Data Processing Agreement
Last updated: February 1, 2026 — Version 3.0
This Data Processing Agreement ("DPA") is entered into between Harmny Inc. ("Processor") and the customer entity that has agreed to the Harmny Terms of Service ("Controller" or "Customer"). This DPA supplements the Terms of Service and applies wherever Harmny processes personal data on behalf of the Customer in connection with the Services.
This DPA is designed to comply with the requirements of the EU General Data Protection Regulation (GDPR) Article 28, the UK GDPR, and other applicable data protection laws. For Enterprise customers, a countersigned DPA is available on request.
1. Definitions
- "Controller" means the Customer entity that determines the purposes and means of processing personal data.
- "Processor" means Harmny Inc., which processes personal data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Subject" means the natural person whose Personal Data is being processed (typically an employee or contractor of the Controller).
- "Sub-processor" means any third party engaged by Harmny to process Personal Data on behalf of the Controller.
- "Security Incident" means any confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Processing Details
Harmny processes the following categories of Personal Data on behalf of the Controller:
- Identity data: employee name, job title, department, manager relationship
- Contact data: work email address
- Employment data: start date, career level, performance ratings, competency scores
- Goal data: OKRs, key results, progress updates, and completion status
- Review data: self-assessments, manager assessments, peer feedback, and calibration notes
- Time-off data: leave requests, balances, and approval history
- Usage data: log data and activity within the platform
Processing is carried out for the purpose of providing the Harmny performance management, career development, and team management Services as described in the Terms of Service. Processing will continue for the duration of the active subscription.
3. Processor Obligations
Harmny agrees to:
- Process Personal Data only on documented instructions from the Controller, including as set out in the Terms of Service and this DPA
- Ensure that all personnel authorized to process Personal Data are under appropriate confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures as described in Section 4
- Not engage Sub-processors without prior written or general authorization from the Controller, and ensure any Sub-processor is bound by equivalent data protection obligations
- Assist the Controller in responding to Data Subject requests in accordance with Section 5
- Provide all information necessary for the Controller to demonstrate compliance with applicable data protection laws
- Delete or return all Personal Data upon termination of the Services, as directed by the Controller
- Promptly notify the Controller of any Security Incident in accordance with Section 6
4. Security Measures
Harmny maintains the following technical and organizational measures to protect Personal Data:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access control: Role-based access control; least-privilege principle; MFA required for all internal systems
- Infrastructure security: VPC isolation, WAF, regular vulnerability scanning, and intrusion detection
- Personnel controls: Background checks for employees with data access; mandatory annual security training; access reviewed quarterly
- Audit logging: Immutable audit logs for all access to production customer data by Harmny personnel
- Business continuity: Automated backups every 6 hours; disaster recovery plan tested annually; 99.9% uptime SLA for paid plans
- Third-party audits: Annual SOC 2 Type II audit conducted by an independent third-party auditor
5. Data Subject Rights
Harmny will provide the Controller with reasonable assistance in fulfilling obligations to respond to Data Subject requests, including requests for access, correction, deletion, portability, restriction, and objection.
Where technically feasible, Data Subjects may exercise the following rights directly within the Harmny platform: access to their personal profile and performance data; correction of their profile information; and export of their own data in a portable format.
Requests that require Harmny to take action beyond the platform UI (such as full account deletion) should be submitted by the Controller's administrator via [email protected]. Harmny will respond within 5 business days.
6. Security Incident Notification
In the event of a confirmed Security Incident affecting the Controller's Personal Data, Harmny will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the incident
- Provide an initial notification containing: (a) a description of the nature of the incident; (b) the categories and approximate number of Data Subjects and Personal Data records affected; (c) the likely consequences; and (d) the measures taken or proposed to address the incident
- Cooperate fully with the Controller's incident response process and regulatory notifications
7. Sub-processors
The Controller grants Harmny general authorization to engage Sub-processors. Harmny maintains a current list of Sub-processors and provides 30 days' notice before adding or replacing any Sub-processor. The Controller may object to a new Sub-processor in writing within this notice period.
Current primary Sub-processors include:
- Amazon Web Services (AWS) — Cloud hosting and infrastructure (US and EU regions)
- Stripe — Payment processing (Controller billing data only)
- Intercom — Customer support and in-app messaging
- Postmark — Transactional email delivery
- Sentry — Error monitoring and debugging (anonymized stack traces)
8. International Data Transfers
Where Personal Data is transferred outside the European Economic Area or the United Kingdom, Harmny relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission (or UK addendum, as applicable) as the legal basis for such transfers.
Enterprise customers may request an EU data residency configuration where all Customer Personal Data is stored and processed exclusively within Harmny's eu-west-1 region. Contact [email protected] for details.
9. Audits and Certifications
Harmny will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA, including a copy of Harmny's most recent SOC 2 Type II report (under NDA on request).
In the event of a regulatory investigation or where required by applicable law, the Controller may request an on-site audit with at least 30 days' written notice. Harmny may charge a reasonable fee for audit cooperation that exceeds standard disclosure obligations.
10. Governing Law
This DPA is governed by the same law as the Terms of Service, except where applicable data protection laws (including GDPR) impose mandatory requirements that supersede those terms. For Controllers established in the EEA, this DPA shall be construed in accordance with the laws of the member state in which the Controller is established.
Need a countersigned DPA?
Enterprise customers can request a fully executed DPA. Our legal team typically turns these around within 3 business days.