
H2O.ai Data Processing Addendum (DPA)



Last Updated: April 2026


This Data Processing Addendum ("DPA") forms part of and supplements any agreement governing Customer’s use of H2O.ai services, including any master agreement, order form, statement of work, click-through terms, trial, API access, or free or paid offering (collectively, the "Agreement"). By executing the Addendum, Customer enters into this Addendum on behalf of itself and, to the extent required under Applicable Data Protection Laws (defined below), in the name and on behalf of its Affiliates (defined below), if any. This Addendum incorporates the terms of the Agreement, and any terms not defined in this Addendum shall have the meaning set forth in the Agreement.

1. Definitions

1.1 “Affiliate”

means (i) an entity of which a party directly or indirectly owns fifty percent (50%) or more of the stock or other equity interest, (ii) an entity that owns at least fifty percent (50%) or more of the stock or other equity interest of a party, or (iii) an entity which is under common control with a party by having at least fifty percent (50%) or more of the stock or other equity interest of such entity and a party owned by the same person, but such entity shall only be deemed to be an Affiliate so long as such ownership exists.

1.2 “Applicable Data Protection Laws”

means all applicable privacy or data protection laws and regulations relating to the processing of personal data, including without limitation GDPR, UK GDPR, CPRA, LGPD, PIPEDA, PDPA, and similar laws as may be amended from time to time.

1.3 “Company”

refers to H2O.ai, Inc. and its subsidiaries.

1.4 “Company Account Data”

means personal data that relates to Company’s relationship with Customer, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Company Account Data also includes any data Company may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.

1.5 “Customer Data”

means any data (including Personal Data) submitted to or processed through the Services by or on behalf of Customer.

1.6 "GDPR"

means Regulation (EU) 2016/679.

1.7 "Personal Data"

means any information relating to an identified or identifiable individual. This can include but is not limited to data that is classified as “Sensitive Data” and “Personally Identified Information” as classified by “Applicable Data Protection Laws”.

1.8 "Processing"

means any operation performed on Personal Data.

1.9 “Services”

shall have the meaning set forth in the Agreement.

1.10 “Standard Contractual Clauses” or “EU SCCs”

means the clauses set out in Commission Implementing Decision (EU) 2021/914.

1.11 "Subprocessor"

means a third party engaged by H2O.ai to process Personal Data.

1.12 “UK Addendum”

means the UK Addendum to the EU SCCs issued by the UK Information Commissioner.


2. Scope and Applicability

This DPA applies to all Services provided by H2O.ai, including:

●      paid and enterprise offerings

●      free tiers and trials

●      APIs and developer services

●      beta or experimental features


3. Roles of the Parties

Customer acts as a controller or processor. H2O.ai acts as a processor, except for limited data (e.g., account and usage data) where H2O.ai acts as an independent controller.


4. Processing of Personal Data

4.1 Processing Framework.

The roles described in Section 3 apply to all processing under this DPA.

4.2 Customer Responsibilities.

Customer is solely responsible for:

(a) the accuracy, quality, and legality of Personal Data;

(b) the means by which Personal Data is collected; and

(c) ensuring that its instructions comply with Applicable Data Protection Laws; and

(d) final human review, as required, of any AI output.

Customer shall ensure that its instructions do not cause H2O.ai to violate Applicable Data Protection Laws. Customer shall not provide Personal Data that is unlawful or inappropriate for the nature of the Services.

4.3 Processing Obligations.

H2O.ai shall process Personal Data:

(a) only for the purposes set forth in the Agreement and this DPA;

(b) in accordance with Customer’s documented instructions, including Customer’s use, configuration, and settings within the Services; and

(c) in compliance with Applicable Data Protection Laws.

H2O.ai shall not process Personal Data for any other purpose.

4.4 Legal Requirements.

If H2O.ai is required by applicable law to process Personal Data other than as instructed by Customer, H2O.ai will inform Customer prior to such processing unless legally prohibited. Company shall promptly notify Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws. Company will promptly notify Customer if it determines it can no longer comply with its obligations under this DPA or Applicable Data Protection Laws.

4.5 Details of Processing.

The subject matter, nature, purpose, duration, and categories of Personal Data are described in Exhibit A.

4.6 Deletion or Return.

Upon termination of the Services, H2O.ai will, at Customer’s choice, delete or return Personal Data, unless retention is required by applicable law. Any retained Personal Data will remain protected in accordance with this DPA.


5. AI and Data Use Restrictions

Notwithstanding anything to the contrary:

(a) H2O.ai will not use Customer Data to train, retrain, fine-tune, or improve any artificial intelligence or machine learning models, except solely for Customer’s benefit and only where expressly agreed in writing.

(b) H2O.ai will not use Customer Data for advertising, profiling, or cross-customer model training.

(c) AI outputs may be probabilistic, incomplete, or inaccurate. Customer is responsible for validation and oversight.

(d) Customer retains all rights in Customer Data and outputs derived from Customer Data, subject to H2O.ai’s underlying technology and models.

(e) Agentic AI features may initiate or recommend actions; Customer is responsible for implementing appropriate safeguards, approvals, and controls.

(f) Customer should not provide special categories of Personal Data unless necessary for its use case, but acknowledges that such data may be included in unstructured inputs.

(g) H2O.ai may process de-identified or aggregated data for service improvement, provided that H2O.ai:

●      will not attempt to re-identify de-identified data;

●      implements safeguards to prevent re-identification; and

●      contractually requires subprocessors to comply with the same obligations.

(h) Company does not control or verify Customer Data and does not determine the categories of Personal Data processed.


6. Security Measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall implement and maintain appropriate technical and organizational measures consistent with industry standards, including SOC 2 Type II (or equivalent), encryption in transit and at rest, access controls, monitoring, and incident response procedures. Additional details regarding Company’s security program are available at: https://trust.h2o.ai/.


7. Security Incident Notification

H2O.ai will comply with the data security obligations of Applicable Data Protection Laws and will implement and maintain reasonable and appropriate technical and organizational data protection and security measures designed to ensure a level of security for the Customer Data appropriate to the risk of the relevant processing. H2O.ai may review and update these measures from time to time, provided that any such update will not materially diminish the overall security of the Customer Data during the term of the Agreement. H2O.ai will notify Customer of a Personal Data Breach without undue delay and, where feasible, within 72 hours of becoming aware.

H2O.ai will also:

●      provide information reasonably necessary for Customer to meet its legal obligations;

●      cooperate with Customer in investigating and remediating the breach (to the extent that remediation is within Company’s reasonable control); and

●      take commercially reasonable steps to mitigate the effects of the breach.

The obligations described in this Section 7 shall not apply in the event that a Personal Data Breach results from the actions or omissions of Customer. H2O.ai’s notification of, or response to, a Personal Data Breach will not be construed as an acknowledgement by H2O.ai of any fault or liability with respect to the Personal Data Breach.


8. Subprocessors

H2O.ai may use Subprocessors to provide the Services.

●      A current list of Subprocessors is available at: https://trust.h2o.ai/

●      Company will provide notice of new Subprocessors via the Trust Center.

●      Customer may object to a new Subprocessor within thirty (30) days of such notice on reasonable data protection grounds. If Customer objects, the parties will work in good faith to address the objection. If the parties are unable to resolve the objection, Customer may terminate the affected Services without penalty.

●      Company will impose data protection obligations on Subprocessors that are no less protective than those set forth in this DPA.


9. International Data Transfers

9.1 General.

Customer acknowledges that H2O.ai may process Personal Data in the United States and other jurisdictions where it or its Subprocessors operate. Where Personal Data is transferred outside of the EEA, UK, or Switzerland, H2O.ai will ensure that such transfers are made in compliance with Applicable Data Protection Laws.

9.2 Transfer Mechanisms.

To the extent required by Applicable Data Protection Laws, transfers of Personal Data will be made using one or more of the following mechanisms:

(a) adequacy decisions (including, where applicable, the EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework);

(b) the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) (“EU SCCs”); and/or

(c) other lawful transfer mechanisms.

Transfers will rely on adequacy decisions where available, including the EU-U.S. Data Privacy Framework, and otherwise on the EU SCCs and UK Addendum as applicable.

9.3 Incorporation of SCCs.

Where EU SCCs apply, they are deemed incorporated into this DPA and completed as follows:

(a) Module 2 (Controller to Processor) applies where Customer is a controller and H2O.ai is a processor;

(b) Module 3 (Processor to Subprocessor) applies where Customer is a processor and Company is processing Personal Data on behalf of Customer as a sub-processor;

(c) Clause 7 (Docking Clause) does not apply;

(d) Clause 9 (Use of Subprocessors), Option 2 (general authorization), applies, with prior notice as set forth in this DPA;

(e) Clause 11 (Redress) optional language does not apply;

(f) Clause 17 (Governing Law) shall be the law of Ireland;

(g) Clause 18(b) disputes shall be resolved in the courts of Ireland;

(h) Annex I and II are completed by the relevant sections of this DPA;

(i) for the purpose of Annex III of the Standard Contractual Clauses, the list of Subprocessors is set forth at: https://trust.h2o.ai/.

9.4 UK Transfers.

For transfers subject to UK GDPR, the EU SCCs apply as supplemented by the UK Addendum issued by the UK Information Commissioner.

9.5 Switzerland.

For transfers from Switzerland, the EU SCCs apply with the necessary modifications to reference Swiss law.

9.6 Supplementary Measures.

H2O.ai will implement appropriate technical and organizational safeguards, including:

- encryption in transit and at rest;

- access controls and monitoring;

- strong password requirements;

- prompt revocation of access following termination of employment; and

- policies to handle government access requests, including:

  - notifying Customer unless legally prohibited;

  - limiting disclosure to what is legally required; and

  - providing notice of legally binding requests unless prohibited by law and challenging overbroad requests where reasonable.

9.7 Changes in Law.

If transfer mechanisms become invalid or require modification, the parties will cooperate in good faith to implement alternative lawful mechanisms.


10. Rights of Data Subjects

10.1 Company shall, to the extent permitted by law, notify Customer upon receipt of a request by a Data Subject to exercise the Data Subject’s right of: access, rectification, erasure, data portability, restriction or cessation of processing, withdrawal of consent to processing, and/or objection to being subject to processing that constitutes automated decision-making (such requests individually and collectively “Data Subject Request(s)”). If Company receives a Data Subject Request in relation to Customer’s data, Company will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to such request, including, where necessary, by using the functionality of the Services. Customer is solely responsible for ensuring that Data Subject Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Personal Data are communicated to Company, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each Data Subject.

10.2 Company shall, at the request of the Customer, and taking into account the nature of the processing applicable to any Data Subject Request, apply appropriate technical and organizational measures to assist Customer in complying with Customer’s obligation to respond to such Data Subject Request and/or in demonstrating such compliance, where possible, provided that (i) Customer is itself unable to respond without Company’s assistance and (ii) Company is able to do so in accordance with all applicable laws, rules, and regulations. Customer shall be responsible to the extent legally permitted for any costs and expenses arising from any such assistance by Company.


11. Company’s Role as a Controller

The parties acknowledge and agree that with respect to Company Account Data and Company Usage Data, Company is an independent controller, not a joint controller with Customer. Company will process Company Account Data and Company Usage Data as a controller (i) to manage the relationship with Customer; (ii) to carry out Company’s core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Company is subject; and (vi) as otherwise permitted under Applicable Data Protection Laws and in accordance with this Addendum and the Agreement. Company may also process Company Usage Data as a controller to provide, optimize, and maintain the Services, to the extent permitted by Applicable Data Protection Laws. Any processing by the Company as a controller shall be in accordance with the Company’s privacy policy set forth at https://h2o.ai/legal/privacy/.


12. Data Retention and Deletion

H2O.ai will:

●      retain Personal Data only as necessary; and

●      delete or return data within a reasonable period following termination (not to exceed 30 days) at Customer’s choice and written request, unless (i) retention is required by applicable law or (ii) retention is reasonably necessary to establish, exercise, or defend legal claims.

Aggregated or de-identified data may be retained for service improvement.


13. Confidentiality

H2O.ai ensures personnel are bound by confidentiality obligations.


14. Audits and Compliance

14.1 Audit Reports and Certifications.

Customer may rely on Company’s current security certifications and audit reports (e.g., SOC 2 Type II) to demonstrate compliance with this DPA. Upon reasonable written request, and subject to confidentiality obligations, Company will make available such reports or summaries thereof, including via its Trust Center (https://trust.h2o.ai/).

14.2 Additional Audit Rights.

To the extent required by Applicable Data Protection Laws, and only where the information provided pursuant to Section 14.1 is insufficient, Customer may conduct an audit of Company’s compliance with this DPA, subject to the following conditions:

(a) Customer provides reasonable prior written notice;

(b) the audit is conducted no more than once annually, unless required by a Supervisory Authority or following a Personal Data Breach;

(c) the audit is performed during normal business hours and in a manner that does not unreasonably disrupt Company’s business operations;

(d) the audit is limited to systems and records relevant to Customer’s Personal Data;

(e) the audit is conducted by Customer or an independent third-party auditor bound by appropriate confidentiality obligations; and

(f) Customer bears its own costs and reimburses Company for reasonable costs incurred in supporting the audit.

14.3 Records of Processing.

Company shall maintain records of processing activities as required under Applicable Data Protection Laws and make such records available to Customer upon reasonable request, subject to confidentiality obligations.

14.4 Regulatory Cooperation and Assistance.

Taking into account the nature of the processing and the information available, Company will provide reasonable cooperation and assistance to Customer, where required under Applicable Data Protection Laws, in connection with:

(a) data protection impact assessments; and

(b) consultations with Supervisory Authorities.

Customer shall be responsible for any reasonable costs arising from such assistance, to the extent permitted by law.

14.5 Use of Audit Results.

Customer may use the results of any audit solely for the purpose of verifying compliance with this DPA and meeting its regulatory obligations.

14.6 SCC Audit Alignment.

Where applicable, any audits required under the Standard Contractual Clauses shall be carried out in accordance with this Section 14.


15. U.S. State Privacy Compliance

H2O.ai acts as a service provider/processor and will not:

●      sell or share Personal Data;

●      use Personal Data outside the business relationship;

●      use data for cross-context behavioral advertising; or

●      combine Customer Personal Data with data from other customers, except as permitted by Applicable Data Protection Laws and solely to provide the Services.

H2O.ai will notify Customer if it determines it can no longer meet its obligations under applicable privacy laws and will work in good faith to remediate any such issue.


16. Order of Precedence

In case of conflict:

  1. SCCs
  2. this DPA
  3. Agreement


17. Governing Law

As set forth in the Agreement.

Exhibit A – Processing Details

Describes categories of data, data subjects, and processing purposes.

1. Processing

1.1 Nature and Purpose of Processing.

Company will process Customer Personal Data solely as necessary to:

(a) provide, operate, support, and improve the Services in accordance with the Agreement and this DPA;
(b) perform processing activities initiated by Customer through its use and configuration of the Services;
(c) maintain the security, integrity, availability, and performance of the Services, including monitoring, troubleshooting, and debugging; and
(d) comply with applicable law.

Processing includes activities such as collection, storage, organization, structuring, retrieval, transmission, and deletion of Personal Data in connection with the Services, including where applicable within predictive, generative, or agentic artificial intelligence systems.

Company shall not process Personal Data for any purpose other than those set forth above or as otherwise instructed by Customer. Note that Personal Data does not include model weights, parameters or “learnings” derived from the data.

1.2 Controller Processing.

Notwithstanding the foregoing, Company may process limited Personal Data as an independent controller, strictly for the following purposes:

●      account management and administration

●      billing, invoicing, and financial compliance

●      security, fraud detection, and abuse prevention

●      compliance with legal and regulatory obligations

Such processing shall be limited to Company Account Data and Company Usage Data and shall not include Customer Content.

1.3 Duration of Processing.

Company will process Personal Data for the duration of the Agreement and, thereafter, only:

(a) as necessary to comply with applicable law; or
(b) for limited retention periods consistent with Company’s data retention policies, after which Personal Data will be deleted or anonymized.

1.4 Categories of Data Subjects.

Personal Data processed may include:

●      identifiers such as name, email address, phone number, and account credentials;

●      usage, log, and technical data generated through use of the Services;

●      any other Personal Data submitted by or on behalf of Customer.

The specific categories and scope of Personal Data are determined and controlled by Customer.

1.5 Sensitive Data / Special Categories.

Customer may submit Special Categories of Personal Data where necessary for its use case, subject to the Agreement.

Customer is solely responsible for:

●      determining whether such data is appropriate for processing;

●      implementing appropriate safeguards; and

●      ensuring compliance with Applicable Data Protection Laws.

Company does not control or verify Customer Data and does not determine the categories of Personal Data processed.

Exhibit B – Subprocessors

A current list of Subprocessors is available at: https://trust.h2o.ai/
