Data Processing Addendum
This Data Processing Addendum ("DPA") describes Hardseal's intended handling of Customer Data, including Federal Contract Information ("FCI") and Controlled Unclassified Information ("CUI") where applicable. This page is a public framework — it becomes binding only when expressly incorporated into a signed Master Services Agreement ("MSA"), Statement of Work, Subscription Order, or other written agreement between Hardseal and Customer. Final order of precedence is governed by the signed agreement.
1. Definitions
"Customer Data" means any data, information, or content provided by Customer to Hardseal, or generated by Hardseal at Customer's direction during performance of the Services, including artifacts ingested into evidence packets.
"CUI" means Controlled Unclassified Information as defined in 32 CFR Part 2002 and applicable U.S. Government regulations and contract clauses.
"FCI" means Federal Contract Information where applicable to the Customer engagement. FCI and CUI handling requirements are identified in the applicable SOW, contract clause, flowdown, or written Customer instruction — not in this DPA generically.
"Personal Information" means any information relating to an identified or identifiable natural person.
"Sub-processor" means a third party engaged by Hardseal to process Customer Data.
2. Roles and Responsibilities
Customer owns and controls Customer Data. Hardseal is primarily a software tool provider: Hardseal Edge is a license to software that runs on Customer-controlled environments, and Hardseal Core is a defined-scope engagement in which Hardseal personnel operate the software at Customer's direction inside Customer's enclave. In either case, Hardseal does not host Customer Data on its own servers, does not maintain a continuous service relationship that ingests Customer Data, and does not act as a third-party data processor in the GDPR/CCPA SaaS-vendor sense. Where applicable privacy law uses controller/processor terminology, Customer acts as controller; Hardseal's role is limited to whatever processing is incidental to executing the software run inside Customer's environment.
Hardseal will only access or process Customer Data as necessary to perform the Services described in the applicable SOW or Subscription Order, and only on Customer's documented instructions.
3. Hardseal Commitments
- Process per instructions. Hardseal will process Customer Data only as necessary to provide the Services and as instructed by Customer. Hardseal will not use Customer Data for any other purpose.
- No model training. Hardseal will not use Customer Data to train any machine-learning model.
- No transmission outside Customer environment. Hardseal will not transmit Customer Data outside the Customer-designated environment unless Customer expressly authorizes a specific delivery (e.g., shipment of a signed evidence packet to Customer's C3PAO assessor).
- Confidentiality. Hardseal personnel with access to Customer Data are bound by written confidentiality obligations no less protective than those in the MSA.
- Security measures. Hardseal implements administrative, technical, and physical safeguards designed to protect Customer Data against unauthorized access, disclosure, alteration, and destruction. Specific safeguards are described in §6.
- Incident notification. Hardseal will notify Customer in writing within twenty-four (24) hours of confirming an actual or suspected security incident affecting Customer Data, and will cooperate in Customer's investigation and response.
4. CUI-Specific Obligations
Where the Services involve CUI, Hardseal will:
- Handle CUI within Customer-controlled environments in a manner intended to align with the safeguarding principles in FAR 52.204-21 and NIST SP 800-171, to the extent applicable to Hardseal's limited processing role;
- Conduct CUI handling on Customer's enclave or in a documented secure environment under Customer's direction;
- Restrict CUI access to authorized personnel meeting any citizenship, export-control, training, or access requirements specified by Customer's environment policy, contract clauses, or applicable U.S. law;
- Notify Customer immediately and in no event later than twenty-four (24) hours after confirming any actual or suspected cyber incident affecting CUI, so that Customer has sufficient time to meet its 72-hour DoD reporting obligations under DFARS 252.204-7012; Hardseal supports Customer's government-reporting role and does not assume that role unless expressly agreed in writing;
- Flow down equivalent obligations to any Sub-processor with access to CUI.
Nothing in this DPA represents that Hardseal, on its own, satisfies all requirements of NIST SP 800-171 or DFARS 252.204-7012 for Customer's broader environment. Those responsibilities remain with Customer and its prime contractors. Hardseal supports Customer's compliance work by producing tools and verifiable evidence packets — it does not assume Customer's role as a covered contractor.
5. Sub-processors
Hardseal does not currently engage Sub-processors with access to Customer Data for the Services. If Hardseal engages a Sub-processor, it will:
- Provide Customer with at least thirty (30) days' written notice prior to engagement;
- Bind the Sub-processor by written agreement to data-protection obligations no less protective than this DPA;
- Remain liable to Customer for the Sub-processor's performance.
Customer may object to a proposed Sub-processor by written notice within fifteen (15) days. If Hardseal cannot accommodate the objection, Customer may terminate the affected Service for convenience.
6. Security Measures
Hardseal applies the following baseline measures, with additional environment-specific measures defined per SOW where applicable:
- Access control. Role-based access; multi-factor authentication on all admin accounts; principle of least privilege.
- Encryption. Transport encryption for any data in transit; full-disk encryption on Hardseal personnel laptops.
- Software supply chain. Hardseal release artifacts are identified by version, commit reference where applicable, and SHA-256 digest. Delivery packages are verified against published or Customer-provided hashes before use.
- Audit logging. Access to Customer Data on Hardseal-side systems (when any exists) is logged with at least 90-day retention.
- Personnel. Background checks for personnel with CUI access where required by Customer's environment.
- Workstation hygiene. Hardseal personnel use hardened workstations with current OS patches, disk encryption, endpoint protection where applicable, and restricted administrative access.
7. Data Subject Requests
If Customer receives a request from a data subject regarding Personal Information processed by Hardseal under this DPA, Hardseal will provide reasonable cooperation to enable Customer to respond, at Customer's reasonable cost.
8. Audit Rights
Once per twelve-month period, with thirty (30) days' written notice and during business hours, Customer or its independent auditor may audit Hardseal's compliance with this DPA, subject to reasonable confidentiality and security restrictions. Hardseal will provide reasonable cooperation. Customer bears the audit costs unless the audit reveals a material breach.
9. Return and Deletion
Because Hardseal does not host Customer Data and does not maintain a continuous service that ingests Customer Data, the typical termination posture is that Hardseal already holds no Customer Data when an engagement concludes — all artifacts and evidence packets reside on Customer's enclave under Customer's control.
If, during a Hardseal Core engagement, any temporary or incidental copies of Customer Data exist in Hardseal personnel work environments (for example, screenshots, logs, or notes used to perform the engagement at Customer's direction), Hardseal will:
- Identify and destroy those incidental copies within thirty (30) days of engagement completion or earlier on Customer's written request;
- Provide a written certification of destruction on Customer's request;
- Retain incidental copies only to the extent required by applicable law, in which case the data remains subject to the obligations of this DPA.
10. Data Sovereignty and Export Control
Hardseal enforces U.S. data sovereignty for Customer engagements involving FCI, CUI, ITAR-controlled technical data, or EAR-controlled technology. Hardseal will not transfer, store, or process such Customer Data outside the geographic boundaries of the United States, and will restrict access — including administrative and support access — to U.S. Persons as defined in 22 CFR § 120.15. Hardseal will not engage offshore Sub-processors for engagements involving CUI, ITAR, or EAR data.
For Customer engagements that do not involve CUI/ITAR/EAR data, any future cross-border processing will be addressed by written amendment to the applicable signed agreement.
11. Liability
Liability arising under this DPA is subject to the limitations of liability set forth in the MSA.
12. Order of Precedence
For signed Customer engagements, the order of precedence among this DPA, the MSA, and the applicable SOW or Subscription Order is governed by the express terms of the signed agreement. This public framework does not unilaterally override any negotiated MSA.
13. Updates
Hardseal may update this public framework to reflect changes in law, product architecture, or data-handling practices. For signed Customer engagements, material changes to data-handling obligations will apply only as permitted by the applicable MSA, SOW, Subscription Order, or written amendment signed by authorized representatives of both parties. Hardseal will not unilaterally degrade the security commitments outlined herein via website updates.
14. Contact
Data-protection questions: rico@hardseal.ai · subject "DPA / data protection."