Data Processing Addendum
The Data Processing Addendum (DPA) supplements the MSA and governs how Han AI processes Personal Data on your behalf. You are the Controller; Han AI is the Processor.
What it covers
| Section | Subject |
|---|---|
| §1–2 | Scope, roles, and definitions aligned with Singapore PDPA, Cambodia’s Law on Personal Data Protection, and the EU/UK GDPR where applicable. |
| §3 | Han AI obligations — processing on documented instructions, confidentiality, security measures, assistance with data-subject requests, records of processing. |
| §4 | Sub-processors. General written authorisation to engage sub-processors; fourteen days’ notice on additions or replacements; right to object. |
| §5 | International transfers. Transfers to the United States and other jurisdictions for foundation-model inference and SaaS sub-processors. |
| §6 | Personal Data Breach. Notification to you without undue delay and in any event within seventy-two hours of awareness. |
| §7 | Return and deletion on termination. Thirty-day request window; thirty-day fulfilment. |
| §8 | Audit rights. Up to one audit per calendar year on thirty days’ notice. |
| §9 | Conflict and term. DPA prevails over the MSA on matters of Personal Data processing. |
| Annex A | Description of processing — subject matter, duration, categories of data and data subjects. |
| Annex B | Sub-processor list. Authoritative version at hanai.systems/sub-processors. |
| Annex C | Technical and organisational measures — access control, encryption, network security, logging, backup, retention. |
Sub-processors
The current sub-processor list includes OpenAI, Anthropic, Cloudflare, Airtable, Telegram, Google, and Vultr. See DPA Annex B for the full table with regions and data categories.
Breach notification
Han AI notifies you of a Personal Data Breach within seventy-two hours of becoming aware of it. The notification describes the nature of the breach, the categories and approximate number of records, the likely consequences, and the mitigating measures.
Retention defaults
- Active Client Data: for the term of the Services.
- Backups: 30 days rolling.
- Telemetry and operational logs: 90 days.
- Personal Data flagged for deletion: removed from primary stores within 30 days; from backups by natural rollover within the next 30 days.
Full document
TODO: confirm public PDF URL for the signed DPA.