Last updated: June 9, 2026
This Data Processing Addendum ("DPA") forms part of the agreement between Headlight Tech LLC ("Headlight") and the customer ("Customer") governing Customer's use of Headlight's services (the "Agreement"), whether that is our Terms of Service or a separately signed agreement. It applies whenever Headlight processes Customer Personal Data on Customer's behalf.
Headlight will:
For Customers that are financial institutions subject to GLBA or SEC Regulation S-P, Headlight acts as a service provider with respect to nonpublic personal information in Customer Personal Data and processes it only as permitted under the exceptions for service providers, consistent with this DPA.
Headlight ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations, are granted access on a least-privilege basis, and access Customer Personal Data only when necessary to provide support, investigate security incidents, or as required by law. Such access is logged.
Headlight implements and maintains the technical and organizational measures described in Annex B, including encryption in transit and at rest, application-layer field encryption for the most sensitive values, database-enforced tenant isolation, role-based access control, and audit logging. Headlight may update these measures over time, provided the overall level of protection is not materially reduced.
Taking into account the nature of the processing, Headlight will assist Customer in responding to requests from data subjects exercising rights under Data Protection Laws (such as access, correction, and deletion), including through the retrieval, correction, and deletion capabilities of the services. If a data subject contacts Headlight directly about Customer Personal Data, Headlight will refer the request to Customer without responding substantively, except as required by law.
Headlight will notify Customer without undue delay, and in any event within 72 hours, after confirming a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data. The notice will describe, to the extent known, the nature of the incident, the data and data subjects affected, the measures taken, and a contact point. Headlight will cooperate reasonably with Customer's own notification obligations. Headlight's notification is not an admission of fault.
On written request, no more than once per year (except after a security incident affecting Customer Personal Data), Headlight will make available information reasonably necessary to demonstrate compliance with this DPA, such as security documentation, audit reports (for example, SOC 2 reports when available), and responses to reasonable security questionnaires. Where Data Protection Laws grant Customer an audit right that cannot be satisfied by documentation, the parties will agree on the scope, timing, and conditions of an audit conducted at Customer's expense with minimal disruption to Headlight's operations.
During the term, Customer can retrieve its documents and records through the services and their API, and Headlight will provide reasonable assistance with exporting Customer Content on request. After termination of the Agreement, Headlight retains Customer Content for at least 30 days for retrieval or reactivation, then deletes Customer Personal Data from production systems — including database records, stored documents, and derived data such as extracted text, document chunks, and vector embeddings — except where retention is required by law. Residual copies in encrypted, access-controlled backups are deleted in the ordinary course as backups expire and are not used to restore individually deleted records.
Headlight processes Customer Personal Data in the United States. If and to the extent GDPR or similar laws apply to Customer Personal Data, the parties will enter into appropriate transfer mechanisms (such as the EU Standard Contractual Clauses and UK Addendum), which are incorporated into this DPA where required by law.
This DPA is subject to the limitations of liability in the Agreement. If this DPA conflicts with the Agreement regarding the processing of Customer Personal Data, this DPA controls. Headlight may update this DPA as practices or laws change; material changes will be notified in accordance with the Agreement.
| Subprocessor | Function | Customer Personal Data processed | Location |
|---|---|---|---|
| Amazon Web Services | Cloud hosting, storage, key management, transactional email (SES), AI inference (Amazon Bedrock) | All Customer Content | United States |
| WorkOS | Authentication and identity | User identities of Customer's authorized users | United States |
| Inngest | Background job orchestration | Bounded job metadata (record identifiers, counts); no document content | United States |
| Sentry | Error and performance monitoring | Technical diagnostics that may incidentally reference records | United States |
| Ably | Realtime in-app status updates | Ephemeral event signals that may include file names and record display names; no document content; messages are not persisted | Global edge network |
| Brave Search | Public web search for assistant queries | Search query text entered by users; no documents or client records | United States |
Stripe (billing) processes Customer's payment and billing information as described in the Privacy Policy; it does not process Customer Personal Data contained in Customer Content. Third-party services Customer chooses to connect (such as Box, Dropbox, Google Drive, or Google Calendar) are engaged at Customer's direction and are not Headlight Subprocessors.
Privacy questions and requests: privacy@withheadlight.com
Security: security@withheadlight.com