(Hydrant → Customer)

Last updated: May 10, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement between Manuel Rossner / Hydrant ("Processor" or "Hydrant") and the Workspace Owner ("Controller" or "Customer") governing Customer's use of the Hydrant Service ("Agreement").

By using the Service to process personal data within a workspace, Customer accepts this DPA.

1. Subject matter and duration

Hydrant will process Customer Personal Data on behalf of Customer for the purpose of providing the Service (hosting workspaces, rendering, storage, collaboration). The DPA applies for the term of the Agreement and until all Customer Personal Data is deleted.

2. Nature and purpose of processing

Processing includes collection (via APIs/UI), storage, structuring, rendering, transmission (to sub-processors), retrieval, deletion, and other operations necessary to provide the Service, ensure security, and perform support. Hydrant engages identified AI sub-processors (including Anthropic for language assistance integrated into the workspace product and Black Forest Labs for AI-assisted imagery in export flows) as part of delivering the agreed Service. Such processing constitutes processing on documented instructions, including ordinary use by Customer’s authorised users acting within workspaces Customer controls.

3. Types of personal data and data subjects

• Data subjects: Customer's users (workspace members), customer's clients or audience whose personal data is included in uploaded datasets, and any individuals referenced in Customer-provided content.
• Personal data categories: identifiers (name, email, workspace/user IDs), usage metadata, and any personal data included in datasets or uploads that Customer chooses to process through the Service. Customer shall not upload special categories of data unless permitted by law and necessary safeguards are in place.
• AI inputs and outputs, including prompts, conversational messages, contextual metadata sent with model requests and images used in export AI flows, along with identifiers or personal data incidental to renders (e.g. names in chart titles, labels attributed to identifiable persons.)

4. Roles and instructions

Customer is the controller. Hydrant is the processor. Hydrant will process Customer Personal Data only on documented instructions from Customer, including via the Agreement, this DPA, and Customer's settings and usage of the Service. If Hydrant is required by law to process data beyond Customer's instructions, it will inform Customer (unless legally prohibited).

5. Confidentiality

Hydrant ensures persons authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate training.

6. Security measures

Hydrant implements appropriate technical and organizational measures pursuant to Art. 32 GDPR, including, as applicable:

• encryption in transit; encryption at rest where supported;
• separation of environments; least-privilege access; MFA for admin access;
• logging and monitoring; vulnerability management;
• regular backups and tested restoration;
• data minimization and retention controls;
• secure software development practices.

Upon request, Hydrant will provide a current description of its security controls.

7. Sub-processors

Customer provides a general authorization for Hydrant to engage sub-processors to support the Service. Current core sub-processors include:

• Amazon Web Services (AWS) – hosting/rendering/storage (primarily EU regions)
• NeonDB – managed PostgreSQL database
• Upstash – managed Redis for rate limiting/queues
• Stripe – payments and invoicing (limited customer identifiers and billing data)
• PostHog – analytics, session recording, and workspace content capture (only when enabled and subject to Customer's consent settings); Sentry – error tracking and performance monitoring (only when enabled and subject to Customer's consent settings)
• Google Analytics – Analytics & Ads (only when enabled and subject to Customer's consent settings)
• Anthropic — LLM/API services used so Hydrant can provide workspace AI capabilities that are part of the Service (e.g. in-app assistant/chat). Hydrant transmits instructions, conversational content, and technical context needed to operate those capabilities (such as identifiers in auth/session context and, where relevant to fulfil the user request, workspace/scene configuration and derived or stored tabular excerpts). Transmission occurs when that functionality is used or invoked in connection with Customer’s workspaces, consistent with documented instructions via the Agreement and Customer’s configuration of the workspace.
• Black Forest Labs (BFL) — image generation/API services used so Hydrant can provide AI-assisted export and image processing that are part of the Service. Hydrant may transmit user prompts, generation parameters, and render/output imagery derived from Customer’s exports when Customers or their users use those capabilities. Use of Customer’s branding, labels, legends, charts, maps, numeric values, titles, captions, subtitles, disclaimers or other visible content appearing in renders within inputs to image models or related outputs constitutes personal or non-personal Customer content communicated to BFL strictly for temporary processing tied to fulfillment of exports (not for repurposing Hydrant unrelated use cases.)

Hydrant will maintain an up-to-date list (or section in the Privacy Policy). Hydrant will impose data-protection obligations on sub-processors equivalent to this DPA. Hydrant will notify Customer of material changes and provide an opportunity to object on reasonable grounds. If an objection cannot be resolved, Customer may terminate the affected Service.

8. International data transfers

Where Customer Personal Data is transferred outside the EEA/UK/Switzerland, Hydrant ensures a valid transfer mechanism (e.g., Standard Contractual Clauses, UK IDTA/Addendum, adequacy decisions) and reasonable additional safeguards as needed.

9. Assistance to Customer

Hydrant will, taking into account the nature of processing, assist Customer by appropriate technical and organizational measures to fulfill Customer's obligations to respond to data subject requests and to comply with Art. 32–36 GDPR (security, breach notifications, DPIAs, and consultations with authorities). Reasonable costs may apply where assistance exceeds standard support.

10. Personal data breach

Hydrant will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and provide information available at that time, followed by updates as details emerge. Customer remains responsible for any required notifications to authorities or data subjects unless the Agreement allocates that task to Hydrant.

11. Audits and information

Upon written request, Hydrant will make available information necessary to demonstrate compliance with this DPA and GDPR (e.g., policy summaries, security descriptions, third-party reports where available). Where additional audits are required by law or a regulator, Customer may conduct (or appoint an independent auditor to conduct) an audit no more than annually, subject to reasonable notice, scope, confidentiality, and reimbursement of Hydrant's reasonable costs.

12. Deletion and return

Upon termination or upon Customer's request, Hydrant will delete Customer Personal Data within a reasonable period (target: ~30–90 days), unless retention is required by law. Backups are overwritten on a rolling basis (e.g., up to ~35 days). Upon request made before deletion, Hydrant will provide a machine-readable export of Customer Personal Data that Hydrant stores as part of the Service.

13. Liability

The Parties' liability under this DPA is governed by the limitations and exclusions in the Agreement, except to the extent prohibited by law.

14. Miscellaneous

If any provision of this DPA is held invalid, the remainder remains in effect. In case of conflict between this DPA and the Agreement, this DPA prevails with respect to processing of Customer Personal Data.

Annex 1 – Technical and Organizational Measures (TOMs) Hydrant maintains TOMs including (non-exhaustive):

• Organizational: security governance; personnel confidentiality; access management; vendor risk management; incident response; business continuity and disaster recovery.
• Technical: TLS for data in transit; encryption at rest where supported; network segmentation; hardened baselines; WAF and rate limiting; continuous logging/monitoring; automated backups and tested restores; secure key management; periodic vulnerability scans and remediation.
• Product-level controls: role-based access control, workspace isolation, optional 2FA, audit trails for sensitive actions, and automatic credit refunds on failed renders.

Annex 2 – Sub-processor List
As listed in Section 7 and updated from time to time at: www.hydrant.app/legal/privacy-policy

Annex 3 – Data Processing Details

• Subject matter: operation of the Hydrant Service for Customer's workspaces.
• Duration: term of the Agreement plus deletion period.
• Nature of processing: hosting, storage, rendering, collaboration, and support.
• Purpose: provide, secure, and improve the Service per Customer's instructions.
• Data subjects & categories: as in Section 3.
• Special categories: not intended; if processed, Customer is responsible for legal basis and notice to Hydrant.