Data Processing Addendum
Effective date: 23 June 2026
This Data Processing Addendum forms part of the Hackford Master Subscription Terms and every platform Subscription Order.
1. Scope and Precedence
The DPA applies automatically, but only to the extent that Hackford processes Customer Personal Data on the Customer's documented instructions.
This DPA does not apply to personal data in regulatory, professional, Companies House, SEC, FCA, business-contact, classification or enrichment data that Hackford independently collects, develops, maintains or supplies as part of its own data products. For that data, Hackford acts as an independent controller, and the Customer acts as an independent controller for its own use of the data.
If this DPA conflicts with the Hackford Master Subscription Terms or the applicable Order, this DPA prevails only for processing of Customer Personal Data. The Hackford Master Subscription Terms and the applicable Order continue to govern all other matters, including fees, service scope, permitted use, confidentiality, liability and termination.
2. Definitions
"Applicable Data Protection Law" means the UK GDPR, the Data Protection Act 2018 and any other UK data protection law applying to the relevant processing. EU GDPR applies only where it is directly applicable to the relevant processing.
"Customer Personal Data" means personal data contained in Customer Content or otherwise provided by Customer for Hackford to process on Customer's documented instructions. It excludes Hackford Data and Service Administration Data.
"Hackford Data" means data, content, classifications, analysis, regulatory information, business-contact information and other material independently collected, generated, enriched or supplied by Hackford.
"Hackford Master Subscription Terms" means Hackford's master subscription terms forming part of the contract with Customer.
"Order" means the order form, online order, statement of work or other ordering document accepted by both parties that describes the purchased service.
"Service Administration Data" means personal data processed by Hackford for its own account, billing, contracting, security, analytics, support, legal, compliance and business administration purposes.
"Service Schedule" means a schedule, statement of work or similar document under the Order or Hackford Master Subscription Terms that describes a specific service or project.
"Subprocessor" means a third party engaged by Hackford to process Customer Personal Data on Hackford's behalf.
Capitalised terms not defined in this DPA have the meanings given in the Hackford Master Subscription Terms, the applicable Order or Applicable Data Protection Law.
3. Processing Details
The subject matter, duration, nature and purpose of processing, categories of data subjects and categories of Customer Personal Data are set out in Schedule 1.
4. Customer Instructions
Hackford will process Customer Personal Data only on Customer's documented instructions, including the Hackford Master Subscription Terms, the applicable Order, any applicable Service Schedule, platform configuration, support requests and written instructions given by email or another agreed written channel.
Hackford may decline, suspend or ask Customer to clarify an instruction if Hackford reasonably considers that it is outside the service scope, creates a security risk, conflicts with the Hackford Master Subscription Terms or the applicable Order, or may breach Applicable Data Protection Law.
Hackford will promptly inform Customer if, in Hackford's reasonable opinion, a documented instruction infringes Applicable Data Protection Law.
If Hackford is required by law to process Customer Personal Data other than on Customer's instructions, Hackford will notify Customer before doing so unless the law prohibits notice.
5. Confidentiality
Hackford will ensure that persons authorised to process Customer Personal Data are subject to appropriate confidentiality obligations.
6. Security Measures
Hackford will maintain appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Current measures are summarised in Schedule 2 and may be updated from time to time provided the overall level of protection is not materially reduced.
7. Subprocessors
Customer gives Hackford general written authorisation to use Subprocessors for the processing of Customer Personal Data.
Hackford will maintain a current public Service Providers and Subprocessors list as described in Schedule 3. Hackford will give Customer at least 14 days' notice of material additions or replacements. Customer may object on reasonable data-protection grounds. If the parties cannot resolve the objection, Hackford may avoid using the relevant Subprocessor for Customer, suspend the affected service, or terminate the affected service in accordance with the Hackford Master Subscription Terms and the applicable Order.
Hackford will impose written data-protection obligations on Subprocessors that provide an equivalent level of protection for Customer Personal Data, taking account of the nature of the services. Hackford remains responsible to Customer for Subprocessor performance of those obligations, subject to the liability provisions in the Hackford Master Subscription Terms and the applicable Order.
8. International Transfers
Hackford will not make a restricted transfer of Customer Personal Data unless the transfer is covered by an adequacy regulation or an appropriate transfer mechanism under Applicable Data Protection Law, such as the UK International Data Transfer Agreement, the UK Addendum to the EU standard contractual clauses, or another lawful safeguard.
9. Personal Data Breach
Hackford will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
Hackford will provide information reasonably available to it to help Customer meet its breach assessment and notification obligations. Where full details are not immediately available, Hackford may provide information in phases as investigation progresses.
10. Data Subject Requests
Taking account of the nature of the processing, Hackford will provide reasonable assistance to help Customer respond to data subject rights requests relating to Customer Personal Data.
If Hackford receives a request directly and can identify it as relating to Customer Personal Data, Hackford will either refer the request to Customer or notify Customer, unless legally prohibited or required to respond itself.
11. DPIAs and Regulator Assistance
Taking account of the nature of the processing and the information available to Hackford, Hackford will provide reasonable assistance with DPIAs and supervisory authority consultations where legally required and where the request relates to Customer Personal Data.
12. Return or Deletion
After the end of the relevant processing service, Hackford will return or delete Customer Personal Data in its possession or control at Customer's choice, unless continued retention is required by law or reasonably needed for legal, security, audit or backup purposes.
During the term of the relevant processing service, Hackford is not required to delete Customer Personal Data where deletion would prevent or materially impair provision of the purchased service, unless the parties agree a service change or deletion is required by Applicable Data Protection Law.
Residual copies in backups or provider systems may remain until overwritten or deleted through ordinary deletion cycles, provided they are protected from active processing except where restoration, security, legal or compliance needs require otherwise.
13. Audit Information
Hackford will make reasonably available information necessary to demonstrate compliance with this DPA. This may include written responses, policy summaries, security information, Subprocessor information and relevant evidence exports.
Ordinary customer audits are limited to once in any 12-month period, on reasonable notice, and must begin with remote and documentary review before any meeting, live demonstration or inspection. This frequency limit does not apply where a personal-data breach affecting Customer Personal Data, or a requirement of a supervisory authority or regulator, justifies additional audit activity.
Any audit or inspection must be reasonable, proportionate, subject to confidentiality, avoid unnecessary disruption, and be limited to processing of Customer Personal Data. Customer is responsible for its own audit costs. Hackford may charge Customer at Hackford's reasonable cost for assistance beyond ordinary procurement or security review, including extraordinary audit assistance.
14. Customer Responsibilities
Customer is responsible for ensuring that:
- its instructions are lawful;
- it has a lawful basis for the processing;
- required notices have been given;
- Customer Personal Data is accurate, relevant and limited to what is necessary;
- its users keep credentials secure;
- it does not submit special-category data, criminal-offence data, children's data, payment-card data or other unusually sensitive personal data unless expressly agreed in the applicable Order or Service Schedule; and
- its use of Hackford Data complies with the Hackford Master Subscription Terms, the applicable Order, Applicable Data Protection Law and direct-marketing rules where relevant.
15. Liability
All claims arising under or in connection with this DPA are subject to the exclusions, limitations and general liability cap in the Hackford Master Subscription Terms and the applicable Order. This DPA does not create a separate or additional liability cap.
Schedule 1. Processing Details
| Item | Details |
|---|---|
| Subject matter | Storage and operation of customer-created watchlists, saved configurations, notes and related platform features. |
| Duration | Until the Customer deletes the relevant watchlist or content, the relevant service ends, or retention is otherwise required under the Agreement, subject to ordinary backup cycles. |
| Nature of processing | Receiving identifiers, matching them against Hackford Data, storing selected entity references, storing customer-created text, displaying and updating watchlists, generating alerts and deleting watchlist content. |
| Purposes | Providing customer-created watchlists, saved configurations, notes, matching and alert features in the platform. |
| Data subjects | Customer users, professional contacts and other individuals selected or referred to in Customer-created watchlists or notes. |
| Data categories | Professional identifiers, names, firm associations, the Customer's selection of an individual, watchlist names and descriptions, short free-text notes and related configuration data. |
| Excluded data | Hackford Data and Service Administration Data. |
Schedule 2. Security Measures
Hackford's current measures include:
- access limited to authorised persons;
- named accounts where supported;
- multi-factor authentication where available;
- long, unique passwords stored in a password manager;
- full-disk encryption and auto-lock on the work device;
- encrypted network access, including HTTPS/TLS for production services;
- production authentication, permission checks and rate limiting;
- secure cookie and security-header configuration where applicable;
- secrets stored in provider secret stores or environment variables rather than source code;
- provider-managed hosting, database and storage infrastructure;
- operational logging, provider alerts and incident-response procedures;
- automated security scanning of the product codebase on an ongoing basis to identify potential issues for review, prioritisation and remediation; and
- credential rotation, access review and corrective action after incidents where appropriate.
Schedule 3. Subprocessor Schedule
Hackford's current public Service Providers and Subprocessors list is available at https://hackforddata.com/subprocessors or any successor URL notified by Hackford.
Providers used only for Hackford's own billing, analytics, marketing, source control, public website enquiries, regulatory data supply, or independently collected Hackford Data are not listed as Subprocessors unless they process Customer Personal Data for the relevant service.