This Data Processing Agreement ("DPA") forms part of the agreement between HushAsk and the workspace ("Customer") that has installed or subscribed to HushAsk. It governs the processing of Personal Data carried out by HushAsk on Customer's behalf and is intended to satisfy Article 28 of the EU General Data Protection Regulation (GDPR), the equivalent provisions of the UK GDPR, and analogous obligations under other applicable data protection laws.

HushAsk is designed so that very little Personal Data is processed in the first place — sender identities are cryptographically anonymized at ingestion, and we never store Slack user IDs, names, or email addresses. The terms below apply to the limited set of Personal Data we do process, which is described in Annex A.

1. Parties and applicability

Processor: Jaris LLC, a Wyoming limited liability company, doing business as HushAsk ("HushAsk," "we," or "Processor"). Contact: [email protected].

Controller: The legal entity that has installed HushAsk into a Slack workspace or that pays for a HushAsk subscription ("Customer" or "Controller"). Where a workspace admin installs HushAsk on behalf of an organization, that organization is the Controller.

This DPA applies to any Processing of Personal Data that HushAsk carries out on Customer's behalf in connection with the HushAsk service. It is incorporated by reference into the HushAsk Terms of Service and takes effect automatically upon installation or subscription. No counter-signature is required for this DPA to be binding, though Customer may request a signed copy at any time.

If there is a conflict between this DPA and the Terms of Service with respect to Processing of Personal Data, this DPA prevails.

2. Definitions

Capitalised terms not otherwise defined here have the meanings given to them in the GDPR. The following definitions apply:

• Personal Data — any information relating to an identified or identifiable natural person processed under this DPA. Within HushAsk, Personal Data is limited to the categories described in Annex A.
• Processing — any operation performed on Personal Data, including collection, storage, transmission, deletion, and, where applicable, the synchronisation of message content to a Customer-controlled Notion workspace.
• Sub-processor — any third party engaged by HushAsk to Process Personal Data on Customer's behalf (e.g., infrastructure and platform providers listed in Annex C).
• Data Subject — the natural person to whom Personal Data relates. In the context of HushAsk, Data Subjects are the workspace's installer admin and the workspace members who interact with HushAsk.
• Personal Data Breach — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
• Standard Contractual Clauses ("SCCs") — the European Commission's standard contractual clauses for the transfer of personal data to third countries, as adopted in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and the UK Information Commissioner's International Data Transfer Addendum where applicable.

3. Subject matter, duration, nature, and purpose of processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex A. In short:

• Subject matter: HushAsk routes anonymous messages within Customer's Slack workspace and, where Customer has connected Notion, archives answered threads to Customer's own Notion database.
• Duration: The DPA applies for as long as HushAsk Processes Personal Data on Customer's behalf — that is, until the app is uninstalled from Slack or the subscription is cancelled, whichever is later.
• Nature and purpose: Processing is limited to what is necessary to operate the service, enforce free-tier limits, detect abuse on an anonymized basis, and (optionally) sync answered threads to Notion.

4. Processing instructions

HushAsk Processes Personal Data only on documented instructions from Customer. Customer's instructions are given through:

• This DPA and the Terms of Service;
• Customer's configuration choices made through the HushAsk App Home or admin commands within Slack (for example, choosing which channels receive messages, connecting or disconnecting Notion);
• Written instructions sent to [email protected], where Customer requests deletion or other lawful action that HushAsk is technically able to perform.

HushAsk will inform Customer if, in HushAsk's opinion, an instruction infringes applicable data protection law. HushAsk may continue to Process Personal Data without Customer's instructions only where required to do so by EU, EU Member State, or other applicable law to which HushAsk is subject; in that case, HushAsk will inform Customer of the legal requirement before Processing, unless the law prohibits such information on important grounds of public interest.

5. Confidentiality

HushAsk ensures that any person authorised to Process Personal Data is bound by an obligation of confidentiality, whether by contract or by statutory duty. As of the last-updated date of this DPA, HushAsk has no employees other than its founder, who is bound by these confidentiality obligations directly under this DPA. If HushAsk later engages employees or contractors who handle Personal Data, written confidentiality obligations equivalent to those described here will be in place before any such access is granted.

6. Security measures

HushAsk implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures referred to in Article 32 GDPR. The full list is set out in Annex B. Highlights include:

• Architectural anonymization of sender identity using a 256-bit SHA-256 hash combined with a private server-side salt — Slack user IDs are never written to disk;
• Encryption of Notion access tokens at rest using authenticated symmetric encryption (Fernet, AES-128-CBC + HMAC-SHA256), with the encryption key stored separately as a server environment variable;
• Encryption in transit (TLS 1.2+) for all customer-facing endpoints and outbound API calls;
• Principle of least privilege for infrastructure access, with admin access protected by multi-factor authentication;
• Regular review of dependencies for known vulnerabilities and timely patching;
• Incident response procedures including breach notification triggers and a published security contact.

7. Sub-processors

Customer authorises HushAsk to engage the Sub-processors listed in Annex C for the Processing of Personal Data described in Annex A. HushAsk imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA, in particular as regards the implementation of appropriate technical and organizational measures.

HushAsk remains liable to Customer for the performance of any Sub-processor's data protection obligations to the same extent as for its own.

Adding or replacing a Sub-processor: HushAsk will notify Customer at least thirty (30) days before adding or replacing any Sub-processor by updating Annex C on this page and emailing the workspace's admin contact on file. Customer may object to the change in writing during the notice period for documented data protection reasons. If the parties cannot agree on a resolution, Customer's sole remedy is to terminate the relevant subscription and request deletion of Personal Data, without further liability for either party beyond fees already accrued.

8. International transfers

HushAsk is established in the United States. Sub-processors listed in Annex C may also be located outside the European Economic Area, the United Kingdom, or Switzerland. To the extent any transfer of Personal Data to a country not subject to an adequacy decision occurs, HushAsk will rely on a valid transfer mechanism, including:

• The European Commission's Standard Contractual Clauses (Module Two: Controller-to-Processor; or Module Three: Processor-to-Processor where relevant), which are incorporated into this DPA by reference and deemed executed by the parties upon Customer's installation of HushAsk;
• The UK Information Commissioner's International Data Transfer Addendum, where the transfer is subject to UK GDPR;
• The Swiss-equivalent transfer mechanism, where the transfer is subject to the Swiss Federal Act on Data Protection.

Where the SCCs apply, the optional clauses are completed as follows: the docking clause (Clause 7) does not apply; in Clause 9, Option 2 (general written authorisation) applies with the notice period set out in Section 7 above; in Clause 11, the optional independent dispute resolution language is omitted; in Clause 17, the governing law is the law of Ireland; and in Clause 18(b), the courts of Ireland are designated. The Annexes to the SCCs are populated by Annex A, Annex B, and Annex C of this DPA.

9. Assistance with Data Subject rights

HushAsk will, taking into account the nature of the Processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to fulfil Customer's obligation to respond to requests from Data Subjects to exercise their rights under Chapter III of the GDPR.

Because HushAsk's architectural anonymization means we cannot identify which message belongs to which Data Subject, the practical scope of HushAsk's assistance is limited:

• Sender-side requests (e.g., access, deletion of an individual message): HushAsk genuinely cannot link an external request to a specific stored record. We will tell the Data Subject this directly and will support Customer in explaining the architectural reason in any response Customer makes.
• Workspace-wide deletion: On written request from a workspace admin, HushAsk will delete all message content associated with the workspace and confirm completion in writing, typically within fifteen (15) business days.
• Configuration data (workspace ID, channel IDs, Notion tokens): These can be inspected and deleted on workspace admin request.

If a Data Subject sends a rights request directly to HushAsk that relates to Customer's workspace, HushAsk will, without undue delay, forward the request to Customer's admin contact on file and instruct the Data Subject to direct further correspondence to Customer.

10. Personal data breach notification

HushAsk will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer's data. Notification will be sent by email to the workspace admin contact on file and will include, to the extent then known:

• The nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects and records concerned;
• The likely consequences of the breach;
• The measures taken or proposed to address the breach and to mitigate its possible adverse effects;
• The name and contact details of HushAsk's data protection point of contact.

Where it is not possible to provide all of this information at once, HushAsk will provide it in phases as it becomes available, without further undue delay. Notification of a Personal Data Breach is not, by itself, an admission of fault or liability.

11. Audits

HushAsk will make available to Customer all information necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer, in accordance with this Section.

In practice, given the size of HushAsk and the limited categories of Personal Data Processed:

• HushAsk will respond to written security and privacy questionnaires within fifteen (15) business days, free of charge, no more than once per twelve-month period per Customer (additional questionnaires may be subject to a reasonable fee);
• On request, HushAsk will provide documentation of its technical and organizational measures and any security certifications it holds at the time of the request;
• On-site audits are not generally available given HushAsk's remote-only operation. Where Customer has a regulatory or contractual requirement that cannot be satisfied by documentation alone, the parties will agree in good faith on an alternative assurance mechanism (for example, a remote video walkthrough);
• Audit rights described here may be exercised on at least thirty (30) days' written notice and during normal business hours, in a manner that does not unreasonably interfere with HushAsk's operations.

12. Return and deletion of personal data

On termination or expiry of the agreement between Customer and HushAsk, HushAsk will, at Customer's choice, delete or return all Personal Data Processed under this DPA, unless EU or Member State law requires further storage.

By default, HushAsk will delete:

• Pending message content within seven (7) days of uninstallation or written deletion request;
• Stored message content (retained for up to twelve (12) months to support Notion sync) within thirty (30) days of uninstallation or written deletion request;
• Workspace configuration, including OAuth tokens and channel mappings, within thirty (30) days of uninstallation;
• Notion access tokens immediately upon uninstallation or admin disconnection of the Notion integration.

Backups containing Personal Data will be overwritten according to the rolling backup retention schedule set out in Annex B; HushAsk will not restore Personal Data from backups except for genuine disaster recovery, after which the data will be re-deleted on the same schedule.

13. Liability

The liability of each party arising under or in connection with this DPA is subject to the limitations and exclusions set out in the HushAsk Terms of Service. Nothing in this DPA limits or excludes either party's liability for matters that cannot be limited or excluded under applicable law (including, where applicable, fines imposed by supervisory authorities under Article 83 GDPR).

14. Governing law and general provisions

This DPA is governed by the law of the State of Wyoming, USA, without regard to its conflict-of-law principles, except that, to the extent the SCCs apply to a transfer covered by this DPA, the SCCs are governed by the law of Ireland as specified in Section 8 above. The choice of governing law in this Section does not deprive a Data Subject of the protection afforded by the mandatory provisions of the law of their habitual residence.

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions remain in full force, and the parties will replace the invalid provision with one that achieves the original commercial intent to the maximum extent permitted by law.

This DPA, the Terms of Service, and the Privacy Policy together constitute the entire agreement of the parties with respect to the Processing of Personal Data and supersede any prior data-processing terms.

HushAsk may update this DPA from time to time, including to reflect new Sub-processors, regulatory developments, or product changes. Material changes will be communicated to workspace admins, and the "Last updated" date at the top of this page will be revised. Customer's continued use of HushAsk after a material change constitutes acceptance of the updated DPA.

---

Annex A — Details of processing

A.1 Subject matter and duration

HushAsk Processes Personal Data on Customer's behalf in order to operate the HushAsk Slack application: routing anonymous messages within Customer's Slack workspace, optionally synchronising answered threads to Customer's own Notion database, and enforcing service limits. Processing continues for as long as HushAsk is installed in Customer's Slack workspace or Customer maintains an active subscription, whichever is later.

A.2 Nature and purpose of processing

The Processing involves: temporary storage of message content while routing is selected; durable storage of routed message content for up to twelve months to support Notion sync; storage of an anonymized hashed identifier per workspace to enforce free-tier limits and detect abuse; storage of workspace configuration (Slack team ID, channel IDs, encrypted Notion tokens); and onward transmission of message content to Slack and (where the integration is enabled) Notion.

A.3 Types of personal data

• Message content authored by Slack workspace members and routed through HushAsk. This may, depending on what users choose to write, include freeform Personal Data of the sender or third parties;
• Workspace configuration data, including the Slack team ID, channel IDs, and the identifier of the workspace admin who installed HushAsk;
• An anonymized 256-bit SHA-256 hash derived from the sender's Slack user ID and workspace ID combined with a private server-side salt — this hash is not reasonably linkable to a natural person without HushAsk's salt and is retained only for abuse detection and rate-limiting;
• Encrypted OAuth access tokens for Slack and (optionally) Notion;
• Billing and contact information for paid subscriptions (handled by Stripe — see Annex C — HushAsk does not receive payment card numbers).

A.4 Categories of data subjects

• The workspace admin who installs and configures HushAsk;
• Members of Customer's Slack workspace who interact with HushAsk to send anonymous messages;
• Members of Customer's Slack workspace who receive routed messages in admin or routing channels;
• Where applicable, the billing contact for Customer's paid subscription.

A.5 Sensitive data

HushAsk does not request, encourage, or specifically design for the Processing of special categories of Personal Data under Article 9 GDPR. Customer acknowledges that anonymous feedback channels can result in users voluntarily disclosing sensitive information (for example, references to health, religious belief, or trade union membership). Where this occurs, the Personal Data is held subject to the same security and retention measures as other message content, and Customer remains responsible as Controller for the lawful basis of any such disclosure.

A.6 Frequency of processing

Continuous, in response to user-initiated activity within Customer's Slack workspace.

Annex B — Technical and organizational measures

HushAsk maintains the following technical and organizational measures, calibrated to the limited Personal Data we Process and our remote-first operation. Specific implementations may evolve as the product develops; the substance of the protections described here will not be reduced without revising this DPA.

B.1 Pseudonymisation and anonymisation

• Sender Slack user IDs are passed through SHA-256 with a private server-side salt at ingestion, producing a 64-character (256-bit) hex digest. The original Slack user ID is never written to disk;
• The hash is not reversible without the server-side salt and is not linkable to any external identity database;
• Slack display names, real names, email addresses, profile photos, and IP addresses are not collected.

B.2 Confidentiality, integrity, availability, and resilience

• TLS 1.2+ for all inbound and outbound HTTP traffic, with HSTS enabled at the edge;
• Notion OAuth tokens encrypted at rest using Fernet (AES-128-CBC + HMAC-SHA256) with the key held in a separate environment variable;
• Slack OAuth tokens stored in a database file outside the public web root, with the application server explicitly blocking download of source code, database files, and environment configuration;
• SQLite WAL mode for safe concurrent access without network exposure;
• Hosting on infrastructure with automatic vertical scaling, regional redundancy, and managed restarts;
• Daily automated backups of the production database with rolling retention of approximately seven days;
• Stateless application servers behind a managed load balancer that can be replaced or rolled back rapidly.

B.3 Restoration of availability after incident

• Documented restore procedure with rolling backups described above;
• Source code and infrastructure-as-code stored in a private repository with full revision history, enabling re-deployment to a clean environment;
• Target recovery time objective (RTO) of twenty-four (24) hours and recovery point objective (RPO) of twenty-four (24) hours for the production database, on a commercially reasonable basis.

B.4 Testing and evaluation of measures

• Dependency vulnerability monitoring with timely patching;
• Manual review of access logs and Sub-processor security advisories;
• Penetration testing or external security review on a commercially reasonable basis as the service grows.

B.5 User identification and authorisation

• Administrative access to production infrastructure is restricted to HushAsk's founder, with multi-factor authentication required for the underlying provider accounts;
• No shared admin accounts;
• Access to Customer's data is limited to what is necessary to operate the service or respond to a documented Customer instruction.

B.6 Protection of data during transmission and storage

• All inbound and outbound API traffic uses TLS;
• Data at rest is held on encrypted volumes provided by infrastructure Sub-processors (see Annex C);
• The application server explicitly blocks web access to .env, database files, source files, and other internal artefacts.

B.7 Physical security

• HushAsk does not operate its own data centres. Physical security is provided by infrastructure Sub-processors listed in Annex C, each of which maintains industry-standard certifications for the physical security of its facilities.

B.8 Event logging and incident response

• Application-level logs are retained for operational and security review;
• Documented incident response procedure including assessment, mitigation, notification, and post-incident review;
• Security contact: [email protected].

B.9 System configuration and change management

• Production deployments are made through a controlled pipeline from a private source repository;
• Configuration secrets (API keys, signing secrets, encryption keys) are stored as environment variables, not in source code;
• A documented list of blocked file paths prevents accidental exposure of internal artefacts via the public web server.

B.10 Data minimisation and quality

• By design, HushAsk collects only the data necessary to operate the service. Slack user IDs are discarded immediately after hashing; Slack display names, real names, email addresses, and IP addresses are never collected;
• Workspace admins can request deletion of stored message content at any time.

B.11 Limited retention

• Message content: retained for up to twelve (12) months to support Notion sync, then deleted;
• Pending messages awaiting routing: deleted on routing or on abandonment;
• OAuth state tokens: purged automatically after one (1) hour;
• Workspace configuration: retained until uninstallation;
• Hashed identifiers: retained alongside message content for the same period.

B.12 Accountability

• Public Privacy Policy and DPA, both versioned and dated;
• Maintained list of Sub-processors (Annex C);
• Documented breach notification procedure with a 72-hour notification commitment.

Annex C — Approved sub-processors

The Sub-processors listed below are authorised by Customer for the purposes described. HushAsk will provide thirty (30) days' notice of any changes by updating this Annex and emailing the workspace's admin contact on file, in accordance with Section 7.

Sub-processor	Purpose	Location of processing
Railway Corporation	Application hosting, primary database storage, automated backups	United States
Cloudflare, Inc.	DNS, TLS termination, CDN edge for static assets, DDoS protection	Global edge network
Stripe, Inc.	Payment processing for paid subscriptions (HushAsk does not receive card numbers)	United States
Slack Technologies, LLC (a Salesforce company)	The Slack platform itself, where Customer's workspace is hosted and where HushAsk delivers messages	United States
Notion Labs, Inc. (optional, only if Customer has connected Notion)	Sync of answered threads to Customer's own Notion workspace, at Customer's election	United States

For Sub-processors located outside the EEA, the United Kingdom, or Switzerland, transfers are governed by the mechanisms described in Section 8.

Where a Sub-processor itself maintains a list of further sub-processors (for example, the cloud regions used by an infrastructure provider), HushAsk relies on each such Sub-processor's published security and privacy commitments for those onward arrangements.

15. How to execute this DPA

This DPA is binding on both parties as soon as Customer installs or subscribes to HushAsk, and no further action is required for it to take effect.

If Customer's procurement, security, or legal team requires a counter-signed copy, email [email protected] from a verified Customer email address with:

• Customer's full legal entity name and registered address;
• The Slack workspace name and any internal vendor reference (optional);
• The DPA version number shown at the top of this page.

HushAsk will return a counter-signed PDF (typically within two business days) that mirrors the version of this DPA in force on the date of signature. The signed copy and this published page are intended to be substantively identical; in the event of any discrepancy, the most recent published version of this DPA governs.

---

HushAsk · hushask.com · See also our Privacy Policy and Terms of Service.