hej logo

Data Processing Addendum

hej.chat

This Data Processing Addendum ("DPA") forms part of the agreement between Customer and Algorithma Technologies AB ("Company") for Hej.chat (the "Services"). It applies when Company processes Personal Data on behalf of Customer.

1. Definitions and Hierarchy

"Data Protection Laws" means the GDPR, UK GDPR, and applicable national privacy laws. Customer is the Controller and Company is the Processor. In the event of any conflict between this DPA and the Agreement regarding the processing of Personal Data, this DPA shall prevail.

2. Instructions

Company processes Customer Personal Data only to provide the Services and in accordance with Customer's documented instructions. The parties agree that the Agreement, this DPA, and the Customer's configuration and use of the Services constitute such documented instructions.

3. Confidentiality and Personnel

Company ensures that all persons authorized to process Customer Personal Data (including employees and contractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Details of Processing

The processing concerns Customer data in the Services (web pages, documents, messages, logs, metadata) to facilitate the chat functionality. Customer controls the data Hej.chat has been instructed to receive or that has been submitted through the Services. Customer agrees not to submit special categories of data (e.g., health, biometric, political) or payment card data, unless the parties agree in writing on specific additional safeguards.

5. Security

Company implements appropriate technical and organizational measures to protect Customer Personal Data, as described in the Security Policy available in Exhibit B.

6. Sub-processors

Customer authorizes Company to engage Sub-processors to Process Customer Personal Data for the provision of the Services.

Company maintains an up-to-date list of Sub-processors (including a description of the service provided) at hej.chat/sub-processors (the "Sub-processor List").

Company will notify Customer of any intended addition or replacement of Sub-processors by email and/or in-app notification at least thirty (30) days in advance.

Customer may object to a new Sub-processor on reasonable grounds relating to data protection by notifying Company within thirty (30) days of receipt of the notice. The parties will cooperate in good faith to address the objection. If the parties cannot resolve the objection, either party may terminate the affected Services.

Company remains liable for the performance of its Sub-processors' obligations.

7. International Transfers

Company may process data outside the EEA/UK. Where Personal Data is transferred to the United States, the parties rely on the EU-US Data Privacy Framework (DPF) and the UK Extension to the DPF, provided the sub-processor is certified. If a sub-processor is not DPF certified or is located in another country without an adequacy decision, the parties agree to the Standard Contractual Clauses (EU SCCs - Module Three (Processor-to-Processor)) and the UK International Data Transfer Addendum, which are incorporated by reference.

8. Assistance

Company provides reasonable assistance for data subject requests (e.g., access, deletion), security/DPIA needs, and breach notifications. Customer agrees to cover Company's reasonable costs for assistance that requires distinct engineering resources, legal counsel involvement, or custom data extraction.

9. Personal Data Breaches

Company notifies Customer without undue delay (and in any event within 72 hours) after confirming a Personal Data Breach affecting Customer Personal Data.

10. Deletion or Return

Upon termination of the Services, Company will delete Customer Personal Data from active systems within thirty (30) days. Data stored in backup archives will be deleted or overwritten in accordance with Company's standard backup retention cycles.

11. Audits

Customer may verify compliance via Company's available security reports (e.g., SOC2, ISO, or penetration tests). These reports are presumed sufficient. An on-site audit is permitted only if (a) legally required by a supervisory authority, or (b) a confirmed security incident occurred.

12. Governing Law

This DPA shall be governed by the laws and jurisdiction defined in the Agreement (Swedish Law, Stockholm District Court), unless required otherwise by Data Protection Laws.

Exhibit A: Data Description

Data Subjects: Customer's employees/agents (users) and Customer's end-users (chat participants).
Categories of Data: Contact details (name, email), connection data (IP, logs), and free-text content submitted via the chat interface.
Nature and Purpose: Hosting, storage, and AI processing to provide the Hej.chat service.
Duration: Term of the Agreement plus the deletion period.

Exhibit B: Security Measures

Technical and Organizational Measures (TOMs)

1. Encryption & Data Protection

  • Encryption in Transit: All data transmitted between the Customer, End Users, and the Service is encrypted using strong industry-standard protocols (TLS 1.2 or higher).
  • Encryption at Rest: Personal Data stored in the database (Firestore/Supabase) and file systems is encrypted using standard AES-256 encryption.
  • Data Separation: The Service uses logical separation (row-level security and unique tenant identifiers) to ensure that one customer's data cannot be accessed by another customer.

2. Access Control and Personnel

  • Least Privilege: Access to production systems (Google Cloud, Supabase) is restricted to authorized engineering personnel.
  • Authentication: Multi-Factor Authentication (MFA) is enforced for all administrative access to cloud infrastructure.
  • Offboarding: Access rights are revoked immediately upon termination of an employee or contractor's engagement.

3. Infrastructure and Physical Security

  • Cloud Hosting: The Service is hosted primarily on Google Cloud Platform (GCP) and Supabase. These providers maintain top-tier security certifications (ISO 27001, SOC 2 Type II).
  • Physical Security: Company relies on the physical security measures of its cloud providers (24/7 onsite security, biometric access, video surveillance). Company does not maintain physical servers on its own premises.

4. Availability and Resilience

  • Backups: Database backups are performed automatically on a regular schedule to ensure data can be restored in the event of a technical failure.
  • Redundancy: The Service architecture is designed to withstand component failures without significant interruption.

5. Incident Management

  • Monitoring: Company uses error tracking tools (e.g., Sentry) to detect anomalies.
  • Notification: In the event of a confirmed Personal Data Breach, Company will notify affected customers in accordance with DPA timelines (72 hours).

View our current list of Sub-processors

← Back to home