Data Processing Agreement
GDPR Article 28 compliant agreement governing data processing on behalf of the Controller.
Last updated: March 11, 2026
This Data Processing Agreement ("DPA") is between the Customer ("Controller") and Lumea di Georgiana Huides ("Processor" / "HailAPI"), Via Ofanto 26L, 00071 Pomezia (RM), Italy — P.IVA: IT18023211008. This DPA supplements the Terms of Service and governs the processing of personal data pursuant to Article 28 GDPR.
1. Definitions
Terms like "Personal Data", "Processing", "Controller", "Processor", "Data Subject", and "Personal Data Breach" have the meanings in Article 4 GDPR. "Applicable Data Protection Law" means the GDPR plus Italian Legislative Decree 196/2003 (as amended).
2. Scope
This DPA applies to all processing of Personal Data by the Processor on behalf of the Controller in connection with the HailAPI detection service. In case of conflict with the Terms of Service regarding data processing, this DPA prevails.
3. Roles
The Controller determines purposes and means of processing data submitted through the Service. The Processor processes data solely on the Controller's documented instructions.
4. Controller's Obligations
The Controller warrants that: it has a lawful basis for submitting Personal Data, it has provided appropriate notice to Data Subjects, any images containing Personal Data are submitted lawfully, and its instructions comply with Applicable Data Protection Law.
5. Processor's Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller (Art. 28(3)(a))
- Ensure authorized personnel are bound by confidentiality (Art. 28(3)(b))
- Implement appropriate security measures per Article 32 (Art. 28(3)(c))
- Comply with sub-processor requirements in Section 7 (Art. 28(3)(d))
- Assist with Data Subject rights requests (Art. 28(3)(e))
- Assist with security, breach notification, and DPIA obligations (Art. 28(3)(f))
- Delete or return all Personal Data upon termination (Art. 28(3)(g))
- Make information available for compliance audits (Art. 28(3)(h))
6. Security Measures
Data Minimization
- Images processed in volatile memory (RAM) only — never written to disk or database
- Images discarded from memory upon API response completion
- Usage logs contain only metadata (timestamp, status, processing time, image size, dent count) — no image data
Technical Measures
- TLS 1.2+ encryption for all data in transit
- API keys stored as SHA-256 hashes — never in plaintext
- Publishable keys restricted by allowed origin domains
- Rate limiting via Redis on all API endpoints
- Input validation (MIME type, file size) via Zod schema validation
- Security headers: CSP, X-Frame-Options, HSTS
7. Sub-Processors
The Controller provides general written authorization for the following sub-processors:
| Sub-Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Vercel Inc. | API hosting, frontend | USA (EU edge) | DPF / SCCs |
| Railway Corp. | AI model inference | USA | DPF / SCCs |
| Upstash Inc. | Redis rate limiting | EU / USA | DPF / SCCs |
| Cloudflare Inc. | Image storage (R2) | EU / Global | DPF / SCCs |
| Paddle.com Market Ltd | Payment processing | UK | UK adequacy decision |
The Processor will notify the Controller at least 30 days before engaging new sub-processors. The Controller may object within 30 days on reasonable data protection grounds.
The Processor imposes data protection obligations no less protective than this DPA on all sub-processors and remains fully liable for their performance.
8. International Transfers
Where sub-processors are outside the EEA, transfers are protected by: EU adequacy decisions (Art. 45), Standard Contractual Clauses (Art. 46), or the EU-U.S. Data Privacy Framework.
The Service architecture minimizes transfers: images are processed transiently in memory, detection results contain only analytical data, and usage logs contain no image data.
9. Data Subject Rights
The Processor assists the Controller in responding to Data Subject requests (Art. 15–22 GDPR). If the Processor receives a request directly, it will redirect the Data Subject to the Controller and notify the Controller without undue delay.
10. Breach Notification
The Processor will notify the Controller of any Personal Data Breach within 48 hours, including:
- Nature of the breach, categories and number of Data Subjects affected
- Likely consequences
- Measures taken or proposed to address the breach
The Processor will cooperate with the Controller's obligations under Articles 33 and 34 GDPR (72-hour supervisory authority notification and Data Subject communication).
11. Audit Rights
The Processor will make available information to demonstrate compliance and allow audits by the Controller or a mandated auditor, subject to:
- 30 days' written notice (except for breach/supervisory authority requirements)
- During business hours, without unreasonable disruption
- Maximum one audit per year (unless breach occurs)
- Third-party auditors must sign confidentiality agreements
As an alternative, the Processor may provide third-party security audit results or written responses to audit questionnaires.
12. Duration and Termination
This DPA is effective for the duration of the Terms of Service. Upon termination, the Processor will (at Controller's choice) return or securely delete all Personal Data and certify deletion — except where retention is required by law.
Given the transient nature of image processing, no image data is retained after API response delivery.
13. Liability
Liability under this DPA is subject to the Terms of Service, except where Applicable Data Protection Law prohibits limitations. Neither party's liability is limited for fraud or fines imposed directly by a Supervisory Authority for that party's own infringement.
14. General
- Governing Law: Italian law, courts of Roma
- Severability: Invalid provisions do not affect the remainder
- Amendments: Written only, except sub-processor list updates per Section 7
- Precedence: This DPA prevails over the Terms of Service for data processing matters
Processing Details (Annex 1)
| Element | Description |
|---|---|
| Subject matter | AI-powered analysis of vehicle images for hail damage detection |
| Duration | Term of the Terms of Service. Images processed transiently (<10s) |
| Nature | Automated YOLO-based object detection in volatile memory |
| Purpose | Return detection results: bounding boxes, severity, damage scores, dent counts |
| Personal Data types | Incidental: license plates, reflections, background indicators in vehicle images. Metadata: timestamps, processing times, image dimensions |
| Data Subject categories | Vehicle owners, drivers, insurance claimants, fleet operators |
Contact
Lumea di Georgiana Huides
Via Ofanto 26L, 00071 Pomezia (RM), Italy
P.IVA: IT18023211008
Email: support@hailapi.com
Phone: +39 328 258 1946
PEC: georgiana.huides@pec.it
Web: hailapi.com