Data Processing Addendum

Last updated: February 2026

This Data Processing Addendum ("DPA") supplements the Privacy Policy and Terms of Service of HDE (HDetailEnterprise), located at bul. "Dunav" #1, Plovdiv, Bulgaria, and is provided in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1. Scope and Purpose

This DPA applies to the processing of personal data by HDE in the course of providing services through the Platform at hde.dev. It describes the data processing activities, security measures, and obligations that HDE undertakes as a data controller, and the safeguards in place for any sub-processors engaged.

2. Data Controller

HDE acts as the data controller for all personal data collected through the Platform. The data controller is responsible for determining the purposes and means of processing personal data.

  • Entity: HDE (HDetailEnterprise)
  • Address: bul. "Dunav" #1, Plovdiv, Bulgaria
  • Contact: info@hdetailenterprise.com

3. Categories of Data Processed

The following categories of personal data are processed through the Platform:

  • Identity data: name, email address, Discord user ID, avatar URL
  • Authentication data: password hashes (bcrypt), JWT session tokens, OAuth tokens
  • Service data: orders, cart contents, consultation bookings, support tickets, affiliate activity
  • Preference data: language preference, theme selection, custom theme configurations
  • Technical data: IP addresses (in server logs), browser timezone
  • Financial data: order amounts, commission calculations, price multiplier values
  • Communication data: ticket messages, consultation notes, questionnaire responses, file attachments

4. Processing Principles

All personal data processing is conducted in accordance with the following GDPR principles:

  • Lawfulness, fairness, and transparency: Data is processed lawfully with clear disclosure to users
  • Purpose limitation: Data is collected for specified, explicit purposes and not processed beyond those purposes
  • Data minimisation: Only data necessary for the stated purposes is collected
  • Accuracy: Reasonable measures are taken to ensure data accuracy, and users can request corrections
  • Storage limitation: Data is retained only as long as necessary, per the retention periods in the Privacy Policy
  • Integrity and confidentiality: Appropriate technical and organisational security measures are implemented
  • Accountability: HDE maintains records of processing activities and can demonstrate compliance

5. Sub-Processors

HDE engages the following sub-processors for the operation of the Platform. Each sub-processor processes data only as necessary for its specific function:

5.1 MongoDB Atlas (MongoDB, Inc.)

  • Function: Database hosting and storage
  • Data processed: All Platform data stored in the database
  • Location: EU region
  • Safeguards: Encryption at rest, access controls, SOC 2 Type II certification

5.2 Fly.io (Fly.io, Inc.)

  • Function: Application hosting and infrastructure
  • Data processed: All data transmitted through the application, including server logs
  • Location: As configured (EU preferred)
  • Safeguards: Infrastructure security, encrypted transit

5.3 Discord (Discord, Inc.)

  • Function: OAuth authentication provider
  • Data processed: Discord user ID, email, display name, avatar
  • Location: United States
  • Safeguards: Standard Contractual Clauses (SCCs), Discord's Data Processing Agreement

5.4 Stripe (Stripe, Inc.) [Future]

  • Function: Payment processing (when implemented)
  • Data processed: Payment card information, billing details, transaction records
  • Location: United States and EU
  • Safeguards: PCI DSS Level 1 certification, Standard Contractual Clauses, Stripe's Data Processing Agreement
  • Note: HDE will not store full payment card information; this will be handled entirely by Stripe

6. Data Breach Procedure

In the event of a personal data breach, HDE will:

  • Assess the nature, scope, and potential impact of the breach
  • Notify the Bulgarian Commission for Personal Data Protection (CPDP) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals, in accordance with GDPR Article 33
  • Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with GDPR Article 34
  • Document the breach, including its effects and the remedial actions taken
  • Take immediate steps to contain the breach and prevent further unauthorised access

7. Security Safeguards

HDE implements the following technical and organisational security measures:

7.1 Encryption

All data in transit is protected by HTTPS/TLS encryption. Database storage uses MongoDB Atlas encryption at rest. Passwords are hashed using bcrypt with a cost factor of 12 and are never stored or transmitted in plain text.

7.2 Access Control

The Platform implements a five-tier role-based access control system (User, Support Agent, Support Manager, Administrator, Super Administrator) with 20 granular permission types. Permissions can be customised per user. Support agents can only access tickets assigned to them by default. Administrators cannot modify their own accounts, preventing self-elevation of privileges.

7.3 Authentication Security

User sessions are managed through signed JWT tokens that are verified against the database every 60 seconds. Tokens are automatically invalidated if the user account is deactivated or a forced logout is triggered. The system includes self-healing mechanisms to detect and repair stale or invalid token data.

7.4 Audit Logging

All administrative actions that affect user accounts are recorded in an immutable audit log. Logged actions include: role changes, account activation and deactivation, price multiplier changes, forced logouts, and affiliate profile modifications. Each log entry records the administrator who performed the action, the affected user, the old and new values, and a timestamp. Audit logs are accessible only to Super Administrators.

8. Data Minimisation

HDE adheres to the principle of data minimisation. We collect only the personal data necessary to provide the requested services. Optional fields (such as consultation notes, ticket tags, or custom theme configurations) are provided at the user's discretion. The Platform does not collect or process any special categories of personal data (Article 9 GDPR) such as health data, biometric data, or data revealing racial or ethnic origin.

9. Right to Audit

Data subjects may request information about how their personal data is processed by contacting info@hdetailenterprise.com. HDE will provide a summary of processing activities relevant to the requesting individual within 30 days. The supervisory authority (CPDP) has the right to conduct audits of HDE's data processing activities in accordance with applicable law.

10. Data Deletion

Upon receiving a valid data deletion request (right to erasure under GDPR Article 17), HDE will:

  • Delete or anonymise the user's personal data within 30 days
  • Retain only data that is required by law (e.g., financial records for tax compliance)
  • Anonymise audit log entries related to the user while preserving the integrity of the audit trail
  • Confirm deletion to the requesting individual

11. International Data Transfers

Where personal data is transferred to sub-processors located outside the European Economic Area (EEA), HDE ensures that appropriate safeguards are in place. Currently, Discord, Inc. (United States) is the only active sub-processor outside the EEA. When Stripe is integrated, it will also process data in the United States. In both cases, Standard Contractual Clauses (SCCs) approved by the European Commission are used to ensure an adequate level of data protection. HDE does not transfer personal data to countries without adequate protection unless appropriate safeguards are in place.

12. Supervisory Authority

The competent supervisory authority for HDE's data processing activities is:

  • Commission for Personal Data Protection (CPDP)
  • Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
  • Website: https://www.cpdp.bg

Data subjects also have the right to lodge a complaint with the supervisory authority in their EU member state of habitual residence.