Data Processing Agreement

Effective date: February 1, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ESCAPE VELOCITY OPERATIONS, a French SARL (SIREN 908 987 241), located at 110 Boulevard de Verdun, 94120 Fontenay-sous-Bois, France (the "Processor"), and you, the customer (the "Controller"), collectively referred to as the "Parties".

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the processing of personal data by the Processor on behalf of the Controller in connection with the Hatch platform services.

1. Definitions

  • "Controller" means you, the customer, who determines the purposes and means of the processing of personal data.
  • "Processor" means Escape Velocity Operations, which processes personal data on behalf of the Controller through the Hatch platform.
  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under Article 4(1) GDPR.
  • "Sub-processor" means any third party engaged by the Processor to process personal data on behalf of the Controller.
  • "Data Subject" means the identified or identifiable natural person to whom the personal data relates.
  • "Services" means the Hatch platform services provided by the Processor under the Terms of Service.

2. Scope of Processing

This DPA applies to the processing of personal data that the Controller stores, transmits, or otherwise manages through applications hosted on the Hatch platform. The Processor provides hosting infrastructure, database services, and related platform services that may involve the processing of personal data on behalf of the Controller.

3. Data Processing Details

  • Categories of Data: Any personal data stored by the Controller's applications in Hatch-provided databases and infrastructure, as determined by the Controller.
  • Categories of Data Subjects: End users and any other individuals whose personal data is processed through the Controller's applications hosted on Hatch.
  • Purpose of Processing: Hosting, serving, and operating the Controller's applications, including database storage, compute, and network services.
  • Duration of Processing: For the duration of the service agreement between the Controller and the Processor, plus any retention period required for data deletion.

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by EU or member state law to which the Processor is subject.
  • Ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Implement appropriate technical and organizational security measures as described in Section 6.
  • Respect the conditions for engaging sub-processors as described in Section 5.
  • Assist the Controller in responding to requests for exercising data subject rights as described in Section 8.
  • Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services as described in Section 10.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits as described in Section 9.

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

The following sub-processors are currently engaged:

Sub-processor | Purpose | Location
OVHcloud | Cloud infrastructure and hosting | EU (Roubaix, France)

The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a contract, ensuring that the processing of personal data meets the requirements of the GDPR.

6. Data Location and Security Measures

All personal data is processed and stored exclusively within the European Union, using OVHcloud EU datacenters. No personal data is transferred outside the EU/EEA.

The Processor implements the following technical and organizational measures:

  • Encryption at rest — All data stored on disk is encrypted.
  • Encryption in transit — All network traffic is encrypted using TLS.
  • Access controls — Role-based access controls with the principle of least privilege.
  • Backups — Regular automated backups with encrypted storage.
  • Monitoring — Continuous infrastructure monitoring and logging.
  • Isolation — Logical separation of customer environments.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. In accordance with Article 33 GDPR, such notification shall be made within 72 hours where feasible and shall include:

  • A description of the nature of the personal data breach, including the categories and approximate number of data subjects and records concerned.
  • The name and contact details of the Processor's point of contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects.

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to requests from data subjects exercising their rights under Chapter III of the GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

If the Processor receives a request from a data subject directly, it shall promptly forward the request to the Controller and shall not respond to the request without the Controller's instructions, unless required by applicable law.

9. Audit Rights

The Controller may audit the Processor's compliance with this DPA. Audits shall be carried out with reasonable prior notice (at least 30 days), during normal business hours, and in a manner that does not disrupt the Processor's operations. The Controller shall bear the costs of any audit initiated by the Controller.

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 GDPR.

10. Data Deletion and Return

Upon termination of the Services, the Processor shall, at the Controller's choice:

  • Return all personal data to the Controller in a commonly used, machine-readable format, and/or
  • Delete all personal data within 30 days of termination.

The Controller may export their data at any time during the term of service using the platform's built-in export functionality. After the 30-day post-termination period, all personal data shall be securely deleted, unless retention is required by applicable law.

11. Liability

Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, except where such limitations are prohibited by the GDPR.

12. Governing Law and Supervisory Authority

This DPA shall be governed by and construed in accordance with the laws of France. The competent supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).

Processor Details

  • Company: ESCAPE VELOCITY OPERATIONS, SARL
  • SIREN: 908 987 241
  • Address: 110 Boulevard de Verdun, 94120 Fontenay-sous-Bois, France
  • Hosting Provider: OVHcloud, Roubaix, France