llms.txt
Request access to the Closed Beta and get credits to test Hydron.app

Data Processing Agreement

Last Updated: 12 June 2026

This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Hydron Terms of Service (the "Agreement") between UAB Vertex, company code 120320756, registered address Liepų 83, Klaipėda, Lithuania ("Vertex", "Processor"), and the customer agreeing to the Terms ("Client", "Controller"). It governs the processing of personal data carried out by Vertex on the Client's behalf in connection with the Service.

Where the GDPR or equivalent data protection law applies, the Client agrees to this DPA by accepting the Terms. In the event of conflict on data protection matters, this DPA prevails over the rest of the Agreement.

1. Definitions

Terms such as "personal data", "processing", "controller", "processor", "sub-processor", "data subject", "personal data breach", and "supervisory authority" have the meanings given in the GDPR (Regulation (EU) 2016/679). "Client Data" means personal data contained in the applications, databases, or workloads that the Client places on the infrastructure provided through the Service.

2. Roles and Scope

2.1 In respect of Client Data, the Client is the controller (or itself a processor acting for a third-party controller) and Vertex is the processor.

2.2 Vertex provides infrastructure — dedicated (bare-metal) servers and/or cloud capacity — and related provisioning, hosting, and maintenance. Vertex does not access, read, modify, structure, migrate, or otherwise use Client Data, and has no knowledge of its content, except as strictly necessary to provide maintenance and security or to follow the Client's documented instructions.

2.3 The Client determines what personal data is placed on the infrastructure, the purposes of processing, and how its applications and databases are configured. The subject matter, duration, nature and purpose of processing, types of personal data, and categories of data subjects are set out in Schedule 1 and are otherwise determined by the Client through its use of the Service.

3. Processor Obligations

Vertex shall:

(a) Instructions — process Client Data only on the Client's documented instructions, including those given through the Agreement and the Client's configuration and use of the Service, unless required to act otherwise by EU or Member State law (in which case Vertex will inform the Client, unless legally prohibited);

(b) Confidentiality — ensure that persons authorised to process Client Data are bound by appropriate confidentiality obligations;

(c) Security — implement and maintain the technical and organisational measures set out in Schedule 2, appropriate to the risk, in accordance with Art. 32 GDPR. The Client acknowledges that these measures operate at the infrastructure level and that the Client is responsible for security within its own applications, databases, and operating systems;

(d) Sub-processors — engage sub-processors only in accordance with Section 5;

(e) Assistance with data-subject requests — taking into account that Vertex does not access Client Data, provide reasonable assistance, by appropriate technical and organisational measures and insofar as possible, to help the Client respond to requests by data subjects. Because Vertex does not have visibility into the content of Client Data, the Client is responsible for locating, retrieving, correcting, and deleting personal data within its own applications and databases;

(f) Assistance with compliance — provide reasonable assistance to the Client with data protection impact assessments, prior consultations, and security obligations under Art. 32–36 GDPR, limited to information within Vertex's control as an infrastructure provider;

(g) Breach notification — notify the Client without undue delay after becoming aware of a personal data breach affecting the infrastructure or Client Data, with the information reasonably available to Vertex to assist the Client's own notification obligations;

(h) Deletion or return — upon termination of the Service, and at the Client's choice, delete or make available for return the Client Data, and delete existing copies unless EU or Member State law requires storage. Because the Client controls its own data, the Client is responsible for exporting its data before termination; following decommissioning, data on the infrastructure may be irretrievably deleted;

(i) Audit and information — make available to the Client information reasonably necessary to demonstrate compliance with this DPA and Art. 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Client or an auditor it mandates. Audits shall be on reasonable prior notice, no more than once per year (except where required by a supervisory authority or following a breach), during business hours, subject to confidentiality, and conducted so as not to disrupt the infrastructure or other clients. Vertex may satisfy audit requests by providing existing reports, certifications, or documentation where these reasonably address the Client's request.

4. Client Obligations

The Client:

(a) is solely responsible for the personal data it places on the infrastructure, for having a valid legal basis for the processing, and for compliance with its own obligations as controller;

(b) warrants that its instructions and use of the Service comply with applicable data protection law and do not require Vertex to act unlawfully;

(c) is responsible for configuring its applications and databases, for the lawfulness and accuracy of Client Data, for responding to its data subjects, and for maintaining its own backups;

(d) shall not place special-category personal data on the infrastructure in a manner requiring measures beyond those in Schedule 2 without first agreeing additional measures with Vertex in writing.

5. Sub-processors

5.1 The Client provides a general authorisation for Vertex to engage sub-processors to provide the infrastructure and Service, including the third-party infrastructure and cloud providers from which Vertex sources capacity.

5.2 A current list of sub-processors is maintained and made available to the Client on request and/or through the Service (see Schedule 3).

5.3 Vertex will impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains responsible for its sub-processors' performance.

5.4 Vertex will inform the Client of intended changes to sub-processors (by updating the list and/or by notice) and give the Client a reasonable opportunity to object on reasonable data-protection grounds. If an objection cannot be resolved, the Client's remedy is to terminate the affected Service.

6. International Transfers

Where processing of Client Data involves a transfer to, or access from, a country outside the EEA without an adequacy decision, the parties shall ensure an appropriate safeguard under Chapter V GDPR is in place — typically the European Commission's Standard Contractual Clauses (SCCs), which are incorporated by reference and completed in accordance with Schedule 1 — together with any supplementary measures required.

7. Liability

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

8. Term and Governing Law

8.1 This DPA takes effect when the Client accepts the Agreement and continues for as long as Vertex processes Client Data. Sections concerning confidentiality, deletion, liability, and governing law survive termination.

8.2 This DPA is governed by the laws of the Republic of Lithuania, and disputes are subject to the dispute-resolution provisions of the Agreement.

Schedule 1 — Details of Processing

  • Subject matter: Provision of hosting and infrastructure for the Client's applications, databases, and workloads through the Service.
  • Duration: For the term of the Agreement and until deletion or return of Client Data.
  • Nature and purpose: Storage, hosting, and maintenance of infrastructure on which the Client runs its own workloads. Vertex does not access Client Data content.
  • Types of personal data: Determined and controlled by the Client; may include any personal data the Client chooses to store (e.g. end-user account data such as names, email addresses, identifiers, and any other data within the Client's applications).
  • Categories of data subjects: Determined by the Client (e.g. the Client's own customers, users, employees, or contacts).
  • SCC details (where applicable): Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as appropriate; Vertex as data importer/exporter as relevant; docking clause and sub-processor option as completed by the parties.

Schedule 2 — Technical and Organisational Measures

Infrastructure-level measures maintained by Vertex include, as appropriate to the risk:

  • Encryption of data in transit (TLS) and encryption at rest for sensitive data and stored credentials
  • Access controls, authentication, and least-privilege administration for Vertex personnel
  • Secure key management for any credentials the Client provides
  • Network security, monitoring, and logging at the infrastructure level
  • Physical and environmental security provided by the underlying data-centre/infrastructure providers
  • Regular security review and vulnerability management
  • Staff confidentiality undertakings and security awareness

The Client is responsible for security measures within its own operating systems, applications, and databases (including application-level access control, patching of its own software, and encryption it chooses to apply to its own data).

Schedule 3 — Sub-processors

Vertex engages third-party infrastructure and cloud providers to deliver the Service, together with supporting service providers (for example, payment, analytics, email, and support tools). A current list, including the categories or identities of sub-processors and their processing role, is available to the Client on request and/or through the Service.

Hydron