{"updatedAt":"2026-07-01","note":"This packet supports self-serve DPA review. Final customer-specific legal terms are confirmed in the signed agreement.","topics":[{"title":"Role mapping","detail":"Controller, processor, subprocessor, and integration responsibilities by workflow."},{"title":"Data categories","detail":"Business account, staff, member, lead, payment-readiness, proof, and support-context data."},{"title":"Export and deletion","detail":"Customer export, deletion request, retention, and handoff expectations before signature."},{"title":"Incident notice","detail":"Notice routing, escalation owner, customer contact, and service-term alignment."},{"title":"Subprocessor changes","detail":"Named vendor review, customer-specific scope, and material-change notification path."},{"title":"Security measures","detail":"Access review, audit visibility, migration validation, vendor review, and support review cadence."}],"packet":{"roleModel":[{"role":"Customer","responsibility":"Controls business account data, staff and member operating records, customer instructions, and location policy."},{"role":"HexaFit","responsibility":"Processes customer data to provide platform, support, proof, signup, reporting, and operational workflows."},{"role":"Subprocessors","responsibility":"Provide infrastructure, communication, security, payment, or merchant-processing support under scoped vendor use."}],"commitments":["Export and deletion requests are reviewed through the customer support or enterprise review path.","Material subprocessor scope should be reviewed before production rollout and when customer-specific vendors are enabled.","Incident notice routing and support response targets are defined in the customer proposal or service terms.","Security measures are mapped publicly, while formal certifications are published only after independent evidence exists."],"selfServeLinks":[{"label":"Privacy Policy","href":"/privacy"},{"label":"Terms","href":"/terms"},{"label":"Subprocessor Register","href":"/subprocessors"},{"label":"Named Subprocessor Data","href":"/api/trust/subprocessors"},{"label":"Certification Status","href":"/certifications"},{"label":"Security Overview","href":"/resources/hexafit-architecture-review.pdf"}]},"subprocessors":[{"name":"HexaVox","category":"Messaging and communication","purpose":"Email delivery for website leads, demo requests, customer proof invitations, and internal notifications.","data":"Contact details, request context, consent records, and message metadata.","region":"Customer-specific configuration","status":"Configured when messaging credentials are enabled"},{"name":"Resend","category":"Messaging and communication","purpose":"Fallback email delivery when configured for website lead or proof workflows.","data":"Contact details, message content, and delivery metadata.","region":"Provider-managed","status":"Conditional"},{"name":"HexaFit Platform / HQ","category":"Core platform services","purpose":"Business signup routing, account discovery, customer proof administration, and customer workflow handoff.","data":"Business application details, account routing metadata, proof workflow records, and operating context.","region":"Environment-specific","status":"Core service"},{"name":"HexaPay","category":"Payment operations","purpose":"Payment workflow orchestration, merchant handoff, and payment-readiness review.","data":"Merchant application details, business entity information, settlement context, and payment workflow metadata.","region":"Customer-specific configuration","status":"Scoped per rollout"},{"name":"Payzli","category":"Merchant processing","purpose":"Merchant underwriting, payment processing, settlement, funding, statements, and chargeback workflows.","data":"Merchant legal entity, owner, banking, underwriting, transaction, funding, and chargeback records.","region":"Customer-specific configuration","status":"Scoped per legal entity"},{"name":"Cloudflare Turnstile","category":"Security and abuse prevention","purpose":"Human verification and abuse prevention for public signup flows when enabled.","data":"Challenge token, request metadata, and verification result.","region":"Provider-managed","status":"Conditional"},{"name":"Cloudflare","category":"DNS, edge, and security","purpose":"DNS, edge routing, TLS, and traffic protection where configured for public web properties.","data":"Request metadata, DNS records, TLS metadata, and security telemetry.","region":"Provider-managed","status":"Configured for public web operations"},{"name":"Hetzner Cloud","category":"Infrastructure","purpose":"Infrastructure provisioning and hosting operations where configured for deployment environments.","data":"Infrastructure metadata, server/network configuration, logs, and deployment operations metadata.","region":"Environment-specific","status":"Configured for infrastructure operations"}]}