Data Processing Addendum
The terms under which Hania processes personal data on your behalf, including for GDPR, UK GDPR, and CCPA compliance.
1. Scope & roles
This DPA is incorporated into your agreement with Hania, Inc. ("Hania", "Processor") and governs how Hania processes Customer Personal Data on behalf of you ("Customer", "Controller"). For Personal Data of Hania's own users (e.g., billing contacts), Hania is the Controller, and processing is governed by our Privacy Policy.
2. Subject matter and instructions
Hania processes Customer Personal Data solely to provide the Service, in accordance with Customer's documented instructions — including those reflected in product configuration, the API, and applicable agreements. Hania will inform Customer if it believes an instruction violates Data Protection Laws.
Categories of data subjects: Customer's end users, employees, contacts, and any other individuals about whom Customer submits Personal Data.
Categories of Personal Data: Identifiers (name, email, phone), contact information, conversation content, voice recordings (if enabled), tool call inputs/outputs, and metadata necessary to provide the Service.
3. Confidentiality
Personnel authorized to process Customer Personal Data are bound by confidentiality obligations at least as strict as those in this DPA, and only have access on a need-to-know basis.
4. Security measures
Hania maintains the technical and organizational measures described in Annex II, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Network segmentation, least-privilege access, and role-based access controls.
- Tamper-evident audit logging with cryptographic chaining.
- Penetration testing and vulnerability scanning at least annually.
- Background checks on personnel with access to production systems.
- SOC 2 Type II certification, audited annually.
- Incident response procedures with on-call rotation and runbook.
5. Subprocessors
Customer authorizes Hania to engage Subprocessors listed at hania.ai/subprocessors. Hania will notify Customer of new Subprocessors at least 14 days before they're engaged. Customer may object to new Subprocessors on reasonable grounds; if the parties can't resolve the objection, Customer may terminate the affected portion of the Service with a prorated refund.
6. International transfers
Where Customer Personal Data is transferred outside the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the Standard Contractual Clauses (Module 2) by reference. Customers in the EEA who select an EU region keep all processing inside the EEA.
7. Data subject rights
Hania will assist Customer in fulfilling its obligations to respond to data subject requests, including by providing tooling in the dashboard for export and deletion of Personal Data on a per-end-user basis. Where Hania receives a data subject request directly, it will forward it to Customer without responding (except to acknowledge receipt) unless legally required.
8. Personal data breach notification
Hania will notify Customer of any Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours of becoming aware of it. The notice will include the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.
9. Audit rights
Hania will make available to Customer, on request, a summary of its most recent SOC 2 Type II report, a completed CAIQ-Lite, and its penetration test summary. Customers on Production plans may, no more than once per year and on 30 days' notice, conduct an audit of Hania's compliance with this DPA, at Customer's expense, subject to mutually agreed scope, schedule, and confidentiality terms.
10. Return and deletion of data
Upon termination of the Agreement, Customer may export all Customer Personal Data for 30 days using the in-product tooling. After that grace period, Hania will delete all Customer Personal Data within 60 days, except where retention is required by law (e.g., billing records).
11. Standard Contractual Clauses
The European Commission's Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries, adopted by Decision 2021/914, are incorporated into this DPA. Module Two applies between Customer (data exporter) and Hania (data importer). The optional docking clause is engaged. UK transfers are governed by the UK International Data Transfer Addendum to the SCCs.
Questions about this DPA? Email [email protected]. Need a counter-signed copy on your paper? We'll do that on Production plans.