." Module Two (Controller to Processor) applies where Customer is a Controller; Module Three (Processor to Processor) applies where Customer is a Processor. The optional docking clause in Clause 7 applies. In Clause 9, Option 2 (general written authorization) applies, with the change notification period set forth in Section 7 above. In Clause 11, the optional independent dispute resolution body language does not apply. In Clauses 17 and 18, the parties agree that the laws and courts of Ireland apply.
UK transfers. The UK Addendum is incorporated by reference. Tables 1, 2, and 3 of the UK Addendum are deemed completed using the information in the EU SCCs as incorporated above, and the optional Table 4 (the parties that may end the UK Addendum) selects "Importer" and "Exporter."
Swiss transfers. The EU SCCs apply with the following modifications: references to the GDPR are deemed to be references to the FADP; references to EU Member States or Supervisory Authorities are deemed to be references to Switzerland or the Swiss Federal Data Protection and Information Commissioner; and the parties acknowledge that, until the entry into force of the revised FADP, the EU SCCs also protect Personal Data of legal entities to the extent required by Swiss law.
The details required to complete the SCCs and UK Addendum are set forth in Annex I and Annex II.
13. Deletion and Return of Customer Personal Data
Upon expiration or termination of the Agreement, Hotsauce will, at Customer's choice, delete or return all Customer Personal Data in Hotsauce's possession or control, and delete existing copies, unless applicable law requires storage of Customer Personal Data. Customer may make this choice through the Service or by written notice to Hotsauce within thirty (30) days after the effective date of termination. If Customer does not make a choice within that period, Hotsauce will delete Customer Personal Data in accordance with its standard practices.
Hotsauce may retain Customer Personal Data in backup systems for a limited period in accordance with its backup retention schedule, provided that such data remains subject to the confidentiality and security obligations of this DPA and is deleted in the ordinary course.
14. Audits
Hotsauce will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including by providing copies of relevant third-party audit reports and security certifications that Hotsauce maintains, upon written request.
If the audit reports and information described above are not sufficient to demonstrate compliance with this DPA, Customer may, at its own expense and no more than once per calendar year (unless required by a Supervisory Authority or following a Personal Data Breach), conduct an audit of Hotsauce's relevant policies, procedures, and records relating to its processing of Customer Personal Data. Audits will: (a) be subject to at least sixty (60) days' prior written notice; (b) be conducted during normal business hours; (c) not unreasonably interfere with Hotsauce's business; (d) be subject to confidentiality obligations no less protective than those in the Agreement; and (e) be conducted by Customer or a mutually agreed independent third-party auditor that is not a competitor of Hotsauce.
15. CCPA and U.S. State Privacy Laws
The following terms apply with respect to Customer Personal Data that is subject to the CCPA or another U.S. State Privacy Law, in addition to the rest of this DPA:
Hotsauce will process Customer Personal Data solely for the limited and specified purposes set forth in the Agreement and this DPA (the "Business Purposes").
Hotsauce will not (a) sell or share (as those terms are defined under the CCPA) Customer Personal Data; (b) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purposes, including for any commercial purpose other than the Business Purposes; (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Customer and Hotsauce; or (d) combine Customer Personal Data with personal information that Hotsauce receives from or on behalf of another person, or collects from its own interaction with a consumer, except as permitted by applicable U.S. State Privacy Laws.
Hotsauce will comply with applicable obligations under the CCPA and other U.S. State Privacy Laws and will provide the same level of privacy protection as required of businesses under those laws. Hotsauce will notify Customer if it determines that it can no longer meet its obligations under those laws.
Customer may take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer Personal Data by Hotsauce.
16. Liability
Each party's and its affiliates' aggregate liability arising out of or related to this DPA, whether in contract, tort, or any other legal theory, is subject to the limitations of liability set forth in the Agreement. For the avoidance of doubt, the limitations of liability in the Agreement apply to all claims under this DPA, including claims under the EU SCCs and UK Addendum, to the extent permitted by applicable law.
17. General
This DPA is governed by the same governing law and jurisdiction provisions as set forth in the Agreement, except where required otherwise by applicable Data Protection Laws (including the EU SCCs and UK Addendum). If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions will remain in full force and effect. This DPA may be updated by Hotsauce from time to time to reflect changes in Data Protection Laws or in Hotsauce's processing activities, provided that any updates will not materially reduce the protection afforded to Customer Personal Data.
This DPA, together with the Agreement, constitutes the entire agreement between the parties with respect to the subject matter of this DPA and supersedes any prior agreements relating to the same subject matter.
Annex I — Details of Processing
A. List of Parties
Data exporter: Customer (as identified in the Agreement and Order). Customer's role: Controller (or Processor, where applicable).
Data importer: Til Technologies Inc. (d/b/a Hotsauce), 3579 17th St, San Francisco, CA 94110, USA. Contact: privacy@hotsauce.com. Hotsauce's role: Processor (or Sub-processor, where applicable).
B. Description of Processing
Subject matter of processing: Hotsauce's provision of the Service to Customer pursuant to the Agreement.
Duration of processing: For the term of the Agreement and any period required for Hotsauce to fulfill its obligations under this DPA following termination (including secure deletion).
Nature and purpose of processing: To provide, maintain, support, and improve the Service for Customer; to authenticate users; to enable AI assistant and agent functionality; to integrate with Customer's connected systems as directed by Customer; to detect and prevent security incidents; and to comply with applicable law.
Categories of Data Subjects: (i) Customer's employees, contractors, and other authorized end users of the Service; (ii) individuals whose Personal Data appears in Customer Data submitted to or accessed through the Service.
Categories of Personal Data: Personal Data submitted by Customer or its authorized users, or accessed by the Service from Customer's connected systems as directed by Customer. This may include: identifiers (name, email, user ID); employment or organizational information; content of documents, messages, files, and prompts; metadata; and any other categories Customer chooses to process through the Service.
Sensitive data: Customer should not submit, and the Service is not intended to process, special categories of data (as defined in Article 9 GDPR), Social Security numbers, payment card data (cardholder data within the scope of PCI DSS), or protected health information (PHI), unless the parties have agreed in writing on additional safeguards.
Frequency of transfer: Continuous, for the duration of the Agreement.
Retention: For the term of the Agreement and as further described in Section 13 of this DPA.
C. Competent Supervisory Authority
Where Module Two of the EU SCCs applies, the competent Supervisory Authority is the Irish Data Protection Commission, unless another Supervisory Authority is the competent authority under Clause 13 of the EU SCCs.
Annex II — Technical and Organizational Measures
Hotsauce maintains technical and organizational measures designed to protect Customer Personal Data, including the following:
Information security program. A documented information security program with policies and procedures reviewed at least annually, and assignment of responsibility for information security to designated personnel.
Access controls. Role-based access controls; the principle of least privilege; unique user accounts; multi-factor authentication for administrative access; and prompt revocation of access upon role change or termination.
Encryption. Encryption of Customer Personal Data in transit over public networks using industry-standard protocols (e.g., TLS 1.2 or higher) and encryption at rest using industry-standard algorithms (e.g., AES-256).
Network and infrastructure security. Use of reputable cloud infrastructure providers; network segmentation; firewalls; intrusion detection and prevention; and regular vulnerability scanning.
Application security. Secure software development practices, including code review, dependency scanning, and pre-deployment security testing; periodic third-party penetration testing.
Logging and monitoring. Centralized logging of security-relevant events; monitoring for anomalous activity; and retention of logs sufficient to support investigation of security incidents.
Personnel security. Background checks for personnel with access to Customer Personal Data (where permitted by law); written confidentiality obligations; and mandatory security and privacy training.
Vendor and Sub-processor management. Risk-based assessment of Sub-processors; written data protection terms with Sub-processors; and ongoing monitoring of Sub-processor security posture.
Incident response. A documented incident response plan covering detection, containment, investigation, remediation, and notification of Personal Data Breaches.
Business continuity and backups. Regular backups; documented business continuity and disaster recovery plans; and periodic testing of recovery procedures.
Physical security. Reliance on cloud infrastructure providers that maintain physical security controls consistent with industry standards (e.g., ISO 27001, SOC 2).
Additional detail on these measures, including any audit reports or security certifications Hotsauce maintains, is available to Customer on request, subject to confidentiality obligations.
Annex III — Approved Sub-processors
Hotsauce uses Sub-processors in the following categories to process Customer Personal Data on Hotsauce's behalf:
cloud hosting and infrastructure providers;
AI model providers (large language model inference);
communications and email delivery providers;
analytics, monitoring, and error tracking providers;
customer support and ticketing providers;
security and fraud prevention providers; and
payment processors (for billing-related Personal Data).
A current list identifying the specific entities in each category, the processing activities performed, and the location of processing is made available to Customer upon request to privacy@hotsauce.com. Customer may request to be notified of changes to the Sub-processor list as described in Section 7 of this DPA.