DMHub

Last updated: May 2026

Data Processing Addendum

Effective May 2026

This Data Processing Addendum (“DPA”) is entered into between DMHub Inc. (“DMHub”, “Processor”) and the customer who agrees to it (“Customer”, “Controller”). It supplements and is incorporated into the DMHub Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to data protection.

This DPA reflects the requirements of the EU General Data Protection Regulation (GDPR 2016/679), the UK GDPR, and other applicable data protection laws. It is designed to be signed by reference — by accepting the Terms of Service, Customer agrees to this DPA. Customers requiring a countersigned copy for enterprise procurement should contact privacy@dmhub.ai.

1. Definitions

  • Controller means the Customer who determines the purposes and means of processing Customer Data.
  • Processor means DMHub, who processes Customer Data on behalf of the Controller.
  • Customer Data means all personal data that Customer submits to, or that is generated within, the Service on Customer’s behalf, including contact records, conversation history, and message content.
  • Data Subject means any identified or identifiable natural person to whom Customer Data relates.
  • Processing means any operation performed on Customer Data, including storage, retrieval, use, disclosure, and deletion.
  • SCCs means the Standard Contractual Clauses adopted by the European Commission Decision 2021/914 (Controller-to-Processor module).
  • Sub-Processor means any third party engaged by DMHub to process Customer Data.

2. Roles

Customer is the Controller and DMHub is the Processor with respect to Customer Data. DMHub acts only on Customer’s documented instructions when processing Customer Data, unless required by law to process it otherwise. In that case, DMHub will notify Customer before processing unless prohibited by law.

Where DMHub processes its own customer records (billing contacts, account holders) for its own business purposes, DMHub acts as Controller for that data, and that processing is described in the Privacy Policy.

3. Scope of Processing

DMHub processes Customer Data for the following purposes: operating and delivering the Service; providing customer support; generating analytics and reports made available to Customer; and complying with legal obligations. The categories of personal data processed include names, phone numbers, email addresses, message content, and any other data Customer inputs.

The duration of processing matches the duration of the Terms of Service plus any post-termination retention period required by law or agreed in the Terms of Service.

4. Processing Customer Data

DMHub will process Customer Data only on Customer’s documented instructions, which include the instructions in the Terms of Service, this DPA, and any configuration Customer applies within the Service (such as automation rules or AI agent settings).

DMHub personnel who access Customer Data are bound by confidentiality obligations. DMHub will promptly notify Customer if it becomes aware of a breach of security affecting Customer Data (a “Personal Data Breach”), and will provide reasonable assistance to Customer in meeting Customer’s own notification obligations under applicable law.

5. Security Measures

DMHub implements and maintains appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Integration credentials stored encrypted using AES-256-GCM
  • Access controls limiting personnel access to Customer Data to those with a business need
  • Regular security reviews and penetration testing
  • Automated vulnerability scanning of dependencies
  • Incident response procedures with defined escalation paths
  • Daily automated backups with point-in-time recovery

DMHub will ensure that any personnel authorized to process Customer Data are subject to appropriate confidentiality obligations.

6. Sub-Processors

Customer provides general authorization for DMHub to engage the following sub-processors. DMHub will enter into written agreements with each sub-processor imposing data protection obligations no less protective than those in this DPA.

  • Neon — database hosting (United States)
  • Vercel — application hosting and edge functions (United States / Global)
  • Stripe — payment processing (United States)
  • Twilio — SMS and WhatsApp message routing (United States)
  • Meta Platforms — WhatsApp Cloud API message delivery (United States)
  • Resend — transactional email delivery (United States)
  • Cloudflare — CDN, R2 file storage (United States / Global)
  • PostHog — product analytics (United States / EU)
  • Sentry — error monitoring (United States)
  • Pusher — real-time WebSocket events (United States / EU)
  • Inngest — background job processing (United States)
  • Loops — marketing email sequences (United States)

DMHub will notify Customer of any intended changes to sub-processors at least 14 days before the change takes effect by email or notice in the platform. Customer may object to a new sub-processor by written notice within 14 days; if no resolution is reached, Customer may terminate the Service without penalty.

7. Data Subject Requests

If DMHub receives a request directly from a Data Subject exercising their rights (access, erasure, portability, etc.) regarding Customer Data, DMHub will redirect the request to Customer and not fulfill it directly, unless instructed to do so by Customer or required by law.

DMHub will provide Customer with technical means (API endpoints, account settings) to respond to Data Subject requests for Customer Data. DMHub will make reasonable assistance available to Customer at Customer’s request to help fulfill such requests, where DMHub has the technical capability to do so.

8. Audits

DMHub will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. Customer may conduct an audit of DMHub’s data protection practices at most once per year, with 30 days’ advance written notice, at Customer’s expense. Audits must be conducted during normal business hours and must not unreasonably disrupt DMHub’s operations.

In practice, most audit requests can be satisfied by reviewing this DPA, DMHub’s security documentation, and any applicable third-party certifications or reports that DMHub makes available.

9. International Transfers

Where Customer Data is transferred from the EEA, UK, or Switzerland to a country that the European Commission has not recognized as providing an adequate level of protection, DMHub relies on Standard Contractual Clauses (SCCs) — specifically the Controller-to-Processor module of Commission Decision 2021/914. By accepting this DPA, Customer and DMHub agree that the SCCs are incorporated herein and form part of this agreement.

Where DMHub or its sub-processors participate in the EU-US Data Privacy Framework (DPF) or the UK Extension thereof, that Framework may serve as an additional transfer mechanism. DMHub’s current transfer mechanisms are described in the Privacy Policy.

10. Termination

This DPA terminates when the Terms of Service terminate. On termination, DMHub will, at Customer’s choice, return or delete Customer Data within 90 days. DMHub may retain Customer Data after that period only where required by applicable law, and only for the duration and to the extent required.

11. Liability

Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service, except to the extent that applicable data protection law requires otherwise (for example, GDPR Art. 82, which permits data subjects to claim compensation directly from processors).

12. Incorporation by Reference

This DPA is incorporated into and forms part of the DMHub Terms of Service. Customers who have executed a separate Master Services Agreement (MSA) with DMHub should reference the DPA addendum in that MSA. For enterprise customers requiring a separately signed DPA, contact privacy@dmhub.ai.

Questions about this document? privacy@dmhub.ai
