
HATS Data Processing and Privacy Position

HATS-GOV-005 | 18 min read

DRAFT -- Subject to revision by legal counsel

1. Purpose and Scope

1.1 Purpose

This document establishes the data processing and privacy position of H33.ai, Inc. ("H33" or "Processor") with respect to governance evidence data processed through the HATS standard infrastructure, including governance graphs, receipts, and related metadata stored in Cachee or any successor storage system. This document defines the roles, responsibilities, and obligations of H33 and its customers ("Controller" or "Customer") regarding the handling of governance data.

1.2 Scope

This document applies to:

(a) Governance evidence data generated, stored, and processed through H33-operated HATS infrastructure, including the Cachee distributed storage layer; (b) Metadata associated with governance graphs, including node identifiers, timestamps, tenant hashes, signer key identifiers, and cryptographic receipts; (c) Federation checkpoint data exchanged between HATS-participating nodes; (d) Any personal data that may be embedded within or derivable from governance graph content.

This document does not apply to:

(a) Data processed entirely within the Customer's own infrastructure using self-hosted HATS verifiers; (b) Canonical Test Vectors, which contain no personal data; (c) The HATS specification itself, which is publicly available.

2. Data Processing Roles

2.1 H33 as Processor

When H33 operates HATS infrastructure (including Cachee) on behalf of a Customer, H33 acts as a data processor within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and analogous data protection laws. In this capacity:

(a) H33 processes governance evidence data solely on behalf of the Customer and in accordance with the Customer's documented instructions; (b) H33 does not determine the purposes or means of processing governance evidence data -- those decisions rest with the Customer; (c) H33 does not use governance evidence data for its own commercial purposes, including marketing, analytics, product development, or sale to third parties; (d) H33 does not aggregate governance evidence data across Customers for any purpose.

2.2 Customer as Controller

The Customer acts as the data controller with respect to governance evidence data. In this capacity, the Customer:

(a) Determines the purposes for which governance graphs are created, the data included in governance nodes, and the retention periods applied to governance evidence; (b) Is responsible for ensuring that the processing of governance evidence data, including any personal data contained therein, has a valid legal basis under applicable data protection laws; (c) Is responsible for providing notice to data subjects whose personal data may be included in governance nodes; (d) Is responsible for responding to data subject access requests (DSARs) and other data subject rights requests; (e) Is responsible for conducting data protection impact assessments (DPIAs) where required by applicable law.

2.3 Sub-Processors

H33 shall maintain a list of sub-processors used in the provision of HATS infrastructure services. H33 shall:

(a) Notify the Customer of any intended addition or replacement of sub-processors at least thirty (30) calendar days in advance; (b) Enter into written agreements with sub-processors that impose data protection obligations no less restrictive than those in this document; (c) Remain liable for the acts and omissions of sub-processors as if they were H33's own acts and omissions.

3. Data Minimization

3.1 Customer Responsibility for Data Minimization

The HATS standard is designed to govern decisions and attestations, not to store primary business data. The Customer is responsible for ensuring that governance graphs contain only the data necessary for governance purposes. Specifically:

(a) Governance nodes should contain governance-relevant metadata (decision identifiers, policy references, timestamps, hash commitments) rather than primary business data (e.g., full customer records, financial transactions, medical records); (b) Where business data must be referenced in a governance node, the Customer should use cryptographic commitments (hashes) rather than plaintext values; where the referenced value is a low-entropy identifier (an email address, an account or employee number), the commitment should be salted or keyed, with the salt or key held outside the graph, so that the hash cannot be reversed by enumerating candidate values; (c) Personal data should not be included in governance nodes unless the governance purpose requires it and the Customer has established a legal basis for such processing; (d) The Customer should periodically review governance graph content to ensure continued compliance with data minimization principles.

3.2 H33 Design Principles

H33 designs HATS infrastructure with data minimization as a core principle:

(a) The HATS verifier operates on cryptographic hashes and structural metadata, not on the underlying business data; (b) Governance receipts contain hash commitments, not source data; (c) Tenant isolation (HATS-G-003, HATS_ERR_CROSS_TENANT) ensures that governance data from different tenants cannot be accessed or correlated through the HATS infrastructure; (d) The verification process requires no access to the underlying data -- only the governance graph and public keys.

4. H33 Access to Governance Data

4.1 Limited Access Principle

H33 does not access, read, analyze, or interpret the content of governance graph nodes except as necessary to perform the following functions:

(a) Verification operations: Computing canonical hashes, verifying cryptographic signatures, validating graph structure, and executing replay operations as defined in the HATS specification; (b) Infrastructure operations: Storage, replication, backup, and disaster recovery of governance data within the Cachee infrastructure; (c) Technical support: Investigating technical issues reported by the Customer, with Customer authorization, and only to the extent necessary to resolve the issue; (d) Security incident response: Identifying and responding to security incidents affecting the HATS infrastructure.

4.2 No Content Inspection

H33 does not:

(a) Read or interpret the semantic content of governance nodes (e.g., what business decision was made, what data was processed, or what policy was applied); (b) Apply machine learning, natural language processing, or any other analytical technique to governance graph content; (c) Correlate governance data with data from other sources for profiling, advertising, or market research; (d) Share governance data content with third parties except as required by law or authorized by the Customer.

4.3 Structural and Cryptographic Processing

H33 processes the following categories of data in the normal course of HATS infrastructure operations:

(a) Canonical hash values (SHA3-256) of governance nodes; (b) Cryptographic signatures (ML-DSA-65 by default) on governance receipts; (c) Structural metadata: node types, parent references, tenant hashes, transcript versions; (d) Temporal metadata: timestamps in UTC milliseconds since Unix epoch; (e) Signer key identifiers and key lifecycle status (active, revoked, expired); (f) Federation checkpoint data (quorum status, checkpoint age, peer identifiers).

This processing is inherent to the operation of the HATS standard and does not constitute access to the underlying governed data.

5. Retention

5.1 Customer-Configurable Retention

Retention periods for governance evidence data are configurable by the Customer. H33 provides the following retention controls:

(a) Minimum retention period: No mandatory minimum. Customers may delete governance data at any time, subject to applicable legal hold obligations that the Customer is responsible for managing. (b) Default retention period: Thirty (30) years from the date of creation of the governance node. This default reflects the long-term evidentiary value of governance records for legal, regulatory, and compliance purposes. (c) Maximum retention period: No maximum. Customers may retain governance data indefinitely. (d) Granularity: Retention policies may be applied at the tenant level, the namespace level, or the individual graph level.

5.2 Rationale for Default Retention

The thirty (30) year default retention period is based on:

(a) The longest applicable statute of limitations for fraud and contractual claims in major jurisdictions; (b) Regulatory requirements in financial services (e.g., SEC Rule 17a-4, MiFID II transaction reporting); (c) Healthcare records retention requirements (e.g., HIPAA, 21 CFR Part 11); (d) The evidentiary value of governance records for long-term dispute resolution and regulatory examination.

Customers are responsible for determining the appropriate retention period for their specific regulatory and business requirements.

5.3 Deletion

Upon expiration of the applicable retention period, or upon Customer request:

(a) H33 shall delete all copies of the specified governance data from active storage within thirty (30) calendar days; (b) H33 shall delete all copies from backup and archive storage within ninety (90) calendar days; (c) H33 shall provide written confirmation of deletion upon Customer request; (d) Deletion is irreversible. H33 has no obligation to maintain copies of governance data after the Customer has requested deletion.

6. Data Processing Agreements

6.1 DPA Availability

H33 offers a Data Processing Agreement (DPA) to enterprise customers that supplements and formalizes the positions described in this document. The DPA includes:

(a) Binding contractual commitments regarding data processing obligations; (b) Standard Contractual Clauses (SCCs) for international data transfers, where applicable; (c) Security measures described in accordance with Article 32 of the GDPR; (d) Audit rights enabling the Customer to verify H33's compliance with the DPA; (e) Breach notification obligations consistent with Article 33 of the GDPR.

6.2 Requesting a DPA

Enterprise customers may request a DPA by contacting support@h33.ai. H33 shall provide a proposed DPA within fifteen (15) business days of request.

7. Data Subject Rights

7.1 Customer Responsibility for DSARs

The Customer, as data controller, is responsible for receiving and responding to data subject requests under applicable data protection laws, including:

(a) Right of access (GDPR Article 15); (b) Right to rectification (GDPR Article 16); (c) Right to erasure (GDPR Article 17); (d) Right to restriction of processing (GDPR Article 18); (e) Right to data portability (GDPR Article 20); (f) Right to object (GDPR Article 21).

7.2 H33 Assistance

H33 shall assist the Customer in responding to data subject requests by:

(a) Providing technical mechanisms for the Customer to search, export, and delete governance data associated with a specific data subject, to the extent such data is identifiable within the governance graph; (b) Responding to Customer requests for data export within ten (10) business days; (c) Executing Customer-authorized deletion requests within the timelines specified in Section 5.3; (d) Not independently responding to data subject requests received directly by H33, but instead redirecting such requests to the Customer within five (5) business days.

7.3 Limitations

Due to the cryptographic design of HATS governance graphs:

(a) Deletion of individual governance nodes may affect the structural integrity of the governance graph. The Customer is responsible for determining whether deletion is compatible with governance integrity requirements. (b) Hash values derived from deleted data will remain in the graph. A hash cannot be inverted directly, but an unsalted hash of a low-entropy value (an email address, an employee number) can be matched by enumerating candidates, and regulatory guidance generally treats hashed identifiers as pseudonymised rather than anonymised data. The Customer should therefore use salted or keyed commitments for personal data, hold the salt or key outside the graph so that it can be destroyed when erasure is required, and consider this limitation when embedding personal data in governance nodes. (c) Rectification of governance nodes is not supported within the HATS protocol, as governance receipts are cryptographically committed. The Customer may create new governance nodes with corrected information and deprecate prior nodes through the governance lineage mechanism.
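The difference between a bare hash and a keyed commitment, and the key-destruction pattern that Sections 3.1(b) and 7.3(b) call for, as an added example. This is not HATS or H33 code: the identifier, candidate list and node are constructed for the example, and the sorted-key JSON canonicalisation is an assumed stand-in, not the HATS canonical form.

```python
"""Hash commitments to personal data in a governance node.

Shows (1) that a bare SHA3-256 of a low-entropy identifier is recoverable by
anyone holding the graph plus a candidate list, (2) that an HMAC commitment
under a key kept outside the graph is not, while the key holder can still
locate a subject's nodes for a DSAR, and (3) that destroying the key leaves
the node bytes, and hence its hash and the graph structure, unchanged.

Added example, not HATS/H33 code. The canonical form below is an assumption.
"""
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional


def bare_commitment(value: str) -> str:
    """Unsalted SHA3-256 of a value. Deterministic, so any party with a
    candidate list can test guesses against it: pseudonymisation at best."""
    return hashlib.sha3_256(value.encode("utf-8")).hexdigest()


def keyed_commitment(value: str, key: bytes) -> str:
    """HMAC-SHA3-256 under a secret key held outside the governance graph
    (for example one key per data subject or per tenant). Without the key
    the digest cannot be tested against guesses."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha3_256).hexdigest()


def reverse_by_enumeration(digest: str, candidates: Iterable[str],
                           key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: return the candidate whose commitment equals digest,
    or None. key=None models an attacker who only holds the graph."""
    for c in candidates:
        d = keyed_commitment(c, key) if key is not None else bare_commitment(c)
        if hmac.compare_digest(d, digest):
            return c
    return None


def canonical_node_hash(node: dict) -> str:
    """Stand-in canonical hash: SHA3-256 over sorted-key compact JSON.
    Assumption for this example only; HATS defines its own canonical form."""
    canon = json.dumps(node, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha3_256(canon).hexdigest()


def build_node(subject_commitment: str) -> dict:
    """Constructed governance node: governance metadata plus a subject commitment."""
    return {
        "node_type": "policy_decision",
        "policy_ref": "access-policy-v3",
        "decision": "deny",
        "subject_commitment": subject_commitment,
    }


def demo() -> dict:
    subject = "alice@example.com"  # constructed sample identifier
    # Constructed candidate list; a real attacker enumerates a whole directory.
    candidates = ["bob@example.com", "carol@example.com", "alice@example.com"]

    # 1. Bare hash: the graph alone is enough to recover the identifier.
    bare = bare_commitment(subject)
    bare_recovered = reverse_by_enumeration(bare, candidates)

    # 2. Keyed commitment: the controller keeps the key, the graph does not.
    key = secrets.token_bytes(32)
    keyed = keyed_commitment(subject, key)
    without_key = reverse_by_enumeration(keyed, candidates)        # attacker view
    with_key = reverse_by_enumeration(keyed, candidates, key)      # DSAR search path

    # 3. Erasure by key destruction: the node does not contain the key, so its
    #    canonical hash, and any parent hash built on it, is unchanged.
    node = build_node(keyed)
    hash_before = canonical_node_hash(node)
    key = None  # key destroyed; the digest in the node is now unlinkable
    hash_after = canonical_node_hash(node)

    return {
        "bare_recovered": bare_recovered,
        "keyed_recovered_without_key": without_key,
        "keyed_recovered_with_key": with_key,
        "graph_hash_stable_after_key_deletion": hash_before == hash_after,
    }


if __name__ == "__main__":
    print(demo())
```

The keyed form is what makes the search mechanism in Section 7.2(a) and the erasure limitation in Section 7.3(b) compatible: while the Customer holds the key it can find every node referring to a subject; once the key is destroyed the commitment stays in the graph as an unlinkable digest and no node needs to be removed.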

8. Cross-Border Transfer

8.1 Transfer Mechanisms

Where governance evidence data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to jurisdictions that have not received an adequacy decision, H33 shall ensure that transfers are made under one or more of the following mechanisms:

(a) Standard Contractual Clauses (SCCs) adopted by the European Commission, incorporated into the DPA; (b) Binding Corporate Rules (BCRs), where applicable; (c) Derogations for specific situations under Article 49 of the GDPR, where no other mechanism is available and the conditions of Article 49 are satisfied; (d) Adequacy decisions, where the destination jurisdiction has received an adequacy finding.

8.2 Data Residency

H33 shall provide Customers with the ability to designate the geographic region in which their governance evidence data is stored. Available regions and any restrictions shall be documented in the Customer's service agreement.

8.3 Transfer Impact Assessment

H33 shall conduct and maintain a transfer impact assessment (TIA) for each jurisdiction to which governance evidence data may be transferred, evaluating:

(a) The legal framework of the destination jurisdiction regarding government access to data; (b) The effectiveness of the applicable transfer mechanism; (c) Supplementary measures implemented by H33 to protect the data.

9. GDPR Article 28 Compliance

9.1 Article 28 Requirements

Where H33 acts as a processor under GDPR Article 28, the following requirements apply:

(a) H33 processes governance evidence data only on documented instructions from the Customer, unless required to do so by Union or Member State law; (b) H33 ensures that persons authorized to process the data have committed themselves to confidentiality; (c) H33 implements appropriate technical and organizational security measures as described in the DPA; (d) H33 assists the Customer in ensuring compliance with Articles 32-36 of the GDPR; (e) H33 deletes or returns all governance evidence data to the Customer at the end of the service, at the Customer's election; (f) H33 makes available to the Customer all information necessary to demonstrate compliance with Article 28 obligations and allows for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.

10. Log Ownership and Governance Data

10.1 Customer Ownership

The Customer owns all governance evidence data generated by or on behalf of the Customer, including:

(a) Governance graph nodes and their content; (b) Governance receipts (route, policy, result, state transition, enforcement); (c) Replay frames and frame hashes; (d) Federation checkpoints originated by the Customer's systems; (e) Verification output generated by HATS verifiers processing the Customer's data.

10.2 H33 Operational Logs

H33 retains operational logs necessary for infrastructure management, security monitoring, and incident response. These logs may include:

(a) API request metadata (timestamps, source IP addresses, request identifiers, response codes); (b) Infrastructure performance metrics; (c) Security event logs (authentication attempts, access control decisions); (d) Error logs related to infrastructure operations.

H33 operational logs are owned by H33 and are not considered Customer governance evidence data. H33 retains operational logs for the minimum period necessary for their operational and security purpose, not to exceed twenty-four (24) months unless required by law.

11. Personal Data in Governance Nodes

11.1 Categories of Potentially Personal Data

Governance nodes may contain metadata that qualifies as personal data under applicable data protection laws, including:

(a) Signer key identifiers that can be linked to a natural person (e.g., an employee who holds a signing key); (b) Tenant identifiers that identify a specific organization and, in small organizations, may be linked to specific individuals; (c) Timestamps that, in combination with other metadata, could be used to identify individuals (e.g., a governance receipt timestamped to the precise moment of an employee's action); (d) Decision metadata embedded in governance nodes by the Customer that references individuals (e.g., a policy decision node that references the identifier of the individual whose request was denied); (e) IP addresses or other network identifiers included in event metadata.

11.2 Customer Obligations

Where governance nodes contain personal data, the Customer is responsible for:

(a) Identifying and documenting the categories of personal data present in governance nodes; (b) Ensuring a valid legal basis for processing (e.g., legitimate interest in maintaining governance records, contractual necessity); (c) Providing appropriate privacy notices to data subjects; (d) Implementing data minimization measures to limit personal data in governance nodes to what is strictly necessary; (e) Conducting a DPIA where the governance processing is likely to result in a high risk to the rights and freedoms of natural persons.

12. Security Measures

12.1 Technical Measures

H33 implements the following technical measures to protect governance evidence data:

(a) Encryption at rest using AES-256 or equivalent; (b) Encryption in transit using TLS 1.3 with post-quantum key exchange where supported; (c) Tenant isolation at the storage, computation, and network layers; (d) Access control based on the principle of least privilege; (e) Intrusion detection and monitoring of infrastructure access; (f) Regular vulnerability scanning and penetration testing.

12.2 Organizational Measures

H33 implements the following organizational measures:

(a) Background checks for personnel with access to infrastructure; (b) Mandatory security awareness training; (c) Incident response procedures with documented escalation paths; (d) Access reviews on a quarterly basis; (e) Segregation of duties for production infrastructure access.

13. Breach Notification

13.1 Notification to Customer

In the event of a personal data breach affecting governance evidence data, H33 shall notify the Customer without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach. The notification shall include:

(a) A description of the nature of the breach; (b) The categories and approximate number of records affected; (c) The likely consequences of the breach; (d) The measures taken or proposed to address the breach.

13.2 Customer Obligations

The Customer is responsible for determining whether the breach requires notification to supervisory authorities or data subjects under applicable law.

14. Amendments

This Data Processing and Privacy Position may be amended through the governance process defined in the HATS Standards Governance Model (HATS-GOV-001). Amendments that materially reduce privacy protections require a minimum ninety (90) day Public Comment Period.

HATS Data Processing and Privacy Position v1.0 -- H33.ai, Inc.
