Data Processing Agreement
Effective Date: February 16, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between H33 ("Processor") and the customer ("Controller") for the processing of personal data in connection with H33's quantum-safe authentication services.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed through H33's authentication APIs.
"Processing" means any operation performed on Personal Data, including collection, storage, use, encryption, and deletion.
"Sub-processor" means any third party engaged by H33 to process Personal Data on behalf of the Controller.
2. Scope of Processing
H33 processes Personal Data solely for the purpose of providing authentication and identity verification services as described in the API documentation. This includes:
- Biometric template encryption using Fully Homomorphic Encryption (FHE)
- Zero-knowledge proof generation and verification
- Post-quantum cryptographic key management
- Authentication session management
3. Data Protection Measures
H33 implements the following technical measures to protect Personal Data:
- Encryption at rest: All biometric templates are stored as FHE ciphertexts; the server never accesses plaintext biometric data
- Encryption in transit: TLS 1.3 with post-quantum key exchange (Kyber-768)
- Zero-knowledge verification: Authentication proofs reveal no personal information beyond the yes/no result
- Post-quantum security: All cryptographic operations use NIST-standardized post-quantum algorithms (ML-KEM, ML-DSA)
- Data minimization: Only encrypted template hashes are stored; raw biometric data is never retained
4. Sub-processors
H33 uses the following sub-processors:
- Amazon Web Services (AWS): Infrastructure hosting (us-east-1)
- Auth1 (Z101 Inc.): Authentication orchestration and session management
- Stripe: Payment processing (no biometric data shared)
The Controller will be notified of any changes to sub-processors with 30 days' advance notice.
5. Data Subject Rights
H33 will assist the Controller in responding to data subject requests including:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (Article 17 GDPR)
- Right to data portability (Article 20 GDPR)
6. Data Retention and Deletion
Personal Data is retained only for the duration of the service agreement. Upon termination, all Personal Data (including encrypted templates) is deleted within 30 days. Deletion certificates are available upon request.
7. International Transfers
H33 processes data in the United States (AWS us-east-1). For EU/EEA customers, transfers are governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission.
8. Breach Notification
H33 will notify the Controller of any Personal Data breach without undue delay and no later than 72 hours after becoming aware of the breach. Notification will include the nature of the breach, categories of data affected, and remediation measures taken.
9. Audit Rights
The Controller may audit H33's compliance with this DPA upon reasonable notice. H33 will make available all information necessary to demonstrate compliance and allow for inspections.
Questions about this DPA?
Contact our Data Protection team at privacy@h33.ai