This Data Processing Agreement ("DPA") forms part of the services agreement between Hyperion Finance, Inc. ("Hyperion", "Processor") and the business customer using the Services ("Customer", "Controller"), and applies when Hyperion processes Personal Data on behalf of the Customer.
In case of conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection.
With respect to the Personal Data processed by Hyperion under the services agreement, the Customer acts as Controller (or joint controller, as applicable), and Hyperion acts as Processor. Each party will comply with its respective obligations under the Data Protection Laws.
The subject matter of the processing is the provision of the Services described in the Terms of Service, including entity formation, automation of IVU (Puerto Rico sales and use tax) and municipal filings, integrations with third-party systems, and related communications. The duration of the processing coincides with the term of the services agreement, plus any additional period required by law for record retention.
Hyperion will process Personal Data solely for the purpose of providing the Services to the Customer and complying with the Customer's documented instructions, unless required otherwise by law.
Hyperion: (a) will process Personal Data only under the Customer's documented instructions (the Terms of Service and this DPA constitute such documented instructions); (b) will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations; (c) will implement appropriate technical and organizational measures to protect Personal Data (see Annex A); (d) will assist the Customer in fulfilling Data Subjects' requests to the extent reasonably possible; (e) will assist the Customer in conducting impact assessments, incident notifications, and consultations with data-protection authorities, to the extent reasonably possible; and (f) at the end of the agreement, will delete or return the Personal Data in accordance with Section 11.
The Customer grants Hyperion general authorization to engage sub-processors for the provision of the Services. An updated list is published at /en/legal/sub-processors. Hyperion will notify the Customer of significant changes to the list with at least fifteen (15) days' advance notice; during that period, the Customer may reasonably object, in which case the parties will negotiate in good faith an alternative solution or, if none can be agreed, the Customer may terminate the affected portion of the Service.
Hyperion will enter into an agreement with each sub-processor containing data-protection obligations substantially equivalent to those set forth herein, and will be responsible for the sub-processor's compliance.
Hyperion will implement reasonable and appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These measures, described further in Annex A, include, without limitation: encryption in transit (TLS) and, where technically feasible, encryption at rest; role-based access controls; multi-factor authentication for administrative access; environment segregation; activity monitoring; vulnerability management; and personnel training.
Hyperion will notify the Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Security Incident affecting the Customer's Personal Data. The notification will include, to the extent available, the nature of the incident, the categories and approximate volume of affected data, the measures taken or proposed, and a contact point.
Some Personal Data may be processed outside of Puerto Rico, including in the continental United States, the European Union, or other jurisdictions where sub-processors operate. For such transfers, Hyperion will implement appropriate legal mechanisms (for example, standard contractual clauses) where required by applicable law.
At the end of the services agreement, Hyperion will, at the Customer's option, return or delete the Personal Data in its possession, except where retention is required by applicable law (for example, tax record-retention requirements). Hyperion will confirm compliance with this obligation in writing.
Once per year, or more frequently if required by a regulatory authority, the Customer may request reasonable information demonstrating Hyperion's compliance with this DPA. Hyperion will provide, as applicable, compliance certifications, third-party audit reports (for example, SOC 2), or completed questionnaires. The Customer may also conduct on-site audits, subject to reasonable notice, during business hours, without disrupting Hyperion's operations, and under confidentiality agreements.
The limitations of liability set forth in the Terms of Service will apply to claims arising under this DPA, to the extent permitted by applicable law.
This DPA is governed by the laws of the Commonwealth of Puerto Rico, without prejudice to any data-protection mechanism required by foreign laws applicable to international transfers.
The updated list of sub-processors is maintained at /en/legal/sub-processors.