Data Processing Addendum
Terms for processing personal data on behalf of customers.
Last updated July 12, 2026
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Haruspex (“Haruspex”, “we”, “our”, or “us”) and the customer or organization (“Customer”) using the Haruspex platform.
This DPA applies whenever Haruspex processes Personal Data on behalf of the Customer while providing the Services.
Where applicable privacy laws require a data processing agreement between a service provider and a controller, this DPA fulfills those requirements.
1. Definitions
For purposes of this DPA:
Personal Data means any information relating to an identified or identifiable natural person.
Processing means any operation performed on Personal Data including collection, storage, use, disclosure, analysis, deletion, or destruction.
Controller means the party determining the purposes and means of processing Personal Data.
Processor means the party processing Personal Data on behalf of a Controller.
Subprocessor means any third party engaged by Haruspex to process Personal Data.
Applicable Privacy Laws means any privacy or data protection legislation applicable to the parties.
Capitalized terms not defined in this DPA have the meaning assigned in the Terms of Service.
2. Scope
This DPA applies solely to Personal Data processed by Haruspex on behalf of the Customer.
This DPA does not apply to:
- information processed by Haruspex as an independent controller;
- publicly available information;
- anonymized information;
- aggregated statistical information that cannot identify individuals.
3. Roles of the Parties
Except where otherwise agreed:
- Customer acts as the Controller.
- Haruspex acts as the Processor.
The Customer remains responsible for determining:
- the legal basis for processing;
- the categories of Personal Data submitted;
- the purposes of processing;
- compliance with applicable laws.
Haruspex processes Personal Data only to provide the Services described in the Terms of Service.
4. Processing Instructions
Haruspex shall process Personal Data only:
- according to documented instructions from the Customer;
- as required to provide the Services;
- where required by applicable law.
If applicable law requires processing contrary to Customer instructions, Haruspex will notify the Customer unless prohibited by law.
5. Nature and Purpose of Processing
Processing activities may include:
- hosting Customer accounts;
- authentication;
- storage of submitted information;
- AI-powered analysis;
- generation of investment research;
- technical support;
- fraud prevention;
- security monitoring;
- system administration;
- backup and disaster recovery.
6. Categories of Personal Data
Depending upon Customer usage, Personal Data may include:
- names;
- email addresses;
- usernames;
- organization information;
- IP addresses;
- device identifiers;
- browser information;
- account activity;
- API credentials;
- uploaded documents;
- support communications;
- log files;
- usage analytics.
Customers are responsible for ensuring they submit only Personal Data necessary for their intended use.
7. Categories of Data Subjects
Data subjects may include:
- Customer employees;
- contractors;
- consultants;
- authorized users;
- clients;
- business partners;
- end users;
- support contacts.
8. Confidentiality
Haruspex ensures that individuals authorized to process Personal Data:
- are bound by confidentiality obligations;
- receive appropriate security training;
- access Personal Data only when necessary.
9. Security Measures
Haruspex implements appropriate technical and organizational measures designed to protect Personal Data against:
- accidental destruction;
- unlawful destruction;
- loss;
- unauthorized disclosure;
- unauthorized access;
- alteration;
- misuse.
Security measures include, where appropriate:
- encryption in transit;
- encryption at rest where supported;
- authentication controls;
- least privilege access;
- audit logging;
- monitoring;
- infrastructure security;
- vulnerability management;
- backup procedures;
- disaster recovery planning.
Haruspex may modify security measures provided overall protection is not materially reduced.
10. Customer Responsibilities
The Customer agrees to:
- provide lawful processing instructions;
- obtain all required consents;
- provide required privacy notices;
- ensure lawful collection of Personal Data;
- avoid submitting prohibited information unless expressly supported by the Services;
- maintain secure credentials;
- manage user permissions appropriately.
The Customer remains responsible for the accuracy and legality of Personal Data submitted.
11. Use of Subprocessors
Haruspex may engage Subprocessors to deliver the Services.
Subprocessors may include providers of:
- cloud infrastructure;
- hosting;
- authentication;
- monitoring;
- analytics;
- communications;
- customer support;
- AI infrastructure;
- storage;
- security services.
Haruspex remains responsible for the performance of its Subprocessors under this DPA.
Subprocessors shall be bound by data protection obligations substantially equivalent to those contained in this DPA.
12. International Transfers
Customer acknowledges that Personal Data may be processed in multiple jurisdictions where Haruspex or its Subprocessors operate.
Haruspex shall implement appropriate safeguards where required by applicable privacy laws.
13. Assistance to Customer
Taking into account the nature of processing, Haruspex shall provide reasonable assistance to enable the Customer to respond to lawful requests involving:
- access;
- correction;
- deletion;
- restriction;
- portability;
- objections;
- other rights provided under applicable privacy laws.
Haruspex reserves the right to charge reasonable fees for excessive or repetitive assistance requests where permitted by law.
14. Security Incidents
If Haruspex becomes aware of a confirmed Security Incident affecting Personal Data processed on behalf of the Customer, Haruspex will:
- investigate the incident;
- take reasonable measures to mitigate harm;
- notify the Customer without undue delay where required by applicable law;
- provide available information reasonably necessary for the Customer to comply with legal obligations.
Notification does not constitute an admission of fault or liability.
15. Government Requests
Where legally permitted, Haruspex may notify the Customer before disclosing Personal Data in response to governmental, judicial, or regulatory requests.
Where notification is prohibited, Haruspex will comply with applicable law.
16. Audits
Upon reasonable written request, Haruspex may provide information demonstrating compliance with this DPA.
Where required by applicable law, the parties may agree to a reasonable audit process that:
- minimizes operational disruption;
- protects confidential information;
- preserves security;
- occurs no more than once annually unless required following a confirmed Security Incident.
Haruspex may satisfy audit obligations through independent security certifications or audit reports where available.
17. Retention and Deletion
Haruspex retains Personal Data only as long as necessary:
- to provide the Services;
- to comply with legal obligations;
- to resolve disputes;
- to enforce agreements;
- to maintain legitimate business records.
Following termination of Services, Haruspex will delete or anonymize Personal Data within a commercially reasonable period unless retention is legally required.
18. Data Subject Requests
If Haruspex receives a request directly from a data subject regarding Personal Data processed on behalf of the Customer, Haruspex may:
- redirect the requester to the Customer;
- notify the Customer where appropriate;
- refrain from responding except as legally required.
19. Liability
Liability arising under this DPA shall be governed by the liability limitations contained in the Terms of Service unless prohibited by applicable law.
20. Term and Termination
This DPA remains effective for as long as Haruspex processes Personal Data on behalf of the Customer.
Termination of the Terms of Service automatically terminates this DPA except for obligations that survive by their nature.
21. Changes to this DPA
Haruspex may update this DPA to:
- reflect changes in law;
- improve privacy protections;
- accommodate operational changes;
- support new platform functionality.
Material changes will be communicated in accordance with the Terms of Service.
Continued use of the Services after the effective date constitutes acceptance of the updated DPA where permitted by law.
22. Order of Precedence
If a conflict exists between this DPA and the Terms of Service regarding Personal Data processing, this DPA shall control solely with respect to such processing.
All remaining provisions of the Terms of Service remain in full force and effect.