Legal

Data Processing Agreement (DPA)

Last updated: April 29, 2026

Placeholder. This page summarizes how we approach data processing agreements for customers who require a GDPR Article 28-compliant DPA. It is not a substitute for a signed agreement. Contact us for the current executable template and countersignature process.

1. When a DPA applies

When Hugo processes personal data on behalf of your organization in connection with the Services, we act as a processor and your organization is typically the controller (or a processor instructing us as a subprocessor, per your chain of contracts). A written DPA establishes the instructions, confidentiality, security, and subprocessors framework required under GDPR and comparable laws.

2. What our standard DPA covers

Our executable DPA template generally includes:

  • Subject matter, duration, nature and purpose of processing, and types of personal data.
  • Your instructions for processing and our obligations to assist with data subject requests where applicable.
  • Technical and organizational security measures and breach notification commitments.
  • Subprocessors: authorization, notice mechanism, and flow-down obligations.
  • Deletion or return of data at end of service, subject to legal retention needs.
  • Audit cooperation and Standard Contractual Clauses (SCCs) or other transfer tools where transfers occur.

3. Subprocessors

Hugo uses vetted infrastructure and service providers (hosting, auth, payment, AI inference partners, etc.). Our executed DPA references subprocessors and updates as we add or replace providers in line with contractual notice commitments.

4. Security

We implement measures appropriate to the risk, including access controls, encryption in transit, operational monitoring, and organizational policies. Details are provided in our security documentation and the executed DPA.

5. How to obtain a signed DPA

Email privacy@hugo.app or legal@hugo.app with your company legal name, workspace identifier, and billing contact. We will send the current DPA version for review and electronic signature. Enterprise customers may route through their procurement contact.

6. Related documents

See also our Privacy Policy for controller-facing disclosures, and our Terms of Service for general agreement terms. In case of conflict between a signed DPA and these public summaries, the signed DPA controls for processing matters.