HomeLegalGDPR DPA

Data Processing Agreement

Terms of ServicePrivacy PolicyGDPR DPA

HummingTribe (hummingtribe.com)

Effective date: March 11, 2026  |  Last updated: March 11, 2026

This Data Processing Agreement (“DPA”) supplements the Terms of Service (“Terms”) between HummingTribe (“Processor”, “we”, “us”) and the Customer (“Controller”, “you”, “your”) and governs the processing of personal data by HummingTribe on behalf of the Customer in connection with the services provided.

This DPA is entered into in accordance with Article 28 of the EU General Data Protection Regulation (GDPR — Regulation 2016/679).

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

“Processing” means any operation performed on personal data, as defined in Article 4(2) of the GDPR.

“Data Subject” means an identified or identifiable natural person whose personal data is processed.

“Sub-processor” means a third party engaged by the Processor to process personal data on behalf of the Controller.

“Supervisory Authority” means the relevant data protection authority, which for Romania is the ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal).

“Services” means the services provided by HummingTribe under the Terms, including but not limited to S3-compatible storage, shared hosting, managed VPS, managed dedicated servers, and managed backup.

2. Scope and Roles

2.1. The Customer acts as the Data Controller and determines the purposes and means of processing personal data using the Services.

2.2. HummingTribe acts as the Data Processor and processes personal data solely on behalf of the Controller and in accordance with the Controller’s documented instructions.

2.3. This DPA applies to all personal data that the Controller stores, transmits, or otherwise processes using the Services.

3. Subject Matter and Details of Processing

3.1. Subject Matter

The processing of personal data by HummingTribe is necessary for the performance of the Services as described in the Terms of Service.

3.2. Duration

Processing continues for the duration of the service agreement between the Controller and HummingTribe, plus any retention period specified in Section 10.

3.3. Nature and Purpose of Processing

Storage, hosting, transmission, backup, and retrieval of personal data as directed by the Controller through use of the Services.

3.4. Types of Personal Data

The types of personal data processed depend on the Controller’s use of the Services and may include, but are not limited to:

  • Names, email addresses, phone numbers
  • Addresses and location data
  • Financial and transaction data
  • Employee or customer records
  • Any other personal data the Controller chooses to store or process using the Services

3.5. Categories of Data Subjects

Data subjects may include, but are not limited to:

  • The Controller’s customers and end users
  • The Controller’s employees and contractors
  • Any individuals whose data the Controller stores or processes using the Services

4. Controller’s Obligations

4.1. The Controller is responsible for:

  • Ensuring that the processing of personal data using the Services has a valid legal basis under the GDPR.
  • Providing any required notices to data subjects regarding the processing.
  • Obtaining any necessary consents from data subjects.
  • Ensuring that any instructions given to HummingTribe comply with applicable data protection law.

4.2. The Controller warrants that it has the right to transfer personal data to HummingTribe for processing in accordance with this DPA.

5. Processor’s Obligations

5.1. HummingTribe shall:

  1. Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU or Romanian law, in which case HummingTribe shall inform the Controller of that legal requirement before processing (unless prohibited by law).
  2. Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7.
  4. Assist the Controller in fulfilling its obligations to respond to Data Subject requests, as described in Section 8.
  5. Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation, taking into account the nature of processing and information available to HummingTribe.
  6. At the Controller’s choice, delete or return all personal data upon termination of the Services, and delete existing copies unless EU or Romanian law requires storage.
  7. Make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

5.2. HummingTribe shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.

6. Sub-processors

6.1. The Controller provides general authorization for HummingTribe to engage sub-processors for the provision of the Services.

6.2. The current list of sub-processors is:

Sub-processorPurposeLocationData Processed
Hetzner Online GmbHInfrastructure hosting (servers, storage, network)Germany (Falkenstein, Nuremberg)All service data stored by Controller
Stripe, Inc.Payment processingEU (primary), US (corporate)Controller billing data only (not Controller’s customer data)
Brevo (Sendinblue)Transactional email deliveryEUEmail addresses for service notifications

6.3. HummingTribe shall inform the Controller of any intended changes to the list of sub-processors by providing at least 30 days’ advance notice via email. The Controller may object to the new sub-processor within that period. If the Controller objects on reasonable grounds, the parties shall work in good faith to find a resolution. If no resolution can be reached, the Controller may terminate the affected Services.

6.4. HummingTribe shall impose on each sub-processor, by way of a contract, data protection obligations no less protective than those set out in this DPA.

6.5. HummingTribe remains fully liable to the Controller for the performance of each sub-processor’s obligations.

7. Security Measures

7.1. HummingTribe implements the following technical and organizational measures to protect personal data:

Technical Measures:

  • Encryption of data in transit using TLS 1.2+ (HTTPS for all web traffic, encrypted connections between internal services)
  • Storage on RAID-redundant disk arrays
  • Server hardening: SSH key-based authentication, fail2ban intrusion prevention, automated security patching
  • Firewalls on all servers (UFW/firewalld) restricting access to necessary ports only
  • Internal network isolation via encrypted VPN (Tailscale/WireGuard)
  • Credential management via HashiCorp Vault with auto-seal and encrypted storage
  • Database access restricted to internal network with TLS and SCRAM-SHA-256 authentication
  • No public exposure of management interfaces
  • Continuous automated monitoring with alerting

Organizational Measures:

  • Access to personal data limited to the data controller (sole proprietor) on a need-to-know basis
  • All infrastructure managed by a single individual with direct accountability
  • No outsourced support staff with access to customer data
  • Regular review of security configurations and access controls
  • Documented incident response procedures (Section 9)

7.2. HummingTribe shall regularly review and update security measures to maintain an appropriate level of protection.

8. Data Subject Rights

8.1. HummingTribe shall assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection).

8.2. If HummingTribe receives a request directly from a data subject, HummingTribe shall promptly forward it to the Controller and shall not respond directly unless instructed by the Controller.

8.3. The Controller has direct access to most data via the self-service dashboard and can delete, modify, or export data without requiring assistance from HummingTribe.

9. Data Breach Notification

9.1. HummingTribe shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Controller’s data.

9.2. The notification shall include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and records affected.
  • The name and contact details of HummingTribe’s contact point.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its adverse effects.

9.3. HummingTribe shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Deletion and Return

10.1. Upon termination or expiration of the Services, HummingTribe shall, at the Controller’s choice:

  • Return all personal data to the Controller in a standard, machine-readable format (e.g., via S3 API download, SFTP transfer, or database export); or
  • Delete all personal data and certify deletion in writing.

10.2. The Controller has a period of 30 days from the end of the service term to request data return. After this period, HummingTribe will proceed with deletion.

10.3. Deletion includes the removal of data from all active storage systems. Data in backups may persist for up to 30 additional days until backup rotation cycles complete.

10.4. HummingTribe may retain personal data to the extent required by Romanian or EU law (e.g., billing records for fiscal compliance), with such data remaining subject to the protections of this DPA.

11. International Data Transfers

11.1. All customer data processed under this DPA is stored and processed within the European Economic Area (EEA), specifically in Germany.

11.2. HummingTribe does not transfer personal data stored by the Controller outside the EEA.

11.3. Billing data processed by Stripe may be transferred to the United States under the EU-US Data Privacy Framework and Standard Contractual Clauses maintained by Stripe.

11.4. If any future transfer outside the EEA becomes necessary, HummingTribe will ensure appropriate safeguards are in place (Standard Contractual Clauses, adequacy decisions, or other mechanisms approved under the GDPR) and will notify the Controller in advance.

12. Audits

12.1. HummingTribe shall make available to the Controller all information necessary to demonstrate compliance with Article 28 of the GDPR.

12.2. The Controller or its authorized auditor may conduct audits, including inspections, of HummingTribe’s data processing activities, subject to the following conditions:

  • The Controller provides at least 30 days’ written notice.
  • Audits are conducted during normal business hours.
  • The Controller takes reasonable steps to minimize disruption to HummingTribe’s operations.
  • Audit findings and any confidential information obtained are treated as confidential.

12.3. If multiple controllers request audits, HummingTribe may provide a single consolidated audit report or certification to satisfy the requests, where appropriate.

13. Liability

13.1. Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service.

13.2. HummingTribe’s total aggregate liability under this DPA shall not exceed the total fees paid by the Controller in the twelve (12) months preceding the event giving rise to the claim.

14. Term and Termination

14.1. This DPA takes effect when the Controller begins using the Services and remains in effect for the duration of the service agreement.

14.2. This DPA terminates automatically when all Services provided to the Controller have ended and all personal data has been deleted or returned in accordance with Section 10.

14.3. Obligations that by their nature should survive termination (including data deletion, confidentiality, and liability) shall survive.

15. Governing Law

15.1. This DPA is governed by Romanian law and the EU General Data Protection Regulation (GDPR).

15.2. Any disputes relating to this DPA shall be subject to the exclusive jurisdiction of the competent courts in Bucharest, Romania.

16. Contact

For questions about this DPA or data processing practices, contact:

HummingTribe
Email: hello@hummingtribe.com

This Data Processing Agreement was last updated on March 11, 2026.

Last updated: March 11, 2026