1. Scope and Applicability
This DPA applies where Hexa processes personal data on behalf of the Customer in the course of providing its Services. It supplements the Terms of Service and forms part of the agreement between Hexa and the Customer.
2. Roles and Responsibilities
Customer is the data controller.
Hexa is the data processor (as defined under GDPR Article 4).
Both parties shall comply with their respective obligations under applicable data protection laws.
3. Types of Personal Data
Hexa may process the following categories of personal data:
Name
Email address
Company information
IP addresses
Audio recordings or transcripts (if call recording/transcript features are used)
Usage logs and activity metadata
CRM and calendar data (if integrated)
Hexa does not knowingly process special categories of personal data (e.g. racial or ethnic origin, political opinions, health data).
4. Purpose of Processing
Hexa processes personal data solely for the purposes of:
Providing and improving the Services
Enabling AI-powered features (e.g., summaries, forecasting, follow-ups)
Ensuring account and billing management
Monitoring system performance and security
Hexa does not process customer data for advertising or model training without explicit consent.
5. Subprocessors
Hexa uses vetted subprocessors to help provide the Services (e.g., AWS, Stripe, analytics tools). A full list is available at [hexa.so/legal/subprocessors].
All subprocessors are bound by contractual terms equivalent to this DPA.
Customers may subscribe to notifications of subprocessor changes or reasonably object to new subprocessors.
6. Data Transfers
Where personal data is transferred outside the EEA, UK, or Switzerland, Hexa ensures adequate protection through:
Standard Contractual Clauses (SCCs)
Data Privacy Framework (DPF) (where applicable)
Additional security controls
7. Security Measures
Hexa implements appropriate technical and organizational security measures, including:
Data encryption in transit and at rest
Access controls and user authentication
Network monitoring and intrusion detection
Regular vulnerability scanning and audits
Employee confidentiality agreements and training
8. Data Subject Rights
Hexa will assist the Customer in responding to data subject requests related to:
Access
Correction
Erasure
Portability
Restriction or objection to processing
Hexa will promptly notify the Customer of any such requests.
9. Breach Notification
In the event of a personal data breach, Hexa shall:
Notify the Customer without undue delay
Provide relevant details of the incident
Assist in any investigation or regulatory communication
10. Data Deletion and Return
Upon termination or expiration of the Agreement, Hexa will:
Delete Customer data within 30 days (unless legally required to retain it)
Provide confirmation of deletion upon written request
Allow for secure export of Customer data prior to deletion
11. Audits and Certifications
Hexa will:
Make available relevant information to demonstrate compliance (e.g., security documentation, audit logs)
Allow audits by Customer or third-party auditors with reasonable notice
Maintain compliance with data protection certifications or frameworks (as applicable)
12. Governing Law
This DPA is governed by the same jurisdiction as the main agreement, unless otherwise required by applicable law.
13. Contact
For all data protection inquiries:
📧 Email: privacy@hexa.so
🏢 Address: Hexa Inc., [Insert physical address]