Data Processing Agreement
Effective Date: February 7, 2026
Last Updated: February 7, 2026
Version: 1.0
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Data Controller") and hiroi ("Processor", "Data Processor") for the hiroi platform ("Service").
This DPA applies where hiroi processes personal data on your behalf when providing the Service, particularly conversation data collected through chatbot widgets deployed on your websites.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion)
- Data Subject: An identified or identifiable natural person whose personal data is processed
- Sub-Processor: A third party engaged by hiroi to process personal data on behalf of the Controller
3. Scope and Roles
3.1 Controller
You (the registered user deploying chatbot widgets) are the Data Controller for:
- End-user conversation data collected through your widgets
- Any personal data submitted by end-users via chatbot interactions
- Visitor identifiers and session data from your website visitors
3.2 Processor
hiroi is the Data Processor and will:
- Process personal data only on your documented instructions
- Not process personal data for any purpose other than providing the Service
- Not sell, share, or use personal data for its own commercial purposes
4. Processing Details
4.1 Subject Matter
Processing of end-user conversation data and related metadata through AI-powered chatbot widgets.
4.2 Duration
Processing continues for the duration of the Service agreement and for the retention periods specified in our Privacy Policy.
4.3 Nature and Purpose
| Processing Activity | Purpose |
|---|---|
| Conversation storage | Provide chat history, analytics |
| AI response generation | Process messages through OpenAI for response generation |
| Voice synthesis | Convert text to speech via ElevenLabs |
| Rate limiting | Prevent abuse using IP addresses |
| Analytics | Provide conversation metrics and insights |
4.4 Categories of Data Subjects
- Website visitors who interact with your chatbot widgets
- Any individuals whose data is included in conversations
4.5 Types of Personal Data
- Chat messages (may contain any personal data shared by end-users)
- IP addresses
- Browser user agent strings
- Visitor identifiers (pseudonymous)
- Referrer URLs
5. Obligations of the Processor
hiroi shall:
5.1 Processing Instructions
- Process personal data only in accordance with the Controller's documented instructions
- Inform the Controller if an instruction infringes applicable data protection law
5.2 Confidentiality
- Ensure that persons authorized to process personal data are bound by confidentiality obligations
- Limit access to personal data to personnel who need it to provide the Service
5.3 Security
Implement appropriate technical and organizational measures, including:
- Encryption of personal data in transit (TLS 1.2+) and at rest
- Access controls and authentication mechanisms
- Regular security assessments
- Incident detection and response capabilities
See our Security Policy for detailed measures.
5.4 Sub-Processing
- Not engage a new sub-processor without prior notification to the Controller
- Maintain an up-to-date list of sub-processors on our Subprocessors page
- Ensure sub-processors are bound by equivalent data protection obligations
- Remain liable for sub-processor compliance
5.5 Data Subject Rights
- Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection)
- Provide necessary technical capabilities for data export and deletion
- Redirect data subject requests received directly to the Controller
5.6 Breach Notification
In the event of a personal data breach:
- Notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach
- Provide information about the nature of the breach, categories and number of data subjects affected, likely consequences, and measures taken
- Cooperate with the Controller's breach response obligations
- Document all breaches in the internal breach register
6. Obligations of the Controller
You shall:
- Provide lawful processing instructions
- Ensure a legal basis exists for the processing (e.g., consent, legitimate interest)
- Maintain appropriate privacy notices for your website visitors
- Respond to data subject requests directed to you as Controller
- Notify hiroi of any changes to processing instructions
7. Sub-Processors
7.1 Current Sub-Processors
See our Subprocessors page for the current list.
7.2 Changes to Sub-Processors
- We will notify you at least 30 days before engaging a new sub-processor
- Notification will be via email and/or through the Service
- You may object to a new sub-processor within 14 days of notification
- If an objection cannot be resolved, either party may terminate the affected processing
8. International Data Transfers
Where personal data is transferred outside the European Economic Area:
- Transfers are subject to appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or other approved mechanisms)
- We assess the data protection laws of recipient countries
- We implement supplementary measures where necessary
9. Audit Rights
9.1 Audit
The Controller may:
- Request information necessary to demonstrate compliance with this DPA
- Conduct or commission audits with reasonable advance notice (at least 30 days)
- Request and review hiroi's SOC 2 reports as evidence of compliance
9.2 Cooperation
hiroi shall:
- Make available information reasonably necessary to demonstrate compliance
- Allow and contribute to audits conducted by the Controller or an authorized auditor
- Provide SOC 2 reports upon request
10. Data Return and Deletion
10.1 During the Agreement
You may request data export at any time through the Service or by contacting us.
10.2 Upon Termination
Upon termination of the Service agreement:
- We will make your data available for export for 30 days
- After the 30-day period, all personal data will be permanently deleted
- We will certify deletion upon request
- Data in backup systems will be deleted within the backup rotation cycle
10.3 Exceptions
We may retain personal data where required by applicable law, but only to the extent and for the period required.
11. Liability
The liability provisions of the Terms of Service apply to this DPA.
12. Term
This DPA is effective for as long as hiroi processes personal data on behalf of the Controller. It survives termination of the Terms of Service to the extent necessary to govern post-termination data handling.
13. Contact
For DPA-related inquiries:
hiroi - Data Protection
Email: [email protected]