Data Processing Agreement

Effective Date: April 5, 2026
Last Updated: May 24, 2026
Version: 2.1


1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Data Controller") and hiroi ("Processor", "Data Processor") for the hiroi omni-channel AI agent platform ("Service").

This DPA applies where hiroi processes personal data on your behalf when providing the Service, including:

  • Contact records you upload or create
  • Conversation data from AI phone calls, SMS messages, email campaigns, and chat interactions
  • Call recordings and transcripts
  • Opt-out and consent records

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
  • Data Subject: An identified or identifiable natural person whose personal data is processed
  • Sub-Processor: A third party engaged by hiroi to process personal data on behalf of the Controller
  • Communication Data: Call recordings, transcripts, SMS content, and email content generated through the Service

3. Scope and Roles

3.1 Controller

You (the registered user) are the Data Controller for:

  • Contact records and lists you import or create
  • Communication data generated by your AI agents (calls, SMS, email)
  • Call recordings involving your contacts
  • Opt-out and consent records for your contacts
  • End-user conversation data from AI agent chat widgets deployed on your websites

3.2 Processor

hiroi is the Data Processor and will:

  • Process personal data only on your documented instructions
  • Not process personal data for any purpose other than providing the Service
  • Not sell, share, or use personal data for its own commercial purposes
  • Act in accordance with this DPA and applicable data protection law

4. Processing Details

4.1 Subject Matter

Processing of contact data, communication data, and metadata generated through AI-powered calling, SMS, email, and chat features.

4.2 Duration

Processing continues for the duration of the Service agreement and for the retention periods specified in our Privacy Policy.

4.3 Nature and Purpose

| Processing Activity | Purpose |
| --- | --- |
| Contact data storage | Store and manage contact records for campaigns and AI agent context |
| Outbound call initiation | Deliver AI phone calls to contacts on your behalf |
| Inbound call handling | Receive and route calls to AI agents |
| Call recording and transcription | Provide call records, transcripts, and AI summaries |
| SMS sending and receiving | Deliver messages and receive replies on your behalf |
| Email campaign delivery | Send outbound email campaigns and receive replies |
| AI response generation | Process conversations through AI providers for response generation |
| Voice synthesis | Convert AI text responses to speech for phone calls |
| Opt-out processing | Record and enforce contact opt-outs across channels |
| Campaign analytics | Provide performance metrics and conversation insights |
| Microsoft 365 integration | Access calendar and email to send messages and manage appointments on your behalf |

4.4 Categories of Data Subjects

  • Your business contacts (individuals you contact via calls, SMS, or email)
  • Website visitors who interact with your deployed AI agent chat widgets
  • Any individuals whose data is included in conversations

4.5 Types of Personal Data

  • Contact names, phone numbers, and email addresses
  • Call recordings (audio)
  • Call transcripts (text)
  • SMS message content (sent and received)
  • Email content (sent and received)
  • IP addresses (for chat widget interactions)
  • Browser user agent strings
  • Visitor identifiers (pseudonymous)
  • Consent and opt-out records
  • Interaction history and campaign engagement data

5. Obligations of the Processor

hiroi shall:

5.1 Processing Instructions

  • Process personal data only in accordance with the Controller's documented instructions
  • Inform the Controller if an instruction infringes applicable data protection law before proceeding

5.2 Confidentiality

  • Ensure that persons authorized to process personal data are bound by confidentiality obligations
  • Limit access to personal data to personnel who need it to provide the Service

5.3 Security

Implement appropriate technical and organizational measures, including:

  • Encryption of personal data in transit (TLS 1.2+) and at rest
  • Encrypted storage of call recordings
  • Access controls and organization-level data isolation
  • Regular security assessments
  • Incident detection and response capabilities

See our Security Policy for detailed measures.

5.4 Sub-Processing

  • Not engage a new sub-processor without prior notification to the Controller (at least 30 days)
  • Maintain an up-to-date list of sub-processors at Subprocessors
  • Ensure sub-processors are bound by equivalent data protection obligations
  • Remain liable for sub-processor compliance

5.5 Data Subject Rights

  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
  • Provide necessary technical capabilities for data export and deletion
  • Redirect data subject requests received directly by hiroi to the Controller
  • Process opt-out requests (STOP, UNSUBSCRIBE, do-not-call) automatically and notify the Controller

5.6 Breach Notification

In the event of a personal data breach:

  • Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide information about the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed
  • Cooperate with the Controller's breach response and regulatory notification obligations
  • Document all breaches in the internal breach register

6. Obligations of the Controller

You shall:

  • Provide lawful processing instructions
  • Ensure a legal basis exists for processing and contacting each data subject (e.g., consent, legitimate interest)
  • Obtain and maintain records of TCPA consent before initiating automated calls or SMS
  • Maintain appropriate privacy notices for contacts and website visitors
  • Respond to data subject requests directed to you as Controller
  • Notify hiroi of any changes to processing instructions
  • Scrub contact lists against the National DNC Registry where required
  • Ensure campaign content complies with CAN-SPAM, CASL, and other applicable laws

7. Sub-Processors

7.1 Current Sub-Processors

See Subprocessors for the current list.

7.2 Changes to Sub-Processors

  • We will notify you at least 30 days before engaging a new sub-processor
  • Notification will be via email and/or through the Service
  • You may object to a new sub-processor within 14 days of notification
  • If you object, we will make reasonable efforts to provide an alternative. If no alternative is available within 30 days of your objection, either party may terminate the affected processing activities with 30 days' written notice. During the resolution period, we will not share your data with the objected-to sub-processor.

8. International Data Transfers

Where personal data is transferred outside the European Economic Area or United Kingdom:

  • Transfers are subject to appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or other approved mechanisms)
  • We assess the data protection laws of recipient countries
  • We implement supplementary measures (encryption in transit and at rest) where necessary

The EU Standard Contractual Clauses (Module 2: Controller to Processor) are incorporated into this DPA for transfers from the EEA to hiroi.

9. Audit Rights

9.1 Audit

The Controller may:

  • Request information necessary to demonstrate compliance with this DPA
  • Conduct or commission audits with reasonable advance notice (at least 30 days) and at Controller's expense
  • Request hiroi's SOC 2 reports as evidence of compliance

9.2 Cooperation

hiroi shall:

  • Make available information reasonably necessary to demonstrate compliance
  • Allow and contribute to audits conducted by the Controller or an authorized auditor
  • Provide SOC 2 reports upon request

10. Data Return and Deletion

10.1 During the Agreement

You may request data export at any time through the Service (account settings > Export Data) or by contacting us.

10.2 Upon Termination

Upon termination of the Service agreement:

  • We will make your data available for export for 30 days
  • After the 30-day period, all personal data will be permanently deleted
  • Call recordings will be deleted from storage within the same 30-day period
  • We will certify deletion upon written request
  • Data in backup systems will be deleted within the backup rotation cycle (typically 30 days)

10.3 Exceptions

We may retain personal data where required by applicable law (e.g., audit logs for tax purposes), but only to the extent and for the period required.

11. Liability

The liability provisions of the Terms of Service apply to this DPA.

12. Term

This DPA is effective for as long as hiroi processes personal data on behalf of the Controller. It survives termination of the Terms of Service to the extent necessary to govern post-termination data handling and deletion.

13. Contact

For DPA-related inquiries:

hiroi - Data Protection
Email: privacy@hiroi.ai
