1. Parties and roles
Controller: you (or the legal entity you represent), the HermesRecall subscriber. Processor: the HermesRecall team.
HermesRecall processes personal data on your instructions for the sole purpose of providing the service defined in our Terms of Service.
2. Scope of processing
Categories of data: messages sent through Telegram/WhatsApp/chat, memory facts extracted by the agent, uploaded files, account identifiers (email, plan).
Categories of data subjects: you, the people you mention in your conversations, any correspondents of your agent.
Purpose: operating a persistent-memory AI agent on your behalf. Nothing else.
3. Subprocessors
We use the following subprocessors under appropriate contractual guarantees:
• Cloud infrastructure provider — agent hosting.
• Frontend hosting provider — web delivery.
• Stripe — payment processing.
• AI model providers (Anthropic / OpenAI / Google / etc.) — token inference for your agent's responses.
We notify you 30 days before adding a new subprocessor. You can object by cancelling your subscription at no penalty.
4. Security
Data in transit: TLS 1.3. Data at rest: AES-256-GCM. API keys: encrypted with a separate KMS-managed key. Access logs retained for audit. Production access limited to two engineers, audited quarterly.
5. International transfers
Cross-border data transfers between our subprocessors are covered by appropriate contractual safeguards and technical measures (encryption in transit and at rest, pseudonymisation where applicable).
6. Data subject rights
If a data subject (you or anyone you've added to your memory) exercises their rights — access, rectification, erasure, portability — we will assist you in responding within the applicable statutory time limits, at no additional cost.
7. Data breaches
In the unlikely event of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours, with whatever information is known at that time. We'll update you as the investigation progresses.
8. Audits
You may audit our compliance with this DPA once per year, with 30 days' notice, by reviewing our most recent SOC 2 Type II report or equivalent certification. On-site audits are available on request for enterprise contracts.
9. End of processing
On termination, we delete all your data within 30 days, except where law requires longer retention (invoices: 10 years). Written confirmation of deletion is available on request.
10. Contact
Data Protection Officer: dpo@hermesrecall.com. Subscribers may also contact their local data protection authority.
Questions? Write to legal@hermesrecall.com. We answer within 5 business days.