Data Processing Addendum

Last updated: April 2026

This Data Processing Addendum ("DPA") supplements the Privacy Policy and Terms of Service of HDE (HDetailEnterprise), located at bul. "Dunav" #1, Plovdiv, Bulgaria, and is provided in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Scope and Purpose

This DPA applies to the processing of personal data by HDE in the course of providing services through the Platform at hde.dev. It describes the data processing activities, security measures, and obligations that HDE undertakes as a data controller, and the safeguards in place for any sub-processors engaged.

2. Data Controller

HDE acts as the data controller for all personal data collected through the Platform. The data controller is responsible for determining the purposes and means of processing personal data.

  • Entity: HDE (HDetailEnterprise)
  • Address: bul. "Dunav" #1, Plovdiv, Bulgaria
  • Contact: info@hdetailenterprise.com

3. Categories of Data Processed

The following categories of personal data are processed through the Platform:

  • Identity data: name, email address, Discord user ID, Google user ID, GitHub user ID, avatar URL, phone number
  • Authentication data: password hashes (bcrypt), JWT session tokens, OAuth tokens, workspace portal session tokens, encrypted MFA TOTP secrets, hashed backup recovery codes, trusted device fingerprints and associated IP addresses
  • Billing data: legal name, company name, billing address, city, postal code, country, VAT number, Tax ID
  • Service data: orders, order conversations, cart contents, consultation bookings, support tickets, affiliate activity, personalised offers
  • VIP data: subscription tier, status, start and end dates, Stripe customer and subscription identifiers
  • Financial data: invoice records, payment records, credit notes, wallet balances, wallet transaction history, commission calculations, price multiplier values, exchange rates, expense records
  • Project data: project details, milestones, uploaded files, time entries with task descriptions and hours
  • Teamspace data: team membership, team roles and permissions, projects, tasks (including subtasks, assignees, watchers, priorities, checklists, dependencies, custom fields), task comments and reactions, file attachments, automation rules (triggers and actions), activity logs, team invitations, saved views and templates
  • Careers data: job applications, questionnaire responses, application status and review history
  • Provider data: provider profiles, company information, service department configurations, service offerings, revenue tracking
  • Preference data: language preference, theme selection, custom theme configurations, analytics consent
  • Technical data: IP addresses (in server logs), browser timezone, IP country for locale detection
  • Communication data: ticket messages, order conversation messages, consultation notes, questionnaire responses, file attachments
  • Real-time session data: socket connection metadata, presence status, room subscriptions (held in memory only, not persisted)
  • Knowledge base data: article content, metadata, category and department associations (managed by authorised staff)
  • Workspace portal data: worker nicknames, session activity, validation accuracy, performance metrics, quota tracking (internal employees only; all displayed transaction data is synthetic and sanitised)

4. Processing Principles

All personal data processing is conducted in accordance with the following GDPR principles:

  • Lawfulness, fairness, and transparency: Data is processed lawfully with clear disclosure to users
  • Purpose limitation: Data is collected for specified, explicit purposes and not processed beyond those purposes
  • Data minimisation: Only data necessary for the stated purposes is collected
  • Accuracy: Reasonable measures are taken to ensure data accuracy, and users can request corrections
  • Storage limitation: Data is retained only as long as necessary, per the retention periods in the Privacy Policy
  • Integrity and confidentiality: Appropriate technical and organisational security measures are implemented
  • Accountability: HDE maintains records of processing activities and can demonstrate compliance

5. Sub-Processors

HDE engages the following sub-processors for the operation of the Platform. Each sub-processor processes data only as necessary for its specific function:

5.1 MongoDB Atlas (MongoDB, Inc.)

Function: Database hosting and storage. Data processed: All Platform data stored in the database. Location: EU region. Safeguards: Encryption at rest, access controls, SOC 2 Type II certification.

5.2 Hosting Provider

Function: Application hosting and infrastructure. Data processed: All data transmitted through the application, including server logs. Location: EU region. Safeguards: Infrastructure security, encrypted transit.

5.3 Discord (Discord, Inc.)

Function: OAuth authentication provider. Data processed: Discord user ID, email, display name, avatar. Location: United States. Safeguards: Standard Contractual Clauses (SCCs), Discord's Data Processing Agreement.

5.4 Google (Alphabet Inc.)

Function: OAuth authentication provider and analytics (when enabled). Data processed for OAuth: Google user ID, email, name. Data processed for analytics (when consented): anonymised usage data, page views, device information. Location: United States. Safeguards: Standard Contractual Clauses (SCCs), Google's Data Processing Agreement, adequacy mechanisms.

5.5 GitHub (Microsoft Corporation)

Function: OAuth authentication provider. Data processed: GitHub user ID, email, name. Location: United States. Safeguards: Standard Contractual Clauses (SCCs), Microsoft's Data Processing Agreement.

5.6 Stripe (Stripe, Inc.)

Function: Payment processing for orders and VIP subscriptions. Data processed: Payment card information (handled entirely by Stripe), billing details, transaction records, Stripe customer and subscription identifiers. Location: United States and EU. Safeguards: PCI DSS Level 1 certification, Standard Contractual Clauses, Stripe's Data Processing Agreement. HDE does not store full payment card information; this is handled entirely by Stripe.

5.7 Google Analytics (Alphabet Inc.)

Function: Website analytics (when enabled and consented). Data processed: Anonymised page views, engagement metrics, device and browser information, referral sources. No personally identifiable information is shared. Location: United States. Safeguards: Standard Contractual Clauses (SCCs), consent-based activation only, anonymised data collection.

6. Data Breach Procedure

In the event of a personal data breach, HDE will:

  • Assess the nature, scope, and potential impact of the breach
  • Notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals, in accordance with GDPR Article 33
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34
  • Document the breach, including its effects and the remedial actions taken
  • Take immediate steps to contain the breach and prevent further unauthorised access

7. Security Safeguards

HDE implements the following technical and organisational security measures:

7.1 Encryption

All data in transit is protected by HTTPS/TLS encryption. Database storage uses MongoDB Atlas encryption at rest. Passwords are hashed using bcrypt with a cost factor of 12 and are never stored or transmitted in plain text. Payment card data is processed exclusively by Stripe and is never stored on HDE servers.

7.2 Access Control

The Platform implements a hybrid role-based access control system with both legacy roles (User, Support Agent, Sales Agent, Support Manager, Accountant, Administrator, Super Administrator) and dynamic custom roles with 40+ granular permissions across 15 domains. Permissions can be customised per user with individual overrides. Support agents can only access tickets assigned to them by default. Administrators cannot modify their own accounts, preventing self-elevation of privileges. Permission resolution supports wildcard patterns for flexible access management.

7.3 Authentication Security

User sessions are managed through signed JWT tokens that are verified against the database every 10 seconds. Tokens are automatically invalidated if the user account is deactivated or a forced logout is triggered. The system includes self-healing mechanisms to detect and repair stale or invalid token data. Users may enable multi-factor authentication (TOTP) for enhanced security; TOTP secrets are stored encrypted and backup recovery codes are hashed. Trusted device records are maintained to streamline MFA verification on recognised devices. The workspace portal uses a separate session system with cryptographically random tokens and a 24-hour inactivity timeout.

7.4 Audit Logging

All administrative actions that affect user accounts are recorded in an immutable audit log. Logged actions include: role changes, account activation and deactivation, price multiplier changes, forced logouts, affiliate profile modifications, permission overrides, and VIP status changes. Each log entry records the administrator who performed the action, the affected user, the old and new values, and a timestamp. Audit logs are accessible only to Super Administrators. Invoice revisions are tracked in a separate audit trail recording all changes to issued or paid invoices. Teamspace activity is logged separately within each team, recording task, project, and membership changes for collaboration audit purposes. Platform events (such as order updates, ticket changes, and administrative actions) may be forwarded to administrator-configured external webhook endpoints (currently Discord) for operational monitoring. These webhook payloads contain event summaries and may include identifiers such as user display names and entity IDs, but do not include sensitive personal data such as passwords, payment details, or full billing information.

8. Data Minimisation

HDE adheres to the principle of data minimisation. We collect only the personal data necessary to provide the requested services. Optional fields (such as consultation notes, ticket tags, or custom theme configurations) are provided at the user's discretion. The Platform does not collect or process any special categories of personal data (Article 9 GDPR) such as health data, biometric data, or data revealing racial or ethnic origin. The workspace portal employs data sanitisation techniques to ensure that all transaction data displayed to internal workers is synthetic and masked; no real customer personally identifiable information is exposed in the portal environment.

9. Right to Audit

Data subjects may request information about how their personal data is processed by contacting info@hdetailenterprise.com. HDE will provide a summary of processing activities relevant to the requesting individual within 30 days. The supervisory authority (CPDP) has the right to conduct audits of HDE's data processing activities in accordance with applicable law.

10. Data Deletion

Upon receiving a valid data deletion request (right to erasure under GDPR Article 17), HDE will:

  • Delete or anonymise the user's personal data within 30 days
  • Retain only data that is required by law (e.g., financial records, invoices, and tax documentation for compliance)
  • Anonymise audit log entries related to the user while preserving the integrity of the audit trail
  • Cancel any active VIP subscription and remove associated Stripe references
  • Confirm deletion to the requesting individual

11. International Data Transfers

Where personal data is transferred to sub-processors located outside the European Economic Area (EEA), HDE ensures that appropriate safeguards are in place. Currently, the following sub-processors process data outside the EEA: Discord, Inc. (United States), Alphabet Inc. / Google (United States), Microsoft Corporation / GitHub (United States), and Stripe, Inc. (United States and EU). In all cases, Standard Contractual Clauses (SCCs) approved by the European Commission are used to ensure an adequate level of data protection. HDE does not transfer personal data to countries without adequate protection unless appropriate safeguards are in place.

12. Supervisory Authority

The competent supervisory authority for HDE's data processing activities is:

  • Commission for Personal Data Protection (CPDP)

Data subjects also have the right to lodge a complaint with the supervisory authority in their EU member state of habitual residence.