Data Processing Addendum
This DPA applies when Hyponema processes customer personal data on behalf of a workspace and no separately signed data processing agreement applies.
Last updated: May 10, 2026
Legal entity
- Commercial brand: Hyponema
- Legal name: ENTROPY BAY, S.L.
- Tax ID: B26671842
- Registered office: Madrid, Spain
- Website: https://hyponema.ai
- Contact: [email protected]
- Data protection: [email protected]
1. Roles
The customer is the controller or business for customer personal data processed through the services. Hyponema is the processor or service provider for that customer personal data. For account administration, billing, security, fraud prevention, product analytics, and legal compliance, Hyponema may act as an independent controller as described in the Privacy Policy.
2. Processing instructions
- Hyponema will process customer personal data to provide, secure, support, and improve the services according to the agreement, product configuration, documented instructions, and applicable law.
- Customer instructions include use of the workspace, APIs, SDKs, widget, telephony settings, provider settings, memory settings, retention settings, and support requests.
- Hyponema will notify the customer if it believes an instruction violates applicable data protection law, unless prohibited by law.
3. Categories of data and data subjects
- Data subjects may include workspace users, administrators, subjects, callers, end users, support contacts, billing contacts, and people mentioned in conversation content.
- Customer personal data may include identifiers, contact information, voice recordings, transcripts, messages, memory records, preferences, emotional tone labels, support content, usage data, and other content submitted by or for the customer.
- Sensitive data should not be submitted unless the customer has a lawful basis, proper notices, required consents, and a signed agreement if legally required.
4. Security measures
- Workspace isolation and row-level access controls.
- Encryption in transit and encryption at rest for production systems.
- Envelope encryption for provider credentials.
- Role-based workspace access, audit history, and scoped API keys.
- Backups, logging, monitoring, incident triage, and least-privilege operational access.
- Vendor-neutral provider configuration so customers can control where session content is sent.
5. Confidentiality
Hyponema will ensure that personnel authorized to process customer personal data are bound by confidentiality obligations and access customer personal data only as needed for the services, support, security, compliance, or legal obligations.
6. Subprocessors
Customer authorizes Hyponema to use subprocessors listed on the Subprocessors page. Hyponema will impose data protection obligations on subprocessors and remains responsible for their processing as required by applicable law.
7. New subprocessor notice and objection
Hyponema will update the Subprocessors page before adding a material new production subprocessor for customer personal data. Customers may object on reasonable data protection grounds by emailing [email protected] within 30 days of the update. The parties will work in good faith to resolve the objection.
8. Data subject requests
Hyponema will provide reasonable assistance for data subject access, export, deletion, correction, and restriction requests. If Hyponema receives a request relating to customer personal data, it may direct the requester to the customer or notify the customer where appropriate.
9. Security incidents
Hyponema will notify affected customers without undue delay after confirming a security incident involving customer personal data. Notice will include information reasonably available to help customers meet their obligations.
10. Return and deletion
Upon termination or request, Hyponema will delete or return customer personal data according to product capabilities, legal obligations, backup retention, and any signed agreement. Audit logs, billing records, security logs, and legal records may be retained where required.
11. International transfers
Where customer personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties will use appropriate transfer safeguards such as standard contractual clauses or another lawful transfer mechanism.
12. Audits
Hyponema will make reasonable security and compliance information available to customers under confidentiality. On-site audits require a separate written agreement and must avoid compromising other customers, systems, or confidential information.
13. Contact
DPA requests and signed-enterprise requests can be sent to [email protected].
Need a signed agreement, DPA, vendor questionnaire, or procurement review? Contact [email protected].