LEGAL · DPA

Data Processing Addendum.

Standard SCC-aligned DPA for customers processing personal data through Imposter Hunter services. Signed counter-execution within 5 business days on request.

INFORMATIONAL PAGE: This page is informational. The binding DPA is the signed PDF version provided on request. Nothing on this page constitutes a legally binding agreement. Consult your legal counsel before relying on any terms described here.

01 · SCOPE

What the DPA covers.

SUBJECT MATTER

Detection and classification services.

Processing of personal data submitted to or generated by Imposter Hunter services, including LLM Shield (adversarial input detection) and Social-Media Shield (impersonator detection). Processing is strictly limited to service delivery.

DURATION

Term of the Service Agreement.

The DPA is effective for the duration of the Customer’s active service subscription and terminates automatically upon service termination, subject to data-return and deletion obligations described in Section 5.

NATURE OF PROCESSING

Analysis, classification, and routing.

Automated classification of text inputs against Imposter Hunter’s proprietary detection engine. No training on customer data. No cross-customer data sharing. Processing performed by instruction-tuned LLM pipeline in Customer-selected region.

DATA CATEGORIES

Text inputs submitted to the API.

Customer-submitted text inputs (prompts, voice transcripts, tool responses, documents). May incidentally contain personal data at Customer’s discretion. No special-category personal data required or solicited. Account metadata (name, email, billing) processed separately under Privacy Policy.

02 · SUB-PROCESSORS

Who we run on.

Current sub-processor list. Updated on our Trust page at /trust#subprocessors whenever sub-processors are added or removed. Customers are notified 30 days in advance of any new sub-processor addition.

Sub-processor	Purpose	Region(s)	Safeguard
Amazon Web Services (AWS)	Compute, inference, storage	US-East-1 / EU-Central-1 (Customer selectable)	AWS DPA + SCCs
Stripe	Payment processing	Global (Stripe-controlled)	Stripe DPA + SCCs
SendGrid (Twilio)	Transactional email	US	Twilio DPA + SCCs
Linear	Support ticket management	US	Linear DPA

03 · INTERNATIONAL TRANSFERS

Cross-border data transfer mechanisms.

EU SCC MODULE 2

Controller → Processor

For transfers from EU/EEA Controllers to Imposter Hunter acting as Processor. Standard Contractual Clauses (Module 2) per Commission Implementing Decision (EU) 2021/914 are incorporated by reference into the signed DPA.

EU SCC MODULE 3

Processor → Sub-processor

For onward transfers to AWS and other sub-processors. SCC Module 3 (Processor to Sub-processor) applies. Sub-processor SCCs are maintained on file and available to Customers on request under NDA.

CONTRACTING ENTITIES

Two entities. Region routes the contract.

EU/EEA and UK Customers contract with IMPOSTERHUNTER S.R.L. (Romania, CUI 54468885, Trade Registry J2026024097006). MENA, GCC, and rest-of-world Customers contract with Imposter Hunter Solutions (Dubai, UAE, Trade License #1540371). Where unspecified, IMPOSTERHUNTER S.R.L. is the default. The applicable entity is identified on each signed DPA.

04 · DATA SUBJECT RIGHTS AND OBLIGATIONS

Our obligations to you and your data subjects.

DSAR ASSISTANCE

We support your DSAR obligations.

Imposter Hunter will provide commercially reasonable assistance to Customers in responding to Data Subject Access Requests, including access, portability, rectification, erasure, and restriction of processing, within the scope of data we process on the Customer’s behalf. Response SLA: 10 business days.

BREACH NOTIFICATION

72-hour notification commitment.

In the event of a confirmed personal data breach affecting Customer data, Imposter Hunter will notify the affected Customer within 72 hours of becoming aware of the breach, with sufficient detail to enable Customer to fulfill its own notification obligations to supervisory authorities and data subjects.

AUDIT RIGHTS

Audit via SOC 2 reports.

Customers may request evidence of compliance through Imposter Hunter’s SOC 2 Type II report (when available, targeted Q4 2026) or through a third-party methodology attestation report. On-site audits available under NDA for Tier 2 enterprise customers at Processor’s reasonable discretion.

05 · TECHNICAL AND ORGANISATIONAL MEASURES

Security baseline included in every DPA.

Encryption at rest (AES-256)Encryption in transit (TLS 1.3)Zero static credentials (OIDC-only CI/CD)Customer-selectable data regionNo cross-customer data comminglingNo training on customer inputsAPI key rotation toolingDeletion on termination (30-day default)

Full Technical and Organisational Measures (TOMs) annex is included in the signed DPA and updated quarterly. Current TOMs are available to prospective customers under a short-form NDA at the due-diligence stage.

06 · HOW TO EXECUTE

Signed DPA in 5 business days.

Email our legal team. We’ll send the current DPA template for your review, incorporate any negotiated modifications, and return a counter-executed PDF within 5 business days.

DPA REQUEST

legal@imposterhunter.com

Include your company name, jurisdiction, and the Imposter Hunter services in scope. Counter-execution within 5 business days.

Self-serve click-to-sign DPA expected Q3 2026 alongside subscription billing launch.

Informational footnote: This page describes Imposter Hunter’s standard DPA terms in summary form for evaluation guidance purposes. It is not a legally binding agreement. The binding DPA is the signed PDF version provided by counter-execution on request. This page will be reviewed by legal counsel before any binding execution. All terms are subject to negotiation. Operated by IMPOSTERHUNTER S.R.L. (Romania, CUI 54468885) and Imposter Hunter Solutions (Dubai, UAE, Trade License #1540371).

Ready to start your evaluation?

Book a 30-minute security review call, or email us to request the DPA directly.

Book a Security Review →Request DPA →