Data Processing Agreement
Effective date: April 26, 2026 · Last updated: April 26, 2026
This Data Processing Agreement ("DPA") supplements the Privacy Policy and forms part of your agreement with Hermiis ("Data Processor") when you use the Service as a business customer ("Data Controller").
1. Definitions
- Data Controller: the organization or individual that determines the purposes and means of processing personal data (you, the customer).
- Data Processor: Hermiis / aomega.co, which processes personal data on behalf of the Data Controller.
- Personal Data: any information relating to an identified or identifiable natural person processed through the Service.
- Processing: any operation performed on personal data, including collection, storage, use, and deletion.
- Applicable Law: the GDPR (Regulation (EU) 2016/679), the UK GDPR, the CCPA/CPRA, and any other data protection legislation that applies to the processing.
2. Scope and purpose of processing
Hermiis processes personal data solely to provide the Service described in the Privacy Policy. The categories of personal data processed are:
| Category | Examples | Retention |
|---|---|---|
| Identifiers | Name, email address, avatar | Until account deletion |
| Workspace content | Tasks, comments, documents, file attachments | Until deletion, plus up to 30 days in encrypted backups (see §5) |
| Usage & technical | IP address, browser, timestamps, logs | 90 days |
| AI embeddings | Vector representations of workspace content | Until the workspace content they were derived from is deleted |
3. Processor obligations
Hermiis agrees to:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or international organization.
- Ensure that persons authorized to process personal data have committed to confidentiality.
- Implement appropriate technical and organizational security measures (see §5).
- Not engage sub-processors without the Controller's prior specific or general written authorization, and ensure that every sub-processor is bound by data protection obligations equivalent to those in this DPA (see §6).
- Assist the Controller in fulfilling data subject rights requests within 30 days.
- Assist the Controller in conducting Data Protection Impact Assessments (DPIAs) where required.
- Delete or return all personal data upon termination of the agreement, at the Controller's choice, within 30 days.
- Make available all information necessary to demonstrate compliance and allow audits upon reasonable notice.
4. Controller obligations
The Controller agrees to:
- Ensure there is a legal basis for processing personal data before sharing it with Hermiis.
- Provide all necessary notices and obtain all required consents from data subjects.
- Only instruct Hermiis to process data in ways that comply with Applicable Law.
- Ensure that data subjects are informed of their rights as set out in the Privacy Policy.
5. Security measures
Hermiis implements the following technical and organizational measures:
- Encryption in transit: all data is transmitted over TLS 1.2+.
- Encryption at rest: database volumes are encrypted at the infrastructure level.
- Authentication: bcrypt password hashing; session tokens are rotated on login.
- Access control: workspace-scoped data isolation; role-based access (owner, admin, member).
- Backups: daily encrypted database backups with 30-day retention.
- Incident response: Hermiis will notify the Controller without undue delay, and where feasible within 72 hours of becoming aware, of any personal data breach affecting the Controller's personal data, so that the Controller can meet its own notification obligations under Applicable Law.
6. Sub-processors
The Controller grants general authorization to use the following sub-processors:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Anthropic PBC | Claude AI models (task generation, search, review) | United States | SCCs / DPA |
| GitHub, Inc. (Microsoft) | Repository integration | United States | SCCs / DPA |
SCCs = Standard Contractual Clauses. We will notify you of any intended changes to sub-processors with at least 14 days' notice so you may object.
7. International data transfers
Where personal data is transferred outside the EEA or the UK, Hermiis relies on the EU Standard Contractual Clauses (Module Two, controller-to-processor, or Module Three, processor-to-processor, as applicable) or other recognized transfer mechanisms. Copies of the applicable SCCs are available upon request.
8. Audit rights
The Controller may, upon 30 days' written notice and at its own expense, audit Hermiis's processing activities relevant to this DPA no more than once per calendar year. Hermiis may satisfy audit requests by providing relevant certifications or third-party audit reports where available.
9. Termination and deletion
Upon termination of the agreement or upon written request, Hermiis will delete or return all personal data within 30 days, including destroying copies held in backup systems within the normal backup rotation cycle (30 days, see §5). Hermiis will provide written confirmation of deletion upon request.
10. Governing law
This DPA is governed by the laws of the State of Texas, United States, without regard to conflict of law principles, except to the extent that GDPR or other mandatory data protection law applies.
11. Contact
For data protection inquiries or to execute a signed copy of this DPA, contact:
aomega.co — Data Protection
Austin, Texas, USA
privacy@hermiis.com