Hot Dev Data Processing Addendum
Version: 1.0
Last Updated: November 27, 2025
This Data Processing Addendum ("DPA") forms part of the Hot Dev Cloud Software as a Service Agreement or other agreement between Hot Dev, LLC ("Hot Dev," "Processor," "we," "us") and the customer identified in the Agreement ("Customer," "Controller," "you") (collectively, the "Parties").
This DPA applies to the extent that Hot Dev processes Personal Data on behalf of Customer in connection with the Services.
1. DEFINITIONS
"Applicable Data Protection Laws" means all laws and regulations applicable to the processing of Personal Data, including:
- The General Data Protection Regulation (EU) 2016/679 ("GDPR")
- The UK General Data Protection Regulation ("UK GDPR")
- The California Consumer Privacy Act, as amended by the CPRA ("CCPA")
- The Swiss Federal Act on Data Protection ("FADP")
- Other applicable data protection laws
"Controller" means the entity that determines the purposes and means of processing Personal Data.
"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
"EEA" means the European Economic Area.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Hot Dev on behalf of Customer in connection with the Services.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
"Processor" means an entity that processes Personal Data on behalf of a Controller.
"Services" means the Hot Dev Cloud services provided under the Agreement.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission.
"Sub-processor" means any third party engaged by Hot Dev to process Personal Data on behalf of Customer.
2. SCOPE AND ROLES
2.1 Scope
This DPA applies to Personal Data that Hot Dev processes on behalf of Customer when providing the Services. This DPA does not apply to Personal Data that Hot Dev processes as a Controller (e.g., Customer account information), which is governed by Hot Dev's Privacy Policy.
2.2 Roles
For Personal Data processed under this DPA:
- Customer is the Controller: Customer determines the purposes and means of processing Personal Data through its use of the Services.
- Hot Dev is the Processor: Hot Dev processes Personal Data on behalf of Customer in accordance with Customer's instructions.
2.3 Customer Obligations
Customer represents and warrants that:
- Customer has all necessary rights, consents, and legal bases to provide Personal Data to Hot Dev
- Customer's instructions to Hot Dev comply with Applicable Data Protection Laws
- Customer will inform Data Subjects about the processing of their Personal Data as required by law
3. PROCESSING OF PERSONAL DATA
3.1 Processing Instructions
Hot Dev will process Personal Data only:
- In accordance with Customer's documented instructions (including those in the Agreement)
- As necessary to provide the Services
- As required by Applicable Data Protection Laws
If Hot Dev believes an instruction violates Applicable Data Protection Laws, Hot Dev will promptly notify Customer.
3.2 Details of Processing
| Element | Description |
|---|---|
| Subject Matter | Provision of Hot Dev Cloud workflow automation services |
| Duration | For the term of the Agreement, plus any retention period specified |
| Nature and Purpose | Processing workflow execution data, API requests, and associated metadata to provide the Services |
| Categories of Data Subjects | End users, employees, customers, and other individuals whose data is processed through Customer's workflows |
| Categories of Personal Data | Contact information, identifiers, transaction data, and any other Personal Data submitted by Customer to the Services |
3.3 Prohibited Data
Customer agrees not to submit the following categories of data to the Services without Hot Dev's prior written consent:
- Special categories of data (as defined in GDPR Article 9)
- Health information subject to HIPAA
- Payment card data subject to PCI-DSS
- Data subject to other heightened regulatory requirements
4. DATA SECURITY
4.1 Security Measures
Hot Dev will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures include:
Technical Measures:
- Encryption of data in transit (TLS 1.2+)
- Encryption of data at rest (AES-256)
- Access controls and authentication
- Network security (firewalls, intrusion detection)
- Regular security testing and vulnerability assessments
- Logging and monitoring
Organizational Measures:
- Employee background checks (where permitted)
- Security awareness training
- Confidentiality agreements
- Access limited to authorized personnel
- Incident response procedures
- Vendor security assessments
4.2 Security Assessment
Upon Customer's written request (no more than once per year), Hot Dev will provide:
- Documentation of security measures
- Results of third-party security audits or certifications (if available)
- Responses to reasonable security questionnaires
5. SUB-PROCESSORS
5.1 Authorization
Customer provides general authorization for Hot Dev to engage Sub-processors to process Personal Data. Hot Dev will:
- Enter into written agreements with Sub-processors imposing data protection obligations no less protective than this DPA
- Remain liable for Sub-processor compliance with this DPA
5.2 Current Sub-processors
The following Sub-processors are authorized to process Personal Data on behalf of Customer:
| Sub-processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure and hosting | United States | All Customer Data stored and processed through the Services |
| Stripe, Inc. | Payment processing | United States | Billing information, payment transactions |
5.3 Changes to Sub-processors
Hot Dev will notify Customer at least thirty (30) days before engaging a new Sub-processor or making material changes to existing Sub-processors. Notification will be sent to Customer's registered email address.
Customer may object to a new Sub-processor by notifying Hot Dev in writing within fourteen (14) days of receipt of notice. The objection must include reasonable grounds related to data protection. If Customer objects and the Parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Services without penalty.
5.4 Sub-processor Updates
This DPA, including the Sub-processor list, is available at https://hot.dev/dpa. The "Last Updated" date indicates when changes were last made.
6. DATA SUBJECT RIGHTS
6.1 Assistance
Hot Dev will assist Customer in responding to Data Subject requests to exercise their rights under Applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
6.2 Process
- Hot Dev will promptly notify Customer if it receives a Data Subject request directly
- Hot Dev will not respond to Data Subject requests directly unless authorized by Customer or required by law
- Customer is responsible for responding to Data Subject requests
- Hot Dev will provide reasonable assistance, taking into account the nature of the processing
6.3 Costs
Hot Dev may charge reasonable fees for assistance beyond what is included in the standard Services.
7. PERSONAL DATA BREACH
7.1 Notification
Hot Dev will notify Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting Customer's Personal Data.
7.2 Content of Notification
The notification will include, to the extent known:
- Description of the nature of the Personal Data Breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Name and contact details of Hot Dev's point of contact
- Description of likely consequences
- Description of measures taken or proposed to address the breach
7.3 Cooperation
Hot Dev will:
- Cooperate with Customer in investigating and remediating the breach
- Provide reasonable assistance in Customer's communications with supervisory authorities and Data Subjects
- Take reasonable steps to mitigate the effects of the breach
7.4 No Admission
Hot Dev's notification of a Personal Data Breach is not an acknowledgment of fault or liability.
8. DATA PROTECTION IMPACT ASSESSMENTS
Upon Customer's request, Hot Dev will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, to the extent required by Applicable Data Protection Laws and relating to the Services.
9. AUDITS
9.1 Audit Rights
Customer may audit Hot Dev's compliance with this DPA by:
- Reviewing certifications, audit reports, and other documentation provided by Hot Dev
- Requesting completion of security questionnaires
- Conducting an on-site audit (subject to Section 9.2)
9.2 On-Site Audits
On-site audits are subject to:
- Reasonable advance notice (at least 30 days)
- Scope limited to verifying compliance with this DPA
- Execution during normal business hours
- Confidentiality obligations
- Customer bearing audit costs
- Frequency limited to once per year unless required by a supervisory authority
9.3 Third-Party Audits
Hot Dev may satisfy audit requirements by providing third-party audit reports (e.g., SOC 2) covering the relevant controls.
10. INTERNATIONAL DATA TRANSFERS
10.1 Transfers from EEA, UK, and Switzerland
When Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, Hot Dev will ensure appropriate safeguards are in place, including:
Standard Contractual Clauses: The EU SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA by reference:
- For Controller-to-Processor transfers: Module Two applies
- Customer is the "data exporter" and Hot Dev is the "data importer"
For UK transfers, the UK Addendum to the EU SCCs applies.
For Swiss transfers, the SCCs apply with the modifications required by Swiss law.
10.2 Transfer Impact Assessment
Hot Dev has conducted a transfer impact assessment and determined that it can comply with its obligations under the SCCs. Hot Dev will:
- Notify Customer if it becomes aware of any legal requirements that would prevent compliance
- Implement supplementary measures as necessary to ensure adequate protection
10.3 Data Localization
Customer may request information about where Personal Data is stored. Currently, the Services are hosted in the United States (AWS US regions).
11. DELETION AND RETURN OF DATA
11.1 During the Term
Customer may delete Personal Data through the Services' functionality at any time.
11.2 Upon Termination
Upon termination or expiration of the Agreement:
- Customer may export Personal Data for thirty (30) days
- After thirty (30) days, Hot Dev will delete all Personal Data, except as required by law
- Hot Dev will provide written confirmation of deletion upon request
11.3 Retention Exceptions
Hot Dev may retain Personal Data after termination if required by:
- Applicable law
- Regulatory requirements
- Legal proceedings or investigations
In such cases, Hot Dev will protect the data in accordance with this DPA and delete it when no longer required.
12. CALIFORNIA-SPECIFIC TERMS
To the extent the CCPA applies to Customer's Personal Data:
12.1 Roles
Hot Dev is a "Service Provider" as defined in the CCPA.
12.2 Restrictions
Hot Dev will not:
- Sell or share Personal Data
- Retain, use, or disclose Personal Data for any purpose other than providing the Services
- Retain, use, or disclose Personal Data outside the direct business relationship with Customer
12.3 Compliance
Hot Dev certifies that it understands and will comply with the restrictions in Section 12.2.
12.4 Assistance
Hot Dev will assist Customer in responding to verifiable consumer requests under the CCPA.
13. GENERAL PROVISIONS
13.1 Precedence
In the event of conflict between this DPA and the Agreement, this DPA prevails with respect to data protection matters.
13.2 Liability
Each Party's liability under this DPA is subject to the limitations of liability in the Agreement.
13.3 Severability
If any provision of this DPA is held invalid, the remaining provisions remain in effect.
13.4 Governing Law
This DPA is governed by the same law as the Agreement, except that:
- For EEA Personal Data: GDPR and applicable EU member state law apply
- For UK Personal Data: UK GDPR and UK law apply
- For Swiss Personal Data: Swiss law applies
13.5 Term
This DPA remains in effect for as long as Hot Dev processes Personal Data on behalf of Customer.
14. CONTACT
For questions about this DPA or data protection matters:
Hot Dev, LLC, 1606 Headway Cir STE 9513, Austin, TX 78754, United States
- Email: support@hot.dev
ANNEX I: STANDARD CONTRACTUAL CLAUSES
A. LIST OF PARTIES
Data exporter: Customer (as identified in the Agreement)
- Activities relevant to the transfer: Use of Hot Dev Cloud services
- Role: Controller
Data importer: Hot Dev, LLC
- Address: 1606 Headway Cir STE 9513, Austin, TX 78754, United States
- Contact: support@hot.dev
- Activities relevant to the transfer: Provision of Hot Dev Cloud services
- Role: Processor
B. DESCRIPTION OF TRANSFER
| Element | Description |
|---|---|
| Categories of Data Subjects | End users, employees, customers, and other individuals whose data Customer processes through the Services |
| Categories of Personal Data | Contact information (names, emails), identifiers, transaction data, and other data submitted by Customer |
| Sensitive Data | None, unless Customer submits such data contrary to Section 3.3 |
| Frequency of Transfer | Continuous |
| Nature of Processing | Storage, retrieval, execution of workflows, API processing |
| Purpose | Provision of Hot Dev Cloud services as described in the Agreement |
| Retention Period | For the duration of the Agreement, plus retention period specified in Section 11 |
| Sub-processor Transfers | To Sub-processors listed in Section 5.2 |
C. COMPETENT SUPERVISORY AUTHORITY
The competent supervisory authority is determined in accordance with Clause 13 of the SCCs.
D. TECHNICAL AND ORGANIZATIONAL MEASURES
See Section 4 of this DPA for the technical and organizational measures implemented by Hot Dev.
ANNEX II: UK ADDENDUM TO THE EU SCCS
This Addendum has been issued by the Information Commissioner for parties making Restricted Transfers. The Approved Addendum, incorporating the mandatory clauses, is incorporated into this DPA by reference for transfers of Personal Data from the United Kingdom.
| Table | Content |
|---|---|
| Table 1: Parties | As specified in Annex I, Section A |
| Table 2: Selected SCCs | Module Two (Controller to Processor) |
| Table 3: Appendix Information | As specified in Annex I |
| Table 4: Ending the Addendum | Neither Party may end this Addendum |
ANNEX III: SWISS ADDENDUM
For transfers of Personal Data from Switzerland:
- References to the GDPR are to be understood as references to the Swiss Federal Act on Data Protection (FADP)
- References to "EU" or "Union" are to be understood as references to Switzerland
- References to "Member State" are to be understood as references to Switzerland
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner (FDPIC)
- The governing law for contractual claims is Swiss law
This DPA is available at https://hot.dev/dpa
ACKNOWLEDGED AND AGREED:
By using the Services, Customer acknowledges and agrees to the terms of this Data Processing Addendum.
For customers requiring a countersigned DPA, please contact support@hot.dev.