Data Processing Agreement
Last Updated: 2025-10-27
Version: 1.0
Need a PDF copy? Contact support@hacksplaining.com to request a signed PDF version of this DPA.
1. Introduction and Scope
This Data Processing Agreement ("DPA") applies when Hacksplaining (Greenbelt Software LLC d/b/a Hacksplaining, "Provider," "we," "us") processes Personal Data on behalf of our customers ("Customer," "you") in connection with the Hacksplaining security training platform ("Services").
This DPA is incorporated into and forms part of our Terms of Service. By using our Services, you agree to this DPA.
2. Incorporation of Standard Terms
This DPA incorporates by reference the Common Paper Data Processing Agreement Standard Terms Version 1.1, available at: https://commonpaper.com/standards/data-processing-agreement/1.1
To the extent those Standard Terms refer to a "Cover Page," the information in this DPA serves that purpose.
3. Roles and Processing
Provider Role: We act as a Processor (or Subprocessor, if you are also a Processor) of Customer Personal Data.
Customer Role: You act as the Controller (or Processor, if applicable) and are responsible for determining the purposes and means of processing Personal Data.
Processing Instructions: We process Personal Data only to provide the Services as described in our Terms of Service and as necessary to maintain, support, and improve the Services.
4. Details of Processing (Annex I)
Nature and Purpose
We process Personal Data to provide security awareness training services, including:
- Delivering training content
- Tracking training completion and progress
- Generating reports on training activities
- Providing customer support
Duration
Personal Data is processed for the duration of your subscription and as necessary thereafter to comply with legal obligations.
Categories of Data Subjects
- Employees, contractors, and authorized users of Customer's organization
Categories of Personal Data
- Identification data: name, email address, phone number
- Organization affiliation data: company name, domain
- Training data: course completion status, quiz scores, training progress
- Technical data: IP address, browser type, device information
- Usage data: login times, login locations, course access patterns
- Authentication data: OAuth provider identities, password hashes (when applicable)
Special Categories of Data
We do not intentionally collect or process any Special Category Data as defined in Article 9 of the GDPR.
5. Security Measures (Annex II)
We implement appropriate technical and organizational security measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Technical Measures
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
- Access Controls: Role-based access, authentication requirements, principle of least privilege
- Network Security: Firewalls (when applicable)
- Monitoring: Event logging and monitoring
- Data Backup: Regular automated backups with encryption
- Security Updates: Timely application of security patches and updates
Organizational Measures
- Personnel: Background checks where applicable and legally permitted, security training
- Vendor Management: Security review of subprocessors and service providers
Infrastructure
- Cloud hosting infrastructure with industry-standard security certifications
- Data centers located in North America and Europe
These measures are periodically reviewed and updated to address evolving security threats.
6. Subprocessors
We engage third-party subprocessors to assist in providing the Services. Each subprocessor is bound by appropriate data protection obligations.
Current Subprocessors: A complete and current list of our subprocessors, including their name, location, and function, is maintained at:
https://hacksplaining.com/subprocessors
Subprocessor Updates:
- We will update the subprocessor list at least 10 business days before engaging any new subprocessor or replacing an existing one
- You may subscribe to email notifications of subprocessor changes at the above URL
- You may object to a new subprocessor within 30 days of notice by contacting support@hacksplaining.com
- If you object and we cannot resolve your concerns, you may terminate your subscription without penalty
All subprocessors are required to implement security measures at least as protective as those described in Section 5 of this DPA.
7. International Data Transfers
We may transfer Personal Data to countries outside the European Economic Area, United Kingdom, or Switzerland to provide the Services. When we do so, we implement appropriate safeguards as required by applicable data protection laws.
7.1 Transfers from the EU/EEA
For transfers of Personal Data from the European Economic Area to countries outside the EEA that do not have an adequacy decision from the European Commission:
- Transfer Mechanism: EU Standard Contractual Clauses (SCCs) as incorporated in Section 3.2 of the Common Paper Standard Terms
- Governing Member State: Ireland
- Supervisory Authority: Irish Data Protection Commission
- Dispute Resolution: Courts of Ireland
- SCCs Module:
  - Module Two applies when you are a Controller and we are a Processor
  - Module Three applies when you are a Processor and we are a Subprocessor
7.2 Transfers from the United Kingdom
For transfers of Personal Data from the United Kingdom to countries outside the UK that do not have adequacy regulations from the UK Secretary of State:
- Transfer Mechanism: UK International Data Transfer Addendum (UK IDTA) to the SCCs, as incorporated in Section 3.3 of the Common Paper Standard Terms
- Governing Law: Laws of England and Wales
- Supervisory Authority: UK Information Commissioner's Office (ICO)
- Dispute Resolution: Courts of England and Wales
7.3 Transfers from Switzerland
For transfers of Personal Data from Switzerland to countries outside Switzerland that do not have an adequacy decision:
- Transfer Mechanism: EU SCCs adapted for Swiss law as specified in Section 3.4 of the Common Paper Standard Terms
- References to GDPR: Interpreted as references to the Swiss Federal Data Protection Act
- Supervisory Authority: Swiss Federal Data Protection and Information Commissioner
- Dispute Resolution: Courts of Switzerland
7.4 Annexes
The information provided in Sections 4 (Details of Processing) and 5 (Security Measures) of this DPA satisfies the requirements of:
- Annex I and Annex II of the EU SCCs
- Annexes of the UK IDTA
- Requirements for Swiss data transfers
8. Your Obligations
As the Controller, you are responsible for:
- Ensuring you have a lawful basis to collect and process Personal Data
- Providing required notices to data subjects
- Obtaining necessary consents
- Ensuring Personal Data is accurate and up-to-date
- Complying with all applicable data protection laws
9. Data Subject Rights
We will assist you in responding to data subject requests (access, rectification, deletion, etc.) by:
- Providing tools within the Services to manage user data
- Responding to your requests for assistance within a reasonable timeframe
- Cooperating with you to fulfill data subject requests
10. Data Return and Deletion
Upon termination or expiration of your subscription:
- You may request a copy of your data during your subscription period and for 30 days thereafter
- We will delete or anonymize Personal Data within 180 days after termination, unless legally required to retain it
- Backups containing Personal Data may be retained for up to 365 days
11. Audits and Compliance
Upon request and under reasonable confidentiality terms, we will:
- Respond to reasonable security questionnaires (up to once annually)
- Cooperate with data protection impact assessments
12. Security Incidents
If we become aware of a Personal Data Breach, we will:
- Notify you without undue delay and no later than 72 hours after becoming aware
- Provide reasonable information about the breach
- Take reasonable steps to mitigate the breach
13. Limitation of Liability
Our liability under this DPA is subject to the limitations set forth in our Terms of Service.
14. Contact Information
Provider Details:
- Legal Entity: Greenbelt Software LLC d/b/a Hacksplaining
- Address: PO Box 17401, Seattle, WA, 98127, USA
- Contact: support@hacksplaining.com
15. Changes to this DPA
We may update this DPA to reflect changes in law or our practices. Material changes will be notified via email or through the Services with at least 30 days' notice.
Effective Date: October 27, 2025
This DPA is governed by the Common Paper Data Processing Agreement Standard Terms Version 1.1, which are incorporated by reference and available at:
https://commonpaper.com/standards/data-processing-agreement/1.1