Yes. HIBP's Data Processing Addendum is publicly available at haveibeenpwned.com/DPA.
The DPA is incorporated into the Terms of Use, available at haveibeenpwned.com/TermsOfUse. When you purchase a subscription, you are required to tick "I accept the terms of use" before completing your purchase. This acceptance automatically includes the DPA. No separate signature is required on HIBP's DPA, and we do not sign other organisations' DPAs.
This intent is clarified in the opening sentence of the DPA itself:
This Data Processing Addendum ("Addendum", "DPA") is supplementary to, and forms part of, the terms of use available at https://haveibeenpwned.com/TermsOfUse, as updated from time to time (the "Agreement") between Superlative Enterprises Pty Ltd (ABN 62 085 442 020) of Level 11, 2 Corporate Court, Bundall, Queensland, Australia ("Superlative", "we" or "us") and the entity or person(s) subscribing to our services ("Customer").
The DPA covers the following privacy frameworks:
• EU General Data Protection Regulation (GDPR)
• UK Data Protection Act 2018
• Swiss Federal Act on Data Protection (FADP)
• Australian Privacy Act 1988
If your organisation requires a signed or customised DPA, we are not able to accommodate this for our subscriptions available to purchase from https://haveibeenpwned.com/subscription. The Enterprise channel may offer additional flexibility for larger organisations with bespoke requirements.
International Transfers, Standard Contractual Clauses, and Permitted Processing
Our Data Processing Addendum (DPA) addresses international data transfers and the safeguards that may be required for our overseas customers where cross‑border transfers are regulated under privacy laws that apply to them.
Incorporation of Standard Contractual Clauses (SCCs) into our DPA
Clause 2.3 (Cross‑border disclosures) of the DPA provides that where HIBP discloses personal data in a way that constitutes a regulated onwards international transfer, it will first take such measures as are necessary to ensure the transfer is made in compliance with applicable privacy laws. These measures may include (without limitation) the relevant SCCs.
Importantly, clause 2.4 (Standard Contractual Clauses) provides that, where SCCs are required, the relevant SCCs are incorporated into the DPA by reference, together with any amendments set out in the Annexes to the DPA. This means that the SCCs operate as part of the contractual framework established by the DPA, rather than as a separate standalone agreement: the DPA supplies the necessary amendments and mechanics for the SCCs through its Annexes (see Annexes 1-3), so a separate SCC agreement does not need to be executed in all cases. This keeps the contracting process streamlined but flexible.
Subscribers may access the applicable SCCs in their standard published form (for example, the European Commission approved SCCs), and the Annexes to the DPA provide the relevant commercial and operational details (including the scope of processing, security measures and transfer context) necessary for those SCCs to operate as part of the contractual framework.
From an operational perspective, HIBP maintains a list of its sub-processors, including their locations, to provide transparency regarding any potential cross-border data transfers. Where a transfer scenario requires the use of Standard Contractual Clauses, the DPA anticipates and supports their application within its framework.
HIBP’s processing for permitted purposes, including our own commercial purposes (DPA, clause 2.2)
The inclusion of HIBP’s own commercial purposes among the purposes for which personal data is processed in clause 2.2 is intended to reflect the limited and necessary processing HIBP undertakes to operate, maintain and improve our services. This does not involve using personal data for unrelated activities or for purposes separate from the service provided to subscribers. Rather, it is intended to cover processing that is ancillary to, and required for, service delivery, such as operating and maintaining the platform, detecting, analysing and validating data breaches, preventing misuse or fraud, and improving service reliability, accuracy and functionality. This is consistent with the uses described in HIBP’s Privacy Policy and with the nature of the service itself.
Our Privacy Policy explains that personal information is used and disclosed solely for the purpose of providing and supporting our services. This includes matching subscriber details against newly received breach data, sending breach notification emails to subscribers who have completed a double opt‑in and email verification process, and operating controls to prevent misuse. The Policy also explains that personal information may be used for closely related purposes, such as generating aggregated insights and statistics, informing relevant groups about data breaches, contacting impacted organisations, and for other uses consented to by individuals or where required or authorised by law.
Subscribers can be assured that HIBP does not sell personal data, nor does it use personal data for independent marketing, profiling, or other activities unrelated to providing the breach‑monitoring service.