Data Processing Agreement

Last updated: March 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Hummz, operated by WeApptivate Link Technologies Private Limited (New Delhi, India) ("Processor"), and you ("Controller"), and governs the processing of personal data by Hummz on your behalf.

2. Definitions

• Personal Data: Any information relating to an identified or identifiable natural person.
• Processing: Any operation performed on personal data, including collection, storage, modification, retrieval, use, disclosure, or deletion.
• Data Subject: An identified or identifiable natural person whose personal data is processed.
• Sub-processor: A third party engaged by Hummz to process personal data on behalf of the Controller.

3. Scope and Purpose

Hummz processes personal data solely for the purpose of providing the Services as described in the Terms of Service. The categories of data and data subjects are determined by the Controller's use of the Platform.

3.1 Categories of Data Processed

• Member contact information (names, email addresses, phone numbers).
• Member activity data (event attendance, purchases, interactions).
• Communications data (messages sent through the Platform).
• Billing and payment information.

3.2 Categories of Data Subjects

• Members of the Controller's community.
• Administrators and staff of the Controller's organization.

4. Obligations of the Processor

Hummz shall:

• Process personal data only on documented instructions from the Controller.
• Ensure that persons authorized to process personal data have committed to confidentiality.
• Implement appropriate technical and organizational security measures.
• Assist the Controller in responding to data subject rights requests.
• Delete or return all personal data upon termination of the Services, at the Controller's choice.
• Make available all information necessary to demonstrate compliance with data protection obligations.

5. Sub-processors

• Hummz maintains a list of approved sub-processors.
• We will notify the Controller of any intended changes to sub-processors with at least 30 days' notice.
• The Controller may object to a new sub-processor within 14 days of notification.
• The current list of approved sub-processors is available on request by emailing dpo@hummz.com.

6. Security Measures

Hummz implements the following security measures:

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
• Access controls with role-based permissions and multi-factor authentication.
• Regular security assessments and penetration testing.
• Incident response procedures with defined notification timelines.
• Data backup and disaster recovery procedures.

7. Data Breach Notification

In the event of a personal data breach, Hummz will:

• Notify the Controller without undue delay and within 72 hours of becoming aware of the breach.
• Provide details of the nature of the breach, categories of data affected, and remedial actions taken.
• Cooperate with the Controller in meeting any data breach notification obligations.

8. International Data Transfers

Where personal data is transferred outside the Controller's jurisdiction, Hummz ensures appropriate safeguards are in place, including:

• Standard contractual clauses approved by relevant data protection authorities.
• Adequacy decisions where applicable.
• Additional technical and organizational measures as required.

9. Audits

The Controller may audit Hummz's compliance with this DPA, subject to reasonable notice and confidentiality obligations. Hummz will cooperate with such audits and provide access to relevant documentation.

10. Term and Termination

This DPA remains in effect for the duration of the Terms of Service. Obligations regarding data protection survive termination.

11. Contact

For DPA-related inquiries, contact our Data Protection Officer at dpo@hummz.com.