1. Parties and roles
Controller: you (or the legal entity you represent), the HermesRecall subscriber. Processor: HermesRecall SAS, 32 rue Moni, 33000 Bordeaux, France.
HermesRecall processes personal data on your instructions for the sole purpose of providing the service defined in our Terms of Service.
2. Scope of processing
Categories of data: messages sent through Telegram/WhatsApp/chat, memory facts extracted by the agent, uploaded files, account identifiers (email, plan).
Categories of data subjects: you, the people you mention in your conversations, any correspondents of your agent.
Purpose: operating a persistent-memory AI agent on your behalf. Nothing else.
3. Subprocessors
We use the following subprocessors under appropriate contractual guarantees:
• Hetzner Cloud (Germany) — infrastructure hosting.
• Vercel (USA, EU region) — frontend hosting. Standard Contractual Clauses in place.
• Stripe Payments Europe (Ireland) — payment processing.
• Your chosen AI provider (Anthropic / OpenAI / Google / etc.) — token inference. You grant the AI provider access through your own API key; we merely route requests.
We notify you 30 days before adding a new subprocessor. You can object by cancelling your subscription at no penalty.
4. Security
Data in transit: TLS 1.3. Data at rest: AES-256-GCM. API keys: encrypted with a separate KMS-managed key. Access logs retained for audit. Production access limited to two engineers, audited quarterly.
5. International transfers
Primary processing occurs in the EU (Germany). Any transfer outside the EEA (e.g., to Vercel's US edge) is covered by Standard Contractual Clauses and additional technical measures (encryption, pseudonymisation where applicable).
6. Data subject rights
If a data subject (you or anyone you've added to your memory) exercises their rights under GDPR — access, rectification, erasure, portability — we will assist you in responding within the statutory time limits, at no additional cost.
7. Data breaches
In the unlikely event of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours, with whatever information is known at that time. We'll update you as the investigation progresses.
8. Audits
You may audit our compliance with this DPA once per year, with 30 days' notice, by reviewing our most recent SOC 2 Type II report or equivalent certification. On-site audits are available on request for enterprise contracts.
9. End of processing
On termination, we delete all your data within 30 days, except where law requires longer retention (invoices: 10 years). Written confirmation of deletion is available on request.
10. Contact
Data Protection Officer: dpo@hermesrecall.com. Supervisory authority: CNIL (France), 3 place de Fontenoy, 75007 Paris.
Questions? Write to legal@hermesrecall.com. We answer within 5 business days.