Data Processing Agreement
Last updated: March 1, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between HexaClaw ("Processor", "we", "us") and the entity or individual subscribing to HexaClaw services ("Controller", "you").
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies to the processing of personal data by HexaClaw on behalf of the Controller in connection with the provision of HexaClaw services.
For custom DPA requirements or enterprise agreements, contact legal@hexaclaw.com.
2. Definitions
Terms not defined here have the meanings given in the GDPR or the Terms of Service.
- Personal Data: Any information relating to an identified or identifiable natural person processed by HexaClaw on behalf of the Controller
- Processing: Any operation performed on Personal Data, including collection, storage, use, transmission, and deletion
- Sub-processor: A third party engaged by HexaClaw to process Personal Data on behalf of the Controller
- Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data
3. Scope of Processing
HexaClaw processes Personal Data solely for the purpose of providing the HexaClaw services as described in the Terms of Service. The following details apply:
| Aspect | Details |
|---|---|
| Subject matter | Provision of HexaClaw AI services platform, including the Cloud API Platform (LLM completions, embeddings, web search, image generation, text-to-speech, speech-to-text, browser automation, vector storage), Guardian Cloud API, and related services |
| Duration | For the term of the subscription agreement plus data retention periods specified in the Privacy Policy |
| Nature and purpose | Authentication, subscription management, API request routing and credit billing, security threat analysis (anonymized metadata only), usage metering and reporting |
| Categories of data subjects | Subscribers and end users of the Controller's HexaClaw deployment |
| Types of Personal Data | Email address, name, profile photo URL, Stripe customer ID, subscription status, API key identifiers (hashed), credit transaction ledger, generation metadata (model, token counts, timestamps), anonymized threat metadata, connection timestamps, browser session metadata |
4. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for processing Personal Data and for instructing HexaClaw to process on its behalf
- Provide any necessary notices to and obtain any necessary consents from data subjects
- Ensure that its instructions to HexaClaw comply with applicable data protection laws
- Maintain appropriate security measures for any Personal Data it handles directly
5. Processor Obligations
HexaClaw shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures as described in Section 7
- Engage sub-processors only in accordance with Section 6
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation
- Delete or return all Personal Data upon termination of services, at the Controller's choice, unless retention is required by law
- Make available to the Controller all information necessary to demonstrate compliance with Article 28 obligations
6. Sub-processors
The Controller provides general authorization for HexaClaw to engage sub-processors. The current list of sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Google Cloud Platform | United States | Infrastructure hosting, Cloud Run relay, Firestore database |
| Firebase (Google) | United States | Authentication, user database, cloud functions |
| Stripe | United States | Payment processing, subscription management |
| Anthropic | United States | LLM completions (Claude models) |
| OpenAI | United States | LLM completions, embeddings, TTS, STT |
| Google (Gemini API) | United States | LLM completions, embeddings |
| DeepSeek | China | LLM completions |
| Mistral AI | France (EU) | LLM completions |
| Groq | United States | LLM completions |
| xAI | United States | LLM completions (Grok models) |
| Brave Software | United States | Web search results |
| fal.ai | United States | Image generation |
| Browserbase | United States | Browser automation sessions |
| Qdrant | United States | Vector storage and semantic search |
| Google Analytics | United States | Website analytics (optional, consent-based) |
HexaClaw will notify the Controller at least 30 days before adding or replacing a sub-processor, providing the Controller an opportunity to object. Notification will be sent to the email address associated with the Controller's account.
If the Controller objects to a new sub-processor on reasonable grounds related to data protection, HexaClaw will make reasonable efforts to provide an alternative or allow the Controller to terminate the affected services without penalty.
HexaClaw shall ensure that each sub-processor is bound by data protection obligations no less protective than those in this DPA.
7. Security Measures
HexaClaw implements the following technical and organizational measures to protect Personal Data:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Firebase Authentication with secure token handling
- Access controls limiting employee access to Personal Data on a need-to-know basis
- Infrastructure hosted on Google Cloud Platform (SOC 2 certified)
- Regular security reviews of codebase and infrastructure
- Guardian Cloud API processes only sanitized, anonymized metadata
- Automated monitoring for unauthorized access attempts
8. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Controller:
- HexaClaw will notify the Controller without undue delay and in any event within 72 hours of becoming aware of the breach (per GDPR Article 33)
- Notification will include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach
- HexaClaw will cooperate with the Controller in investigating and mitigating the breach
- HexaClaw will assist the Controller in meeting its own breach notification obligations to supervisory authorities and data subjects
9. International Data Transfers
Personal Data is primarily stored and processed in the United States (Google Cloud, us-central1 region). For transfers of Personal Data from the EU/EEA to the United States:
- Transfers are covered by Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914)
- Google Cloud and Stripe maintain their own SCCs for data transfers
- A copy of the applicable SCCs is available upon request from legal@hexaclaw.com
HexaClaw will not transfer Personal Data to any country outside the EU/EEA without ensuring that appropriate safeguards are in place in accordance with Chapter V of the GDPR.
China-Based Sub-processor (DeepSeek)
DeepSeek, a sub-processor for LLM completions, is based in China. Transfers to DeepSeek occur only when the Controller or end user explicitly selects a DeepSeek model. Supplementary measures include: encryption in transit (TLS 1.3), no personal data beyond request content is shared, and DeepSeek processes data solely for generating completions per their API terms. The Controller can avoid transfers to China by not selecting DeepSeek models. EU/EEA-based alternatives include Mistral AI (France).
10. Audit Rights
The Controller has the right to verify HexaClaw's compliance with this DPA:
- HexaClaw will make available all information reasonably necessary to demonstrate compliance with Article 28 obligations
- HexaClaw will allow and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller
- Audit requests must be made in writing with at least 30 days' notice
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt HexaClaw's operations
- The Controller shall bear its own costs for any audit unless the audit reveals material non-compliance by HexaClaw
11. Data Deletion on Termination
Upon termination or expiration of the subscription agreement:
- The Controller may request return of all Personal Data in a commonly used, machine-readable format within 30 days of termination
- After the 30-day export period, HexaClaw will delete all Personal Data processed on behalf of the Controller, except where retention is required by applicable law
- HexaClaw will certify deletion in writing upon the Controller's request
- Data retained for legal obligations will be isolated and protected, and deleted when the obligation expires
12. Contact
For questions about this DPA or to request a custom enterprise DPA:
- Legal inquiries: legal@hexaclaw.com
- Privacy inquiries: privacy@hexaclaw.com
- General questions: hello@hexaclaw.com