GDPR

1.     Our Commitment to Data Protection

HashMove is committed to protecting the privacy, confidentiality, and integrity of personal data processed through its SaaS platform and related services.

In alignment with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), HashMove implements appropriate technical and organizational measures to ensure that personal data is processed lawfully, fairly, and transparently. Our data protection framework is designed to safeguard the rights of individuals (“Data Subjects”) while enabling our customers to meet their own regulatory obligations.

Depending on the nature of the services provided, HashMove may act as either a Data Controller or a Data Processor, as defined under GDPR.
‍

2.     Roles and Responsibilities under GDPR

The GDPR establishes distinct roles with specific responsibilities:

• Data Subject
  An identified or identifiable natural person whose personal data is collected, processed, or stored.
  ‍
• Data Controller
  The entity that determines the purposes and means of processing personal data.
  In most cases, HashMove’s customers act as Data Controllers when using the platform.
  ‍
• Data Processor
  The entity that processes personal data on behalf of the Data Controller.
  HashMove typically acts as a Data Processor when providing SaaS services to customers.
  HashMove ensures that all processing activities performed on behalf of customers are governed by appropriate contractual arrangements, including Data Processing Agreements (DPAs), in accordance with GDPR requirements.
  ‍

3.     Data Protection Principles

HashMove adheres to the core GDPR principles, including:

• Lawfulness, Fairness, and Transparency – Personal data is processed in a lawful and transparent manner
• Purpose Limitation – Data is collected for specified, explicit, and legitimate purposes only.
• Data Minimization – Only data necessary for the intended purpose is processed.
• Accuracy – Reasonable steps are taken to ensure data is accurate and up to date
• Storage Limitation – Data is retained only for as long as necessary
• Integrity and Confidentiality – Data is protected using appropriate security measures
  ‍

4.     Security and Compliance Measures

HashMove maintains a comprehensive security framework aligned with industry best practices to protect personal data, including:

• role-based access controls and authentication mechanisms;
• data encryption (in transit and at rest, where applicable);
• secure cloud infrastructure with redundancy and monitoring;
• periodic vulnerability assessments and security testing;
• incident detection, response, and breach notification procedures.

HashMove also ensures that any third-party subprocessors engaged in delivering services provide sufficient guarantees of compliance with GDPR and maintain equivalent data protection standards.
‍

5.     Subprocessors and Third-Party Services

HashMove may engage trusted third-party service providers (e.g., cloud hosting, analytics, CRM platforms) to support service delivery.

In such cases:

• sub processors are carefully evaluated for security and compliance;
• appropriate contractual safeguards are implemented;
• data processing is limited to what is necessary for service provision.

A list of sub processors may be made available upon request or through designated documentation.
‍

6.     Data Subject Rights

HashMove supports its customers in enabling Data Subjects to exercise their rights under GDPR, including:

• right to access personal data;
• right to rectification and erasure;
• right to restrict or object to processing;
• right to data portability.

Where HashMove acts as a Data Processor, it assists the Data Controller in fulfilling such requests in accordance with applicable agreements.
‍

7.     Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), HashMove ensures that appropriate safeguards are in place, such as:

• Standard Contractual Clauses (SCCs);
• reliance on adequacy decisions where applicable;
• implementation of supplementary security measures where required.
  ‍

8.     Understanding GDPR Applicability

The General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to any organization that processes personal data of individuals located within the European Economic Area (EEA), regardless of the organization’s geographic location.

• organizations offering goods or services to individuals in the EEA;
• organizations monitoring the behaviour of individuals within the EEA;
• both Data Controllers and Data Processors involved in the processing of personal data.

HashMove ensures that its platform, processes, and contractual frameworks are aligned with GDPR requirements where applicable.
‍

9.     Future-Ready Compliance Approach

HashMove adopts a proactive and forward-looking approach to data protection and regulatory compliance.

Our compliance framework is designed to:

• continuously monitor evolving data protection laws and industry standards;
• incorporate privacy-by-design and security-by-design principles into our platform;
• engage with internal and external data protection and security experts;
• periodically review and enhance policies, procedures, and controls.

This approach enables HashMove to maintain ongoing compliance with GDPR and other applicable data protection regulations across jurisdictions.
‍

10.     Policies and Governance

HashMove maintains a comprehensive set of policies and contractual frameworks to support GDPR compliance, including:

• Terms of Use
• Privacy Policy
• Data Processing Agreements (DPAs)
• Information Security and Access Control Policies

These documents collectively define how personal data is collected, processed, stored, and protected across the HashMove platform and services.
‍

11.     Platform Capabilities and Data Management

HashMove’s cloud-based SaaS platform is designed to support customers in meeting their GDPR obligations through built-in data management capabilities, including:

• Data Access and Portability: Customers can access and export their data to respond to data subject requests.
• Data Rectification and Deletion: Customers can update or delete personal data in accordance with applicable legal requirements.
• Data Minimization Controls: Configurable data fields and workflows to limit unnecessary data collection.
• Audit and Traceability: System logs and tracking mechanisms to monitor data access and changes.

These features enable customers (as Data Controllers) to effectively manage personal data within the platform.

For data-related requests (e.g., access, deletion, restriction), please contact: info@hashmove.com
‍

12.     Data Hosting and International Transfers

HashMove leverages secure cloud infrastructure (e.g., Microsoft Azure and/or AWS) to host its platform and customer data.

Where applicable:

• personal data of EEA data subjects may be hosted within EU-based data centers;
• cross-border data transfers are governed by appropriate safeguards, including Standard Contractual Clauses (SCCs) or equivalent legal mechanisms;
• technical and organizational measures are implemented to ensure data security and regulatory compliance.
  ‍

13.     Data Processing Commitments

• processes personal data strictly in accordance with documented customer instructions;
• implements appropriate technical and organizational safeguards to protect personal data;
• ensures that all personnel with access to personal data are subject to confidentiality obligations;
• supports customers in fulfilling their GDPR obligations, including data subject rights and regulatory compliance;
• provides timely notification of any personal data breaches in accordance with applicable legal requirements.

HashMove formalizes these obligations through Data Processing Agreements (DPAs) with its customers.
‍

14.     Sub processor Management

HashMove may engage carefully selected third-party subprocessors (e.g., cloud providers, infrastructure services) to support service delivery.

In such cases:

• subprocessors are subject to due diligence and security assessments;
• contractual agreements ensure GDPR-compliant processing and data protection obligations;
• HashMove remains accountable for the actions of its subprocessors.

A list of subprocessors may be provided upon request or through designated documentation.
‍

15.     Employee Confidentiality and Training

HashMove enforces strict internal controls to safeguard personal data, including:

• mandatory confidentiality agreements for all employees and contractors;
• regular training on data protection, privacy, and information security;
• adherence to a formal Code of Conduct governing data handling practices;
• role-based access controls to limit data exposure.
  ‍

16.     Contact and Data SubjectRequests

For any queries, concerns, or requests related to personal data or privacy rights, please contact:

Email: info@hashmove.com

HashMove will respond to all requests in accordance with applicable data protection laws and contractual obligations.
‍

17.      Lawful Basis for Processing

HashMove ensures that all personal data is processed on a valid legal basis under Article 6 of GDPR, including:

• performance of a contract;
• compliance with legal obligations;
• legitimate interests pursued by HashMove or its customers;
• consent, where applicable.
  ‍

18.     Personal Data Breach Notification

HashMove shall notify the Customer of any Personal Data Breach:

• without undue delay, and
• where feasible, within seventy-two (72) hours of becoming aware of the breach.
  ‍

19.      Data Processing Agreements

• nature of the breach;
• affected data categories;
• likely consequences;
• remedial actions taken.
  ‍

20.     Records of Processing Activities

HashMove shall maintain records of processing activities in accordance with Article 30 GDPR, including:

• categories of processing activities;
• types of personal data processed;
• categories of recipients;
• international transfers and safeguards.
  ‍

21.     Security Measures Alignment

HashMove’s technical and organizational measures shall be implemented in accordance with its Information Security Policy and applicable industry standards.
‍

22.     End of Processing

Upon termination of services, HashMove shall:

• cease processing personal data;
• securely delete or return personal data; and
• confirm completion upon request.
‍