Data Processing Agreement
Instructions
When to use: This Data Processing Agreement (DPA) is required whenever Honeycomb engages a third-party data processor or when a business customer requires a DPA as part of their contractual relationship with the platform. Under GDPR Article 28(3), processing by a processor must be governed by a contract that sets out the subject matter, duration, nature, and purpose of the processing, the type of Personal Data and categories of data subjects, and the obligations and rights of the Controller.
Who fills it out: The legal or compliance team, in coordination with the engineering team (for technical security measures) and the business team (for commercial terms).
When it is needed:
- Onboarding a new sub-processor that will handle personal data
- A B2B customer or enterprise client requests a DPA
- Reviewing or renewing existing processor relationships
Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into as of [EFFECTIVE_DATE] (“Effective Date”) by and between:
Controller:
- Name: [CONTROLLER_NAME]
- Address: [CONTROLLER_ADDRESS]
(hereinafter the “Controller”)
Processor:
- Name: [PROCESSOR_NAME]
- Address: [PROCESSOR_ADDRESS]
(hereinafter the “Processor”)
Each a “Party” and together the “Parties.”
1. Definitions
1.1. “Personal Data” means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
1.2. “Processing” means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.
1.3. “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
1.4. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
1.5. “Applicable Data Protection Law” means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR (Regulation (EU) 2016/679), the UK GDPR, and any applicable national implementing legislation.
2. Subject Matter, Duration, and Scope
2.1. Subject Matter. This DPA governs the processing of Personal Data by the Processor on behalf of the Controller in connection with the services provided by the Processor under the Parties’ principal services agreement (the “Services Agreement”).
2.2. Duration. This DPA shall remain in effect for the duration of the Services Agreement and shall automatically terminate upon the termination or expiration of the Services Agreement, subject to Section 10 (Data Return and Deletion).
2.3. Nature and Purpose of Processing. The Processor processes Personal Data for the purpose of providing the Honeycomb platform services, including but not limited to: user account management, social commerce features, marketplace transactions, payment processing, AI-powered features, content delivery, messaging, analytics, and platform administration.
3. Categories of Data
3.1. Categories of Personal Data processed include:
- User profile information (name, email, username, profile photo, bio)
- Posts, comments, and social content
- Direct messages and communications
- Marketplace transaction records and purchase history
- Payment and billing information
- AI interaction logs (prompts, responses, preferences)
- Media uploads (images, videos, documents)
- Analytics and usage data (page views, session data, feature usage)
- Device and browser information
- IP addresses and geolocation data
- E-signature records
- Affiliate and referral tracking data
- App extension usage and configuration data
3.2. Categories of Data Subjects:
- Registered platform users (age 18+)
- Marketplace sellers and course creators
- Marketplace buyers and customers
- Affiliate partners
- Platform administrators
4. Controller Obligations
4.1. The Controller shall:
(a) Ensure that it has a lawful basis for processing Personal Data and for instructing the Processor to process Personal Data on its behalf;
(b) Provide documented instructions to the Processor regarding the processing of Personal Data;
(c) Ensure compliance with Applicable Data Protection Law with respect to its own obligations as a Controller;
(d) Notify the Processor without undue delay of any data subject requests received directly, to the extent the Processor’s assistance is required to fulfill such requests;
(e) Conduct data protection impact assessments where required by Applicable Data Protection Law.
5. Processor Obligations
5.1. Processing on Instructions. The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
5.2. Confidentiality. The Processor shall ensure that all persons authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
5.3. Security Measures. The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set out in Section 7 (Annex B) of this DPA.
5.4. Sub-processors. The Processor shall not engage a Sub-processor without the prior specific or general written authorization of the Controller. Where general authorization is given, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller an opportunity to object. The Processor shall impose the same data protection obligations as set out in this DPA on any Sub-processor by way of a written contract.
5.5. Assistance with Data Subject Rights. The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to data subject requests under Chapter III of the GDPR.
5.6. Data Breach Notification. The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Data Breach. The notification shall include the details specified in Section 8 of this DPA.
5.7. Deletion and Return. Upon termination of the Services Agreement, the Processor shall, at the Controller’s election, delete or return all Personal Data and delete existing copies, unless applicable law requires continued storage. See Section 10.
5.8. Audit and Inspection. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. See Section 9.
5.9. Data Protection Impact Assessments. The Processor shall provide reasonable assistance to the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required under Articles 35 and 36 of the GDPR.
5.10. International Transfers. The Processor shall not transfer Personal Data to a country outside the European Economic Area (EEA) or the United Kingdom without ensuring that adequate safeguards are in place, such as Standard Contractual Clauses approved by the European Commission, binding corporate rules, or an adequacy decision.
6. Authorized Sub-processors
6.1. The Controller hereby grants general authorization for the Processor to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, user authentication, file storage | United States |
| Stripe, Inc. | Payment processing, marketplace payouts (Stripe Connect) | United States |
| OpenAI, LLC | AI-powered features, content generation, prompt processing | United States |
| Cloudflare, Inc. | Content delivery, hosting, DDoS protection, edge computing | United States (global edge network) |
6.2. The Processor shall maintain an up-to-date list of Sub-processors and shall provide this list to the Controller upon request.
6.3. The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of a Sub-processor, providing the Controller with an opportunity to object. If the Controller objects on reasonable grounds related to data protection, the Parties shall discuss the matter in good faith. If no resolution is reached, the Controller may terminate the affected services without penalty.
7. Security Measures
7.1. The Processor shall implement and maintain the following technical and organizational security measures (Annex B):
Encryption:
- Encryption of Personal Data in transit using TLS 1.2 or higher
- Encryption of Personal Data at rest using AES-256 or equivalent
- Encryption of database backups
Access Controls:
- Role-based access control (RBAC) for all systems containing Personal Data
- Multi-factor authentication (MFA) for administrative access
- Principle of least privilege applied to all data access
- Regular access reviews (at minimum, quarterly)
Incident Response:
- Documented incident response plan with defined roles and responsibilities
- Regular testing of incident response procedures
- Designated incident response team with 24/7 availability for critical incidents
Infrastructure Security:
- Regular vulnerability scanning and penetration testing
- Patch management with defined timelines for critical vulnerabilities
- Network segmentation and firewall protections
- Logging and monitoring of access to systems containing Personal Data
Organizational Measures:
- Data protection training for all personnel with access to Personal Data
- Background checks for personnel with access to sensitive data
- Clean desk and clear screen policies
- Documented data retention and disposal procedures
8. Data Breach Notification
8.1. The Processor shall notify the Controller of any Data Breach without undue delay and in any event within 72 hours of becoming aware of the breach.
8.2. The notification shall include, to the extent available:
(a) A description of the nature of the Data Breach, including the categories and approximate number of data subjects and Personal Data records concerned;
(b) The name and contact details of the Processor’s data protection officer or other contact point;
(c) A description of the likely consequences of the Data Breach;
(d) A description of the measures taken or proposed to be taken to address the Data Breach, including measures to mitigate its possible adverse effects.
8.3. Where it is not possible to provide all information at the time of notification, the Processor shall provide information in phases without further undue delay.
8.4. The Processor shall cooperate with the Controller and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of the Data Breach.
9. Audit Rights
9.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA.
9.2. The Controller may conduct audits, including inspections of the Processor’s facilities and systems, upon reasonable notice of not less than 30 days. Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor’s operations.
9.3. The Controller may engage a qualified, independent third-party auditor to conduct audits on its behalf, provided the auditor is bound by appropriate confidentiality obligations.
9.4. The Processor may satisfy audit requests by providing the Controller with relevant third-party audit reports or certifications (such as SOC 2 Type II or ISO 27001), provided they are current and relevant to the services.
9.5. The costs of audits shall be borne by the Controller, unless the audit reveals material non-compliance by the Processor, in which case the Processor shall bear the reasonable costs of the audit.
10. Data Return and Deletion
10.1. Upon termination or expiration of the Services Agreement, the Processor shall, at the Controller’s written election:
(a) Return all Personal Data to the Controller in a commonly used, machine-readable format; or
(b) Securely delete all Personal Data and certify such deletion in writing.
10.2. The Controller shall make its election within 30 days of the termination or expiration of the Services Agreement. If the Controller does not make an election within this period, the Processor shall delete all Personal Data.
10.3. The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor shall ensure the confidentiality of such data and shall process it only for the purpose required by law.
11. Liability
11.1. Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Services Agreement.
11.2. Nothing in this DPA shall limit either Party’s liability for breaches of Applicable Data Protection Law to the extent such limitation is not permitted under applicable law.
12. Governing Law and Dispute Resolution
12.1. This DPA shall be governed by and construed in accordance with the laws of [GOVERNING_LAW_JURISDICTION].
12.2. Any disputes arising under this DPA shall be resolved in accordance with the dispute resolution provisions of the Services Agreement.
13. General Provisions
13.1. Entire Agreement. This DPA, together with the Services Agreement, constitutes the entire agreement between the Parties with respect to the processing of Personal Data and supersedes all prior agreements and understandings.
13.2. Amendments. This DPA may only be amended in writing, signed by both Parties.
13.3. Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
13.4. Precedence. In the event of a conflict between this DPA and the Services Agreement, this DPA shall prevail with respect to the processing of Personal Data.
Signature
Controller:
Signature: ___________________________
Name: [CONTROLLER_SIGNATORY_NAME]
Title: [CONTROLLER_SIGNATORY_TITLE]
Date: [DATE]
Processor:
Signature: ___________________________
Name: [PROCESSOR_SIGNATORY_NAME]
Title: [PROCESSOR_SIGNATORY_TITLE]
Date: [DATE]
Notes for Counsel
- Article 28 Compliance. This template is drafted to comply with GDPR Article 28(3). Review against the specific requirements of the jurisdiction to ensure all mandatory provisions are present, including any national implementing legislation. Note that the 72-hour window in Sections 5.6 and 8.1 is the same period the Controller has under Article 33(1) to notify the supervisory authority; Article 33(2) requires the Processor to notify the Controller without undue delay, so consider a shorter contractual window so that the Controller retains time to meet its own deadline.
- Standard Contractual Clauses. If Personal Data will be transferred outside the EEA, consider whether the EU Standard Contractual Clauses (SCCs) adopted by the European Commission should be appended as an annex to this DPA.
- UK Addendum. For UK data subjects, consider appending the UK International Data Transfer Addendum to the EU SCCs, as issued by the UK Information Commissioner’s Office.
- Sub-processor List. The sub-processor list in Section 6 reflects the platform’s current architecture. Update this list whenever a new sub-processor is engaged. Establish an internal process for the 30-day notice requirement in Section 6.3.
- Security Measures. The security measures in Section 7 should be validated by the engineering team and updated to reflect actual implemented controls; do not commit contractually to a control (for example, quarterly access reviews or 24/7 incident response availability) that is not in place. Consider requesting SOC 2 Type II reports from each sub-processor.
- AI Processing. OpenAI processing of user prompts and content raises specific considerations under GDPR, including purpose limitation, data minimization, and automated decision-making under Article 22. Ensure the platform’s privacy notice adequately discloses AI processing.
- Stripe Connect. Stripe acts as both a processor (for payment data on behalf of the platform) and an independent controller (for its own fraud prevention and compliance purposes). The DPA should reflect this dual role where applicable.