Last updated: 24 June 2026
For client personal data processed within the product, the customer is the controller and Pop Hasta Labs Ltd is the processor. This DPA forms part of the agreement between us.
We process personal data only to provide the service and on the customer’s documented instructions, including as configured in the Control Center.
Personal data is detected and tokenised by the Secure Context Retrieval System (SCRS) before any AI model or search index processes it, and rehydrated only for authorised users at egress. We do not use customer content to train shared models.
Personnel with access to personal data are bound by confidentiality obligations.
We implement appropriate technical and organisational measures, including encryption, the SCRS firewall, field-level access controls, BYOK options, a tamper-evident audit trail, and our SOC 2 / ISO 27001 / ISO 42001 programme.
We engage vetted sub-processors (for example infrastructure, payments and governed AI inference). A current list is available on request, and we give notice of changes with a right to object.
We host in the UK/EU and support data residency. Where transfers occur, we use the UK IDTA or EU SCCs as appropriate.
We assist the customer in responding to data subject requests and in meeting security, breach-notification and impact-assessment obligations, including via the Governance module.
We notify the customer without undue delay after becoming aware of a personal data breach affecting their data.
On termination, the customer can export data for a limited period, after which we delete it — including by crypto-shred where keys are customer-managed.
We make available information needed to demonstrate compliance and allow for audits in line with the agreement.
dpo@otherme.example · Pop Hasta Labs Ltd, United Kingdom. See also our Privacy Policy.