Expandigo

Data Processing Agreement

Version 1.0 - Last updated: 2026-04-20

Draft for legal review. Scaffolding aligned to Art. 28 GDPR and SCCs 2021/914. A countersigned version is available for enterprise customers on request to legal@expandigo.com.

In plain English

When you use Expandigo, you (Controller) entrust us (Processor) with personal data about your team, your prospects and your customers. This DPA sets out how we process it, the sub-processors we rely on, and the legal mechanisms for any transfers outside the European Economic Area.

1. Parties and scope

This Data Processing Agreement (the "DPA") supplements the Terms of Service between the Customer ("Controller") and Huberway LLC, EIN 35-2903558, 1309 Coffeen Avenue, Suite 1200, Sheridan, WY 82801, USA ("Processor", "Huberway"). It governs the processing of personal data carried out by Huberway on behalf of the Controller to provide the Service.

2. Subject-matter and duration

Subject-matter: processing of personal data in Customer Content to enable use of Expandigo (B2B sales workspace).
Duration: for the term of the Service plus the 30-day grace period, plus retention periods set in the Privacy Policy.
Nature and purpose: hosting, storage, search, enrichment, LLM-based generation, analytics, notifications.
Types of data: account data, workspace content, business contact data, usage metadata.
Categories of data subjects: Customer's employees, prospects, business contacts.

3. Processor obligations

Huberway shall:

  • Process personal data only on documented instructions of the Controller, including with regard to transfers.
  • Ensure personnel authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (see section 6).
  • Assist the Controller in responding to data subject requests.
  • Assist with DPIAs and consultations with supervisory authorities.
  • At the Controller's choice, delete or return personal data at the end of the Service.
  • Make available all information necessary to demonstrate compliance and allow audits.

4. Sub-processors

The Controller grants general authorization to engage the sub-processors listed in section 9. We will notify Controllers of any new sub-processor at least 30 days in advance via email to workspace administrators. The Controller may object on reasonable data protection grounds; if the parties cannot agree, the Controller may terminate the affected portion of the Service with a prorated refund.

5. International transfers

Huberway is established in the United States. Where personal data is transferred from the EEA, the UK or Switzerland to a third country without an adequacy decision, the parties rely on the Standard Contractual Clauses adopted by Commission Implementing Decision 2021/914 (Module Two, Controller to Processor), incorporated herein by reference. Technical measures include encryption in transit (TLS 1.2+) and at rest (AES-256), strict access controls, and EU-first data residency where available.

6. Security measures

Huberway implements:

  • Encryption - TLS 1.2+ in transit, AES-256 at rest, encrypted backups.
  • Access control - role-based permissions, least privilege, mandatory MFA for Huberway personnel.
  • Authentication - one-time passcodes; no passwords stored for end users.
  • Network - private VPC, WAF, DDoS mitigation, segmented production environment.
  • Operational - audit logging, vulnerability management, quarterly penetration tests.
  • People - background checks for production access, ongoing security training.
  • Compliance - SOC 2 Type II roadmap, ISO 27001 alignment.

7. Data breach notification

Huberway shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller's data, with the information required by Art. 33 GDPR to allow the Controller to meet its own notification obligations.

8. Data subject rights and deletion

Expandigo provides in-product tooling that allows Controller administrators to export, rectify or delete personal data without contacting support. On account closure, data moves to a 30-day read-only export window, after which it is permanently deleted from production systems and rotated out of encrypted backups within 30 days.

9. Current sub-processors

The table below lists every sub-processor that may process personal data under this DPA. Location is the primary processing region.

| Sub-processor | Purpose | Location | Transfer mechanism |
| --- | --- | --- | --- |
| Amazon Web Services, Inc. | Cloud hosting, compute, storage, managed databases. | EU (Frankfurt, Dublin); US regions for disaster recovery. | SCCs 2021/914 + AWS GDPR DPA + EU-first region policy. |
| Cloudflare, Inc. | CDN, DNS, bot mitigation, WAF. | Global edge network; EU data localization enabled. | SCCs 2021/914 + Cloudflare DPA. |
| Stripe, Inc. | Payment processing and invoicing. | US + Ireland (EU processing). | SCCs 2021/914 + Stripe DPA. |
| Resend, Inc. | Transactional email delivery. | US (EU region available). | SCCs 2021/914 + Resend DPA. |
| Plausible Insights OU | Privacy-friendly, cookieless website analytics. | Germany (EU). | EU-only processing, no transfers outside the EEA. |
| Anthropic, PBC | Large Language Model inference (Claude). | US. | SCCs 2021/914 + Anthropic zero-retention API setting. |
| OpenAI, L.L.C. | Large Language Model inference (GPT). | US (EU data residency available on enterprise tier). | SCCs 2021/914 + OpenAI DPA + opt-out from training. |
| Apollo.io (ZenProspect, Inc.) | B2B contact enrichment and firmographic data. | US. | SCCs 2021/914 + Apollo DPA. |

10. Audit rights

The Controller may, at its cost and with reasonable prior notice (at least 30 days, not more than once per year except after a breach), audit Huberway's compliance with this DPA. Huberway may satisfy audit requests by providing its latest independent audit reports (e.g. SOC 2 Type II) where they reasonably cover the scope.

11. Liability and conflicts

Liability under this DPA is subject to the limitations in the Terms of Service, except where such limitation is not permitted by law. In case of conflict between this DPA and the Terms, this DPA prevails with respect to data protection matters.

12. Contact

Huberway LLC - 1309 Coffeen Avenue, Suite 1200, Sheridan, WY 82801, USA
DPA and privacy requests: privacy@expandigo.com
Security incidents: security@expandigo.com