← Back to HulloDesk

Data Processing Agreement

Effective Date: March 1, 2026Last Updated: May 4, 2026Version 1.1.0

This Data Processing Agreement ('DPA') forms part of the Master Service Agreement or Terms of Service between HulloDesk and the Customer.

1. Definitions

"Applicable Data Protection Law" means the EU General Data Protection Regulation (GDPR) 2016/679, the UK GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, and any other applicable privacy or data protection laws in the jurisdiction(s) where HulloDesk or Customer operates.

The terms "Controller", "Processor", "Data Subject", and "Processing" shall have the meanings given in Applicable Data Protection Law.

"Personal Data" means any information relating to an identified or identifiable natural person (e.g., names, email addresses, phone numbers, IP addresses, call recordings).

"Subprocessor" means any third-party vendor engaged by HulloDesk to assist in Processing Personal Data (e.g., database hosting, AI voice processing, telephony providers).

2. Scope and Responsibility

Customer acts as a Data Controller and HulloDesk acts as a Data Processor. HulloDesk shall process Personal Data only on behalf of and in accordance with the Customer's documented instructions.

3. Technical & Organizational Measures (TOMs)

HulloDesk implements the following security safeguards in accordance with GDPR Article 32:

A. Encryption

  • At Rest: AES-256 encryption for all database records and file storage.
  • In Transit: TLS 1.3 for all data transmissions (API calls, webhooks, web traffic).
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.

B. Access Controls

  • Role-Based Access Control (RBAC): Least-privilege principle enforced across all systems.
  • Multi-Factor Authentication (MFA): Required for all admin and privileged accounts.
  • Audit Logs: Comprehensive logging of all data access, modifications, and deletions.

C. Infrastructure Security

  • Hosted on SOC 2 Type II certified cloud infrastructure (Supabase on AWS).
  • Row-Level Security (RLS) policies, automated backups, and Point-in-Time Recovery (PITR).
  • Firewalls, DDoS protection (Cloudflare), and intrusion detection systems.
  • Measures to restore availability and access to Personal Data in a timely manner following any incident.

D. Application Security

  • Annual third-party penetration testing and vulnerability scanning.
  • Automated dependency scanning (Snyk, Dependabot) and static analysis.
  • Code review procedures and security training for all engineers.

E. Data Minimization & Anonymization

  • PII automatically excluded from product analytics (PostHog).
  • AI training only with explicit opt-in consent using anonymized data.
  • A process for regularly testing, assessing, and evaluating the effectiveness of security measures.

F. Incident Response

  • 24/7 real-time monitoring and automated security anomaly alerts.
  • Documented breach notification procedures compliant with GDPR Article 33 (72-hour notification to supervisory authorities) and applicable state breach notification laws.
  • Affected parties notified within 72 hours of discovering a breach.

4. Subprocessors

Customer provides a general authorization to HulloDesk to engage subprocessors. HulloDesk shall:

  • Maintain a current list of subprocessors (available at hullodesk.com/subprocessors).
  • Enter into a written agreement with each subprocessor containing data protection obligations no less protective than those in this DPA.
  • Remain liable for the acts and omissions of its subprocessors.

5. Data Subject Rights

HulloDesk shall, to the extent legally permitted, promptly notify Customer if HulloDesk receives a request from a Data Subject to exercise their rights. HulloDesk shall assist Customer in fulfilling its obligations to respond to such requests.

6. Audit Rights

HulloDesk shall make available to Customer all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer.

7. Deletion & Return of Data

In accordance with GDPR Article 28(3)(g), upon termination or expiry of the Agreement, HulloDesk shall, at Customer's election:

  • Delete: Permanently delete all Personal Data from production systems within 90 days of account termination. Encrypted backups will be purged within the same 90-day window.
  • Return: Provide Customer with a complete data export (JSON format) via Settings → Privacy → Download My Data, upon request made before account deletion.

Retention Exceptions (Legal Compliance)

  • TCPA consent records: retained for 5 years (FCC regulations)
  • Billing & payment records: retained for 7 years (US tax & accounting law)
  • Data required for ongoing legal proceedings or regulatory investigations

Upon request, HulloDesk will provide written certification of data deletion to [email protected].

8. International Transfers

To the extent HulloDesk processes Personal Data originating from the European Economic Area (EEA), Switzerland, or the United Kingdom, the parties agree that the Standard Contractual Clauses (Module Two: Controller-to-Processor), as adopted by the European Commission under Decision 2021/914/EU, are hereby incorporated by reference and shall apply to such transfers. In the event of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail for EEA, Swiss, and UK transfers.

9. Governing Law

This DPA shall be governed by and construed in accordance with the laws of the State of California, without regard to its conflict of law provisions, except where otherwise required by Applicable Data Protection Law (e.g., GDPR Article 79 for EU data subjects).

Annex I — Description of Processing Activities

Required under GDPR Article 28(3) and Appendix 1 of Standard Contractual Clauses

Subject Matter & Purpose

HulloDesk processes Personal Data to provide AI voice agent services: automated lead follow-up calls, post-job review calls, inbound receptionist calls, SMS messaging sequences, appointment scheduling, and call analytics.

Types of Personal Data Processed

CategoryExamplesSource
Contact InformationNames, phone numbers, email addresses, business namesCustomer uploads, API integrations
Call DataAudio recordings, AI transcripts, call duration, timestamps, call outcomesAutomated call processing
Communication DataSMS message content, email notificationsAutomated SMS sequences
Appointment DataCalendar availability, booking timestamps, meeting linksCalendar integrations
Usage DataIP addresses, browser type, session logs, feature interactionsPlatform analytics
Billing DataPayment card details (tokenized), billing addresses, subscription statusStripe (payment processor)
Consent RecordsDate/time of consent, IP address, consent method, opt-out requestsTCPA compliance tracking

Categories of Data Subjects

  • Customer's leads (potential customers)
  • Customer's existing customers (end-users of Customer's business)
  • Customer's employees (platform users)
  • Customer's calendar contacts (appointment bookings)

Duration of Processing

  • Account data: active subscription + 90 days after cancellation
  • Call recordings & transcripts: 2 years (configurable; earlier deletion available on request)
  • TCPA consent records: 5 years (FCC regulatory requirement)
  • Financial records: 7 years (US tax and accounting law)

Enterprise & Custom DPA

This page constitutes the standard Data Processing Agreement for self-serve customers. Enterprise customers are governed by our custom Data Processing Addendum (v2.0), which includes Standard Contractual Clauses (SCCs), custom annexes, and negotiated terms.

EU/UK customers, enterprise accounts, or any customer requiring a countersigned DPA may request the full Data Processing Addendum (v2.0) through our legal portal.

Request Enterprise DPA →