
Data processing agreement.

Effective since

19 July 2017

Last revised

5 May 2026

Governing law

Hong Kong SAR

Document

● v1.0 · Template

On this page
  1. Background and Order of Precedence
  2. Definitions
  3. Roles and Scope of Processing
  4. HEADGATE Obligations as Processor
  5. Customer Obligations as Controller
  6. Sub-processors
  7. International Data Transfers
  8. Personal Data Breach Notification
  9. Liability
  10. Term and Termination
  11. General
  12. Annex 1 — Description of Processing
  13. Annex 2 — Technical and Organizational Measures
  14. Annex 3 — Sub-processors
  15. Signature Page

§ 01 / Background and Order of Precedence

Background and Order of Precedence

This DPA sits underneath the main services agreement (the "MSA" or "ToS") between you and HEADGATE. If something in this DPA conflicts with the MSA on data protection, this DPA wins.

1.1 The Parties have entered, or will enter, into one or more Statements of Work or other engagement documents (together, the "Principal Agreement") under which HEADGATE provides services to Customer (the "Services").

1.2 In performing the Services, HEADGATE may process Personal Data on behalf of Customer. This Data Processing Agreement ("DPA") sets out the Parties' obligations with respect to that Personal Data.

1.3 In the event of any conflict or inconsistency between the terms of this DPA and the Principal Agreement, this DPA prevails with respect to the subject matter of this DPA. Capitalized terms not defined in this DPA have the meanings given to them in the Principal Agreement or in Applicable Data Protection Law.

§ 02 / Definitions

Definitions

Standard data-protection vocabulary. Where the underlying laws define a term, we use that definition.

In this DPA:

  • "Applicable Data Protection Law" means all data protection and privacy laws and regulations applicable to the processing of Personal Data under this DPA, including (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"); (b) the United Kingdom General Data Protection Regulation and the Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the Hong Kong Personal Data (Privacy) Ordinance (Cap. 486) ("PDPO"); (e) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 ("CCPA/CPRA"); and (f) any other applicable data protection laws.
  • "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Special Categories of Personal Data", "Sensitive Personal Information", and "Sub-processor" have the meanings given to them under Applicable Data Protection Law.
  • "EU SCCs" means the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021.
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs, version B1.0, issued by the UK ICO under section 119A of the Data Protection Act 2018.
  • "Swiss Addendum" means the supplementary clauses recognized by the Swiss Federal Data Protection and Information Commissioner for transfers under the FADP.
  • "Customer Personal Data" means Personal Data Processed by HEADGATE on behalf of Customer in performance of the Services.
  • "Restricted Transfer" means a transfer of Customer Personal Data from a jurisdiction where the transfer is restricted absent a Chapter V GDPR (or equivalent) safeguard.

§ 03 / Roles and Scope of Processing

Roles and Scope of Processing

For Personal Data we process for you under the Services, you're the Controller and we're the Processor. The full description of what we process is in Annex 1.

3.1 With respect to Customer Personal Data Processed under this DPA, Customer is the Controller and HEADGATE is the Processor. Where Customer is itself a processor for an upstream controller, HEADGATE acts as a sub-processor and the obligations in this DPA flow through accordingly.

3.2 The subject matter, duration, nature, and purpose of the Processing, the categories of Data Subjects, and the categories of Customer Personal Data are set out in Annex 1 (Description of Processing) to this DPA.

3.3 HEADGATE will Process Customer Personal Data only on documented instructions from Customer (including those set out in the Principal Agreement, this DPA, or otherwise documented in writing — including via Customer's authorized use of the Services). If HEADGATE believes an instruction infringes Applicable Data Protection Law, it will inform Customer (unless prohibited by law).

§ 04 / HEADGATE Obligations as Processor

HEADGATE Obligations as Processor

We process your data only on your instructions; we keep it confidential; we secure it; we help you respond to data-subject requests; we tell you about breaches; and we cooperate with audits.

HEADGATE will:

4.1 Process only on instructions. Process Customer Personal Data only as set out in this DPA or otherwise documented in writing by Customer.

4.2 Confidentiality. Ensure that personnel authorized to Process Customer Personal Data are bound by written confidentiality obligations or are under a statutory obligation of confidentiality, and have received appropriate data protection training.

4.3 Security measures. Implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure, as set out in Annex 2 (Technical and Organizational Measures), in compliance with Article 32 GDPR.

4.4 Sub-processors. Comply with the conditions in Section 6 (Sub-processors).

4.5 Assistance with data-subject rights. Take appropriate technical and organizational measures, insofar as possible, to assist Customer in fulfilling Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (Articles 12–22 GDPR). Where HEADGATE receives a request directly from a Data Subject relating to Customer Personal Data, HEADGATE will (a) not respond substantively (other than to confirm receipt and direct the Data Subject to Customer where appropriate), and (b) forward the request to Customer without undue delay.

4.6 Assistance with controller obligations. Assist Customer, taking into account the nature of Processing and information available, in ensuring compliance with Articles 32–36 GDPR (security, breach notification, data protection impact assessments, and prior consultation).

4.7 Return or deletion. At Customer's choice, return or delete all Customer Personal Data after the end of the provision of Services, unless Applicable Data Protection Law requires storage. Backups subject to standard rotation will be deleted in the ordinary course (typically within 90 days), and during that period remain subject to the confidentiality and security obligations of this DPA.

4.8 Records and audits. Make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, on reasonable prior notice (at least 30 days), no more than once per twelve-month period (except where required by a regulator or following a Personal Data Breach), under reasonable confidentiality obligations, and at Customer's expense (unless the audit reveals material non-compliance, in which case the cost is borne by HEADGATE).

4.9 No selling, sharing, or retention beyond purpose. HEADGATE will not (a) sell or share Customer Personal Data within the meaning of CCPA/CPRA; (b) retain, use, or disclose Customer Personal Data for any purpose other than the specific purpose of performing the Services or as otherwise permitted by Applicable Data Protection Law; or (c) combine Customer Personal Data with personal information that HEADGATE receives from or on behalf of any other person, except where permitted by CCPA/CPRA. HEADGATE certifies that it understands and will comply with these CCPA/CPRA "service provider" / "contractor" obligations.

§ 05 / Customer Obligations as Controller

Customer Obligations as Controller

You confirm you have a lawful basis for the data you ask us to process, and you've given the appropriate notices to your end-users.

Customer will:

5.1 Comply with Applicable Data Protection Law in its capacity as Controller, including by establishing a valid lawful basis for the Processing, providing required notices to Data Subjects, and obtaining required consents.

5.2 Provide complete and accurate documented instructions to HEADGATE concerning the Processing.

5.3 Ensure that the Personal Data provided to HEADGATE was lawfully collected and that the disclosure to HEADGATE for the purposes of the Services is lawful.

5.4 Refrain from instructing HEADGATE to Process Personal Data in a manner that would cause HEADGATE to violate Applicable Data Protection Law.

§ 06 / Sub-processors

Sub-processors

We use a small set of Sub-processors (cloud, email, AI tools, etc.). The current list lives at headgatetech.com/subprocessors. You can subscribe to be notified of changes 30 days before they take effect; if you object on data-protection grounds, we'll work it out with you, or you can terminate the affected SOW.

6.1 General authorization. Customer grants HEADGATE general authorization to engage Sub-processors for the Processing of Customer Personal Data, subject to the conditions in this Section.

6.2 Public list. HEADGATE maintains and keeps current a public list of Sub-processors at https://headgatetech.com/subprocessors, including for each Sub-processor: name, purpose, country of processing, transfer mechanism (where applicable), and reference to its DPA / data protection commitments.

6.3 Notice of changes. HEADGATE will provide at least thirty (30) days' notice of any addition or replacement of a Sub-processor that will Process Customer Personal Data, by updating the public list and (if Customer has subscribed) by email notification to Customer's designated contact.

6.4 Right to object. Customer may, on reasonable data-protection grounds, object to a new Sub-processor by notifying HEADGATE in writing within fifteen (15) days of the notice of change. The Parties will discuss the objection in good faith. If the objection cannot be resolved within thirty (30) days, Customer may terminate the affected Statement of Work without penalty (other than for Services already performed).

6.5 Flow-through obligations. HEADGATE will impose on each Sub-processor data protection obligations that are no less protective than those set out in this DPA. HEADGATE remains liable to Customer for the acts and omissions of its Sub-processors as if performed by HEADGATE itself.

§ 07 / International Data Transfers

International Data Transfers

When data leaves your home jurisdiction to come to us in Hong Kong (or to one of our Sub-processors elsewhere), we use the EU SCCs (Module Two or Module Three), the UK Addendum, or the Swiss Addendum as the legal transfer mechanism. This Section sets out the specifics.

7.1 Restricted Transfers. To the extent that the Processing of Customer Personal Data under this DPA constitutes a Restricted Transfer, the relevant transfer mechanism in this Section applies.

7.2 EU SCCs (Module 2 — Controller to Processor). Where Customer is a Controller of Personal Data subject to the GDPR and HEADGATE acts as Processor, the EU SCCs (Module 2) are incorporated into this DPA by reference, with the following details:

  • Clause 7 (Docking): Optional clause is included.
  • Clause 9 (Sub-processor authorization): Option 2 (general authorization) applies, with thirty (30) days' notice of changes (per Section 6).
  • Clause 11 (Redress): The optional independent dispute resolution body is not included.
  • Clause 17 (Governing law): The law of the Republic of Ireland.
  • Clause 18 (Forum and jurisdiction): The courts of Ireland.
  • Annex I.A (List of Parties): Customer is the data exporter; HEADGATE is the data importer. Contact details on the signature page.
  • Annex I.B (Description of transfer): As set out in Annex 1 of this DPA.
  • Annex I.C (Competent supervisory authority): Determined under Clause 13 (typically the supervisory authority of the EU member state of the data exporter's establishment, or where the data exporter is not established in the EU, the supervisory authority of the EU member state where the data subjects are located).
  • Annex II (Technical and organizational measures): As set out in Annex 2 of this DPA.
  • Annex III (List of Sub-processors): As maintained at https://headgatetech.com/subprocessors.

7.3 EU SCCs (Module 3 — Processor to Processor). Where Customer is a Processor on behalf of an upstream Controller and HEADGATE acts as a Sub-processor, EU SCCs Module 3 applies on the same basis as Section 7.2, mutatis mutandis.

7.4 UK Transfers — UK Addendum. For Restricted Transfers from the UK, the UK Addendum is incorporated into this DPA by reference. Table 1 (Parties) and Table 3 (Appendix Information) are completed using the details in the EU SCCs annexes above. Table 2 selects the EU SCCs as the approved EU SCCs.

7.5 Swiss Transfers — Swiss Addendum. For Restricted Transfers from Switzerland, the Swiss Addendum is incorporated into this DPA, with the FDPIC as the competent supervisory authority, references to GDPR construed as references to the FADP, and the courts of Switzerland as the forum where required by Swiss law.

7.6 Onward Transfers from Hong Kong. For onward transfers from HEADGATE in Hong Kong to Sub-processors outside Hong Kong, HEADGATE will apply the same transfer mechanism (EU SCCs / UK Addendum / Swiss Addendum) flowed through to the Sub-processor where the original transfer was subject to those mechanisms. For other onward transfers, HEADGATE will apply the PCPD's Recommended Model Contractual Clauses where appropriate.

7.7 Transfer Impact Assessment. HEADGATE has conducted, and will keep under review, a Transfer Impact Assessment for Hong Kong as a destination jurisdiction and for relevant Sub-processor jurisdictions. A summary is available to Customer on request under reasonable confidentiality terms.

7.8 Supplementary Measures. In addition to the contractual mechanisms above, HEADGATE applies the supplementary measures set out in Annex 2.

§ 08 / Personal Data Breach Notification

Personal Data Breach Notification

If something goes wrong with your data, we tell you fast — within 24 hours of confirming a breach — and give you what you need to meet your own regulator-notification deadlines.

8.1 HEADGATE will notify Customer without undue delay, and in any event within twenty-four (24) hours of becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

8.2 The notification will, to the extent reasonably available at the time, include:

  • A description of the nature of the Breach (categories and approximate number of Data Subjects and records affected)
  • The likely consequences of the Breach
  • The measures taken or proposed to address the Breach and to mitigate its possible adverse effects
  • Contact details for the HEADGATE incident coordinator

8.3 HEADGATE will provide a post-incident report to Customer within fourteen (14) days, including root-cause analysis, remediation measures, and updates as additional information becomes available.

8.4 HEADGATE will reasonably cooperate with Customer's investigation and Customer's notification obligations to supervisory authorities, Data Subjects, and other affected parties under Applicable Data Protection Law.

8.5 Notification under this Section is not, in itself, an acknowledgement of fault or liability.

§ 09 / Liability

Liability

Liability under this DPA flows from the Principal Agreement's liability provisions. Where the SCCs apply on their own terms, those govern that piece of liability.

9.1 The liability of each Party under this DPA is subject to the exclusions and limitations set out in the Principal Agreement, save that nothing in this DPA or the Principal Agreement excludes or limits either Party's liability where such exclusion or limitation is prohibited by Applicable Data Protection Law.

9.2 Where the EU SCCs (or the UK Addendum or Swiss Addendum) apply on their own terms, the liability provisions in those clauses govern as between Data Subjects and the Parties, but the Parties' allocation of liability inter se remains subject to Section 9.1.

§ 10 / Term and Termination

Term and Termination

This DPA runs for as long as we're processing your data. After we stop, we return or delete your data per the Principal Agreement and Section 4.7 above.

10.1 This DPA takes effect on the Effective Date and continues until HEADGATE has ceased Processing Customer Personal Data and has returned or deleted the same in accordance with Section 4.7.

10.2 Sections that by their nature should survive termination (including Sections 4.2, 4.7, 8, 9, and 11) survive termination.

§ 11 / General

General

Standard contract boilerplate. Notices, governing law, severability, etc.

11.1 Notices. Notices under this DPA must be in writing and sent to: (a) for HEADGATE, legal@headgatetech.com, with a copy to the postal address on the signature page; (b) for Customer, the email and postal address listed on the signature page or otherwise notified in writing.

11.2 Governing law. Subject to Section 7 (which incorporates the SCCs governed by the law of Ireland), this DPA is governed by the law specified in the Principal Agreement (typically the law of the Hong Kong Special Administrative Region).

11.3 Severability. If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions remain in effect.

11.4 Amendments. This DPA may be amended only by a written instrument signed by both Parties, except that HEADGATE may unilaterally update the Sub-processor list and Annex 2 in accordance with Sections 6 and 4.3, respectively.

11.5 Counterparts; electronic signature. This DPA may be executed in counterparts, including by electronic signature, each of which is deemed an original.

§ 12 / Annex 1 — Description of Processing

Annex 1 — Description of Processing

A factual description of who, what, why, and for how long. Customer-side detail is filled in on the signature page or in the SOW.

(A) Subject matter of Processing: HEADGATE's Processing of Customer Personal Data in performance of the Services described in the applicable Statement of Work.

(B) Duration of Processing: For the duration of the applicable Statement of Work and any retention period set out in Section 4.7 of this DPA or the Principal Agreement.

(C) Nature and purpose of Processing: The provision of digital marketing services, which may include (depending on the SOW): website analytics, email and lifecycle marketing, content production (including with AI Tools), audience modeling, search-engine optimization, and web design and build.

(D) Categories of Data Subjects

  • Customer's end-users and website visitors
  • Customer's employees who interact with HEADGATE in the course of the engagement
  • Customer's prospective customers and leads
  • (Other, as specified in the SOW)

(E) Categories of Personal Data

  • Identifiers (name, email, IP address, device ID)
  • Internet/network activity (pages viewed, click-stream data)
  • Commercial information (purchase history if shared by Customer)
  • Professional information (job title, company, role)
  • Inferences (audience-segment assignments)
  • (Other, as specified in the SOW)

(F) Special Categories / Sensitive Personal Information: None expected. Customer will not provide Special Categories of Personal Data or Sensitive Personal Information without prior written agreement and additional safeguards.

(G) Frequency of transfer: On a continuous basis during the term of the Services.

(H) Retention: As set out in Section 4.7 of this DPA, the Principal Agreement, and Customer's documented instructions.

§ 13 / Annex 2 — Technical and Organizational Measures

Annex 2 — Technical and Organizational Measures

The security stack we maintain. We update this annex as our practices improve; we won't reduce protections without telling you.

HEADGATE implements the following technical and organizational measures, in compliance with Article 32 GDPR and analogous requirements. HEADGATE may update these measures from time to time provided that the updated measures provide a level of security at least equivalent to those set out below.

Pseudonymization and Encryption

  • All Personal Data encrypted in transit using TLS 1.2 or higher with strong cipher suites
  • All Personal Data encrypted at rest using AES-256 or equivalent
  • Key management via reputable cloud KMS with role-based access controls
  • Pseudonymization applied where appropriate (e.g., analytics identifiers)

Confidentiality

  • Need-to-know access; role-based access controls (RBAC)
  • Multi-factor authentication on all administrative accounts and on accounts with access to Personal Data
  • Time-bounded access for engagement-specific work; access revoked at engagement end
  • Workspace and document-level segregation between client engagements
  • Written confidentiality and data-protection clauses in all employment and contractor agreements

Integrity

  • Tamper-evident audit logs of access to Personal Data
  • Monthly access-log reviews and engagement close-out audits
  • Change-management controls on production systems

Availability

  • Documented business-continuity and disaster-recovery procedures
  • Encrypted backups with defined retention and rotation
  • Sub-processor selection criteria include uptime SLAs and vendor SOC 2 Type II or equivalent

Resilience

  • Incident-response plan with defined roles, escalation paths, and notification timelines
  • Annual tabletop exercises
  • Vulnerability management with timely patching of high- and critical-severity vulnerabilities

Restoration

  • Tested backup-restoration procedures
  • Defined recovery-time and recovery-point objectives (available to Customer on request under NDA)

Testing

  • Periodic vulnerability scanning of HEADGATE infrastructure
  • Annual review of security controls
  • Sub-processor due-diligence reviews

Personnel Measures

  • Background checks where permitted by law
  • Mandatory privacy and security training upon onboarding and annually thereafter
  • Access provisioned through documented joiner/mover/leaver process

Vendor Management

  • Sub-processor due-diligence including security and privacy review
  • Contractual obligations no less protective than those in this DPA
  • Quarterly review of Sub-processor list

AI / Machine-Learning Specific Measures

  • AI vendors selected to contractually commit not to train, retrain, or fine-tune models on Customer Personal Data
  • Where technically not feasible, prior written Customer consent required
  • Logging of AI-Tool usage and data flows
  • Alignment with the PCPD 2024 Model Personal Data Protection Framework for AI Use

§ 14 / Annex 3 — Sub-processors

Annex 3 — Sub-processors

The current public list lives at headgatetech.com/subprocessors and is the canonical source. Annex 3 is a snapshot incorporated by reference.

The list of Sub-processors authorized as of the Effective Date is maintained at https://headgatetech.com/subprocessors and is incorporated by reference into this DPA. The most recent published version of that list at the time of any change governs.

§ 15 / Signature Page

Signature Page

HEADGATE TECHNOLOGY LTD
Signature: ____________
Name:
Title:
Date:
Email for legal notices: legal@headgatetech.com
Postal: Suite C, Level 7, 50 Stanley Street, Central, Hong Kong

[Customer Legal Name]
Signature: ____________
Name:
Title:
Date:
Email for legal notices:
Postal:
© 2017–2026 HEADGATE TECHNOLOGY LTD — All Rights Reserved