Data Processing Addendum

Official Hugin legal terms from Fixeon AI Labs.

Effective date: June 16, 2026

Last updated: June 16, 2026

Processor: Fixeon AI Labs ("Hugin," "we," "us," or "our")

Contact: fixeonai@gmail.com

Registered address: No.2 Haile Selassie Street, Asokoro, Abuja, Nigeria

This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") between Fixeon AI Labs ("Processor," "Hugin") and the customer ("Controller," "Customer") and applies to the extent Hugin processes Personal Data on the Customer's behalf in providing the Service. Where Customer requires a counter-signed copy, contact fixeonai@gmail.com.

In case of conflict, this DPA controls over the rest of the Agreement with respect to the processing of Personal Data. Capitalized terms not defined here have the meaning in the Agreement.

1. Definitions

  • "Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (Regulation 2016/679) ("GDPR"), the UK GDPR and Data Protection Act 2018, the Nigeria Data Protection Act 2023 ("NDPA"), the California Consumer Privacy Act as amended ("CCPA/CPRA"), and other applicable state, national, or supranational privacy laws.
  • "Personal Data," "Controller," "Processor," "Data Subject," "Processing," and "Personal Data Breach" have the meanings given in the GDPR (or the equivalent terms, such as "business," "service provider," and "consumer," under the CCPA/CPRA).
  • "Customer Personal Data" means Personal Data contained within Customer Data that Hugin processes on the Customer's behalf.
  • "Subprocessor" means a third party engaged by Hugin to process Customer Personal Data.
  • "Standard Contractual Clauses" / "SCCs" means the clauses approved by the European Commission Implementing Decision (EU) 2021/914, and, for the UK, the UK International Data Transfer Addendum issued by the ICO.

2. Roles and Scope

The parties acknowledge that, for Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of a third-party controller) and Hugin is the Processor. Hugin processes Customer Personal Data only to provide the Service and as documented in this DPA, the Agreement, and the Customer's lawful instructions. For Hugin's processing of account, billing, support, security, and website data, Hugin acts as a Controller as described in the Privacy Policy, and this DPA does not apply to that processing.

Details of the processing (subject matter, duration, nature and purpose, types of Personal Data, and categories of Data Subjects) are set out in Annex A.

3. Processor Obligations

Hugin will:

  1. Process only on documented instructions from the Customer, including with regard to international transfers, unless required to act by applicable law (in which case Hugin will inform the Customer unless legally prohibited). The Agreement, this DPA, and use of the Service's features constitute the Customer's documented instructions. Hugin will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.
  2. Confidentiality — ensure that persons authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
  3. Security — implement and maintain the technical and organizational measures described in Annex B, appropriate to the risk.
  4. Subprocessors — engage Subprocessors only as set out in Section 4.
  5. Assist the Controller — taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to Data Subject requests (Section 5) and to meet the Customer's obligations regarding security, breach notification, data protection impact assessments, and prior consultation (Articles 32–36 GDPR and equivalents).
  6. Deletion or return — at the Customer's choice, delete or return Customer Personal Data at the end of the provision of the Service, and delete existing copies unless storage is required by law, as described in Section 7.
  7. Demonstrate compliance — make available information reasonably necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits as set out in Section 6.
  8. No sale; CCPA — Hugin is a "service provider"/"processor" under the CCPA/CPRA. Hugin will not sell or share Customer Personal Data, will not retain, use, or disclose it for any purpose other than providing the Service (or as permitted by the CCPA/CPRA), will not combine it with data from other sources except as permitted, and certifies it understands and will comply with these restrictions.

4. Subprocessors

The Customer provides general authorization for Hugin to engage Subprocessors to process Customer Personal Data. Hugin's current Subprocessors, with their purpose, the data categories they process, and their locations, are listed at our Subprocessors page, which forms Annex C.

Hugin will: (a) impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA; (b) remain liable for its Subprocessors' performance; and (c) provide notice of any intended addition or replacement of a Subprocessor at least 30 days in advance (where reasonably practicable) to Customers who have subscribed to subprocessor notifications. The Customer may object on reasonable, documented data-protection grounds within the notice period; the parties will work in good faith to resolve the objection, and if they cannot, the Customer may terminate the affected part of the Service as its sole remedy.

5. Data Subject Rights

The Service provides features that allow the Customer to access, correct, delete, restrict, and export Customer Personal Data. To the extent the Customer cannot do so through the Service, Hugin will, taking into account the nature of the processing, provide reasonable assistance to enable the Customer to respond to Data Subject requests. If Hugin receives a request directly from a Data Subject regarding Customer Personal Data, it will, unless legally required to respond, refer the Data Subject to the Customer.

6. Audit

Hugin will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, including relevant policies, summaries, and any third-party certifications or reports it holds. Where the Customer reasonably requires further information to satisfy a regulatory audit obligation, the Customer may request an audit no more than once per year (or as required by a supervisory authority), on reasonable prior written notice, during business hours, subject to confidentiality, without disrupting Hugin's operations or compromising other customers' data, and at the Customer's expense.

7. Deletion and Return

On termination or expiry of the Agreement, or on Customer request, Hugin will delete Customer Personal Data within a commercially reasonable period, except (a) Customer-controlled deletion/export features which the Customer may use directly, and (b) copies that must be retained by law or that exist in routine backups, which Hugin will delete on their normal cycle and continue to protect under this DPA. Hugin provides Customer-initiated export and deletion features as described in the Privacy Policy.

8. Personal Data Breach

Hugin will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help the Customer meet its breach-notification obligations, and take reasonable steps to mitigate and remediate. Hugin's notification is not an acknowledgment of fault or liability.

9. International Transfers

To the extent Hugin's processing of Customer Personal Data involves a transfer from the EEA, UK, or Switzerland (or another jurisdiction requiring a transfer mechanism) to a country without an adequacy decision — including processing by Hugin in Nigeria or by Subprocessors in the United States — the Standard Contractual Clauses are hereby incorporated into this DPA by reference and apply to that transfer, with Hugin (and relevant Subprocessors) as data importer and the Customer as data exporter:

  • Module Two (Controller-to-Processor) applies where the Customer is a Controller; Module Three (Processor-to-Processor) applies where the Customer is itself a processor.
  • For Clause 7 (docking), the optional clause applies. For Clause 9, Option 2 (general written authorization) applies, with the notice period in Section 4. For Clause 11, the optional redress clause does not apply. For Clause 17, the governing law is that of Ireland (or, where required, the EU Member State of the supervisory authority). For Clause 18, disputes are resolved before the courts of that jurisdiction. The Annexes of the SCCs are populated by Annexes A, B, and C of this DPA.
  • For transfers subject to the UK GDPR, the UK International Data Transfer Addendum applies to the SCCs. For Switzerland, the SCCs apply with references to the GDPR read as references to the Swiss FADP, and the Swiss FDPIC as a supervisory authority.

The parties will, where a transfer mechanism is invalidated or additional measures are required, work in good faith to implement an alternative valid mechanism and appropriate supplementary measures (such as encryption).

10. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. This DPA does not limit any rights a Data Subject may have under Data Protection Laws.

11. Term and Governing Law

This DPA takes effect on the effective date of the Agreement and continues until Hugin ceases processing Customer Personal Data. Except where the SCCs require otherwise for a specific transfer, this DPA is governed by the law and jurisdiction stated in the Agreement.


Annex A — Description of Processing

  • Subject matter: Hugin's provision of the Service (organizational context infrastructure) to the Customer.
  • Duration: for the term of the Agreement and until deletion/return under Section 7.
  • Nature and purpose: connecting approved sources; ingesting, normalizing, indexing, embedding, redacting, storing, retrieving, and serving Customer Data to authorized AI tools at the Customer's direction; security, support, and billing related to the Service.
  • Types of Personal Data: as determined by the Customer's configuration and connected sources — may include names, contact details, identifiers, employment and organizational information, communications and message content, documents and files, calendar and meeting data, support and ticket data, and any other Personal Data the Customer chooses to connect or submit. The Customer should not connect special-category data unless permitted under the Agreement and applicable law.
  • Categories of Data Subjects: as determined by the Customer — may include the Customer's personnel, contractors, customers, prospects, partners, and other individuals referenced in connected sources.
  • Frequency: continuous/at the Customer's direction.

Annex B — Technical and Organizational Measures

Hugin maintains measures appropriate to the risk, including:

  • Access control & isolation: multi-tenant isolation enforced by database row-level security; role-based access checks resolved server-side; least-privilege service boundaries; invitation-only administrative access.
  • Encryption: ingested source content encrypted at rest using AES-256-GCM; encryption in transit via HTTPS/TLS; access tokens and consumer credentials stored as cryptographic hashes; encrypted backup credentials.
  • Network & application security: private storage with short-lived signed URLs; webhook signature verification; rate limiting and idempotency; bot/abuse protection (CAPTCHA) on authentication; always-on prompt-injection detection on retrieval; circuit breakers and concurrency controls.
  • Data minimization & redaction: sanitized analytics (sensitive values stripped before analytics); optional redaction at ingestion and on retrieval; storage of hashes rather than content for model-execution records.
  • AI processing: model traffic routed in zero-data-retention mode; no use of Customer Data to train AI models.
  • Operational: secrets held in managed environment configuration; trace and audit logging; environment separation (staging vs production); change-managed deployment via CI/CD.
  • Deletion: Customer-initiated source and workspace deletion with confirmation safeguards, batched purge, and deletion-signal propagation from connected sources.

These measures may be updated as the Service evolves, provided the level of protection is not materially decreased.

Annex C — Subprocessors

The current list of Subprocessors — with purpose, data categories, and location — is maintained at the Subprocessors page and is incorporated here by reference.

Contact

Fixeon AI Labs

No.2 Haile Selassie Street, Asokoro, Abuja, Nigeria

fixeonai@gmail.com