Data Processing Addendum

Last updated: May 1, 2026

This DPA supplements the Terms of Service and applies whenever Hilla processes Personal Data on behalf of a customer in connection with the service. Companies that need a signed copy can request one at dpo@hilla.ai.

01

Parties and scope

This Data Processing Addendum (“DPA”) forms part of the agreement between Hilla, Inc. (“Processor”) and the Hilla customer (“Controller”) using paid plans of the Hilla service.

It applies to all Personal Data that the Controller submits to Hilla through use of the service — including board content, task data, AI prompts, account profile fields, and any data routed through MCP or the CLI.

Where the Controller acts as a Processor for its own end users, this DPA applies on a sub-processor basis and the Controller remains responsible for its own end users’ instructions.

02

Roles and instructions

Hilla processes Personal Data only on documented instructions from the Controller. The Controller’s instructions are reflected in the Terms of Service, the in-product configuration, and any written instructions sent to dpo@hilla.ai.

Hilla will inform the Controller without undue delay if, in its opinion, an instruction infringes applicable data protection law.

03

Subject-matter and duration

Subject-matter: provision of the Hilla project canvas and related services (planning, board collaboration, AI-assisted task generation, integrations, MCP, CLI, sharing).

Duration: until termination of the underlying agreement, plus any retention period required to satisfy legal obligations or to provide post-termination support agreed in writing.

Categories of data subjects: Controller’s authorized users, invited collaborators, and any individuals named in board content. Categories of Personal Data: name, email, IP address, account profile, board content submitted by users, prompt and chat content, integration tokens.

04

Sub-processors

The Controller authorizes Hilla to engage sub-processors listed at hilla.ai/security#sub-processors. Hilla maintains an up-to-date list and provides at least 30 days’ prior notice of any addition or replacement.

Each sub-processor is bound by data protection obligations no less protective than those in this DPA. Hilla remains liable for sub-processor performance.

If the Controller has a reasonable objection to a new sub-processor on data protection grounds, the Controller may terminate the affected portion of the service for the unused remainder of the billing period.

05

Security measures

Hilla implements technical and organizational measures appropriate to the risk — encryption in transit (TLS 1.2+) and at rest, role-based access control, audit logging, principle-of-least-privilege production access, hardened CI, dependency scanning, and incident response procedures.

Detail on current controls is maintained at hilla.ai/security and provided in greater depth under NDA on request.

06

Data subject rights

Where the Controller cannot satisfy a data subject request using self-serve product controls (export, deletion, share-link revocation), Hilla will provide reasonable assistance, taking into account the nature of the processing.

Hilla forwards data subject requests received directly to the relevant Controller without responding to them on the Controller’s behalf.

07

Breach notification

Hilla will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Controller data, with the information required under Art. 33(3) GDPR to the extent then available.

Hilla will cooperate with the Controller in investigating and remediating the breach and in any notifications to supervisory authorities or data subjects.

08

International transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the EU Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum.

Hilla maintains the relevant transfer impact assessments and provides summaries on request.

09

Audits

On reasonable notice and no more than once per 12 months (except following a confirmed incident), the Controller may request an audit summary, including the most recent independent security report and answers to a standard security questionnaire.

On-site audits are not generally accommodated; equivalent assurance is provided through documentation, attestations, and live review meetings under NDA.

10

Deletion and return

On termination, Hilla will, at the Controller’s choice, delete or return all Personal Data within 30 days, except where retention is required by law. After deletion, residual copies in encrypted backups are removed in line with the backup rotation cycle (currently 35 days).

Self-serve account deletion is available at any time from account settings.

11

Contact

For questions about this DPA, or to request a countersigned copy, contact dpo@hilla.ai. Postal address: Hilla, Inc., Istanbul, Türkiye.