Data Processing Addendum

Last updated: June 9, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Headlight Tech LLC ("Headlight") and the customer ("Customer") governing Customer's use of Headlight's services (the "Agreement"), whether that is our Terms of Service or a separately signed agreement. It applies whenever Headlight processes Customer Personal Data on Customer's behalf.

1. Definitions

2. Roles and Scope

3. Processing Instructions

Headlight will:

For Customers that are financial institutions subject to GLBA or SEC Regulation S-P, Headlight acts as a service provider with respect to nonpublic personal information in Customer Personal Data and processes it only as permitted under the exceptions for service providers, consistent with this DPA.

4. Confidentiality

Headlight ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations, are granted access on a least-privilege basis, and access Customer Personal Data only when necessary to provide support, investigate security incidents, or as required by law. Such access is logged.

5. Security

Headlight implements and maintains the technical and organizational measures described in Annex B, including encryption in transit and at rest, application-layer field encryption for the most sensitive values, database-enforced tenant isolation, role-based access control, and audit logging. Headlight may update these measures over time, provided the overall level of protection is not materially reduced.

6. Subprocessors

7. Data Subject Requests

Taking into account the nature of the processing, Headlight will assist Customer in responding to requests from data subjects exercising rights under Data Protection Laws (such as access, correction, and deletion), including through the retrieval, correction, and deletion capabilities of the services. If a data subject contacts Headlight directly about Customer Personal Data, Headlight will refer the request to Customer without responding substantively, except as required by law.

8. Security Incidents

Headlight will notify Customer without undue delay, and in any event within 72 hours, after confirming a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data. The notice will describe, to the extent known, the nature of the incident, the data and data subjects affected, the measures taken, and a contact point. Headlight will cooperate reasonably with Customer's own notification obligations. Headlight's notification is not an admission of fault.

9. Audits and Documentation

On written request, no more than once per year (except after a security incident affecting Customer Personal Data), Headlight will make available information reasonably necessary to demonstrate compliance with this DPA, such as security documentation, audit reports (for example, SOC 2 reports when available), and responses to reasonable security questionnaires. Where Data Protection Laws grant Customer an audit right that cannot be satisfied by documentation, the parties will agree on the scope, timing, and conditions of an audit conducted at Customer's expense with minimal disruption to Headlight's operations.

10. Return and Deletion

During the term, Customer can retrieve its documents and records through the services and their API, and Headlight will provide reasonable assistance with exporting Customer Content on request. After termination of the Agreement, Headlight retains Customer Content for at least 30 days for retrieval or reactivation, then deletes Customer Personal Data from production systems — including database records, stored documents, and derived data such as extracted text, document chunks, and vector embeddings — except where retention is required by law. Residual copies in encrypted, access-controlled backups are deleted in the ordinary course as backups expire and are not used to restore individually deleted records.

11. International Transfers

Headlight processes Customer Personal Data in the United States. If and to the extent GDPR or similar laws apply to Customer Personal Data, the parties will enter into appropriate transfer mechanisms (such as the EU Standard Contractual Clauses and UK Addendum), which are incorporated into this DPA where required by law.

12. Liability and Precedence

This DPA is subject to the limitations of liability in the Agreement. If this DPA conflicts with the Agreement regarding the processing of Customer Personal Data, this DPA controls. Headlight may update this DPA as practices or laws change; material changes will be notified in accordance with the Agreement.

Annex A — Details of Processing

Annex B — Technical and Organizational Measures

Annex C — Subprocessors

SubprocessorFunctionCustomer Personal Data processedLocation
Amazon Web ServicesCloud hosting, storage, key management, transactional email (SES), AI inference (Amazon Bedrock)All Customer ContentUnited States
WorkOSAuthentication and identityUser identities of Customer's authorized usersUnited States
InngestBackground job orchestrationBounded job metadata (record identifiers, counts); no document contentUnited States
SentryError and performance monitoringTechnical diagnostics that may incidentally reference recordsUnited States
AblyRealtime in-app status updatesEphemeral event signals that may include file names and record display names; no document content; messages are not persistedGlobal edge network
Brave SearchPublic web search for assistant queriesSearch query text entered by users; no documents or client recordsUnited States

Stripe (billing) processes Customer's payment and billing information as described in the Privacy Policy; it does not process Customer Personal Data contained in Customer Content. Third-party services Customer chooses to connect (such as Box, Dropbox, Google Drive, or Google Calendar) are engaged at Customer's direction and are not Headlight Subprocessors.

Contact

Privacy questions and requests: privacy@withheadlight.com

Security: security@withheadlight.com