Last Updated: 2026-03-23

Data Processing Agreement

Standard data processing agreement for institutional clients. This template outlines our data processing obligations and your rights as data controller.

This is our standard Data Processing Agreement template.

Specific terms are negotiated per client. Contact privacy@honelabs.dev to request execution.

This Data Processing Agreement (“DPA”) is entered into by and between:

Client: [Institution Name] (“Controller,” “Client,” or “Institution”)
Address: [Address]
Contact: [Name, Title, Email]

and

Processor: Hone Labs LLC (“Processor” or “Hone Labs”)
Address: Berkshires, MA
Contact: Todd Burner, Founder & CEO, privacy@honelabs.dev

(each a “Party” and together the “Parties”)

Effective Date: [Date]

This DPA supplements and forms part of the Master Services Agreement, Pilot Agreement, or other written agreement between the Parties for the provision of the Hone Studio platform (“Service Agreement”). In the event of a conflict between this DPA and the Service Agreement, this DPA shall prevail with respect to data processing matters.

1. Definitions

“Client Data”
All data uploaded to, generated within, or processed by the Platform on behalf of the Client, including documents, knowledge base content, conversation history, research projects, AI-generated outputs, embeddings, and associated metadata.
“Education Records”
Those records directly related to a student that are maintained by an educational agency or institution, as defined under FERPA (20 U.S.C. § 1232g; 34 CFR Part 99).
“Personal Data”
Any information relating to an identified or identifiable natural person contained within Client Data.
“Processing”
Any operation performed on Client Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
“Sub-Processor”
Any third party engaged by Hone Labs to process Client Data on behalf of the Client.
“Platform”
The Hone Studio software-as-a-service platform, including all frontend, backend, database, AI, and infrastructure components.
“Security Incident”
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data.

2. Scope of Processing

2.1 Purpose

Hone Labs processes Client Data solely to provide the Platform services as described in the Service Agreement. Processing activities include:

| Processing Activity | Purpose | Data Categories |
| --- | --- | --- |
| Document storage and retrieval | Store uploaded documents and generated content | Documents, files, metadata |
| Knowledge extraction | Extract structured facts from uploaded documents using AI | Document text, extracted facts, entities |
| Embedding generation | Convert document text to vector representations for semantic search | Document text (sent to embedding API) |
| AI-assisted generation | Generate draft documents, research, and assistant responses | Prompts, conversation history, knowledge base excerpts |
| Search and retrieval | Find relevant content from the knowledge base | Search queries, document chunks |
| Search result reranking | Improve search relevance | Document excerpts, queries |
| User authentication | Verify authorized user access | Email addresses, authentication tokens |
| Usage tracking | Monitor service usage for billing and quality | API call metadata, token counts |
| Error monitoring | Detect and resolve platform errors | Error data (PII scrubbed) |

2.2 Duration

Processing shall continue for the duration of the Service Agreement plus the data retention period specified in Section 8.

2.3 Data Subjects

Data subjects may include: Client employees, Client contractors, and any individuals whose information is contained in content uploaded to the Platform by the Client.

3. Processor Obligations

Hone Labs shall:

  • (a) Process Client Data only on documented instructions from the Client, including as described in this DPA and the Service Agreement. Hone Labs shall not process Client Data for any other purpose, including marketing, profiling, advertising, or product development beyond the contracted service.
  • (b) Ensure that persons authorized to process Client Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • (c) Implement and maintain the technical and organizational security measures described in Schedule A (Security Measures).
  • (d) Engage Sub-Processors only in accordance with Section 5.
  • (e) Assist the Client in responding to requests from data subjects exercising their rights, to the extent technically feasible and within the scope of the Platform.
  • (f) Assist the Client in ensuring compliance with security, breach notification, and data protection impact assessment obligations, taking into account the nature of processing and the information available to Hone Labs.
  • (g) At the Client’s choice, delete or return all Client Data upon termination of the Service Agreement, in accordance with Section 8.
  • (h) Make available to the Client all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections, in accordance with Section 9.
  • (i) Immediately inform the Client if, in Hone Labs’ opinion, an instruction from the Client infringes applicable data protection legislation.

4. Controller Obligations

The Client shall:

  • (a) Determine the purposes and means of processing Client Data and provide documented instructions to Hone Labs.
  • (b) Ensure that it has a lawful basis for processing Personal Data and transferring it to Hone Labs.
  • (c) Manage authorized user access, including promptly revoking access when no longer appropriate.
  • (d) Notify Hone Labs of any data subject requests that require Hone Labs’ assistance.
  • (e) Ensure that content uploaded to the Platform does not include data types beyond the Platform’s intended scope (e.g., Social Security numbers, credit card numbers, medical records) unless specifically agreed in writing.

5. Sub-Processors

5.1 Authorized Sub-Processors

The Client authorizes Hone Labs to engage the Sub-Processors listed in Schedule B (Sub-Processor List). The current list is also published at honelabs.dev/trust/subprocessors.

5.2 New Sub-Processors

Before engaging a new Sub-Processor that will process Client Data, Hone Labs shall:

  • (a) Provide the Client with at least 30 days’ written notice, including the identity and location of the new Sub-Processor, the nature of processing, and what Client Data will be shared.
  • (b) Ensure the new Sub-Processor is bound by data protection obligations no less protective than those in this DPA.

5.3 Objection Right

If the Client has a reasonable, documented objection to a new Sub-Processor based on data protection grounds, the Client shall notify Hone Labs within 30 days of receiving notice. The Parties shall work in good faith to resolve the objection. If resolution is not possible, the Client may terminate the Service Agreement without penalty, and Hone Labs shall facilitate the data return/deletion process described in Section 8.

5.4 Sub-Processor Liability

Hone Labs shall remain fully liable for the acts and omissions of its Sub-Processors as if they were Hone Labs’ own acts and omissions.

6. Security Measures

Hone Labs shall implement and maintain the technical and organizational security measures described in Schedule A attached to this DPA. These measures include, at minimum:

  • Encryption of Client Data at rest (AES-256) and in transit (TLS 1.2+)
  • Infrastructure isolation (separate Supabase project, Railway backend, and Vercel frontend per client — no shared infrastructure between clients)
  • Application-level isolation via client-prefixed database schemas and Row-Level Security (defense-in-depth)
  • Authentication controls (JWT with algorithm confusion prevention, bcrypt-hashed API keys)
  • Access restriction via email/domain allowlisting
  • Rate limiting to prevent abuse
  • Input validation and injection prevention
  • Security headers on all responses
  • Error monitoring with PII scrubbing
  • Automated CI/CD security checks on every code change

Hone Labs shall regularly test and evaluate the effectiveness of these measures. For comprehensive details, see our Security Practices page.

7. Security Incidents

7.1 Notification

Hone Labs shall notify the Client of a confirmed Security Incident without undue delay and in any event:

| Incident Type | Notification Timeline |
| --- | --- |
| Security Incident involving Education Records (FERPA) | Within 24 hours of confirmation |
| Security Incident involving other Personal Data | Within 72 hours of confirmation |
| Security Incident involving non-personal Client Data | Within 72 hours of confirmation |

7.2 Notification Content

Notification shall include, to the extent known:

  • (a) The nature of the Security Incident, including the categories and approximate number of data subjects and records concerned
  • (b) The name and contact details of Hone Labs’ point of contact for further information
  • (c) A description of the likely consequences of the Security Incident
  • (d) A description of the measures taken or proposed to address the Security Incident, including mitigation measures

7.3 Cooperation

Hone Labs shall cooperate with the Client’s investigation of the Security Incident and shall:

  • (a) Take reasonable steps to contain and mitigate the effects of the Security Incident
  • (b) Preserve evidence related to the Security Incident for at least 90 days
  • (c) Assist the Client in meeting any regulatory notification obligations
  • (d) Provide ongoing status updates as the investigation progresses

7.4 No Self-Incrimination Waiver

Notification of a Security Incident shall not be construed as an admission of fault or liability by either Party.

8. Data Return and Deletion

8.1 During the Term

The Client may request export of Client Data at any time during the Service Agreement. Hone Labs shall provide the export within 15 business days in JSON format (structured data) and original format (uploaded files). For exports exceeding 100GB, Hone Labs will provide a delivery timeline within 3 business days of the request.

8.2 Upon Termination

Upon termination or expiration of the Service Agreement:

  • (1) Day 0: Service Agreement terminates. Client notified of 30-day data retention window.
  • (2) Days 1–30: Client may request data export. Data preserved but new processing is disabled.
  • (3) Day 30: All Client Data soft-deleted (invisible in the Platform, user access revoked).
  • (4) Day 60: Permanent deletion of all Client Data from production systems.
  • (5) Day 90: All copies confirmed erased, including backup rotation (7-day retention, Supabase Pro plan).

8.3 Certification

Upon request, Hone Labs shall provide written certification that all Client Data has been permanently deleted, specifying the date of deletion and confirming that data has expired from backups.

8.4 Legal Hold Exception

If Hone Labs is required by law to retain specific Client Data beyond the periods above, Hone Labs shall notify the Client (unless prohibited by the legal requirement) and shall limit processing of such data to that required by the legal obligation.

9. Audit Rights

9.1 Information Requests

The Client may, no more than once per calendar year, submit a written request for information demonstrating Hone Labs’ compliance with this DPA. Hone Labs shall respond within 20 business days.

9.2 Documentation Review

Upon reasonable request, Hone Labs shall make available relevant security policies, procedures, and audit reports (including any SOC 2 reports when available) for the Client’s review.

9.3 On-Site or Remote Audit

If the Client has reasonable grounds to believe Hone Labs is not complying with this DPA, the Client may, upon 30 days’ written notice, conduct or commission a third-party audit of Hone Labs’ processing activities. Such audit shall:

  • (a) Be conducted during normal business hours
  • (b) Not unreasonably interfere with Hone Labs’ operations
  • (c) Be subject to reasonable confidentiality obligations
  • (d) Be at the Client’s expense, unless the audit reveals material non-compliance

9.4 Remediation

If an audit reveals material non-compliance, Hone Labs shall prepare a remediation plan within 15 business days and implement the plan within a mutually agreed timeframe.

10. International Data Transfers

All Client Data is processed and stored in the United States. If the Client requires data residency in a specific jurisdiction, this shall be documented in the Service Agreement.

Hone Labs does not transfer Client Data outside the United States unless: (a) a Sub-Processor listed in Schedule B processes data in a different location, or (b) the Client provides specific written instructions to do so.

11. Liability

Each Party’s liability under this DPA is subject to the limitations of liability set forth in the Service Agreement, except that neither Party’s liability for breaches of its confidentiality obligations or data protection obligations under this DPA shall be excluded or limited below the total fees paid or payable under the Service Agreement during the 12-month period preceding the claim.

12. Term

This DPA shall remain in effect for the duration of the Service Agreement plus the period required for Hone Labs to complete data deletion as described in Section 8. Sections 7 (Security Incidents), 8 (Data Return and Deletion), 9 (Audit Rights), and 11 (Liability) shall survive termination.

Schedule A: Security Measures

The following technical and organizational measures are implemented and maintained by Hone Labs:

Encryption

| Measure | Standard |
| --- | --- |
| Data at rest | AES-256 encryption (AWS KMS managed keys) |
| Data in transit | TLS 1.2+ on all connections |
| HSTS | Strict Transport Security enforced on all domains |
| API key storage | bcrypt hashing with per-key salts, timing-attack-mitigated comparison |
| Backups | AES-256 encryption at the storage layer |

Access Control

| Measure | Detail |
| --- | --- |
| Authentication | JWT-based (HS256 + ES256, algorithm confusion prevention), magic link email OTP, optional Google OAuth |
| Authorization | Email/domain allowlisting, Row-Level Security on all database tables, workspace-scoped access |
| API keys | Prefix-based lookup, bcrypt verification, scope restrictions, rate limits, origin restrictions, expiration |
| Session management | Short-lived JWT tokens with minimal clock skew tolerance |

Multi-Tenant Isolation

7 independent isolation mechanisms protect Client Data. Each mechanism is enforced independently — multiple would need to fail simultaneously for cross-tenant access to occur.

| Layer | Mechanism |
| --- | --- |
| Infrastructure | Separate Supabase project, Railway backend, and Vercel frontend per client — no shared infrastructure |
| Database (RLS) | PostgreSQL Row-Level Security policies filter every query by client scope |
| Table prefixing | Client-prefixed tables provide physical data separation (defense-in-depth) |
| Storage | Client-specific Supabase Storage buckets with isolated access policies |
| API key scoping | API keys scoped to specific permissions and restricted to allowed origins |
| Configuration | Independent client configuration loaded from separate directories |
| Workspaces | Within-client workspace scoping on all operations |

Input Validation

| Attack Vector | Control |
| --- | --- |
| SQL injection | Parameterized queries via database client library, pattern-matching input escaped |
| XSS | React output escaping, Content-Security-Policy, sanitized innerHTML |
| SSRF | URL validation blocking private/internal IP ranges |
| CSRF | SameSite cookies, Bearer token authentication |
| Prompt injection | Server-side prompt control, tool output sanitization, parameter whitelisting |

Monitoring

| Capability | Detail |
| --- | --- |
| Error monitoring | Real-time error tracking with PII collection disabled |
| Performance monitoring | Sentry traces on critical paths |
| Health checks | /health endpoint monitoring database and cache |
| Structured logging | Request correlation IDs for audit trails |
| Usage tracking | Per-user, per-model AI usage logged to audit table |

Change Management

| Control | Detail |
| --- | --- |
| Code review | Pull request required for all changes |
| Automated testing | ESLint, ruff, TypeScript, Vitest, pytest, Playwright on every push |
| Deployment | Feature branch → canary (Hone Labs) → production (clients) |
| Database migrations | Risk analysis tooling, per-client verification, rollback documentation |

Schedule B: Sub-Processor List

Current as of the Effective Date. Updated list always available at honelabs.dev/trust/subprocessors.

AI Providers

| Sub-Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Anthropic | LLM inference (document generation, assistant, research, extraction) | Document text, conversation messages, knowledge base excerpts | US |
| Google (Gemini API) | Embedding generation for semantic search | Document text, search queries | US |
| Cohere | Search result reranking | Document excerpts, search queries | US |

Infrastructure Providers

| Sub-Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Supabase (AWS) | Database, authentication, file storage | All Client Data | US |
| Railway | Backend API hosting, Redis cache | API traffic (in transit), operational metadata | US |
| Vercel | Frontend hosting, CDN, AI Gateway, analytics | Browser requests, embedding requests, anonymized analytics | US |

Monitoring

| Sub-Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Sentry | Error monitoring, performance monitoring | Error data (PII disabled), performance traces | US |

Research & Enrichment (Zero Data Retention)

| Sub-Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Perplexity AI | Web search for AI Assistant, Document Generator, and Research modules | AI-generated search queries derived from conversation context and document content | US |
| Firecrawl | Web content extraction for Research module | User-specified public URLs only — no client content transmitted | US |

Authentication Providers

| Sub-Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Google (OAuth) | Optional Google Sign-In identity provider (mediated through Supabase Auth) | Email address, Google profile (standard OAuth flow) | US |

Source Control

| Sub-Processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| GitHub | Source code hosting, CI/CD | Source code only (no Client Data) | US |

FERPA Addendum

This addendum applies when the Client is an educational institution subject to FERPA and Education Records are processed through the Platform.

F-1. School Official Designation

By executing this DPA, the Client designates Hone Labs as a “school official” with a “legitimate educational interest” in Education Records, pursuant to 34 CFR § 99.31(a)(1)(i)(B). The Client is responsible for documenting this designation in its institutional FERPA policies. Hone Labs performs an institutional service or function for which the Client would otherwise use its own employees.

F-2. Direct Control

Hone Labs is under the direct control of the Client with respect to the use and maintenance of Education Records. The Client determines which users have access to the Platform and what content is uploaded.

F-3. Use Restriction

Hone Labs shall use Education Records solely for the purpose of providing the Platform services as specified in the Service Agreement. Hone Labs shall not:

  • (a) Use Education Records for any purpose other than the contracted service
  • (b) Share Education Records with any party other than authorized Sub-Processors bound by equivalent restrictions
  • (c) Use Education Records for marketing, advertising, profiling, or product development
  • (d) Condition services on a student or parent waiving FERPA rights

F-4. Re-Disclosure Prohibition

Hone Labs shall not disclose Education Records to any third party except:

  • (a) Sub-Processors listed in Schedule B, who are bound by data processing obligations no less protective than this DPA
  • (b) As required by law, regulation, or legal process (with notice to the Client unless prohibited)

F-5. AI Provider Protections

Google and Perplexity process Education Records under confirmed zero-retention API terms. Zero-retention agreements have been requested from Anthropic and Cohere (pending confirmation). Education Records included in AI prompts are:

  • (a) Not stored by the AI provider after processing
  • (b) Not used to train, fine-tune, or improve AI models
  • (c) Not accessible to the AI provider’s employees or other customers

F-6. Breach Notification

In the event of unauthorized access to or disclosure of Education Records, Hone Labs shall notify the Client within 24 hours of confirmation, in accordance with Section 7 of this DPA.

F-7. Data Return and Destruction

Upon termination, Education Records shall be returned (via data export) and destroyed in accordance with Section 8 of this DPA. Hone Labs shall provide written certification that Education Records have been destroyed, specifying that FERPA-protected records have been permanently deleted from all production systems and have expired from backups.

F-8. Rhode Island State Law

For Rhode Island institutions, Hone Labs additionally complies with the Rhode Island Identity Theft Protection Act (R.I. Gen. Laws § 11-49.3) regarding breach notification for personal information of Rhode Island residents.

Revision History

| Version | Date | Changes |
| --- | --- | --- |
| 1.2 | 2026-03-23 | Updated title to Founder & CEO; 14-day sub-processor notice to 30 days; 24 business hours to 24 hours; added Google OAuth to Schedule B; marked Research & Enrichment as zero retention |
| 1.1 | 2026-03-06 | Added Perplexity AI and Firecrawl to Schedule B (Research & Enrichment Providers) |
| 1.0 | 2026-03-05 | Initial template version |