HYPERSTANDARD PRIVACY POLICY

1. Introduction

Hyperstandard SAGL ("Hyperstandard," "we," "us," or "our") is a societa a garanzia limitata incorporated under the laws of Switzerland, with UID CHE-432.275.678, registered at Contrada di Sassello 10, 6900 Lugano, Switzerland. We provide a non-custodial multi-asset treasury management platform (the "Platform") enabling enterprise-grade management of digital assets.

This Privacy Policy explains:

• What personal data we collect
• How and why we use personal data
• With whom we share personal data
• How long we retain personal data
• Your rights regarding your personal data
• How we protect personal data
• How to contact us about privacy matters

This Privacy Policy applies to all personal data we process in connection with the Platform, including:

• Data provided during account registration
• Data generated through Platform use
• Data collected through our website and communications
• Data received from third-party service providers

By using the Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, you must not use the Platform.

We may update this Privacy Policy from time to time to reflect:

• Changes in our data practices
• Legal or regulatory requirements
• New Platform features or services
• Improved privacy protections

We will provide notice of material changes via email at least thirty (30) days before the changes take effect. Your continued use of the Platform after the effective date constitutes acceptance of the updated Privacy Policy.

2. Data Controller and Contact Information

2.1.1 Hyperstandard as Data Controller: For data relating to the Customer organization (account registration, billing, platform usage analytics, and security monitoring), Hyperstandard SAGL is the data controller.

2.1.2 Hyperstandard as Data Processor: For personal data of individual Users (employees, contractors, or agents of the Customer), the Customer is the data controller and Hyperstandard acts as a data processor providing the Platform on the Customer's behalf.

2.1.3 Customer Responsibilities: When acting as data processor, we process User data in accordance with the Customer's instructions and applicable data protection laws. The Customer is responsible for ensuring they have a lawful basis to share User data with Hyperstandard and for fulfilling their obligations as data controller to their Users.

Privacy and Data Protection Inquiries:
Hyperstandard SAGL
Attention: Privacy Officer
Contrada di Sassello 10
6900 Lugano, Switzerland
Email: privacy@hyperstandard.com

For all data protection and privacy compliance matters, please contact us at privacy@hyperstandard.com. We aim to respond to all privacy enquiries within five (5) business days.

3. Personal Data We Collect

3.1.1 Account Registration Information

When you create an account, we collect:

• Organization Details: Legal entity name, organization type, registration number, registered address
• Representative Information: Name, title, email address, phone number
• Contact Details: Billing address, correspondence address
• Account Credentials: Username, password (hashed and encrypted)
• Authentication Information: Two-factor authentication (2FA) setup details

3.1.2 Verification and Identity Information

For compliance and risk management purposes, we may collect:

• Identity Documents: Passport, national ID, driver's license (if required)
• Proof of Address: Utility bills, bank statements
• Business Documentation: Articles of incorporation, business licenses, beneficial ownership information
• Regulatory Information: Tax identification numbers, VAT numbers
• Source of Funds Information: Information about the source and legitimacy of Digital Assets

3.1.3 Transaction and Wallet Information

Through your use of the Platform, we collect:

• Wallet Addresses: Public blockchain addresses for your wallets
• Transaction Details: Transaction amounts, timestamps, recipient addresses, transaction hashes
• Beneficiary Information: Whitelisted beneficiary addresses and labels
• Asset Holdings: Types and amounts of Digital Assets held
• Gas Fee Information: Gas fee wallet balances and consumption

Note: Blockchain transactions are publicly visible on distributed ledgers. While we collect wallet addresses you create through the Platform, the blockchain itself records all transaction data immutably and publicly.

3.1.4 Communications

When you communicate with us, we collect:

• Support Requests: Messages, attachments, and interaction history
• Feedback and Surveys: Responses to surveys, feature requests, and feedback
• Email Communications: Correspondence via email
• Platform Messages: In-platform messaging and notifications

3.1.5 Payment Information

When you pay fees, we collect:

• Billing Information: Billing name and address
• Payment Method Details: Last four digits of credit card, bank account details (for bank transfers)
• Transaction Records: Payment amounts, dates, invoices, receipts

Note: We do not store complete credit card numbers. Payment processing is handled by third-party payment processors who maintain their own privacy policies.

3.2.1 Usage Data and Analytics

When you use the Platform, we automatically collect:

• Access Logs: IP addresses, timestamps, pages accessed, actions performed
• Device Information: Browser type and version, operating system, device type
• Session Information: Login times, session duration, idle times
• Feature Usage: Which Platform features you use and how frequently
• Performance Data: Page load times, error messages, system performance metrics
• Click and Navigation Data: Buttons clicked, pages navigated, user flow paths

3.2.2 Audit and Security Logs

For security and compliance purposes, we maintain comprehensive logs of:

• Authentication Events: Login attempts (successful and failed), 2FA verifications, password changes
• User Activities: All actions taken within the Platform, including wallet creation, transaction initiation and approval, permission changes
• Administrative Actions: User management, role assignments, configuration changes
• Security Events: Suspicious activity alerts, access from new devices or locations, potential security incidents
• System Events: Errors, warnings, system health events
• Policy Engine Configuration: Policy rules, approval thresholds, signer requirements, and configuration changes

These logs are retained for seven (7) years to comply with regulatory requirements.

3.2.3 Cookies and Tracking Technologies

We use cookies and similar technologies to enable core functionality, enhance security, provide analytics, remember your preferences, and improve Platform performance. You can control cookies through your browser settings, but disabling certain cookies may impair Platform functionality.

3.3.1 DFNS (MPC Infrastructure Provider)

We receive wallet infrastructure data, signature requests, service logs, and security events from DFNS solely for the purpose of providing MPC wallet infrastructure. DFNS does not have custody or control of your Digital Assets.

3.3.2 Exchange Service Providers

When you use exchange services through the Platform, exchange providers may share KYC verification results, transaction data, compliance data, and account status information. Each provider's privacy policy applies to their processing of your data.

3.3.3 Blockchain Data

We collect publicly available blockchain data such as transaction confirmations, network status, wallet balances, and smart contract interactions. Blockchain data is public and immutable.

3.3.4 Other Third-Party Services

We may receive additional information from authentication providers (e.g., WorkOS), payment processors, cloud providers, and fraud prevention services, as needed to operate and secure the Platform.

We do not require and discourage you from providing sensitive personal data (e.g., health or genetic data), private keys or authentication secrets, or any information unrelated to Platform operation or compliance.

4. How We Use Personal Data

We process your personal data based on contract performance, legal obligations, legitimate interests, and, where applicable, your consent. Specific legal bases are indicated in relation to each processing purpose.

We use your personal data to provide and operate the Platform, ensure security and fraud prevention, comply with legal and regulatory obligations, improve and develop services, communicate with you (including for marketing with your consent), support business operations, and protect our legal rights and interests.

5. How We Share Personal Data

We share personal data with carefully selected third-party service providers who process data on our behalf:

5.1.1 DFNS (MPC Infrastructure Provider)

Data Shared: Wallet creation requests, transaction signature requests, infrastructure usage data
Purpose: Provision of non-custodial wallet infrastructure
Legal Basis: Contract performance
Safeguards: Data processing agreement, technical and organizational security measures

5.1.2 Exchange Service Providers

Data Shared: Identity information (for KYC), transaction details, wallet addresses
Purpose: Provision of exchange and conversion services
Legal Basis: Contract performance, legal obligations
Note: You must separately accept each exchange provider’s terms and privacy policy

5.1.3 WorkOS (Authentication Provider)

Data Shared: Login credentials, authentication events, organizational structure
Purpose: Identity and access management
Legal Basis: Contract performance
Safeguards: Data processing agreement

5.1.4 Cloud Infrastructure Providers

Data Shared: All Platform data (encrypted)
Purpose: Hosting and infrastructure services
Legal Basis: Legitimate interests
Safeguards: Data processing agreements, encryption, access controls

5.1.5 Payment Processors

Data Shared: Billing information, payment details
Purpose: Payment processing
Legal Basis: Contract performance
Note: Payment processors maintain their own privacy policies

5.1.6 Analytics and Monitoring Services

Data Shared: Usage data, performance metrics (anonymized where possible)
Purpose: Platform analytics and performance monitoring
Legal Basis: Legitimate interests
Safeguards: Data minimization, anonymization where feasible

5.1.7 Customer Support and Communication Tools

Data Shared: Contact information, support tickets, communications
Purpose: Customer support and communication
Legal Basis: Contract performance, legitimate interests

5.2.1 With Regulatory Authorities

When required by law or regulatory obligation, we may share data with:

• Financial regulatory authorities
• Anti-money laundering authorities
• Tax authorities
• Law enforcement agencies
• Courts and tribunals
• Other government agencies

Legal Basis: Legal obligations

5.2.2 In Response to Legal Process

We may disclose data in response to:

• Subpoenas, court orders, or legal process
• Legal investigations or proceedings
• Requests from law enforcement
• National security requests (where applicable)

Legal Basis: Legal obligations

5.2.3 For Fraud Prevention and Security

We may share data with:

• Fraud prevention services
• Security service providers
• Other financial institutions (for fraud investigations)

Legal Basis: Legitimate interests, legal obligations

We may share or transfer personal data in connection with:

• Mergers, acquisitions, or consolidations
• Sale of all or substantially all of our assets
• Corporate reorganizations or restructuring
• Bankruptcy or insolvency proceedings

In such events, the acquiring entity will be bound by this Privacy Policy unless you consent to a different policy.
Legal Basis: Legitimate interests

We may share personal data with third parties when you provide explicit consent, including:

• Integration with third-party services you authorize
• Disclosure to professional advisors you designate
• Other specific purposes for which you provide consent

Legal Basis: Consent

IMPORTANT: Blockchain transactions are publicly visible and immutable.

When you transact on public blockchains:

• Transaction details (addresses, amounts, timestamps) are publicly recorded
• Anyone can view transactions associated with your wallet addresses
• Blockchain data cannot be deleted or modified
• Third parties may analyze blockchain data and potentially link it to your identity

We have no control over publicly available blockchain data.

We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you:

• For research and analytics
• For industry benchmarking
• In public reports or publications
• With business partners and investors

Such data is not considered personal data and is not subject to data protection restrictions.

6. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to, stored in, and processed in countries outside your country of residence, including:

• Switzerland: Where Hyperstandard is headquartered
• European Union: Where some service providers are located
• United States: Where some service providers (e.g., cloud infrastructure) are located
• Other Countries: Where service providers or partners operate

When we transfer personal data internationally, we implement appropriate safeguards, including:

6.2.1 Adequacy Decisions

We rely on adequacy decisions recognizing equivalent data protection, including:

• Swiss-EU data protection adequacy
• Swiss-UK data protection adequacy
• EU adequacy decisions for certain countries

6.2.2 Standard Contractual Clauses (SCCs)

For transfers not covered by adequacy decisions, we use:

• EU Standard Contractual Clauses approved by the European Commission
• Swiss Standard Contractual Clauses approved by Swiss authorities
• Additional contractual protections as required

6.2.3 Additional Safeguards

We implement supplementary measures including:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security assessments
• Data minimization
• Contractual commitments from data recipients

You have the right to:

• Obtain information about data transfers
• Request copies of transfer safeguards
• Object to transfers (in certain circumstances)

Contact privacy@hyperstandard.com for more information about our international data transfers.

7. DATA RETENTION

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

7.2.1 Account Data

• Active Accounts: Data retained for the duration of your Account
• After Termination: Data retained for seven (7) years after Account termination for compliance and legal purposes
• Deletion: After retention period expires, data is securely deleted unless legal hold applies

7.2.2 Audit Logs

• Retention: Seven (7) years
• Scope: All authentication events, user activities, transactions, permission changes, system events

7.2.3 Transaction Records

• Retention: Seven (7) years from transaction date
• Purpose: Compliance with financial recordkeeping obligations
• Deletion: After retention period expires, securely deleted unless legal hold applies

7.2.4 Identity Verification Documents

• Retention: Seven (7) years after relationship termination
• Purpose: Compliance with AML/CTF obligations
• Deletion: Securely deleted after retention period

7.2.5 Communications and Support

• Support Tickets: Three (3) years after resolution
• Email Communications: Three (3) years
• Platform Messages: Retained with Account, deleted seven (7) years after Account termination

7.2.6 Marketing Communications

• Consent Records: Three (3) years after consent withdrawal or relationship termination
• Marketing Lists: Updated upon opt-out; historical records retained for three (3) years

7.2.7 Payment and Billing Records

• Retention: Ten (10) years from payment date
• Purpose: Compliance with accounting and tax obligations
• Deletion: Securely deleted after retention period

If data becomes subject to legal hold (due to litigation, regulatory investigation, or other legal proceedings), we will retain such data until the legal hold is released, which may exceed standard retention periods.

Where possible, we anonymize personal data after the retention period expires rather than deleting it entirely, enabling us to use the data for analytics and research without privacy implications.

You may request deletion of your personal data (subject to legal retention requirements and legitimate interests). See Section 9 for information about exercising this right.

8. DATA SECURITY

We are committed to protecting the security of your personal data. We implement comprehensive technical and organizational measures designed to safeguard data against unauthorized access, disclosure, alteration, and destruction.

8.2.1 Encryption

• Data in Transit: TLS 1.3 encryption for all data transmission
• Data at Rest: AES-256 encryption for stored data
• Database Encryption: Encrypted databases with secure key management
• Backup Encryption: All backups encrypted

8.2.2 Access Controls

• Authentication: Multi-factor authentication (2FA) required for all users
• Authorization: Role-based access control (RBAC) with least privilege principle
• Session Management: Automatic session timeout, secure session tokens
• Credential Security: Passwords hashed with bcrypt, salted
• API Security: Secure API authentication and authorization

8.2.3 Network Security

• Firewalls: Next-generation firewalls protecting infrastructure
• Intrusion Detection: Real-time monitoring for intrusion attempts
• DDoS Protection: Distributed denial-of-service mitigation
• Network Segmentation: Isolation of production, development, and administrative networks
• VPN Access: Secure VPN required for administrative access

8.2.4 Application Security

• Secure Development: Secure coding practices, code reviews
• Vulnerability Scanning: Regular automated and manual security assessments
• Penetration Testing: Annual third-party penetration testing
• Patch Management: Timely application of security patches
• Input Validation: Protection against injection attacks (SQL, XSS, etc.)

8.2.5 Infrastructure Security

• Cloud Security: Infrastructure hosted with reputable cloud providers implementing industry-leading security
• Redundancy: Geographically distributed infrastructure for resilience
• Backup and Recovery: Regular encrypted backups with tested recovery procedures
• Monitoring: 24/7 infrastructure and security monitoring

8.3.1 Access Management

• Background Checks: Background screening for employees with data access
• Need-to-Know Basis: Access granted only when necessary for job functions
• Access Reviews: Regular reviews of access privileges
• Termination Procedures: Immediate revocation of access upon employee departure

8.3.2 Training and Awareness

• Security Training: Mandatory security and privacy training for all employees
• Awareness Programs: Regular security awareness communications
• Phishing Simulation: Periodic phishing awareness testing
• Incident Response Training: Regular incident response drills

8.3.3 Policies and Procedures

• Information Security Policy: Comprehensive security policy framework
• Data Protection Policy: Data handling and protection procedures
• Incident Response Plan: Documented incident response procedures
• Business Continuity Plan: Disaster recovery and business continuity planning
• Vendor Management: Third-party security assessment and management

8.3.4 Compliance and Audits

• Security Audits: Regular internal and external security audits
• Compliance Assessments: Regular assessments against regulatory requirements
• Certifications: Pursuit of relevant security certifications (e.g., ISO 27001, SOC 2)
• Continuous Improvement: Ongoing enhancement of security measures

In the event of a security incident:

8.4.1 Detection and Assessment

• Real-time monitoring detects potential incidents
• Incident response team activated
• Scope and impact assessment conducted

8.4.2 Containment and Remediation

• Immediate containment actions to prevent further harm
• Forensic analysis to understand root cause
• Remediation measures implemented
• Affected systems restored and secured

8.4.3 Notification

• Affected individuals notified without undue delay
• Regulatory authorities notified as required by law
• Transparency regarding incident details, impact, and remediation

8.4.4 Post-Incident Review

• Lessons learned analysis
• Security improvements implemented
• Incident documentation and reporting

• Notify you without undue delay (within 72 hours where required by law)
• Describe the nature and scope of the breach
• Explain the likely consequences
• Describe measures taken or proposed to address the breach
• Provide contact information for further inquiries
• Recommend steps you can take to protect yourself

IMPORTANT:

While we implement robust security measures, no system is completely secure. Security risks include:

• Sophisticated cyber-attacks beyond our defenses
• Vulnerabilities in third-party services
• Social engineering attacks targeting users
• Insider threats
• Zero-day exploits in software or infrastructure

You are responsible for:

• Safeguarding your account credentials
• Implementing strong passwords and 2FA
• Securing your devices and systems
• Recognizing and avoiding phishing attacks
• Reporting suspicious activity immediately

9. YOUR DATA PROTECTION RIGHTS

Subject to applicable data protection laws (including GDPR, Swiss FADP), you have the following rights regarding your personal data:

You have the right to:

• Confirm whether we process your personal data
• Obtain a copy of your personal data
• Receive information about how we process your data

How to Exercise: Submit a request to privacy@hyperstandard.com. We will respond within one (1) month (extendable by two months for complex requests).

You have the right to:

• Correct inaccurate personal data
• Complete incomplete personal data

How to Exercise: Contact privacy@hyperstandard.com or update information directly in your Account settings.

You have the right to request deletion of your personal data when:

• Data is no longer necessary for the purposes collected
• You withdraw consent (where processing is based on consent)
• You object to processing (where processing is based on legitimate interests)
• Data was unlawfully processed
• Deletion is required by legal obligation

Limitations: We may not be able to delete data if retention is necessary for:

• Compliance with legal obligations (e.g., 7-year audit log retention)
• Establishment, exercise, or defense of legal claims
• Archiving purposes in the public interest
• Other legal grounds

How to Exercise: Submit a request to privacy@hyperstandard.com. We will assess whether deletion is appropriate under applicable law.

You have the right to restrict processing when:

• You contest the accuracy of data (restriction during verification)
• Processing is unlawful but you prefer restriction to deletion
• We no longer need the data but you need it for legal claims
• You have objected to processing (restriction pending verification of legitimate grounds)

How to Exercise: Contact privacy@hyperstandard.com. We will restrict processing except for storage and processing with your consent or for legal claims.

You have the right to:

• Receive your personal data in a structured, commonly used, machine-readable format
• Transmit your data to another controller (where technically feasible)

Scope: This right applies to data you provided to us and where processing is based on consent or contract and carried out by automated means.

How to Exercise: Submit a request to privacy@hyperstandard.com. We will provide data in CSV, JSON, or other appropriate format.

9.7.1 Objection to Processing Based on Legitimate Interests

You have the right to object to processing based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.

9.7.2 Objection to Direct Marketing

You have the absolute right to object to processing for direct marketing purposes. We will cease processing for such purposes immediately upon receipt of your objection.

How to Exercise:
For marketing: Click “unsubscribe” in emails or contact privacy@hyperstandard.com
For other objections: Submit detailed objection to privacy@hyperstandard.com

Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

How to Exercise: Contact privacy@hyperstandard.com or adjust consent preferences in your Account settings.

You have the right to lodge a complaint with a supervisory authority, particularly in:

• Your habitual residence
• Your place of work
• The place of the alleged infringement

Switzerland:

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern, Switzerland
Email: info@edoeb.admin.ch
Website: www.edoeb.admin.ch

European Union:

Contact the supervisory authority in your EU Member State. List available at: https://edpb.europa.eu/about-edpb/board/members_en

We do not make decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you.
If we implement automated decision-making in the future, we will:

• Notify you explicitly
• Obtain consent where required
• Provide information about the logic involved
• Allow you to request human intervention
• Enable you to contest the decision

9.11.1 How to Submit Requests

Submit requests to: privacy@hyperstandard.com
Include in your request:

• Your full name and Account email address
• Description of the right you wish to exercise
• Specific data or processing activities involved
• Any supporting information

9.11.2 Identity Verification

To protect your privacy, we will verify your identity before responding to rights requests. Verification may require:

• Confirmation of email address
• Account credentials
• Answers to security questions
• Government-issued identification (in certain cases)

9.11.3 Response Timeline

We will respond to requests without undue delay and within:

• One (1) month of receipt (standard)
• Three (3) months for complex or numerous requests (we will inform you of the extension and reasons)

9.11.4 Fees

Rights requests are generally free of charge. However, we may charge a reasonable fee based on administrative costs if:

• Requests are manifestly unfounded or excessive
• You request additional copies of data beyond the first copy

9.11.5 Refusal of Requests

We may refuse requests if:

• Legally prohibited from complying
• Request is manifestly unfounded or excessive
• Request conflicts with legal obligations or legitimate interests
• Request would adversely affect the rights of others

If we refuse a request, we will explain the reasons and inform you of your right to lodge a complaint with a supervisory authority.

10. CHILDREN’S PRIVACY

The Platform is not intended for use by individuals under the age of eighteen (18) years. We do not knowingly collect personal data from children.

If you are a parent or guardian and believe your child has provided personal data to us, please contact privacy@hyperstandard.com immediately. We will promptly delete such data from our systems.

If we learn that we have collected personal data from a child without parental consent, we will delete that information as quickly as possible.

11. COOKIES AND TRACKING TECHNOLOGIES

Cookies are small text files stored on your device by websites you visit. They enable websites to remember your actions and preferences over time.

11.2.1 Strictly Necessary Cookies

• Purpose: Essential for Platform operation; cannot be disabled
• Examples: Authentication and session management, Security and fraud prevention, Load balancing and performance
• Legal Basis: Legitimate interests (Platform functionality)

11.2.2 Functional Cookies

• Purpose: Enable enhanced functionality and personalization
• Examples: Language preferences, User interface settings, Feature toggles
• Legal Basis: Consent (where required), legitimate interests

11.2.3 Analytics Cookies

• Purpose: Understand how users interact with the Platform
• Examples: Page views and navigation paths, Feature usage statistics, Error tracking and debugging
• Legal Basis: Consent (where required), legitimate interests

11.2.4 Performance Cookies

• Purpose: Monitor and improve Platform performance
• Examples: Page load times, Response times, Infrastructure performance
• Legal Basis: Legitimate interests

We may use third-party services that set cookies, including: Analytics Providers: Google Analytics, Mixpanel (if applicable); Error Tracking: Sentry (if applicable); Customer Support: Intercom, Zendesk (if applicable). Each third party’s use of cookies is governed by their own privacy policy.

11.4.1 Browser Controls

You can control cookies through your browser settings: Block all cookies: May prevent Platform functionality; Block third-party cookies: May prevent some features; Delete existing cookies: Resets preferences and sessions

Browser Instructions: Chrome: Settings > Privacy and Security > Cookies; Firefox: Settings > Privacy & Security > Cookies; Safari: Preferences > Privacy > Cookies; Edge: Settings > Privacy, search, and services > Cookies

Some browsers offer “Do Not Track” (DNT) signals. Our Platform does not currently respond to DNT signals due to lack of industry consensus on interpretation.

In addition to cookies, we may use: Web Beacons (Pixels): Small images that track page views and email opens; Local Storage: Browser storage for application data; Session Storage: Temporary storage cleared when browser closes; JavaScript: For interactive functionality and analytics

12. UPDATES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect: Changes in data practices, New Platform features, Legal or regulatory requirements, Improved privacy protections, User feedback

We will notify you of material changes via:

Email to your registered address,
Prominent notice on the Platform,
In-app notification.

Notice will be provided at least thirty (30) days before changes take effect.

The effective date of changes will be clearly indicated at the top of this Privacy Policy.

Your continued use of the Platform after changes become effective constitutes acceptance of the updated Privacy Policy.

If you do not agree with changes, you should:

Cease using the Platform,
Terminate your Account before the effective date,
Request deletion of your data (subject to retention requirements)

Previous versions of this Privacy Policy are available upon request to privacy@hyperstandard.com.

13. CONTACT US

For questions, concerns, or requests regarding this Privacy Policy or our data practices:
Email: privacy@hyperstandard.com;
Mail:
Hyperstandard SAGL,
Attention: Privacy Officer,
Contrada di Sassello 10,
6900 Lugano, Switzerland

For data protection compliance matters:
Email: privacy@hyperstandard.com

To report security incidents or vulnerabilities:
Email: privacy@hyperstandard.com

To exercise your data protection rights (access, rectification, erasure, etc.):
Email: privacy@hyperstandard.com;
Subject: [Specific Right] Request (e.g., “Data Access Request”)

We strive to respond to all privacy inquiries within: 5 business days: Initial acknowledgment; 30 days: Substantive response (may be extended for complex matters)

14. GLOSSARY

Personal Data: Information relating to an identified or identifiable natural person.
Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
Data Controller: Entity that determines the purposes and means of processing personal data.
Data Processor: Entity that processes personal data on behalf of a data controller.
Consent: Freely given, specific, informed, and unambiguous indication of data subject’s wishes.
Legitimate Interests: Processing necessary for legitimate interests pursued by the controller or a third party, except where overridden by the interests or fundamental rights of the data subject.
Supervisory Authority: Independent public authority responsible for monitoring application of data protection law.
Data Subject: Identified or identifiable natural person to whom personal data relates.
Third Party: Natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons authorized to process data.

15. APPENDIX: DATA PROCESSING DETAILS

For customers who are data controllers and require a Data Processing Agreement (DPA) to comply with GDPR or other data protection laws, we offer a standard DPA. Contact legal@hyperstandard.com to execute a DPA.

We engage the following sub-processors:

We will notify customers of sub-processor changes at least 30 days in advance.

Technical and organizational measures include:

Technical:

• Encryption (TLS 1.3, AES-256)
• Access controls (MFA, RBAC)
• Network security (firewalls, IDS/IPS)
• Secure development practices
• Regular security testing

Organizational:

• Security policies and procedures
• Employee training
• Background checks
• Incident response plan
• Vendor management