For your security and compliance team

Data Processing Agreement

HASP Data Processing Agreement Last updated · May 14, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service (the "Agreement") between:

  • Customer ("Controller"): The entity that agreed to the Terms of Service
  • HASP ("Processor"): Hasp, Inc., 1270 Mackintosh Park Northwest, Atlanta, GA 30318

This DPA applies where HASP processes Personal Data on behalf of the Customer in the course of providing the HASP platform (the "Service"). For self-serve customers, acceptance of the Terms of Service incorporates this DPA. Enterprise customers requiring a countersigned copy should contact [email protected].

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • Processing: Any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • Sub-processor: A third party engaged by HASP to process Personal Data on behalf of the Customer.
  • Data Subject: The individual to whom Personal Data relates.

2. Scope and Purpose of Processing

HASP processes Personal Data solely to provide the Service, including:

  • User account management: Names, email addresses, authentication tokens
  • Application data storage: Records created by Customer's end users within Customer's apps (stored as structured JSONB data)
  • File attachments: Files uploaded by end users to Customer's apps
  • Audit logging: Activity logs for security and compliance purposes
  • API request payload retention (API tier customers only): Full HTTP request and response payloads of API calls Customer makes to HASP, retained for 30 days to power the in-app developer-console request inspector. Stored encrypted at rest, accessible only to Customer's authorized workforce members holding developer.read capability or higher within the Customer's own organization. May contain PHI; the inspector renders payloads with PHI placeholders by default and exposes a per-inspection "Show PHI" reveal that emits an inspector.phi_revealed audit event on every use. Retained for the shorter of 30 days from creation or termination of the Agreement. This store does not participate in the integrity-chained audit log; the audit log retains its own redacted record independently.
  • Billing: Payment and subscription data (processed via Stripe)

3. Customer Obligations

The Customer shall:

  • Ensure a lawful basis for processing Personal Data (e.g., consent, legitimate interest)
  • Provide notice to Data Subjects about the processing
  • Respond to Data Subject requests, using the self-service tools provided by HASP (data export, account deletion)

4. HASP Obligations

HASP shall:

  • Process Personal Data only on documented instructions from the Customer
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures (see Section 6)
  • Assist the Customer in responding to Data Subject requests
  • Delete or return all Personal Data upon termination of the Agreement, at the Customer's choice
  • Make available information necessary to demonstrate compliance with this DPA

5. Sub-processors

HASP uses the following sub-processors. This list is also published on our sub-processors page and kept in sync with this DPA.

Direct sub-processors

Sub-processor Purpose Location
Aptible Compliance substrate: managed PostgreSQL (compliance data planes), application hosting (compute and network); HIPAA + SOC 2 substrate inheritance US (AWS-backed)
Anthropic Claude inference (chat, document analysis, AI Studio, public API, agent workflows) — direct integration under HASP Healthcare BAA US
OpenAI GPT inference (alternative inference provider) — direct integration under HASP Enterprise BAA US
Cloudflare CDN, R2 object storage, DNS, SSL Global (US-headquartered)
Stripe Payment processing, billing, Stripe Tax (US sales tax / EU VAT / UK GST) US
Voyage AI Document embeddings for RAG US
Postmark Transactional email delivery US
Google OAuth authentication (when Customer enables Google sign-in) US
Microsoft OAuth authentication (when Customer enables Microsoft sign-in) US
WorkOS Enterprise SSO/SAML authentication US
Nightwatch Error monitoring and application telemetry US
PostHog Product analytics (only when end user consents via cookie banner) US

PHI handling

PHI de-identification, redaction, and re-identification is performed by HASP's own pipeline, built on Microsoft Presidio with healthcare-specific custom recognizers, running on Aptible-managed infrastructure inside the HASP compliance boundary. PHI handling is not delegated to any third party. Inference flows through direct provider integration with Anthropic and OpenAI under HASP-direct BAAs as listed above; PHI scanning and redaction occurs before content leaves HASP's substrate to any inference provider.

Sub-processor change notification

HASP will notify the Customer at least 30 days before adding a new direct sub-processor or making a material change to an existing one. The Customer may object by contacting [email protected] within the 30-day notice period.

For inference providers: if a new direct inference provider is added, the 30-day notice applies. Customers may also restrict specific provider routing for their workloads via Customer-configurable inference policy at the org level on Business+ tiers.

HASP will work with Customer in good faith to address objections, including by ceasing use of the affected sub-processor or terminating the affected portion of the Service if no acceptable alternative exists.

6. Security Measures

HASP implements the following technical and organizational measures:

Encryption

  • All data in transit encrypted via TLS 1.2+
  • OAuth tokens encrypted at rest (AES-256-CBC)
  • Compliance data plane connections use SSL with CA verification

Access Control

  • Role-based access control (Owner, Admin, Member roles)
  • Enterprise SSO/SAML enforcement available
  • Session-based authentication with CSRF protection

Data Isolation

  • Solo / Professional / Business: shared PostgreSQL with application-level isolation and row-level security on a compliance-certified cluster
  • Enterprise: dedicated PostgreSQL cluster with restricted database users and firewall rules

Audit & Monitoring

  • Immutable append-only audit logs on all paid plans
  • Cryptographic chain integrity with Ed25519 signatures on every paid plan
  • 24/7 uptime monitoring across all platform components

Data Retention

  • User data deleted upon account deletion (within 30 days)
  • Expired invitations purged after 30 days
  • Audit logs retained per tier: 90 days (Solo/Professional), 7 years (Business/Enterprise)

7. Data Breach Notification

HASP will notify the Customer without undue delay — and in any event within 72 hours — upon becoming aware of a Personal Data breach. The notification will include:

  • Nature of the breach
  • Categories and approximate number of Data Subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

8. Data Subject Rights

HASP provides the following self-service tools to support Data Subject rights:

  • Right of Access / Portability: Data export (Settings → Privacy & Data)
  • Right to Erasure: Account deletion (Settings → Profile)
  • Right to Rectification: Profile editing (Settings → Profile)
  • Consent Management: Consent capture at sign-up; cookie consent banner for analytics

For requests that cannot be handled via self-service, Customer should contact [email protected].

9. International Transfers

Where Personal Data is transferred outside the EEA, HASP relies on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission
  • Sub-processor compliance with applicable data protection frameworks

10. Term and Termination

This DPA is effective for the duration of the Agreement. Upon termination:

  • HASP will delete Customer's Personal Data within 30 days
  • Customer may request a data export before termination
  • Audit logs may be retained as required by law

11. Governing Law

This DPA is governed by the same law as the Agreement.

Questions about this DPA? Contact [email protected]. Enterprise customers requiring a countersigned copy should contact us to initiate execution.