Data Processing Addendum
Last updated: May 16, 2026
This Data Processing Addendum is published in English, German, Simplified Chinese, Spanish, and Hungarian. In the event of a conflict between language versions, the English version prevails. The Standard Contractual Clauses incorporated by reference are governed by their authoritative texts as published in the Official Journal of the European Union.
This Data Processing Addendum (the "DPA") forms part of the Master Services Agreement, the Terms of Service, or any other written or electronic agreement between Haltless Kft. ("Haltless") and the customer identified in that agreement ("Customer") for the provision of the Haltless Services (collectively, the "Agreement"). The DPA governs the processing of Customer Personal Data by Haltless in connection with the Services. In the event of conflict between the Agreement and this DPA on data protection matters, this DPA prevails to the extent of the conflict. Haltless may update this DPA from time to time to reflect changes in applicable law or in the Services, with notice provided in accordance with the Agreement.
1. Definitions
The terms "controller", "processor", "data subject", "personal data", "processing", and "supervisory authority" have the meanings given to them in the GDPR. Other capitalised terms used but not defined herein have the meanings given in the Agreement. The following definitions also apply:
- "Applicable Data Protection Law"
- All laws and regulations applicable to the processing of Customer Personal Data under this DPA, including: (i) Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"); (ii) the UK Data Protection Act 2018 and the UK GDPR; (iii) the Swiss Federal Act on Data Protection; (iv) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA"); (v) the Personal Information Protection Law of the People's Republic of China ("PIPL"); and (vi) any other applicable data protection or privacy law, in each case as amended, replaced, or supplemented from time to time.
- "Customer Personal Data"
- Any personal data that Haltless processes on behalf of Customer in connection with the Services. Customer Personal Data does not include the personal data of Customer's billing contacts processed by Haltless or Paddle as an independent controller for billing, taxation, fraud prevention, or compliance purposes.
- "Personal Data Breach"
- A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored, or otherwise processed under this DPA.
- "Permitted Purpose"
- Processing necessary for the performance of the Services in accordance with Customer's documented instructions, including any instructions reasonably inferred from Customer's configuration and use of the Services, the Agreement, and this DPA.
- "SCCs"
- The Standard Contractual Clauses for the transfer of personal data to third countries pursuant to the GDPR, as set out in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as may be amended or replaced from time to time. In this DPA, the SCCs refer to Module Two (controller to processor) when Customer is a controller, and Module Three (processor to processor) when Customer is itself a processor acting on behalf of its own controller.
- "Sub-processor"
- Any third party engaged by Haltless to process Customer Personal Data on behalf of Customer in connection with the Services. Affiliates of Haltless that process Customer Personal Data are also treated as Sub-processors.
- "UK Addendum"
- The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, version B1.0, issued by the UK Information Commissioner and in force from 21 March 2022, as may be amended or replaced from time to time.
- "China Standard Contract"
- The Standard Contract for the Cross-border Transfer of Personal Information issued by the Cyberspace Administration of China, effective 1 June 2023, as may be amended from time to time.
2. Roles, scope, and duration
Customer acts as a controller (or as a processor acting on behalf of a third-party controller) with respect to Customer Personal Data and appoints Haltless as a processor. Haltless will process Customer Personal Data only for the Permitted Purpose. The categories of data subjects, categories of Customer Personal Data, processing operations, and other particulars of the processing are described in Annex I.
This DPA applies for as long as Haltless processes Customer Personal Data, which corresponds to the duration of the Agreement and any additional period required to fulfil the obligations set out in Section 12 (Return or deletion) and any retention obligations under applicable law.
Where Customer is itself a processor acting on behalf of a third-party controller, Customer warrants that it has obtained all necessary authorisations from that controller to enter into this DPA, and that the controller has approved the engagement of Haltless and its Sub-processors.
3. Compliance with applicable law
Each party will comply with the Applicable Data Protection Law that applies to it. Customer is responsible for ensuring that it has a valid legal basis for the processing carried out under the Services, that the data subjects have been provided with all information required under Articles 13 and 14 of the GDPR (and equivalent provisions of other Applicable Data Protection Law), and that any required consents have been obtained. Haltless is responsible for the obligations that apply to it as a processor. Haltless will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, but Haltless is under no obligation to actively monitor Customer's compliance.
4. Customer instructions and prohibited categories
Haltless will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organisation, unless required to do otherwise by Union or Member State law to which Haltless is subject; in such a case, Haltless will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Agreement, this DPA, and Customer's use and configuration of the Services constitute Customer's documented instructions.
Customer must not submit, and must not permit data subjects to submit, the following categories of personal data to the Services: special categories of personal data within the meaning of Article 9 GDPR (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation), data relating to criminal convictions and offences (Article 10 GDPR), payment card data subject to PCI DSS, government-issued identification numbers, or the personal data of children under 16 years of age. The Services are not configured to process these categories, and Haltless accepts no liability arising from their submission in breach of this Section.
5. Confidentiality of authorised personnel
Haltless will ensure that any natural person acting under its authority and processing Customer Personal Data, including its employees, contractors, and agents, is bound by a written confidentiality obligation or is under an appropriate statutory obligation of confidentiality, and processes Customer Personal Data only on instructions from Haltless that are consistent with this DPA. Confidentiality obligations survive termination of the relationship with the relevant person.
6. Security of processing
Taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Haltless implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Annex II. Haltless reviews and updates these measures periodically. Haltless may update Annex II from time to time provided that the updated measures continue to provide a level of security that is materially equivalent to or higher than the measures in effect on the date this DPA is entered into.
7. Sub-processors
Customer grants Haltless a general authorisation to engage Sub-processors to process Customer Personal Data, subject to the conditions of this Section. The list of Sub-processors in effect on the date of this DPA is set out in Annex III and is also published at the URL specified in Annex III.
Haltless will inform Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days before the change takes effect, by updating the published list and providing a notification mechanism to which Customer may subscribe. Customer may object in writing to a proposed Sub-processor change on reasonable data protection grounds within fifteen (15) days of notification. If the parties cannot agree on a resolution within thirty (30) days of the objection, Customer may terminate the affected portion of the Services that cannot be provided without the Sub-processor, with a pro-rata refund of any prepaid fees for the unused portion of the term.
Where Haltless engages a Sub-processor, it will impose on that Sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA, including the obligations applicable to Haltless under Articles 28 and 32 GDPR. Haltless remains fully liable to Customer for the performance of each Sub-processor of its data protection obligations.
8. Data subject rights assistance
Taking into account the nature of the processing, Haltless will assist Customer by appropriate technical and organisational measures, insofar as this is possible, to fulfil Customer's obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law (including the rights of access, rectification, erasure, restriction of processing, data portability, and objection). The Services provide self-service tools that allow Customer to access, export, correct, or delete Customer Personal Data. If a data subject contacts Haltless directly with a rights request related to Customer Personal Data, Haltless will not respond substantively and will forward the request to Customer without undue delay.
9. Personal Data Breach notification
Haltless will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data. The initial notification will be provided to the security contact designated in Customer's account, or, if no such contact is designated, to Customer's primary administrator.
The notification will include, to the extent then known: (i) a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned; (ii) the likely consequences of the breach; (iii) the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects; and (iv) the contact point at Haltless from which more information may be obtained. Where information cannot be provided at the same time, it will be provided in phases without undue further delay. Haltless will cooperate with Customer and provide reasonable assistance to enable Customer to comply with its own notification obligations to supervisory authorities and data subjects under Articles 33 and 34 GDPR (and equivalent provisions of other Applicable Data Protection Law).
10. Data Protection Impact Assessments and prior consultation
Taking into account the nature of the processing and the information available to Haltless, Haltless will provide reasonable assistance to Customer (at Customer's expense) with any data protection impact assessment and any prior consultation with a supervisory authority that Customer is required to carry out under Articles 35 and 36 GDPR (or equivalent provisions of other Applicable Data Protection Law) in relation to the processing of Customer Personal Data by Haltless. This assistance may include the provision of the information set out in this DPA, in Annex I, in Annex II, and in the Trust and Security Center at haltless.io/security.
11. International data transfers
Where the processing of Customer Personal Data involves a transfer from the European Economic Area, the United Kingdom, or Switzerland to a country that does not benefit from an adequacy decision under Applicable Data Protection Law, the parties incorporate by reference Module Two of the SCCs (controller to processor), or Module Three (processor to processor) where Customer acts as a processor, with the following selections: Clause 7 (docking clause) is included; Clause 9, option 2 (general written authorisation) applies with the thirty (30) day prior notice period set out in Section 7; Clause 11(a) optional language is excluded; Clause 17 (governing law) is the law of Hungary; Clause 18 (forum) designates the courts of Hungary; and the Annexes to the SCCs are completed by reference to Annex I, Annex II, and Annex III of this DPA.
For transfers of personal data subject to the UK GDPR, the UK Addendum is incorporated by reference and completed using the information in Annex I, Annex II, and Annex III of this DPA. Tables 1, 2, and 3 of the UK Addendum are populated by the SCCs as completed in this DPA, and Table 4 indicates that the data importer may end the UK Addendum where this is permitted.
For transfers subject to the Swiss Federal Act on Data Protection, the SCCs apply with the following adaptations: references to the GDPR are interpreted as references to the Swiss Federal Act on Data Protection where relevant; the term "Member State" is interpreted in a way that does not exclude data subjects in Switzerland from invoking their rights; and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
For transfers of personal information of individuals located in mainland China that are subject to the PIPL and the cross-border transfer rules issued by the Cyberspace Administration of China, the parties will use the China Standard Contract or another lawful mechanism (such as a security assessment or certification) as may be required given the volume and sensitivity of the transferred personal information. Customer is responsible for any filings or assessments required of it as the personal information handler; Haltless will provide reasonable cooperation, including the information necessary to complete the Standard Contract.
The parties acknowledge that Haltless may transfer Customer Personal Data to recipients in the United States that have self-certified under the EU-US Data Privacy Framework, the UK Extension to the EU-US Data Privacy Framework, or the Swiss-US Data Privacy Framework. Where such transfers occur, the certified recipient relies on the relevant Framework. Where the recipient is not certified or the relevant Framework is no longer in force, the SCCs apply as set out in this Section.
12. Return or deletion of Personal Data
At the choice of Customer, Haltless will delete or return all Customer Personal Data after the end of the provision of the Services and will delete existing copies, unless Union or Member State law requires retention. During the term of the Agreement, Customer may export Customer Personal Data at any time using the export tools provided by the Services. After termination or expiration of the Agreement, Customer has thirty (30) days to request retrieval of Customer Personal Data; after this period, Haltless will delete Customer Personal Data from production systems within sixty (60) days and from encrypted backups in accordance with the backup rotation schedule described in Annex II.
Where Haltless is required by Union or Member State law to retain Customer Personal Data beyond the deletion timelines set out above, Haltless will isolate the data, restrict further processing to the retention purpose, and delete the data once the retention obligation expires. Haltless may retain anonymised or aggregated data that no longer identifies any data subject for its own purposes, consistent with the Agreement.
13. Audits and inspections
Haltless maintains independent third-party assessments and certifications of its information security program, including ISO 27001 alignment and equivalent attestations, as listed at haltless.io/security. Customer may request a summary of the most recent audit report and supporting documentation by emailing privacy@haltless.io. Such information is Haltless Confidential Information and is provided subject to the confidentiality obligations of the Agreement.
In addition, Customer may, on reasonable prior written notice and no more than once per calendar year (except where a Personal Data Breach affecting Customer Personal Data has occurred), conduct an audit of Haltless's compliance with this DPA. The audit will be conducted during normal business hours, at Customer's cost, by Customer or by an independent third-party auditor bound by appropriate confidentiality obligations. The scope of the audit must not require disclosure of information that would compromise the security, confidentiality, or business interests of Haltless or its other customers. The parties will agree the audit scope, methodology, and timing in good faith.
14. California Consumer Privacy Act terms
For the purposes of the CCPA, Customer is the "business" and Haltless is a "service provider" or "contractor" with respect to Customer Personal Data, as those terms are defined in the CCPA. Haltless will: (i) process Customer Personal Data only for the limited and specified business purposes set out in the Agreement and this DPA; (ii) not sell or share (as those terms are defined in the CCPA) Customer Personal Data; (iii) not retain, use, or disclose Customer Personal Data for any purpose other than the business purposes specified, or outside the direct business relationship with Customer; (iv) not combine Customer Personal Data with personal information that Haltless receives from other persons, except as permitted by the CCPA; and (v) notify Customer if Haltless determines it can no longer meet its CCPA obligations.
Haltless will assist Customer with responses to verified consumer requests under the CCPA, including requests to know, delete, correct, and opt-out of sale or sharing. Customer is responsible for verifying the identity of the requesting consumer and for determining whether to respond. Customer grants Haltless the right, at any time, to take reasonable and appropriate steps to stop and remediate any unauthorised use of Customer Personal Data.
15. Edge Agent and industrial-control data
The Haltless Edge Agent runs on Customer-controlled infrastructure and reads from industrial endpoints (such as OPC UA servers, Modbus devices, and historian databases) that Customer explicitly configures. The Edge Agent does not read from endpoints that Customer has not configured. Industrial telemetry (sensor readings, machine state, event counters) is generally not personal data; however, ancillary fields entered by Customer or by its operators, such as supervisor names, operator names, and shift annotations, may constitute personal data and are treated as Customer Personal Data under this DPA.
Customer is responsible for the host environment of the Edge Agent, including operating system patching, network segmentation, electrical supply, and the credentials used to access industrial endpoints. Haltless is not responsible for damage to programmable logic controllers, human-machine interfaces, or other industrial equipment caused by Customer configuration errors or by the act of a third party. The Services are a monitoring and analytics platform; they are not a safety-instrumented system within the meaning of IEC 61511, and Customer must not rely solely on the Services for safety-critical control decisions. Customer remains responsible for compliance with sector-specific cybersecurity obligations applicable to its operations, including under Directive (EU) 2022/2555 (NIS2) and Regulation (EU) 2024/2847 (Cyber Resilience Act) where applicable.
16. Liability
Each party's liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the Agreement, which apply to the aggregate liability of the parties under the Agreement and this DPA taken together. Nothing in this DPA limits the liability of either party for damages caused to a data subject under Article 82 GDPR, for breach of a third-party beneficiary right under the SCCs, for indemnification obligations, for fraud or wilful misconduct, for breach of confidentiality, or for any liability that cannot be excluded or limited under Applicable Data Protection Law.
17. Term, order of precedence, and survival
This DPA is effective from the date the parties enter into the Agreement and continues for so long as Haltless processes Customer Personal Data. Termination of the Agreement does not relieve either party of obligations that by their nature survive, including those concerning return or deletion of Customer Personal Data, confidentiality, audit rights for processing that occurred during the term, liability, and governing law.
In the event of conflict, the order of precedence is: (i) the SCCs (and the UK Addendum and the China Standard Contract, as applicable) to the extent they apply; (ii) this DPA; and (iii) the Agreement. Where Haltless updates its sub-processor list, its technical and organisational measures, or its security documentation, those updates take effect upon publication subject to the notification and objection rights set out in this DPA.
18. Governing law and jurisdiction
This DPA is governed by the laws of Hungary, excluding its conflict-of-laws principles, except where the SCCs, the UK Addendum, or the China Standard Contract require a different governing law for the matters they regulate. The courts of Budapest, Hungary have exclusive jurisdiction over any dispute arising out of or in connection with this DPA, without prejudice to the rights of data subjects to bring proceedings in the courts of their habitual residence as provided by the SCCs and Applicable Data Protection Law.
Where Customer is established in the European Union, the United Kingdom, or Switzerland and a mandatory provision of the law of that jurisdiction requires the application of a different governing law to specific aspects of the processing of Customer Personal Data, that mandatory provision applies to the extent required.
Annex I. Description of processing
Categories of data subjects
Haltless processes the following categories of data subjects on behalf of Customer: Customer's employees, contractors, and other authorised users of the Services; Customer's operators, supervisors, maintenance technicians, and other shift personnel whose names appear in shift logs, work-order records, or audit trails; and individuals whose contact details are stored in Customer's configuration of the Services (such as escalation contacts and on-call rosters).
Categories of personal data
Customer may submit the following categories of personal data through the Services, the extent and content of which is determined by Customer:
| Identifiers and contact data | Full name, work email address, work phone number, job title, employer name, postal address where provided. |
|---|---|
| Authentication and security artifacts | Hashed passwords, multi-factor authentication secrets, single sign-on subject identifiers, session identifiers, device fingerprints, IP addresses, browser and operating system metadata. |
| Audit-trail data | Actor user identifiers, IP addresses, timestamps, action types, target resource identifiers, and request metadata captured for security, compliance, and forensic purposes. |
| Shift and operational records | Operator names, supervisor names, shift annotations, work-order comments, and ancillary fields entered by Customer's personnel while operating the Services. |
| Support and communication data | Names, contact details, and content of communications between Customer's personnel and Haltless support, including ticket bodies, attachments, and call recordings where applicable. |
| Push and notification endpoints | VAPID push subscription endpoints (Apple Push Notification, Firebase Cloud Messaging, Mozilla autopush), notification preferences, and delivery receipts. |
| Billing-related personal data | Names, email addresses, billing addresses, and tax identifiers of billing contacts, processed by Paddle as merchant of record. Haltless receives a limited subset of this data for account administration. |
| Marketing attribution data | UTM parameters, referrer URLs, marketing consent timestamps, and engagement records, where Customer's personnel have opted into marketing communications. |
Sensitive data
No special categories of personal data within the meaning of Article 9 GDPR and no data relating to criminal convictions and offences within the meaning of Article 10 GDPR are intended to be processed under this DPA. Customer must not submit such data to the Services. The Services are not configured to apply the additional safeguards required for such data.
Frequency of processing
Continuous, for the duration of the Agreement, in line with Customer's use of the Services.
Nature and purpose of processing
Collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure by transmission to authorised users, alignment, combination, restriction, erasure, or destruction, in each case as necessary to provide the Services, to operate the platform securely, to comply with legal obligations, and to deliver support to Customer. Specific purposes include account provisioning and authentication, ingestion and presentation of industrial telemetry, generation of alerts and anomaly notifications, audit logging, security monitoring, customer support, and billing administration.
Retention
Personal data is retained for the duration set out in the Haltless Privacy Policy at haltless.io/privacy and in the Agreement. Audit-log records are retained for seven (7) years to support SOC 2 attestation and the legitimate interest in security forensics. Operational telemetry retention is configured per Customer plan (Pilot, Site, Enterprise). At the end of the Services, retention follows Section 12 of this DPA.
Competent supervisory authority
The Hungarian National Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, NAIH) acts as the competent supervisory authority. Where Customer is established in another EU Member State and Haltless's processing is principally connected to that establishment, the competent supervisory authority is the data protection authority of that Member State.
Annex II. Technical and organisational measures
Haltless implements and maintains the following technical and organisational measures, taking into account the nature, scope, context, and purposes of the processing and the risks to the rights and freedoms of natural persons. Haltless may update these measures over time provided that the updated measures continue to provide a level of security materially equivalent to or higher than those described below.
| Encryption in transit | TLS 1.2 or higher with modern cipher suites for all customer-facing connections. Strict Transport Security, certificate pinning on the Edge Agent control channel, and HSTS on web endpoints. |
|---|---|
| Encryption at rest | AES-256 encryption for production databases, object storage, and backups. Per-tenant key derivation where applicable, with keys managed by a hardened key-management service. |
| Access control | Role-based access control with least-privilege defaults, separation of duties between development, operations, and security roles, time-bound elevated access for production, and mandatory single sign-on with multi-factor authentication for all personnel accessing production systems. |
| Authentication and password hygiene | Customer authentication enforces strong password policies, bcrypt or Argon2 hashing, and support for TOTP and WebAuthn multi-factor authentication. Session tokens use HMAC-SHA256 signatures with short lifetimes and revocation on logout or compromise. |
| Network and infrastructure security | Defence-in-depth network segmentation, host-based firewalls, container image scanning, vulnerability management with prioritised remediation, and continuous monitoring of production infrastructure. |
| Application security | Secure software development lifecycle including code review, dependency scanning, static and dynamic analysis, secret detection, and periodic third-party penetration testing of customer-facing and Edge Agent components. |
| Logging and audit trails | Tamper-evident audit logs using an HMAC-SHA256 hash chain, retained for seven (7) years. Logs cover authentication events, privileged operations, configuration changes, and access to Customer Personal Data. |
| Backup and disaster recovery | Daily encrypted backups with off-region replication, regular restoration testing, documented recovery point objective and recovery time objective targets, and quarterly business continuity exercises. |
| Incident response | Documented incident response playbook with twenty-four-hour-a-day on-call coverage for high-severity events, predefined notification timelines including the seventy-two (72) hour breach notification commitment, and post-incident review for material events. |
| Personnel security | Background checks where lawful for personnel with access to production systems, mandatory written confidentiality undertakings, annual security and privacy awareness training, and segregation of administrative and personal accounts. |
| Physical security | Production environments hosted in ISO 27001 or SOC 2 attested data centres with physical access controls, environmental monitoring, and 24/7 surveillance operated by the underlying cloud provider. |
| Sub-processor governance | Documented sub-processor onboarding due diligence, contractual data protection terms equivalent to those imposed on Haltless, periodic review of sub-processor security posture, and the notification mechanism described in Section 7 of this DPA. |
Annex III. Sub-processors
Haltless engages the following Sub-processors to provide the Services. The current list, with the date of each addition or replacement, is published at haltless.io/security. Customer may subscribe to updates as described in Section 7 of this DPA.
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Cloud infrastructure provider | Hosting of production application servers, databases, object storage, and backups. | European Union (primary), with backup region within the EEA. |
| Paddle.com Market Limited | Merchant of record for sales, billing, tax determination and remittance, fraud prevention, and chargebacks. | United Kingdom and European Union. |
| Transactional email provider | Delivery of transactional emails (account verification, password reset, alerts, billing notifications). | European Union or United States (under EU-US Data Privacy Framework). |
| Push notification gateways | Delivery of web and mobile push notifications via Apple Push Notification service, Firebase Cloud Messaging, and Mozilla autopush. | United States and European Union, per provider routing. |
| Single sign-on identity providers | OpenID Connect federation with Google and Microsoft for account login where Customer opts in. | European Union and United States, per provider. |
| Error monitoring service | Capture and aggregation of application error events to support reliability engineering. Customer Personal Data is scrubbed before transmission. | European Union. |
| Customer support platform | Hosting of support tickets, knowledge base content, and customer communications initiated through the in-product support widget. | European Union. |
| Status and incident communication platform | Operation of status.haltless.io, including incident notifications and maintenance announcements. | European Union. |
| Observability and logging platform | Aggregation of application logs and metrics for operational monitoring. Customer Personal Data is minimised before transmission. | European Union. |
| Haltless affiliates | Engineering, support, and security operations performed by Haltless group entities under the same data protection terms as Haltless Kft. | European Union (Hungary). |
Additional Sub-processors may be engaged for ERP, MES, or CMMS integration only at Customer's instruction and only for the scope of the relevant integration. Such engagements are notified to Customer in accordance with Section 7 before any Customer Personal Data is transferred.
For questions regarding this DPA, to subscribe to Sub-processor notifications, or to coordinate an audit, contact privacy@haltless.io.