Data Processing Agreement (DPA)

GDPR Art. 28 — between Harbinger Explorer (Processor) and the Customer (Controller). This is the customer-signable template; legal counsel review required before counter-signature.

Version 1.0. Effective from 2026-04-17.

Status note. This template represents the contractual framework Harbinger Explorer offers to every paying customer. For execution, request a counter-signed PDF copy from dpa@harbingerexplorer.com. Modifications outside the agreed Order Form require Marc Cherier's written approval.

1. Parties and subject matter

This Data Processing Agreement (the "DPA") forms part of the Order Form or Subscription Agreement (the "Principal Agreement") between Marc Cherier (Sole Trader), Massower Straße 13, 10315 Berlin, Germany ("Processor", "we") and the customer identified in the Principal Agreement ("Controller", "you").

It implements the requirements of Article 28 of Regulation (EU) 2016/679 ("GDPR") for any processing of personal data the Processor performs on the Controller's behalf in the course of providing the Harbinger Explorer service (the "Service").

2. Definitions

Capitalised terms not defined here have the meaning given in the GDPR. "Personal Data", "Data Subject", "Processing", "Controller", "Processor", and "Sub-Processor" carry their GDPR meanings. "Customer Data" means any data the Controller or its Authorised Users upload to or generate within the Service.

3. Scope, nature and purpose of processing

Subject matter: Provision of the Harbinger Explorer Service (data exploration, agentic analysis, governance)
Duration: The Subscription Term plus the deletion / retention periods in §10
Nature and purpose: Storage, transformation, schema inference, AI-based analysis on pseudonymised excerpts
Categories of Personal Data: Account identifiers (email, name); billing identifiers; usage telemetry; data the Controller uploads (which may contain Personal Data of the Controller's data subjects); support correspondence
Categories of Data Subjects: Authorised Users of the Controller; the Controller's customers, employees, prospects (insofar as their data is uploaded)

4. Controller obligations and instructions

4.1 The Controller warrants that it has a lawful basis under GDPR Art. 6 (and, where applicable, Art. 9) for every Processing operation it instructs.

4.2 The complete and final instructions from the Controller are: (a) the Principal Agreement, (b) this DPA, and (c) the configuration the Controller selects through the Service UI (governance tags, retention settings, exports). Any further instruction must be issued in writing to dpa@harbingerexplorer.com.

4.3 If the Processor believes an instruction infringes data protection law, it will inform the Controller without undue delay and may suspend the affected Processing.

5. Processor obligations

The Processor will:

  • 5.1 Process Personal Data only on documented instructions from the Controller.
  • 5.2 Ensure that personnel authorised to Process Personal Data are bound by confidentiality obligations.
  • 5.3 Implement the technical and organisational measures listed in the Security Addendum (see /trust/security).
  • 5.4 Engage Sub-Processors only in accordance with §6.
  • 5.5 Assist the Controller in fulfilling Data Subject requests (Art. 12-23 GDPR), DPIAs (Art. 35), and consultations with the supervisory authority (Art. 36) by providing the technical means listed in §7.
  • 5.6 Notify the Controller of any Personal Data Breach affecting Customer Data without undue delay, and in any event within 72 hours of becoming aware (see §8).
  • 5.7 At the Controller's choice, delete or return all Personal Data upon termination as set out in §10.
  • 5.8 Make available to the Controller all information necessary to demonstrate compliance with Art. 28 (see §9 — audits).

6. Sub-Processors

6.1 The Controller grants the Processor a general written authorisation to engage Sub-Processors. The current list is published at https://www.harbingerexplorer.com/trust/subprocessors and is the single authoritative record.

6.2 The Processor will inform the Controller of intended additions or replacements at least 30 days in advance by publishing the change to the Sub-Processor list and the corresponding RSS feed at /trust/subprocessors/feed.xml. The Controller may subscribe to that feed, which constitutes notice for the purposes of this clause.

6.3 The Controller may object to a new Sub-Processor on reasonable data-protection grounds during the 30-day notice period by emailing dpa@harbingerexplorer.com. Where the Processor cannot accommodate the objection, the Controller may terminate the affected portion of the Service for cause and receive a pro-rata refund.

6.4 The Processor remains liable for the acts and omissions of its Sub-Processors with respect to Customer Data.

7. Data Subject rights, DPIAs, and assistance

7.1 The Service surfaces self-service tooling that the Controller can use to fulfil Data Subject rights without a separate request to the Processor:

  • export of Customer Data via the Workspace export controls,
  • deletion of an account and its data via the account-settings page (cascading delete of derived artefacts),
  • column-level governance tags that record the lawful basis and retention class.

7.2 Where the Controller requires further assistance — including for DPIAs (Art. 35) or supervisory authority consultations (Art. 36) — the Processor will provide reasonable assistance at no additional charge for assistance that takes less than four (4) hours per calendar quarter; any further assistance is chargeable at the standard professional-services rate set out in the Order Form.

8. Personal Data Breach notification

8.1 The Processor maintains a documented incident-response runbook (docs/runbooks/incident-response.md) and a public status page at /status.

8.2 On becoming aware of a Personal Data Breach affecting Customer Data, the Processor will notify the Controller without undue delay and within 72 hours via the Controller's notification email of record. The notification will include, to the extent then known:

  • nature of the Breach (categories and approximate number of Data Subjects, categories and approximate number of records),
  • likely consequences,
  • measures taken or proposed to address the Breach and mitigate adverse effects,
  • contact point for further information.

8.3 The Processor maintains a tamper-evident, hash-chained audit log (admin_audit) so post-incident forensics can establish the chain of custody. Audit-log integrity can be verified on request.

9. Audit rights

9.1 The Processor will make available to the Controller, on reasonable written request and no more than once per calendar year (except after a Personal Data Breach):

  • the Sub-Processor list,
  • the Security Addendum,
  • the Disaster Recovery runbook (docs/runbooks/disaster-recovery.md),
  • the most recent annual penetration-test executive summary (once available, targeted Q3 2026),
  • the most recent SOC 2 / ISO 27001 audit report (once available — see §9.3).

9.2 If those documents are insufficient for the Controller's specific compliance obligation, the Controller may, on 30 days' written notice and at its own cost, mandate an independent third-party auditor (subject to confidentiality) to perform an on-site audit during business hours, in a manner that does not unreasonably interfere with the Processor's operations.

9.3 The Processor's compliance roadmap (statement only, not a binding service commitment): SOC 2 Type I targeted Q3 2026; ISO 27001 pre-assessment targeted Q4 2026.

10. Return and deletion

10.1 On termination of the Principal Agreement, the Controller may, within 30 days, request export of Customer Data via the Service's export tooling.

10.2 After the 30-day window, the Processor will delete Customer Data from production systems within 30 further days. Backup copies are subject to the rolling 35-day retention specified in docs/runbooks/disaster-recovery.md.

10.3 The Processor may retain account-level metadata strictly necessary to comply with statutory record-keeping obligations (HGB §257; AO §147 — invoicing data, 10 years).

11. International data transfers

11.1 The Processor's primary infrastructure is hosted in the EU. Where a Sub-Processor processes data outside the EU/EEA, the transfer relies on:

  • EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (Controller-to-Processor) and/or Module 3 (Processor-to-Processor), or
  • the EU-US Data Privacy Framework where the Sub-Processor is certified, or
  • another transfer mechanism explicitly identified on /trust/subprocessors.

11.2 The Processor performs Transfer Impact Assessments (TIAs) for each non-EU Sub-Processor and makes the latest TIA available on request.

12. Liability and limitations

Liability under this DPA is governed by the limitation of liability clause of the Principal Agreement, except where mandatory law (in particular GDPR Art. 82) provides otherwise.

13. Order of precedence

In the event of a conflict, the order of precedence is: (1) mandatory law, (2) this DPA, (3) the Principal Agreement.

14. Governing law and venue

This DPA is governed by the laws of the Federal Republic of Germany, excluding its conflict-of-laws rules. Exclusive venue is Berlin, Germany, to the extent permitted by law.

15. Acceptance

This DPA enters into force when the Controller accepts the Principal Agreement and ticks the "I accept the Data Processing Agreement" checkbox in the Account Settings, or counter-signs the PDF version available from dpa@harbingerexplorer.com.
