HiddenLayer, a Gartner-recognized Cool Vendor for AI Security, is the leading provider of Security for AI. Its security platform helps enterprises safeguard the machine learning models behind their most important products. HiddenLayer is the only company to offer turnkey security for AI that does not add unnecessary complexity to models and does not require access to raw data and algorithms. Founded by a team with deep roots in security and ML, HiddenLayer aims to protect enterprises’ AI from inference, bypass, extraction attacks, and model theft. The company is backed by a group of strategic investors, including M12, Microsoft’s Venture Fund, Moore Strategic Ventures, Booz Allen Ventures, IBM Ventures, and Capital One Ventures.
This HiddenLayer Data Processing Addendum (“Addendum”) is incorporated into and forms part of the End User License Agreement, located at https://hiddenlayer.com/eula/, between you (“Customer”) and HiddenLayer, Inc. (“Company”) (the “Agreement”). This Addendum reflects the parties’ agreement with respect to the Processing of Personal Data by Company on Customer’s behalf. The term of this Addendum will follow the term of the Agreement.
1. DEFINITIONS
1.1 The following definitions and rules of interpretation apply in this Addendum.
- “Applicable Data Protection Laws” means privacy, data protection, and data security laws that apply to the processing of data under this Addendum, including, as applicable, the GDPR, UK GDPR, and CCPA.
- “Data Subject” means an individual who is the subject of the Personal Data and to whom or about whom the Personal Data relates or identifies, directly or indirectly.
- “Force Majeure Event” means any of the following: (i) fire, explosion, storm, earthquake, hurricane, tornado, drought, flood, typhoon, tsunami or other act of God; (ii) war, act of terrorism, sabotage, bombing, insurrection, rebellion, revolution, riot or other civil commotion or unrest; (iii) epidemics, quarantine restrictions or other public health restrictions or advisories; (iv) strikes or lockouts or other labor interruptions; (v) disruption to local, national or international transport services; (vi) events which threaten public safety or create substantial disruption in commercial activity; or (vii) any other event that is beyond the reasonable control of either party.
- “Personal Data” means any information Company processes for Customer that the Applicable Data Protection Laws otherwise define as protected personal data or personal information.
- “Process” or “Processing” means any operation performed on Personal Data or that the Applicable Data Protection Laws may otherwise include in the definition of processing, processes, or process, including collection, storage, use, access, review, or deletion of such information.
- “Security Breach” means any act or omission that constitutes a security breach under Applicable Data Protection Laws.
- “Subprocessor” means any third party engaged by Company to process Personal Data on its behalf.
2. Data Scope & Processing Models
2.1 Nature of Processing. Company does not require or actively collect any specific category of Personal Data. However, in the course of providing services to Customer pursuant to the Agreement (“Services”), Company may process Personal Data.
2.2 Customer Responsibility. Customer retains control of the Personal Data and remains solely responsible for its compliance obligations under Applicable Data Protection Laws, including providing any required notices and obtaining any required consents, and for the Processing instructions it gives to Company. Company disclaims any control over the type, sensitivity, or content of such data, and does not intentionally access or use Personal Data beyond the scope necessary to provide the Services.
3. Roles of the Parties
3.1 Customer acts as a “data controller” or “business” (or equivalent under Applicable Data Protection Laws).
3.2 Company acts as “data processor” or “service provider” (or equivalent under Applicable Data Protection Laws).
4. Company Obligations
4.1 Company agrees to:
- (a) Process Personal Data in a manner that is reasonably necessary to provide Services in accordance with Customer’s direction;
- (b) Use commercially reasonable efforts to maintain the confidentiality of all Personal Data and ensure that its personnel with access to such Personal Data are informed of such Personal Data’s confidential nature and use restrictions and are obliged to keep such Personal Data confidential;
- (c) Use commercially reasonable efforts to implement appropriate safeguards, including access controls, network segmentation, and data encryption in transit, designed to safeguard Personal Data against Security Breaches;
- (d) Avoid using Personal Data for profiling or behavioral analytics unrelated to the Services; and
- (e) Limit Subprocessor use of Personal Data to trusted providers under written contracts that contain terms consistent with those set out in this Addendum.
5. SUBPROCESSORS
5.1 Company may engage Subprocessors (e.g., cloud infrastructure) to support its Services, a current list of which shall be provided to Customer upon Customer’s written request. Company will provide reasonable notice to Customer of any material changes to such list.
5.2 Customer may object to Company’s use of a Subprocessor on reasonable data protection grounds by providing Company with written notice detailing the basis of such objection. Upon receipt of such notice, the parties shall engage in good faith discussions to seek a mutually acceptable resolution. If the parties are unable to reach a resolution within fourteen (14) days of Company’s receipt of such notice, Company may, at its sole discretion, (i) propose an alternative Subprocessor or substitute Subprocessor, as applicable (subject to the same objection process outlined in the foregoing sentence) or (ii) terminate the relevant portion of the Services on written notice without liability, to the extent performance is materially affected by such unresolved objection.
6. INTERNATIONAL TRANSFERS
If Personal Data is transferred outside the EEA, UK, or other jurisdictions with adequacy decisions, Customer will ensure that there is an appropriate lawful basis (e.g., Standard Contractual Clauses or UK IDTA) for such transfer.
7. SECURITY & INCIDENT RESPONSE
7.1 Company shall use commercially reasonable efforts to maintain technical and organizational security measures designed to prevent unauthorized access, use, or disclosure of Personal Data.
7.2 In the event of a Security Breach, Company shall notify Customer without undue delay and cooperate in any investigation or notification process to the extent required under Applicable Data Protection Laws.
8. DATA RETENTION & DELETION
Upon termination or expiration of the Agreement, Company shall, upon Customer’s written request, delete or return all Personal Data in its possession, unless retention of such Personal Data is required by any law, regulation, or government or regulatory body.
9. Data Subject Rights & Cooperation
9.1 To the extent required by Applicable Data Protection Laws, Company shall use commercially reasonable efforts to:
- (a) Assist Customer in responding to a request from a Data Subject to exercise any rights the individual may have regarding their Personal Data (e.g., access, correction, erasure, or to opt out of or limit certain activities like sales, disclosures, or other Processing actions);
- (b) Provide information reasonably requested by Customer to demonstrate compliance with this Addendum; and
- (c) Cooperate with data protection authorities upon valid request.
10. Acceptance
By accepting the Agreement or using the Services after the Effective Date, Customer agrees to this Addendum.
11. Indemnification
11.1 Customer agrees to indemnify, keep indemnified, and defend at its own expense Company against all costs, claims, damages, or expenses incurred by Company or for which Company may become liable due to any breach by Customer of its obligations under this Addendum or Applicable Data Protection Laws and any processing of Personal Data by Company in accordance with the documented instruction of Customer that results in a violation of Applicable Data Protection Laws.
11.2 Company agrees to indemnify, keep indemnified, and defend at its own expense Customer against all costs, claims, damages, or expenses incurred by Customer or for which Customer may become liable due to any failure by Company or its employees, subcontractors, or agents to comply with any of its obligations under this Addendum or Applicable Data Protection Laws.
12. Limitation of Liability
12.1 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL COMPANY BE LIABLE FOR ANY LOSS OF, DAMAGE TO, OR CORRUPTION OF DATA, LOST PROFITS, BUSINESS, CONTRACTS, REVENUE, PRODUCTION, GOODWILL OR ANTICIPATED SAVINGS, OR BUSINESS INTERRUPTION OR OTHER COMMERCIAL, ECONOMIC OR OTHER DAMAGES, LOSSES OR INJURY OF ANY KIND INCLUDING, BUT NOT LIMITED TO, ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS ADDENDUM OR ANY SUBJECT MATTER HEREOF, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH LOSSES, DAMAGES OR INJURIES AND REGARDLESS OF WHETHER ANY REMEDY SET FORTH IN THIS AGREEMENT FAILS OF ITS ESSENTIAL PURPOSE.
12.2 IN NO EVENT WILL THE COLLECTIVE AGGREGATE LIABILITY OF COMPANY ARISING OUT OF OR RELATED TO THIS AGREEMENT, WHETHER ARISING UNDER OR RELATED TO BREACH OF CONTRACT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY OR ANY OTHER LEGAL OR EQUITABLE THEORY, EXCEED THE TOTAL FEES PAID TO COMPANY UNDER THE APPLICABLE ORDER FORM IN THE 12 MONTH PERIOD PRECEDING THE FIRST EVENT GIVING RISE TO THE CLAIM. ALL CLAIMS THAT THE CUSTOMER MAY HAVE AGAINST COMPANY UNDER THIS AGREEMENT WILL BE AGGREGATED TO SATISFY THE LIMIT AND MULTIPLE CLAIMS WILL NOT ENLARGE THIS LIMIT. THE FOREGOING LIMITATIONS APPLY EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE.
13. Miscellaneous
13.1 This Addendum will be governed and construed by and under the laws of the State of Texas without regard to its conflict of laws rules. The parties expressly consent to the personal jurisdiction and venue in the state and federal courts in Travis County, Texas for any lawsuit filed there arising from or related to this Addendum. The parties agree that the United Nations Convention on Contracts for the International Sale of Goods does not apply to this Addendum.
13.2 In the event of the occurrence of a Force Majeure Event, the obligations of the parties and the time period for the performance of such obligations shall be suspended to the extent such parties are prevented, hindered or delayed in such performance during the period of such Force Majeure Event. Upon the occurrence of a Force Majeure Event, the affected party shall give prompt, written notice of such Force Majeure Event to the other party describing such Force Majeure Event and its cause (to the extent known to such party) and a description of the condition delaying the performance of such party’s obligations.
13.3 All notices will be in writing and will be deemed to have been duly given: (a) when delivered by hand; (b) three (3) days after being sent by registered or certified mail, return receipt requested and postage prepaid; (c) one (1) day after deposit with a nationally recognized overnight delivery or express courier service; or (d) when provided via email when the sender has received a delivery/read receipt. Notices for Company should be sent to the following addresses: (i) for physical Notices, 14900 Avery Ranch Blvd. Box 201 Suite C200 Austin, TX 78717; and (ii) for electronic notices, [email protected]. Notices for Customer should be sent to the following address: (i) for physical notices, 1455 3rd Street, San Francisco, CA 94158; and (ii) for electronic notices, [email protected].
13.4 If any provision of this Addendum is held to be invalid, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions will in no way be affected or impaired thereby.
13.5 Company shall be free to assign, subcontract or otherwise transfer its rights and obligations under this Addendum. Any sublicense, assignment or transfer of this Addendum or any part thereof by Customer requires Company’s prior written consent, which shall be at Company’s sole discretion; including by merger, corporate reorganization or operation of law. Any purported assignment, delegation or transfer in violation of this Section 11.5 is null and void. This Addendum is binding on and inures to the benefit of the parties hereto and their respective permitted successors and assigns.
13.6 THIS ADDENDUM CONSTITUTES A BINDING LEGAL AGREEMENT BETWEEN CUSTOMER AND COMPANY AND REPRESENTS THE ENTIRE UNDERSTANDING BETWEEN CUSTOMER AND COMPANY WITH REGARD TO THE PROCESSING OF PERSONAL DATA PURSUANT TO THE AGREEMENT. No conflicting provision of any other agreement between Customer and Company or in any acknowledgement or other business form that Customer may use in connection with the processing of Personal Data pursuant to the Agreement will have any effect on the rights, duties or obligations of the parties under, or otherwise modify, this Addendum.