Gopher smiling and calling you to attention

Legal › Data Processing Agreement (DPA)

HappyHQ, Inc., a Delaware C‑Corporation

Effective date: 20 April 2026

This Data Processing Agreement ("DPA") is entered into between HappyHQ, Inc. ("HappyHQ," "we," "us," or "our") and the customer agreeing to these terms ("Customer," "you," or "Controller"). It forms part of, and is incorporated into, the HappyHQ Terms of Service or any separately signed agreement (the "Agreement").

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by HappyHQ on behalf of the Customer in connection with the Services.

"Processing" (and "Process") means any operation or set of operations performed on Personal Data, including collection, storage, use, disclosure, or deletion.

"Controller" means the Customer, who determines the purposes and means of Processing Personal Data.

"Processor" means HappyHQ, who Processes Personal Data on behalf of the Controller.

"Sub-processor" means any third party engaged by HappyHQ to Process Personal Data in connection with the Services.

"Data Subject" means the individual to whom Personal Data relates.

"Applicable Data Protection Law" means all privacy and data protection laws applicable to the Processing of Personal Data under this DPA, including (where applicable) the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and GDPR.

"Services" has the meaning given in the HappyHQ Terms of Service.

2. Scope & Roles

This DPA applies when HappyHQ Processes Personal Data that the Customer uploads, submits, or generates through the Services ("Customer Data").

  • The Customer is the Controller. You determine what Personal Data enters the Services and for what purpose.
  • HappyHQ is the Processor. We Process Customer Data only on your behalf, as described in this DPA and the Agreement.

HappyHQ does not sell Customer Data, and does not Process Customer Data for its own commercial purposes.

3. Customer Obligations

By using the Services, you represent and warrant that:

  • You have a lawful basis for Processing and sharing Personal Data with HappyHQ
  • You have provided all required notices to, and obtained all required consents from, Data Subjects
  • Your instructions to HappyHQ comply with Applicable Data Protection Law
  • You will promptly notify HappyHQ if you become aware of any instruction that would cause HappyHQ to violate applicable law

4. HappyHQ's Obligations

HappyHQ agrees to:

  • Process Customer Data only in accordance with your documented instructions, and as described in this DPA and the Agreement
  • Promptly inform you if we believe any instruction violates Applicable Data Protection Law
  • Ensure that personnel authorized to Process Customer Data are bound by appropriate confidentiality obligations
  • Implement and maintain the technical and organizational security measures described in Annex B
  • Not disclose Customer Data to third parties except as permitted under this DPA or required by law
  • Notify you without undue delay (and in any event within 72 hours) upon becoming aware of a Personal Data breach affecting Customer Data
  • Assist you, at your reasonable request and expense, in responding to Data Subject requests, conducting data protection impact assessments, and fulfilling other obligations under Applicable Data Protection Law
  • Delete or return Customer Data upon termination of the Agreement, as set out in Section 9

5. Sub-processors

5.1 Authorization

You authorize HappyHQ to engage Sub-processors to assist in delivering the Services. Our current list of Sub-processors is available at happyhq.com/legal/subprocessors and is updated as changes are made.

5.2 Notice of Changes

HappyHQ will provide at least 30 days' notice before adding or replacing a Sub-processor that Processes Customer Data. Notice will be provided by email or through an in-app notification.

5.3 Objection

If you have a reasonable objection to a new Sub-processor on data protection grounds, you may notify us at legal@happyhq.com within 14 days of receiving notice. We will work in good faith to accommodate your concern. If we cannot, you may terminate the relevant portion of the Services without penalty, as your sole remedy.

5.4 Sub-processor Obligations

HappyHQ will impose data protection obligations on Sub-processors that are no less protective than those in this DPA. HappyHQ remains responsible to you for the performance of Sub-processors' obligations.

6. Data Subject Rights

If HappyHQ receives a request directly from a Data Subject regarding their Personal Data in the Services, we will promptly forward it to you. We will not respond to such requests directly except at your instruction or as required by law.

HappyHQ will provide reasonable technical and organizational assistance to help you fulfill Data Subject rights requests (including access, correction, deletion, portability, and objection) within the timeframes required by Applicable Data Protection Law.

7. Security

HappyHQ will implement and maintain appropriate technical and organizational measures to protect Customer Data against unauthorized access, disclosure, alteration, or destruction. These measures are described in Annex B and take into account the nature, scope, and purpose of Processing, as well as the risks to Data Subjects.

HappyHQ will regularly review and update these measures as the threat landscape evolves.

8. Audits & Compliance

HappyHQ will make available to you all information reasonably necessary to demonstrate compliance with this DPA.

Upon your written request (no more than once per year, absent a specific compliance concern), HappyHQ will cooperate with an audit or inspection of its data processing practices, either by you or a mutually agreed third-party auditor, subject to reasonable confidentiality obligations and scheduling constraints. You will bear the costs of any such audit unless the audit reveals a material breach by HappyHQ.

9. Retention & Deletion

HappyHQ will retain Customer Data for the duration of the Agreement. Upon expiration or termination:

  • We will work with you to export or return your Customer Data within 30 days of termination
  • After that period, HappyHQ will delete or anonymize Customer Data within 90 days, except where retention is required by law
  • Upon request, HappyHQ will provide written confirmation that deletion is complete

10. International Data Transfers

HappyHQ primarily Processes Customer Data within the United States. If Customer Data is transferred outside the jurisdiction in which it was collected, HappyHQ will ensure that appropriate transfer mechanisms are in place (such as Standard Contractual Clauses or other legally recognized mechanisms) as required by Applicable Data Protection Law.

11. CCPA Addendum

To the extent HappyHQ Processes Personal Information (as defined under the CCPA/CPRA) on behalf of the Customer:

  • HappyHQ is a Service Provider under the CCPA/CPRA
  • HappyHQ will not sell or share Personal Information, retain, use, or disclose it for any purpose other than providing the Services, or combine it with Personal Information from other sources except as permitted under applicable law
  • HappyHQ certifies that it understands and will comply with the restrictions of this Section

12. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Agreement. Nothing in this DPA limits either party's liability to Data Subjects or supervisory authorities under Applicable Data Protection Law.

13. Governing Law

This DPA is governed by the laws of the State of California, consistent with the Agreement. For customers subject to GDPR, this DPA shall be interpreted in a manner consistent with GDPR requirements, and any Standard Contractual Clauses incorporated herein shall be governed by the law specified therein.

14. Order of Precedence

In the event of a conflict between this DPA and the Agreement, this DPA will control with respect to the Processing of Personal Data. In the event of a conflict between this DPA and any Standard Contractual Clauses, the Standard Contractual Clauses will control.

15. Changes to This DPA

HappyHQ may update this DPA from time to time to reflect changes in law or our practices. We will provide at least 30 days' notice of material changes. Continued use of the Services after that period constitutes acceptance of the updated DPA.

Annex A — Details of Processing

Field Details
Controller Customer (as identified in the Agreement)
Processor HappyHQ, Inc.
Subject matter Provision of the HappyHQ Services (an AI workspace for everyday work)
Duration For the term of the Agreement
Nature of Processing Storage, retrieval, display, deletion
Purpose Providing, maintaining, and improving the Services
Types of Personal Data Email addresses, names, billing metadata, AI inputs when using Q, and workspace content shared through HappyHQ Cloud
Categories of Data Subjects Customer's employees, contractors, and end users

Annex B — Technical & Organizational Security Measures

HappyHQ maintains the following security measures, which may be updated over time to reflect industry best practices:

Encryption

  • Data in transit is encrypted using HTTPS/TLS
  • Data at rest is encrypted by our sub-processors where applicable. Fly.io encrypts volumes at rest (LUKS); Stripe is PCI-DSS Level 1 certified; InstantDB transmits data over HTTPS/TLS.

Access Controls

  • Access to production systems is limited to authorised team members
  • Access is reviewed and revoked as team membership changes

Infrastructure

  • Early adopter workspace data is hosted on Fly.io (SOC 2 Type 2 certified)
  • Account and billing data is hosted by InstantDB
  • Payments are processed by Stripe (PCI-DSS Level 1)
  • Services traffic is routed through Cloudflare's infrastructure

Data Minimisation

  • Most workspace content (tasks, notes, chats, documents) lives on the Customer's own machine or on their own Fly.io instance, not on HappyHQ's shared infrastructure. This limits the surface area for incidents affecting Customer Data.

Incident Response

  • If a Personal Data breach affecting Customer Data occurs, HappyHQ will notify the Customer within 72 hours as described in Section 4

Sub-processor Management

  • Sub-processors are selected in part based on their security practices and certifications, and are governed by their own security commitments

Business Continuity

  • Data held by our sub-processors benefits from their respective backup and recovery practices

Questions about this DPA? Contact us at legal@happyhq.com.