Data Processing Agreement
Last updated: July 2026 · GDPR Article 28
This Data Processing Agreement (“DPA”) forms part of the Terms & Conditions (the “Agreement”) between the customer (“Customer”) and NPE Holding B.V., trading as “HEA World”, a company established in the Netherlands (“HEA World”). It governs the processing of personal data by HEA World on behalf of the Customer in connection with the Service.
1. Roles of the parties
For personal data relating to the Customer’s own visitors, end-users, leads, and contacts that is processed through the Service, the Customer acts as the controller (or as a processor acting on behalf of its own controller) and HEA World acts as the processor. HEA World processes such personal data only on behalf of, and under the documented instructions of, the Customer. Where HEA World engages other suppliers, they act as sub-processors as described in Section 7 and Annex III.
HEA World remains an independent controller for limited data processed for its own purposes (for example account administration, billing, security, and service improvement), as described in the Privacy Policy. Such processing is outside the scope of this DPA.
2. Definitions
Terms such as “personal data”, “processing”, “controller”, “processor”, “sub-processor”, “data subject”, and “personal data breach” have the meanings given to them in the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). “Applicable Data Protection Law” means the GDPR and any other data protection law applicable to the processing.
3. Subject matter and details of processing
The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex I.
4. Processing on documented instructions
HEA World shall:
- process personal data only on the Customer’s documented instructions, including the Agreement, this DPA, and the Customer’s configuration and use of the Service, unless required to do so by applicable law (in which case HEA World shall inform the Customer, unless the law prohibits it);
- immediately inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law;
- not use personal data for its own purposes outside the scope of this DPA.
5. Confidentiality
HEA World ensures that persons authorized to process personal data are bound by an appropriate duty of confidentiality and process personal data only as necessary to provide the Service.
6. Security of processing
HEA World implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account Article 32 GDPR. A summary of these measures is set out in Annex II. HEA World may update its security measures over time provided the level of protection is not materially reduced.
7. Sub-processors
The Customer provides general authorization for HEA World to engage sub-processors to process personal data. The current list of sub-processors is maintained at Annex III — Sub-processors.
HEA World shall impose data protection obligations on each sub-processor that are substantially equivalent to those set out in this DPA, and remains responsible for the performance of its sub-processors’ obligations. HEA World shall inform the Customer of any intended addition or replacement of a sub-processor, giving the Customer a reasonable opportunity to object on reasonable data protection grounds. If an objection cannot be resolved, the Customer may terminate the affected part of the Service as its exclusive remedy.
8. Assistance with data subject rights
Taking into account the nature of the processing, HEA World shall assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, and objection). Where a data subject contacts HEA World directly, HEA World shall, where it can identify the relevant Customer, forward the request to that Customer.
9. Personal data breach
HEA World shall notify the Customer without undue delay after becoming aware of a personal data breach affecting the Customer’s personal data, and shall provide the Customer with information reasonably required to meet the Customer’s obligations under Articles 33 and 34 GDPR, including the nature of the breach, likely consequences, and measures taken or proposed.
10. Data protection impact assessments
HEA World shall provide reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities under Articles 35 and 36 GDPR, taking into account the nature of the processing and the information available to HEA World.
11. International transfers
Where HEA World or a sub-processor transfers personal data outside the European Economic Area, the transfer shall be subject to appropriate safeguards under Chapter V GDPR, principally the European Commission’s Standard Contractual Clauses or an applicable adequacy decision, together with supplementary measures where required. Details of sub-processor locations are set out in Annex III.
12. Deletion and return of personal data
Upon termination or expiry of the Service, HEA World shall, at the Customer’s choice, delete or return the personal data processed on the Customer’s behalf and delete existing copies, unless applicable law requires continued storage. Deletion follows the timelines and retention rules described in the Privacy Policy. Minimal operational logs and backups may persist for a limited period until their scheduled expiry.
13. Audits and information
HEA World shall make available to the Customer information reasonably necessary to demonstrate compliance with Article 28 GDPR, and shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer. Audits shall be subject to reasonable notice, confidentiality, frequency, and scope limitations, and may be satisfied where appropriate through third-party certifications, reports, or documentation provided by HEA World.
14. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
15. Term and termination
This DPA takes effect on the date the Customer accepts the Agreement (or accepts this DPA, if later) and remains in force for as long as HEA World processes personal data on behalf of the Customer under the Agreement.
16. Governing law and order of precedence
This DPA is governed by the laws of the Netherlands. In the event of a conflict between this DPA and the Agreement in respect of the processing of personal data, this DPA prevails. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.
Annex I — Description of the processing
A. Parties
Controller / data exporter: the Customer, as identified in its HEA World account.
Processor / data importer: NPE Holding B.V. (HEA World), the Netherlands.
B. Description
| Subject matter | Provision of the HEA World Service (AI-assisted agents, chat, CRM, and related features). |
|---|---|
| Duration | For the term of the Agreement and until deletion/return under Section 12. |
| Nature and purpose | Hosting, storage, transmission, AI inference, retrieval, indexing, encryption, and display of personal data to operate the Customer’s HEAs and related features. |
| Types of personal data | Identifiers and contact data (names, email addresses, phone numbers); visitor and conversation content; pseudonymous visitor identifiers and session data; IP addresses and device/log metadata; CRM contact and lead data; and any personal data contained in User Content the Customer uploads or connects. |
| Special categories | Not intended. The Customer should not submit special-category data unless expressly agreed and lawfully justified. |
| Categories of data subjects | The Customer’s website visitors, prospects, leads, customers, contacts, and the Customer’s own authorized users. |
| Frequency | Continuous, for the duration of the Service. |
C. Competent supervisory authority
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens), unless another supervisory authority is competent for the Customer.
Annex II — Technical and organizational measures
HEA World maintains, at minimum, the following measures (subject to ongoing improvement):
- Encryption of data in transit (TLS) and at rest for private content, including AES-256-GCM for sensitive stored objects and tokens.
- Strict separation between private and public data boundaries in storage.
- Authentication and access control with multi-factor authentication for administrative access, and least-privilege access to production systems.
- Per-customer and per-HEA isolation of stored data (scoped storage keys and encrypted OAuth tokens).
- Logging, monitoring, and alerting with structured error metadata for observability.
- Build-time and deploy-time guardrails, security-header controls, and change-management gates.
- Backups and documented recovery/repair procedures.
- Governed AI skills with bounded state and human-oversight capabilities.
- Vendor/sub-processor management and periodic review.
A fuller description is available on request and, where published, on the HEA World trust page.
Annex III — Sub-processors
The current list of sub-processors is maintained at /legal/subprocessors.html and forms part of this DPA.
Contact
Data protection enquiries: privacy@hea-world.com.
Language versions
This DPA may be provided in multiple languages. In the event of any inconsistency, the English version prevails and is legally binding.
See also: Sub-processors · Privacy Policy · Terms & Conditions
HEA World