Data Processing Agreement (DPA)
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service or any other written or electronic agreement (“Principal Agreement”) between:
- Customer (the “Controller”) – the entity that determines the purposes and means of the processing of personal data.
- Hexfit Solutions Inc. (the “Processor”) – a company incorporated in Canada, acting as a service provider and processor of personal data under the GDPR.
1. Subject Matter and Duration
The Processor shall process personal data on behalf of the Controller in connection with the provision of the Hexfit platform.
This Agreement remains in force as long as the Processor processes personal data for the Controller.
2. Nature and Purpose of Processing
The Processor shall process personal data solely to provide the Services described in the Principal Agreement, including:
- Hosting and storage of customer data,
- Management of training programs, progress tracking, and related analytics,
- Technical support and maintenance.
3. Categories of Data and Data Subjects
- Data categories: Identification (name, email, phone), account data, usage data, training/fitness-related information, communications.
- Data subjects: Employees, clients, and end-users of the Controller.
4. Obligations of the Processor
The Processor shall:
- Process data only on documented instructions from the Controller.
- Ensure confidentiality of authorized personnel.
- Implement appropriate security measures (see Annex II).
- Not engage sub-processors without proper safeguards (see Annex I).
- Assist the Controller in GDPR obligations (breach notifications, DPIAs, rights requests).
- Delete or return all data upon termination unless required by law.
- Provide evidence of compliance and allow audits.
5. Sub-Processors
The Controller authorizes the Processor to use sub-processors as listed in Annex I.
The Processor shall ensure equivalent data protection obligations are imposed on any sub-processor.
Where the Controller elects to use optional integrations, connectors, or third-party services connecting to Hexfit, the Controller is solely responsible for reviewing and accepting the data protection terms of such providers. Hexfit shall not be deemed a processor with respect to data shared with those services.
6. International Data Transfers
The Processor may transfer personal data outside the EEA provided that:
- Transfers are subject to an adequacy decision or
- The parties rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
The Controller consents to such transfers where necessary.
7. Liability
Each party is liable for damages caused by its breach of this Agreement or applicable data protection laws, subject to the liability limits in the Principal Agreement.
8. Termination
Upon termination, the Processor shall delete or return all personal data, unless law requires retention.
ANNEX I – List of Sub-Processors
Hexfit Solutions Inc. currently engages the following sub-processors:
Sub-Processor | Location | Purpose |
---|---|---|
Amazon Web Services (AWS) | Canada / USA / EU | Cloud hosting & storage |
Google Cloud (Firebase/Analytics) | USA / EU | Analytics, infrastructure |
SendGrid (Twilio) | USA | Transactional emails |
Sentry | USA | Bug tracking |
Calendly | USA | Meeting management |
Intercom | USA | Live chat and customer support |
Cloudflare | USA | Web security |
Metabase | USA | Analytics |
Stripe | USA | Payment solution |
Canny | USA | Customer support |
Wefitter | EU | Smart watches syncing |
ANNEX II – Technical and Organizational Security Measures
Hexfit Solutions Inc. maintains, at a minimum, the following measures:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access Control: Role-based access, strong authentication, MFA for administrators.
- Audit & Monitoring: Logging, monitoring, and regular reviews of system access.
- Data Isolation: Segregated environments for production/test, least privilege principles.
- Availability & Continuity: Backups, disaster recovery plan, redundancy across regions.
- Personnel Security: Confidentiality agreements, security awareness training.
- Certifications: ISO 27001 certified Information Security Management System.
ANNEX III – Standard Contractual Clauses (SCCs)
Where data is transferred outside the EEA to a third country not covered by an adequacy decision, the parties agree to rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914).