Data Processing Addendum
This Data Processing Addendum (the "DPA") forms part of the Terms of Service between you (the Controller) and Hulo Global Limited (the Processor). It governs any processing of personal data we perform on your behalf.
When this DPA applies to you. In most cases when you buy our plugins, you remain the sole controller of the personal data the plugins capture about your end users — the plugins run on your servers and we never see that data. This DPA only takes effect for the limited situations where we do act as a processor (e.g. you use a future managed-hosting offering or paid support tier that requires us to handle your data).
1. Definitions
"UK GDPR" means the United Kingdom General Data Protection Regulation as defined in the Data Protection Act 2018. "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the EU GDPR where applicable, the Privacy and Electronic Communications Regulations 2003 (PECR), and any successor or supplementary legislation.
"Personal Data", "Process", "Controller", "Processor", "Data Subject" and "Supervisory Authority" have the meanings given in Data Protection Laws.
2. Subject matter, duration, nature and purpose
Subject matter — processing as needed to provide our Vendure plugins and related customer-facing services.
Duration — for the period the Controller has an active licence + the retention periods set out in our Privacy Policy.
Nature and purpose — issuing, delivering, renewing and revoking licences; payment processing via Stripe; transactional support email; security monitoring.
Categories of data subject — the Controller's authorised representatives (typically the developer or finance contact who buys the licence).
Categories of personal data — name, email address, billing address, VAT number, payment-card fingerprint (a SHA-256 hash from Stripe; not the card number), Stripe customer/subscription IDs.
Special categories — none.
3. Processor obligations
The Processor will:
- Process Personal Data only on documented instructions from the Controller (these Terms + this DPA are such instructions);
- Ensure persons authorised to process Personal Data are bound by confidentiality;
- Implement appropriate technical and organisational security measures (see Annex 2);
- Assist the Controller in responding to Data Subject requests under Articles 15-22 UK GDPR, by providing the self-service endpoints at elite.charity/licence/privacy and elite.charity/licence/forgot;
- Notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a Personal Data breach;
- Assist the Controller with DPIAs and consultations with the Supervisory Authority where reasonably required;
- At the Controller's choice on termination, delete or return all Personal Data, subject to record-keeping required by law.
4. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed in Annex 1. The Processor will inform the Controller of any intended addition or replacement of a sub-processor and give the Controller a reasonable opportunity to object on substantial grounds.
The Processor remains liable for the acts and omissions of its sub-processors.
5. International transfers
Where Personal Data is transferred outside the UK and EEA, the parties rely on the UK Addendum to the EU Standard Contractual Clauses (UK ICO IDTA) or the UK-US Data Bridge / EU-US Data Privacy Framework as applicable. Annex 1 lists the lawful basis for each named sub-processor.
6. Audit
The Controller may, on 30 days' written notice and no more than once per 12 months, audit the Processor's compliance with this DPA — either by requesting a written self-assessment or, where reasonable and necessary, by visiting the Processor's offices during normal business hours. Audits must not disproportionately disrupt the Processor's business and must respect the confidentiality of other customers' data.
7. Liability
The liability cap in section 17 of the Terms of Service applies to this DPA. Each party's liability under Data Protection Laws is several, not joint — each party is responsible for its own acts and omissions.
8. Survival
Sections 3 (Processor obligations), 5 (International transfers) and 7 (Liability) survive termination of this DPA for so long as the Processor holds any Personal Data of the Controller.
Annex 1 — Sub-processors
| Provider | Purpose | Location / lawful basis for transfer |
|---|---|---|
| Stripe Payments Europe, Ltd | Payment processing, billing portal, invoices | Ireland (EEA) with US transfers under the EU-US DPF |
| Google Workspace (Google Ireland Ltd) | SMTP relay for transactional email | Ireland (EEA), UK-US Data Bridge |
| Cloudflare, Inc | TLS termination, DDoS protection, IP geolocation | US, EU-US DPF |
| GitHub, Inc | Source hosting (no end-user personal data) | US, EU-US DPF |
Annex 2 — Security measures
- Encryption in transit (TLS 1.2+ on every public endpoint).
- HMAC-SHA256 verification on every inbound webhook (Stripe + bounce notifications).
- HMAC-signed cookies on the visitor-analytics plugin so tampered values are rejected.
- HMAC-signed open/click URLs on the email-tracking plugin so forged tracking events are rejected.
- Rate-limiting on every public endpoint to defeat enumeration + DoS.
- Security headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Resource-Policy) on every response.
- IP addresses stored as a SHA-256 hash with a per-install salt where stored at all.
- RSA private signing key held at /etc/hulo/licence/private.pem, mode 600, root-only.
- AES-256-CBC + PBKDF2-250000 encrypted weekly backups of the signing key, integrity-verified weekly off-site.
- Offline JWT verification — the signing key never leaves our servers, never appears in an HTTP request body.
- Webhook idempotency via a dedicated WebhookEvent table so retries cannot double-process.
- Process-level error monitoring with all Personal Data scrubbed before events leave our servers.
How to execute
This DPA is offered on a counterpart-not-required basis: by accepting our Terms of Service you are deemed to accept it where applicable. If you require a counter-signed copy (for example for your own internal records or compliance with a customer of your own), email [email protected] and we will exchange signatures by DocuSign or equivalent.
- 2026-06-21 — Initial publication.