
HASP and CCPA

HASP is a service provider under the California Consumer Privacy Act, contracted by the business that determines the purposes of processing California consumers' personal information. Every paid tier — and the Free Evaluation tier — gets the same service-provider contract, the same consumer-rights tooling, and the same no-sale / no-sharing commitments.

The role

HASP processes personal information for you, not for us

Under Cal. Civ. Code §1798.140, your organization is the business — you decide why and how California consumers' personal information is processed. HASP is a service provider (and, where the relationship qualifies, a contractor) — we process that personal information only to deliver the platform you contracted for, under a written agreement that satisfies §1798.140(ag)(1).

That written agreement is the HASP Data Processing Agreement (DPA). It applies to every customer — self-serve, business, and enterprise — and is incorporated by reference into the Terms of Service. It is the single instrument that handles both the CCPA / CPRA service-provider obligations and the GDPR controller-processor obligations. HIPAA obligations are handled separately by the Business Associate Agreement (BAA).

Service-provider contract

What the DPA commits HASP to under CCPA

Purpose limitation
HASP processes personal information only for the business purposes documented in the DPA — providing the HASP platform, supporting customers, securing the service, complying with legal obligations. No secondary uses, no inference about consumers outside the contracted purpose.
No sale
HASP does not sell personal information as defined in §1798.140(ad). The DPA contains an explicit prohibition. No advertising auctions, no data brokerage, no monetary or other valuable consideration for personal information.
No sharing
HASP does not share personal information for cross-context behavioral advertising as defined in §1798.140(ah). No identifier graphs, no audience syncs, no advertising partners.
No combining
HASP does not combine personal information received from one customer with personal information received from another customer, or from any source outside the documented business purpose. Tenant isolation is enforced at the database and application layers.
Certification
The DPA includes the certification the statute requires of a contractor in §1798.140(j)(1)(B): HASP certifies that it understands the restrictions above and will comply with them. The same certification is given wherever HASP acts purely as a service provider, although §1798.140(ag)(1) does not itself demand one.
Audit cooperation
HASP will, on reasonable notice and at the customer's expense, support reasonable assessments to verify compliance — including making documentation, sub-processor information, and control evidence available. The full procedure is at §11 of the DPA.
Consumer rights

The mechanisms behind every California right

HASP does not receive consumer rights requests directly in most cases — the business receives them and uses HASP's tooling to honor them. Every paid plan and the Free Evaluation tier include the full set of mechanisms below.

§1798.110 · §1798.115

Right to know

Machine-readable export of every category of personal information HASP processes about a consumer, the sources, the business purposes, and the categories of third parties (sub-processors) to which it has been disclosed. Self-service from the account dashboard.

§1798.105

Right to delete

Account deletion triggers a 30-day cascade across primary storage, encrypted backups, and direct sub-processors. This is the same mechanism that satisfies GDPR Article 17 erasure. The §1798.105(d) exceptions HASP relies on (legal compliance, fraud detection, internal use compatible with consumer expectations) are documented in the Privacy Policy.

§1798.106

Right to correct

In-app correction by the consumer (where they hold an account) or by an account administrator acting on their request. Corrections propagate to backups within the next backup cycle.

§1798.120 · §1798.135

Right to opt out of sale / sharing

Not engaged. The §1798.135 opt-out notice and Global Privacy Control obligations attach to a business that sells or shares personal information. HASP does neither, so there is no opt-out flow to build; the customer's own obligations to its consumers are unaffected.

§1798.121

Right to limit use of SPI

Sensitive personal information is processed only for the §1798.121(a) permitted purposes — providing the requested service, security, fraud prevention, ensuring quality of the service. Never for inference about a consumer outside those purposes.

§1798.130

Disclosure obligations

Categories of personal information collected, sources, purposes, and retention periods are disclosed in the Privacy Policy. The 12-month look-back disclosures required by §1798.130(a)(5) are available on request via [email protected].

Sensitive personal information

SPI is contained, not mined

California's definition of Sensitive Personal Information in §1798.140(ae) covers government identifiers, account credentials, precise geolocation, racial or ethnic origin, contents of communications, genetic data, biometric identifiers used for identification, health information, sex life or sexual orientation, and information about a known child. HASP's posture is the same across every category: process only for the §1798.121(a) permitted purposes, never for inference outside those purposes.

Credentials
HASP is passwordless — we do not collect or store passwords. OAuth tokens used to connect customer data sources are encrypted at rest with AES-256-CBC and accessible only to the connecting tenant.
Health information
PHI is detected at the AI gateway. Organizations configure whether PHI passes through, is anonymized before reaching an inference provider, or is blocked entirely — the policy is the customer's choice. PHI handling is not delegated to third parties. A signed BAA is required to enable PHI handling for an organization.
Contents of communications
Customer content (chat messages, uploaded documents, AI prompts and outputs) is processed only to operate the service. It is never used to train models, never sold, never shared.
Geolocation
HASP does not collect precise geolocation. IP addresses are processed for security and rate limiting and are not used to derive a consumer's precise location.
Third parties

Sub-processors and downstream recipients

CCPA service-provider status requires that every downstream recipient of personal information accept the same restrictions HASP does. Every direct sub-processor is listed publicly on our sub-processors page and in §5 of the DPA, with processing purpose, data categories, and storage region.

Flow-down
Every sub-processor contract obligates the sub-processor to the same §1798.140(ag)(1) restrictions HASP accepts — no sale, no sharing, no retention beyond the business purpose, no combining with other sources.
Advance notice
30 days' advance notice before adding or materially changing a direct sub-processor. Customers may object during the notice period; HASP will work in good faith to resolve objections or, where no acceptable alternative exists, allow the affected portion of the service to be terminated.
Endpoint monitoring scope
Our 24/7 endpoint monitoring service receives only availability data — no customer or consumer personal information — and is therefore not a sub-processor under CCPA.
Substrate posture

CCPA is universal, not a tier feature

HASP's compliance posture is a floor at every paid tier and at the Free Evaluation tier — not a feature gated to Enterprise. The DPA, the consumer-rights tooling, the no-sale / no-sharing commitments, the sub-processor flow-down terms, and the security controls that back them up all apply uniformly. The Trust Center documents the full posture.

The corollary: a California buyer evaluating HASP does not need to choose a higher tier to get a service-provider contract or the consumer-rights primitives. Enterprise differentiation is about the dedicated data plane, region selection, SSO enforcement, retention, and procurement workflow — not about whether CCPA is honored.

FAQ

CCPA / CPRA — frequently asked

Is HASP CCPA / CPRA compliant?
Yes. HASP's platform-level controls satisfy the operational requirements the CCPA and CPRA impose on a service provider: a written service-provider contract (the DPA), restrictions on retention and reuse of personal information, support for consumer access / deletion / correction / opt-out rights, sub-processor flow-down terms, and security controls aligned with Civil Code §1798.100(e). CCPA does not have a government-issued certification; compliance is demonstrated through contracts, controls, and documented practice — all of which HASP publishes.
Is HASP a 'business', 'service provider', or 'contractor' under CCPA?
HASP is a service provider (and, for some customer relationships, a contractor) under Cal. Civ. Code §1798.140(ag) and (j). The customer is the business that determines the purposes and means of processing California consumers' personal information. HASP processes that personal information solely to provide the platform under a written contract that meets the §1798.140(ag)(1)–(2) requirements: limited retention, no sale, no sharing for cross-context behavioral advertising, no combining with personal information from other sources, and no use outside the documented business purpose.
Does HASP sign a service-provider contract?
Yes. The HASP Data Processing Agreement (DPA) is the service-provider contract for CCPA and CPRA, and the controller-processor contract for GDPR. It is published at usehasp.com/legal/dpa and incorporated by reference into the Terms of Service for all self-serve customers. A countersigned MSA-style copy is available on request for enterprise procurement. The DPA contains the four §1798.140(ag)(1) prohibitions, the certification language required by CPRA, and the sub-processor flow-down requirements.
How does HASP support California consumer rights?
HASP provides the operational primitives the business needs to honor consumer rights end-to-end. Right to know (§1798.110 and §1798.115): machine-readable export of all personal information associated with a data subject. Right to delete (§1798.105): a 30-day deletion cascade across primary storage, backups, and downstream sub-processors. Right to correct (§1798.106): in-app correction by the data subject or by an account administrator acting on their request. Right to opt out of sale / sharing (§1798.120): not applicable — HASP does not sell or share personal information. Right to limit use of sensitive personal information (§1798.121): SPI is processed only for the §1798.121(a) permitted business purposes.
Does HASP sell personal information or share it for cross-context behavioral advertising?
No. HASP has never sold personal information as defined in Cal. Civ. Code §1798.140(ad), and HASP has never shared personal information for cross-context behavioral advertising as defined in §1798.140(ah). This commitment is contractual in the DPA, surfaced in the Privacy Policy, and enforced operationally — HASP does not run advertising auctions, does not pass user identifiers to advertising platforms, and does not load third-party advertising tags on the runtime domain (usehasp.run).
What about Sensitive Personal Information (SPI)?
HASP processes SPI — including credentials, government identifiers, health information, and information about a known child — only for the purposes permitted by §1798.121(a) and only as necessary to provide the platform the customer has contracted for. SPI is never used to infer characteristics about a consumer for any other purpose. PHI (a subset of SPI under CCPA, separately regulated under HIPAA) is detected at the AI gateway, where the organization's configured policy determines whether it is anonymized by HASP's PHI anonymization pipeline before content reaches an inference provider, blocked entirely, or allowed through; enabling PHI handling at all requires a signed BAA. SPI handling is documented in §6 of the DPA and the data-flow inventory at /trust/data-flow.
How are sub-processors and third-party recipients documented?
Every direct sub-processor that may receive California personal information is listed in §5 of the DPA and at usehasp.com/sub-processors, with the processing purpose, the data categories involved, and the storage region. HASP gives 30 days' advance notice before adding or materially changing a direct sub-processor. Every sub-processor contract flows down the §1798.140(ag)(1) restrictions — no sale, no sharing, no retention beyond the business purpose, no use outside the documented purpose.
Does HASP support a Global Privacy Control (GPC) signal?
HASP does not need a GPC opt-out because it does not engage in sale or sharing of personal information that would require one. On the marketing site (usehasp.com), HASP honors the Do Not Track and GPC signals by suppressing analytics tracking. On the runtime domain (usehasp.run), no third-party analytics or advertising tags are loaded on behalf of customer end users, so GPC has nothing to suppress.
How does HASP handle California consumer requests received directly?
If a California consumer contacts HASP directly with a rights request relating to personal information HASP processes on behalf of a customer, HASP will, without undue delay, either (a) forward the request to the customer (the business under CCPA) or (b) inform the consumer that the request must be directed to the business. This follows the service-provider model: the business receives, verifies, and answers the request, and HASP acts on the business's instructions. For HASP's own first-party processing (account holders, billing contacts, marketing leads), requests are honored directly via [email protected] within 45 days, with one 45-day extension permitted under §1798.130(a)(2).
Where is CCPA / CPRA compliance offered — on which plans?
Every paid plan and the Free Evaluation tier. CCPA support is part of HASP's universal compliance posture: the same compliance floor applies at every tier. There is no upgrade gate on the DPA, on consumer rights tooling, on the no-sale / no-sharing commitments, or on sub-processor transparency. Enterprise customers additionally receive a dedicated data plane and region selection for residency requirements.
Related

Adjacent frameworks and reference material

Sibling framework

GDPR

European data protection — controller / processor model, Article 17 erasure, Article 20 portability, Standard Contractual Clauses for transfers.

Healthcare

HIPAA

Business Associate Agreement, PHI handling at the AI gateway, breach notification, and the relationship between PHI and CCPA Sensitive Personal Information.

Control attestation

SOC 2

Type II report inherited from our compliance substrate, available under NDA. HASP's own direct engagement is scheduled.

Healthcare control framework

HITRUST CSF

Posture inherited from the compliance substrate, attestation letter available under NDA, direct certification on the roadmap.

Sibling framework

PIPEDA

Canadian federal privacy law — ten fair-information principles satisfied by the same controls as GDPR, with cross-border transfer accountability discharged through the DPA.

Contract

Data Processing Agreement

The single service-provider / processor contract that satisfies CCPA, CPRA, and GDPR. Published and incorporated by reference into the Terms of Service.

Register

Sub-processors

Every downstream recipient with processing purpose, data categories, and storage region. 30-day advance notice before any change.

First-party processing

Privacy Policy

How HASP handles personal information collected directly from account holders, billing contacts, and marketing leads — separate from customer-controller data.

Hub

Trust Center

The full posture — frameworks, controls, sub-processors, data flow inventory, and audit verification recipe — in one place.

Talk to us

California privacy contacts

CCPA / CPRA inquiries
[email protected]

Service-provider contract execution, sub-processor questions, assessment requests, pre-filled privacy questionnaires.

Data subject rights
[email protected]

For HASP's own first-party processing. Customer end-user requests should be directed to the business that holds the account.

Enterprise procurement
[email protected]

Countersigned DPA, custom assessment scope, dedicated data plane and region selection, SSO enforcement.