Global Customer Data Processing Schedule

Effective February 20, 2026

 

 

GLOBAL DATA PROCESSING SCHEDULE

 

This Global Data Processing Schedule is part of the Hyland Master Agreement, Order Form or other agreement between Customer and Hyland, which incorporates this Global Data Processing Schedule by reference (the “Incorporating Document”). As used herein, the “Agreement” means the Incorporating Document, inclusive of this Global Data Processing Schedule, and any other agreement within which the Incorporating Document is incorporated.

 

1.         DEFINITIONS

 

All capitalized terms used in this Global Data Processing Schedule (this “DPA” or this “Schedule”) shall have the meaning ascribed to them in this Schedule or, if not defined in this Schedule, elsewhere in the Agreement. In the event a defined term is defined in two (2) or more places in the Agreement, the term shall be interpreted to include each or all definitions, as the context requires.

 

“Adequacy Determination” means a final determination by a Regulator that the laws of a third country provide an adequate level of protection for Personal Data when that Personal Data is transferred from the jurisdiction of the Regulator to a Third Country.

 

“Brazilian SCCs” means the Standard Contractual Clauses (SCCs) approved by Autoridade Nacional de Proteção de Dados, the Brazilian Data Protection Authority within Chapter V of Resolution CD/ANPD No. 19/2024.  

 

“CPRA” means, collectively, the California Consumer Privacy Act as amended by the California Privacy Rights Act, codified at Cal. Civ. Code §1798.100 et seq., and its final implementing regulations.

 

“Customer Personal Data” means any Personal Data submitted by, or on behalf of, Customer to Hyland for the provision of Products or the performance of Services.

 

“Data Protection Law(s)” means any applicable law, regulation, or directive applicable to the Processing of Personal Data based upon the location of Data Subjects, Processing activities or the establishment of the Parties.

 

“Data Subject” means a natural person who is the subject of the Personal Data that is Processed.

 

“EU SCCs” means the Commission Implementing Decision (EU) 2021/914 establishing Standard Contractual Clauses for data transfers to Third Countries.

 

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996, as amended.

 

“LGPD” means the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados – LGPD, Law No. 13,709/2018).

 

“Parties” means Hyland and Customer, and each is referred to in this DPA as a “Party”.

 

“Personal Data” means any individually identifiable information relating to an identified or identifiable Data Subject which is protected under applicable Data Protection Law.

 

“Personal Data Breach” means a breach of security leading to the loss or unauthorized destruction, alteration, disclosure, or access to, Customer Personal Data.

 

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

“Regulator” means the competent supervisory authority or regulatory body under applicable Data Protection Law.

 

“Services” means technical support services, professional services, services relating to Hyland’s hosted offering, or other applicable services provided by Hyland to Customer as defined in the Agreement.

 

“Sub-Processor” means an entity that Processes Personal Data at the request of Hyland on behalf of Customer.

 

“Third Country” means any country that is not subject to an Adequacy Determination under applicable Data Protection Laws by the Regulator of the country where the entity that transfers Personal Data is located.

 

2.         HYLAND’S PROCESSING OF PERSONAL DATA

 

2.1       Instructions for Processing Personal Data. Hyland shall Process Customer Personal Data only in accordance with Customer’s documented instructions, which include the following:  (a) Processing in accordance with the Agreement or applicable Order Form, (b) Processing initiated by Customer in its use of any Product or Service, and (c) Processing to comply with other documented instructions reasonably provided by Customer where such instructions are consistent with the terms of the Agreement, unless otherwise required by law. Each Party shall comply with the obligations that apply to it under the Data Protection Laws.

 

2.2       Description of Processing. The description of Hyland’s Processing of Personal Data is contained in Appendix A.

 

3.         HYLAND’S SAFEGUARDS FOR PERSONAL DATA 

 

3.1       Physical, Technical and Organizational Safeguards. Hyland shall maintain reasonable and appropriate technical and organizational security measures designed to protect Customer Personal Data from loss or unauthorized destruction, alteration, disclosure, or access, as more fully described in Appendix B (the “Technical and Organizational Measures”).

 

3.2       Processing by Sub-Processors. Hyland shall engage only those Sub-Processors, listed at https://community.hyland.com/en/connect/hyland-sub-processor-list (the “Sub-Processor List”) (as may be updated by Hyland from time to time without amendment of this DPA). Hyland has entered into a written agreement with each Sub-Processor containing data protection obligations to protect Customer Personal Data no less protective of Data Subjects than the protections required by applicable Data Protection Law. Hyland shall remain liable to Customer for the acts or omissions of its Sub-Processors. Hyland shall provide Customer notification of any new Sub-Processors that Hyland intends to engage by updating the Sub-Processor List, to which Customer can subscribe, with the new Sub-Processor. Where such rights are granted by applicable Data Protection Law, Customer may object to any such new Sub-Processor solely on reasonable grounds relating to data protection concerns by notifying Hyland (in accordance with the Agreement) of the Customer’s grounds for objecting within 10 calendar days after Hyland updates the Sub-Processor List to include the new Sub-Processor. In the event of such an objection, Hyland may elect not to engage such new Sub-Processor to Process Customer Personal Data. If Hyland continues use of such new Sub-Processor after Customer’s reasonable objection, then Customer may, by notice to Hyland, elect to suspend or terminate the portions of the Service affected by the use of such new Sub-Processor (without prejudice to accrued fees or Hyland’s rights under the Agreement).

 

3.3       Confidentiality of Personal Data. Hyland shall treat Customer Personal Data as confidential and ensure that Hyland's personnel (including independent contractors) who are authorized to access the Customer Personal Data: (a) have entered into appropriate contractually binding confidentiality undertakings or are otherwise subject to an obligation of confidentiality; (b) are informed of the confidential nature of Customer Personal Data; and (c) have received appropriate training related to the Processing of Customer Personal Data.

 

3.4       Information Technology Audits. Hyland will permit Customer audits in accordance with the Agreement. If the Agreement does not address Customer audits, then where such rights are granted by applicable Data Protection Law, at Customer’s reasonable request but no more than once per annum, Hyland shall permit Customer to conduct an audit of Hyland’s security and privacy policies and records in relation to the Processing of Customer Personal Data and such other documentation as Customer may reasonably request to demonstrate Hyland’s compliance with the requirements of this DPA. To the extent that Customer elects to conduct an audit in accordance with the Agreement or the immediately preceding sentence, as applicable, at Hyland’s physical facility, such audit shall be limited to the physical areas where Processing of Customer Personal Data occurs. Customer is prohibited from distributing or publishing the results of such audit to any third party (except to a competent supervisory authority) without Hyland’s prior written approval. At Hyland’s election and upon prior notice, Customer shall reimburse Hyland’s reasonable costs in relation to any such request at Hyland’s then-current professional services rates (rates list available on request). All such audits shall be subject to the Parties’ confidentiality obligations. Should Customer retain a third party to perform an audit, the Parties agree that: (a) prior to such audit, the third-party auditor and Hyland shall directly enter into appropriate confidentiality provisions, (b) any reports or Hyland information collected during such audit can be used only for Customer internal use, and (c) the provisions of this subsection applicable to Customer apply equally to the third-party auditor.

 

3.5       Return or Destruction of Personal Data. Hyland shall delete or return Customer Personal Data in accordance with the Agreement. If the Agreement does not address the deletion or return of Customer Personal Data, then at Customer’s written direction, Hyland shall arrange for the prompt and secure return, and/or secure, permanent destruction, of all Customer Personal Data in Hyland’s possession and control, together with all copies (if any) within 30 calendar days of such direction and, where requested in writing by the Customer, certify that such destruction has taken place. Hyland is not required to return or destroy Customer Personal Data stored in back-up or archival media, but shall continue to extend the protections set forth in this DPA to such Customer Personal Data for as long as such Customer Personal Data remains in Hyland’s possession.

 

3.6       Requests Directed to Hyland. To the extent legally permitted, Hyland will notify Customer without undue delay following its receipt of: (a) any actual or purported request from (or on behalf of) a Data Subject exercising their rights under Data Protection Laws, or (b) any correspondence or communication from a Regulator or other government agency. Customer shall be responsible for responding directly to such requests. Customer acknowledges and agrees that Hyland will not disclose any Customer Personal Data in response to any such request without Customer’s prior written direction unless Hyland is otherwise required to do so by applicable law.

 

3.7       Requests for Information. At Customer’s reasonable request and to the extent Customer does not otherwise have access to the relevant information, Hyland shall provide Customer with reasonable cooperation and assistance necessary to assist Customer to fulfil Customer’s obligation under Data Protection Laws to conduct assessments regarding the Processing of Customer Personal Data. At Hyland’s election and upon prior notice, Customer shall reimburse Hyland’s reasonable costs in relation to any such request at Hyland’s then-current professional services rates (rates list available on request).

 

3.8       Reporting a Personal Data Breach. Hyland will notify the Customer without undue delay upon becoming aware of a Personal Data Breach. Hyland will take reasonable efforts to identify the cause of such Personal Data Breach and take the steps that Hyland deems necessary and reasonable to remediate the cause of the Personal Data Breach. In relation to such Personal Data Breach, Hyland shall further assist Customer, taking into account the information available to Hyland and the nature of its Processing, with Customer’s Personal Data Breach notification obligations, if any, under applicable Data Protection Laws. Any notification by Hyland under this subsection shall not be construed as an admission of fault by Hyland.

 

4.         CUSTOMER OBLIGATIONS FOR PERSONAL DATA

 

4.1       Customer shall, where required to do so by applicable Data Protection Laws, make third party notification(s) in an objective manner that does not intentionally or unreasonably bring Hyland into disrepute or otherwise tarnish the reputation of Hyland.  Hyland shall have a reasonable opportunity to review any notification which mentions Hyland by name and has the right to revise any statement related to Hyland and the Products or Services.   

 

4.2       Customer shall ensure it is not subject to any prohibition or restriction which would: (a) prevent or restrict it from disclosing or transferring the Customer Personal Data to Hyland; (b) prevent or restrict it from granting Hyland access to the Customer Personal Data; and/or (c) prevent or restrict Hyland from Processing the Customer Personal Data, in each case as required for Hyland to provide any Product or perform the Services.

 

4.3       Customer shall ensure that all notices required by applicable Data Protection Laws have been given to Data Subjects (and, where required by applicable Data Protection Laws, consents obtained) and are sufficient in scope to enable Hyland to Process the Customer Personal Data in accordance with the Agreement and applicable Data Protection Laws.

 

4.4       Customer shall ensure that all Customer Personal Data disclosed or transferred to Hyland is only the minimum amount necessary to use any Product or perform the Services.

 

4.5       Customer shall implement and maintain reasonable and appropriate technical and organizational security measures sufficient to prevent unauthorized access to the Products or Services through Customer’s information systems.

 

4.6       Customer shall have sole responsibility for the accuracy, quality, and legality of the Customer Personal Data provided to Hyland and the means by which Customer acquired the Customer Personal Data.

 

5.         JURISDICTION-SPECIFIC TERMS

 

5.1       The Parties acknowledge that certain jurisdictions require the Parties to provide additional protections for Personal Data through written contract terms when the Personal Data is transferred to a Third Country. Such jurisdiction-specific terms are set forth below and, to the extent applicable, are incorporated by reference into this DPA.

 

5.1.1     EEA Jurisdiction-Specific Terms: These terms (available at https://legal.hyland.com/jurisdiction-specific-terms-eea) apply when (a) Customer is (i) located in the European Economic Area or Switzerland (collectively, “EEA”) or (ii) contracting on behalf of any member of its corporate group located in the EEA; and (b) Hyland Processes Customer Personal Data from a country outside the EEA and not subject to an Adequacy Determination.

 

5.1.2     UK Jurisdiction-Specific Terms: These terms (available at https://legal.hyland.com/jurisdiction-specific-terms-uk) apply when (a) Customer is (i) located in the United Kingdom (“UK”), or (ii) contracting on behalf of a member of its corporate group located in the UK; and (b) Hyland Processes Customer Personal Data from a country outside the UK and not subject to an Adequacy Determination.

 

5.1.3     Brazil Jurisdiction-Specific Terms: These terms (available at https://legal.hyland.com/jurisdiction-specific-terms-brazil) apply when (a) Customer is located in Brazil, and (b) Hyland Processes Customer Personal Data from a country outside Brazil and not subject to an Adequacy Determination.

 

5.1.4     California Jurisdiction-Specific Terms: These terms (available at https://legal.hyland.com/jurisdiction-specific-terms-california) apply when (a) Customer is subject to the CPRA, and (b) Hyland Processes Customer Personal Data of Data Subjects who reside in California.

 

5.1.5     United States Jurisdiction-Specific Terms:  These terms (available at https://legal.hyland.com/business-associate-agreement) apply when Hyland Processes Customer Personal Data that constitutes Protected Health Information as defined by and subject to HIPAA.

 

The Parties may modify or add jurisdiction-specific terms as required by applicable Data Protection Laws by written amendment to this DPA.

 

6.         TERM AND TERMINATION

 

6.1       Term. This DPA shall have a term commencing on the Effective Date and will terminate automatically upon the termination or expiration of the Agreement.

 

6.2       Effect. Upon termination of this DPA, Hyland shall return or destroy any Customer Personal Data as set forth in Section 3.5, above.

 

7.         GENERAL PROVISIONS

 

7.1       Modification. The Parties agree to amend this DPA from time to time as may be necessary to permit the Parties to remain in compliance with applicable Data Protection Laws.

 

7.2       Conflict. This DPA supersedes any inconsistent provision in the Agreement, and/or other existing agreements between Hyland and Customer with respect to the Parties’ obligations to comply with Data Protection Laws with respect to Customer Personal Data. If there is any conflict between this DPA, the Agreement, and the terms of any applicable Jurisdiction Specific Terms, the terms of the applicable Jurisdiction Specific Terms shall prevail regarding the Personal Data subject to those Jurisdiction Specific Terms.

 

 

 

 

APPENDIX A

 

Description of the Processing and Details of the Transfer

 

Subject Matter and Duration of the Processing

The subject matter of the Processing is Hyland’s provision of the Products and Services under the Agreement. 

 

The duration of the Processing is the term of the Agreement, and any exit period, if applicable. 

 

Categories of Data Subjects whose Personal Data is Processed 

 

Any Data Subject whose Personal Data is processed by Hyland under the Agreement, which could include the following categories of Data Subjects: 

  • Customer employees (prospective, present and former staff of Customer)

  • Customer vendors (prospective, present, and former advisors, consultants, vendors, contractors, subcontractors, and other professionals engaged by Customer and related staff)

  • Customer end users (prospective, present, and former users of Customer’s services or products) 

Nature and Purpose of the Processing 

The purpose of the Processing is for Hyland to provide the Products and Services. 

 

The nature of the Processing may include, but is not limited to, collection, recording, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

Categories of Personal Data Processed 

Any Personal Data submitted by Customer to Hyland under the Agreement.

Categories of Sensitive Personal Data Processed 

No collection of any Sensitive Personal Data by Hyland is anticipated.

 

Customer will provide the following categories of Sensitive Personal Data to Hyland under the Agreement:

 

FOR USE ONLY WITH THE EU SCCS AND THE BRAZILIAN SCCS

 

Data Exporter

 

Customer, as defined in this DPA. 

Data Importer 

Hyland, as defined in this DPA. 

Frequency of the Transfer

 

Continuous basis (services related to Hyland’s hosted offerings or cloud services);

One-off basis (technical support, professional services or other applicable services)  

Retention Period

 

 

For hosting or cloud customers, data is retained for the duration of the Agreement or the applicable Product Subscription, including any applicable transition period subject to any shorter period which Customer may choose by permanently deleting the Personal Data from the Cloud Service. Personal Data provided to Hyland during the performance of technical support or professional services is retained for no longer than necessary for the purposes for which the Personal Data was transferred and, in no event, longer than permitted under the laws of the country of Customer. 

Sub-Processors

 

Hyland may use the Sub-Processors listed at https://community.hyland.com/en/connect/hyland-sub-processor-list

Competent Supervisory Authority 

For any Customer located in the EU/EEA, the competent supervisory authority is the supervisory authority of the EU/EEA Member State where the Customer is established.

FOR USE ONLY WITH THE BRAZILIAN SCCS

Data Exporter’s Qualification

 

Customer’s CNPJ number as specified in the Agreement or as otherwise provided to Hyland upon request 

Data Importer’s Qualification

N/A

 

 

 

 

 

 

 

FOR USE ONLY WITH THE UK JURISDICTION-SPECIFIC TERMS

 

Data Exporter’s Official Registration Number  

 

Customer’s official registration number as specified in the Agreement or as otherwise provided to Hyland upon request

Data Importer’s Official Registration Number

Hyland’s official registration number as specified in the Agreement or as otherwise provided to Customer upon request 

 

 

APPENDIX B

 

Technical and Organizational Measures

 

Taking into account: 

  • the state of the art, 

  • the costs of implementation and 

  • the nature, scope, context and

  • the purpose of processing as well as

  • the risk of varying likelihood and severity for the rights and freedoms of natural persons 

 

Hyland shall implement the technical and organisational measures set forth in the Hyland Master Agreement. To the extent the Hyland Master Agreement does not specify the applicable technical and organizational security measures, then Hyland shall implement the technical and organizational security measures set forth in these Technical and Organizational Measures as follows: 

 

1.         Measures for encryption

  • encryption of mobile devices such as laptops, tablets, smartphones

  • encryption of mobile storage media (CD/DVD-ROM, USB sticks, external hard drives)

  • encrypted storage of passwords

  • encryption option for sensitive e-mails and e-mail attachments

  • secured data sharing (e.g. SSL, FTPS, TLS)

  • secured WLAN

 

2.         Measures to ensure confidentiality

a.         Measures which ensure that unauthorized persons do not have access to Customer Personal Data:

  • access control system, document reader (magnetic / chip card)

  • door protections (electric door opener, number lock, etc.)

  • protection of facilities, including security guards at Hyland headquarters. 

  • alarm system

  • video surveillance

  • special protective measures for the server room

  • prohibited areas

  • visitor rules (e.g. pick-up at reception, documentation of visiting hours, visitor pass, accompanying visitors to exit after visit)

b.         Measures which prevent unauthorized persons from using the systems that process Customer Personal Data:

  • personal and individual user log-in for registration in the systems or company network

  • authorization process for access authorizations

  • limitation of authorized users

  • single sign-on

  • two-factor authentication

  • BIOS passwords for corporate laptops

  • password procedures (indication of password parameters with regard to complexity and update interval)

  • logging of access

  • additional system log-in for certain applications

  • automatic locking of the clients after expiry of a certain period without user activity (also password-protected screensaver or automatic stand-by)

  • firewall

c.         Measures which ensure that only authorized persons have access to the systems that Process Customer Personal Data and that Customer Personal Data cannot be read, copied, modified or removed without authorization:

  • evaluations/logging of data processing

  • authorization process for authorizations

  • approval routines

  • profiles / roles

  • encryption at rest and in transit for Customer Personal Data transferred to Hyland via its secure file transfer tool. 

  • Mobile Device Management system for corporate owned mobile devices and approved personal mobile devices (mobile devices are not part of the hosted solution)

  • segregation of functions (“segregation of duties”)

  • destruction of records and storage devices in accordance with NIST 800-88, as applicable

  • cyber-related logs retained for no less than six months

 

3.         Measures to ensure integrity

  • access rights

  • system-side logging

  • document management system (DMS) with change history

  • security / logging software

  • functional responsibilities, organisationally specified responsibilities

  • tunnelled remote data connections (VPN = virtual private network)

  • electronic signature

  • logging of data transfer or data transport

  • logging of read accesses

     

4.         Measures to ensure and restore availability

  • security concept for software and IT applications

  • back-up procedures, as applicable

  • ensuring data storage in secured network

  • need-based installation of security updates

  • set-up of an uninterrupted power supply

  • suitable archiving facilities for paper documents 

  • fire and/or extinguishing water protection for the server room

  • air-conditioned server room

  • virus protection

  • firewall

  • business continuity plan 

  • successful disaster recovery exercises 

  • redundant, locally separated data storage (off-site storage), as applicable

 

5.         Measures to ensure resilience

  • emergency plan in case of machine breakdown / business recovery plan 

  • redundant power supply

  • sufficient capacity of IT systems and plants

  • logistically controlled process to avoid power peaks

  • redundant systems / plants

  • resilience and error management

     

6.         Procedure for regular review, assessment and evaluation of the effectiveness of the technical and organisational measures

  • procedures for regular controls/audits

  • concept for regular review, assessment and evaluation

  • reporting system

  • penetration tests

  • emergency tests

  • applicable certifications

 

7.         “Control of instructions / assignment control”

  • process of issuing and/or following instructions

  • specification of contact persons and/or responsible employees 

  • control / examination that the assignment is executed in accordance with instructions 

  • training / instruction of all access-authorized employees

  • independent auditing of adherence to instructions 

  • commitment of employees to maintain confidentiality 

  • agreement on penalties for infringements of instructions

  • data protection manager / coordinator

  • maintain records of processing activities in accordance with art. 30, para. 2 GDPR, as applicable

  • documented Security Incident Response Policy, which includes escalation processes for Personal Data Breaches 

  • guidelines / instructions designed to ensure technical-organisational measures for the security of the processing

  • process for forwarding requests of data subjects

 

 

 

The most current version of this document shall be such in effect as of 12:00am EST (Eastern Standard Time) of the date stamped on such online version.