
DPA and AI Addendum

  • Effective Date: May 29, 2026 

  • Incorporated into the HIO Customer Terms & Conditions  |  Project Mongoose, Inc., a Virginia corporation, doing business as HIO ("HIO")

  • This Data Processing Addendum and AI Addendum (the "DPA & AI Addendum") is incorporated into and forms part of the HIO Customer Terms & Conditions (the "Agreement") between Project Mongoose, Inc. d/b/a HIO ("HIO") and the entity identified as Customer ("Customer"). It applies to (a) HIO's processing of Personal Data on Customer's behalf in connection with the Services, and (b) HIO's and Customer's respective obligations as a developer and a deployer of an AI System under applicable AI laws. Capitalized terms not defined here have the meanings given in the Agreement.

  • In the event of a conflict between this DPA & AI Addendum and the Agreement, this DPA & AI Addendum controls solely with respect to the subject matter addressed in it.

  • PART A — Data Processing

  • A1. Roles

  • For purposes of applicable data-protection laws: (a) Customer is the "controller" or "business" with respect to Personal Data contained in Customer Data; (b) HIO is the "processor" or "service provider" with respect to such Personal Data; and (c) HIO's Sub-Processors are "sub-processors" or "service providers" of HIO. In limited circumstances expressly described in the Privacy Policy, HIO acts as an independent controller of certain Personal Data.

  • A2. Subject Matter and Details of Processing

  • Subject matter: HIO's provision of the Services to Customer.

  • Duration: the Subscription Term and any post-termination deletion window.

  • Nature and purpose: ingestion of Customer Data into the Vector Store; storage of Vector Embeddings in Customer's isolated tenant; retrieval-augmented generation by the AI Assistant in response to End User queries; operation, monitoring, and securing of the Services. Where Knowledge Graph Services are included in the Order Form: extraction of Entities and relationships from Customer Data; construction, storage, and maintenance of the Knowledge Graph in Customer's isolated tenant; and use of the Knowledge Graph to enhance AI Assistant responses.

  • Categories of data subjects: End Users authorized by Customer; individuals identified in Customer Data ingested by Customer.

  • Categories of Personal Data: business-contact data of End Users; content and metadata of End User queries; any Personal Data Customer chooses to include in Customer Data.

  • Special categories: none expected unless separately agreed in writing.

  • A3. Customer Instructions

  • HIO will process Personal Data only on Customer's documented instructions, which include the Agreement, this DPA & AI Addendum, the Order Form, and instructions Customer gives through the Studio or through written notice to HIO. HIO will inform Customer if HIO believes an instruction violates applicable data-protection law. HIO will not "sell" or "share" (as those terms are defined under U.S. state privacy laws) any Personal Data, and HIO will not retain, use, or disclose Personal Data outside the direct business relationship with Customer or for any purpose other than the business purposes specified in the Agreement.

  • A4. Confidentiality of Personnel

  • HIO ensures that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations.

  • A5. Security

  • HIO maintains the technical and organizational measures set forth in Schedule 1 (TOMs). HIO may update Schedule 1 from time to time, provided that updates do not materially decrease the overall security of the Services. HIO will assist Customer in ensuring compliance with Customer's security obligations under applicable data-protection law, taking into account the nature of the processing and the information available to HIO.

  • A6. Sub-Processors

  • Customer authorizes HIO to engage Sub-Processors. HIO will provide Customer with at least thirty (30) days' advance notice of any new Sub-Processor (the "Notice Period"), through an update to heyhio.com/subprocessors and, where Customer has subscribed to notice, by email. Customer may object to a new Sub-Processor in writing during the Notice Period on reasonable data-protection grounds; if Customer objects and HIO cannot reasonably accommodate Customer's concern, Customer may terminate the affected Order Form on written notice and receive a pro-rated refund of pre-paid Fees for the unused portion of the Subscription Term. HIO imposes data-protection obligations on its Sub-Processors that are no less protective than those in this DPA & AI Addendum.

  • A7. Data Subject Rights

  • Taking into account the nature of the processing, HIO will assist Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling Customer's obligation to respond to requests to exercise data-subject rights. If HIO receives a request directly from a data subject relating to Personal Data of which Customer is the controller, HIO will, without responding to the request, refer the data subject to Customer and notify Customer.

  • A8. DPIA and Prior Consultation

  • HIO will provide Customer with reasonable assistance with data-protection impact assessments and any consultation with supervisory authorities, taking into account the nature of the processing and the information available to HIO.

  • A9. Personal Data Breach

  • HIO will notify Customer without undue delay, and in any event within seventy-two (72) hours, of any confirmed Personal Data Breach affecting Customer Data. "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. HIO's notice will include the information reasonably required for Customer to comply with its own notification obligations (nature of the breach, categories and approximate number of data subjects, likely consequences, measures taken or proposed). HIO will cooperate with Customer in investigating and mitigating the Personal Data Breach.

  • PART B — AI Provisions

  • B1. No Training on Customer Data

  • HIO will not use, and will contractually prohibit its Sub-Processors from using, Customer Data, prompts derived from Customer Data, or AI Assistant outputs based on Customer Data, to train, fine-tune, or otherwise improve any foundation model, large language model, or other machine-learning model that benefits any party other than Customer, except as Customer expressly authorizes in writing.

  • B2. Multi-Tenant Isolation

  • HIO hosts the Services in a multi-tenant cloud environment. HIO will maintain logical isolation of each Customer's tenant within the Vector Store and apply access controls designed to prevent Customer Data, Vector Embeddings, prompts, or AI Assistant outputs from being commingled with, or made accessible to, any other HIO customer or its End Users. HIO's standard configuration prevents cross-tenant retrieval.

  • B3. Aggregated Anonymous Data

  • HIO may compile, retain, and use Aggregated Anonymous Data (as defined in the Agreement) for the purposes described in the Agreement and the Privacy Policy. HIO will not re-identify or attempt to re-identify Aggregated Anonymous Data.

  • B4. AI System Developer Documentation

  • In its capacity as a developer of the AI System, HIO will maintain and make available to Customer the documentation reasonably required by applicable AI laws, including without limitation the EU AI Act and the Colorado AI Act and its successors.

  • HIO acknowledges that the AI Assistant interacts with natural persons. HIO will provide, and make available to Customer for incorporation into Customer's deployment, in-product disclosure components designed to inform End Users that they are interacting with an AI system, in a form intended to satisfy Article 50(1) of the EU AI Act. Customer will, in cooperation with HIO, ensure that such disclosures are provided to End Users at the point of first interaction and at appropriate intervals thereafter, and will not disable or materially modify HIO's standard disclosures. Where the AI Assistant generates content intended to be published to the public, the parties will cooperate on labeling such content as AI-generated where required by Article 50(4).

  • B5. Restriction on Use for Consequential Decisions

  • Customer will not, and will not permit any End User to, use the AI Assistant or AI Assistant outputs as the sole or substantial basis for any Consequential Decision unless Customer has (a) notified HIO in writing that Customer intends to deploy the AI System in connection with a Consequential Decision, (b) completed the deployer-side obligations under applicable AI laws (including, where applicable, the Colorado AI Act and its successors, including any required impact assessment, consumer notice, opportunity to correct, and opportunity to appeal), and (c) agreed with HIO in writing on any additional measures required for that deployment. HIO is not responsible for Customer's compliance with deployer-side obligations.

  • B6. Acceptable Use Coordination

  • Customer's and End Users' use of the AI System must comply with the AI Use Restrictions in the Agreement and any AI-related terms in the User Terms applicable to End Users. HIO may suspend access for any End User HIO reasonably believes has violated those restrictions.

  • B7. Knowledge Graph Processing

  • (a) Scope. This Section B7 applies where the Order Form includes Knowledge Graph Services. Where Knowledge Graph Services are not included in an Order Form, this Section B7 does not apply to that Order.

  • (b) No Training on Knowledge Graph Data. HIO will not use, and will contractually prohibit its Sub-Processors from using, the Knowledge Graph, Entities, relationship data, or any output derived from the Knowledge Graph, to train, fine-tune, or otherwise improve any foundation model, large language model, graph neural network, or other machine-learning model that benefits any party other than Customer, except as Customer expressly authorizes in writing.

  • (c) Graph Query Restrictions. Customer will not, and will not permit any End User to, use graph-query capabilities (where made available) to extract, bulk-export, or reconstruct Customer Data. Graph queries are intended for retrieval-augmented generation and operational use of the Services only.

  • (d) Sub-Processor Authorization. Customer authorizes HIO to engage graph-database Sub-Processors for the storage and retrieval of Knowledge Graph data, subject to the terms in A6. HIO will apply the same data-protection obligations to graph-database Sub-Processors as to vector-database Sub-Processors under this DPA & AI Addendum.

  • PART C — General

  • C1. Term

  • This DPA & AI Addendum takes effect on the Effective Date of the Agreement and continues for the duration of the Agreement and any post-termination period during which HIO retains Personal Data.

  • C2. Liability

  • Each Party's liability under this DPA & AI Addendum is subject to the limitations of liability set forth in Section 10 of the Agreement, including the Super-Cap applicable to data-protection claims.

  • C3. Order of Precedence

  • In the event of a conflict between this DPA & AI Addendum and the Agreement, this DPA & AI Addendum controls solely with respect to the subject matter addressed in it. In the event of a conflict between this DPA & AI Addendum and Standard Contractual Clauses, the Standard Contractual Clauses control with respect to international data transfers.


  • Schedule 1 — Technical and Organizational Measures

  • HIO maintains the following technical and organizational measures (as updated from time to time, provided that the overall security level is not materially decreased):

  • Access control

  • Role-based access control with least-privilege provisioning.

  • Multi-factor authentication for HIO personnel access to production systems.

  • Logical isolation of each Customer's tenant within the Vector Store.

  • Encryption

  • Encryption in transit using TLS 1.2 or later.

  • Encryption at rest using AES-256 or equivalent.
