Data Processing Agreement (DPA)

Effective Date: March 30, 2026

1. DEFINITIONS

For purposes of this DPA, the following terms have the meanings set forth below:

Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor

The natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller (HeyDrop in this Agreement).

Data Subject

Any individual to whom personal data relates.

Personal Data

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, erasure or destruction.

Sub-processor

A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Processor.

Supervisory Authority

An independent public authority established by a Member State to be responsible for monitoring the application of GDPR.

GDPR

The General Data Protection Regulation (EU 2016/679).

SCCs

Standard Contractual Clauses as approved by the European Commission for international data transfers.

Data Privacy Framework (DPF)

The EU-U.S. Data Privacy Framework enabling adequate protection for personal data transferred from the EU to the United States.

2. SCOPE AND ROLES

HeyDrop P.S.A. acts as the Processor under this DPA. The Customer acts as the Controller.

The Processor shall process personal data only on documented instructions from the Controller, including regard to international transfers of data, unless required to do so by Union or Member State law.

This DPA applies to all processing activities performed by HeyDrop in connection with the provision of its digital business card and networking platform services, including but not limited to HeyDrop Teams, HeyDrop Pro, and related features.

3. PROCESSING DETAILS

Subject Matter

Provision of digital business card and networking platform services.

Duration of Processing

For the duration of the service agreement between Customer and HeyDrop, and for any additional period as required by applicable law or the service agreement.

Nature and Purpose of Processing

Storage and secure management of digital business card data
Display and distribution of business card information to authorized contacts
Contact management, team administration, and collaboration features
AI-powered business card scanning and data extraction
Usage analytics and performance monitoring
Backup and disaster recovery

Categories of Data Subjects

Customer's employees and team members
Business contacts and associates of the Customer
Individuals whose contact information is imported or shared within the platform

Types of Personal Data

Name, email address, phone number
Job title, company name, department
Profile photo and bio
Social media links and URLs
Business card scan data and extracted information
Usage analytics and interaction patterns
IP addresses and device identifiers
Billing and subscription information

4. OBLIGATIONS OF THE PROCESSOR

4.1 Instruction Limitation

The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law.

4.2 Confidentiality

The Processor shall ensure that any persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate legal obligation of confidentiality. All HeyDrop personnel are bound by non-disclosure agreements (NDAs) that include confidentiality obligations with respect to personal data.

4.3 Security and Technical Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include:

Encryption of data at rest using AES-256 via AWS Key Management Service (KMS)
Encryption in transit using TLS 1.2 or higher
Role-based access control (RBAC) and AWS Identity & Access Management (IAM)
Authentication via AWS Cognito with multi-factor authentication (MFA) support
Continuous monitoring and logging via CloudWatch, X-Ray, and CloudTrail
Regular security audits and penetration testing
Automated backup and disaster recovery with point-in-time recovery (PITR)
Data isolation and tenant segregation

4.4 Sub-processors

The Processor shall not engage sub-processors without prior general written authorization from the Controller. The Controller grants general authorization for the sub-processors listed at heydrop.app/security/subprocessors. The Processor shall provide the Controller with details of any changes concerning the addition or replacement of sub-processors. The Controller shall have the right to object to any new sub-processor within 14 days of notification. If the Controller objects, the Processor shall use reasonable efforts to resolve the objection. If the Processor cannot resolve the objection, the Customer may terminate the affected part of the service without penalty.

4.5 Data Subject Rights

The Processor shall, taking into account the nature of processing, assist the Controller by implementing appropriate technical and organizational measures, so far as is possible, in fulfilling the Controller's obligation to respond to data subject requests, including requests for:

Access to personal data (GDPR Article 15)
Rectification of inaccurate data (GDPR Article 16)
Erasure or restriction of processing (GDPR Articles 17-18)
Portability of personal data (GDPR Article 20)

4.6 Assistance with Data Protection Obligations

The Processor shall assist the Controller in fulfilling its obligations under GDPR, including:

Conducting Data Protection Impact Assessments (DPIAs) when required
Prior consultation with the Supervisory Authority (where required)
Implementation and maintenance of security measures
Cooperation with data protection audits and inspections

4.7 Data Deletion and Return

The Processor shall, at the Controller's choice, delete or return all personal data after the end of the provision of services relating to processing. This shall apply to all copies unless Union or Member State law requires storage of the personal data. The Processor shall complete deletion or return within 30 days of service termination, and shall provide written certification of deletion upon request.

4.8 Audit and Inspection

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and GDPR Article 28, and shall allow for and contribute to audits and inspections by the Controller or an auditor mandated by the Controller.

5. SUB-PROCESSORS

HeyDrop uses third-party sub-processors to provide certain services. A complete and current list of sub-processors is maintained at:

heydrop.app/security/subprocessors

The Controller grants general authorization for the sub-processors listed on that page. HeyDrop shall notify the Controller of any addition or replacement of sub-processors with at least 30 days advance notice. The Controller may object to new sub-processors by contacting [email protected] within 14 days of notification.

6. INTERNATIONAL DATA TRANSFERS

6.1 Transfer Mechanism

Personal data is processed and stored on servers operated by Amazon Web Services (AWS) located in the United States (us-east-1 region). International transfers of personal data are governed by:

EU-U.S. Data Privacy Framework (DPF): Where applicable and recognized as providing adequate protection
Standard Contractual Clauses (SCCs): As approved by the European Commission (Commission Implementing Decision 2021/914/EU) as a supplementary safeguard

6.2 Adequacy Decisions

AWS is certified under the EU-U.S. Data Privacy Framework and commits to the framework principles.

6.3 Supplementary Measures

In addition to DPF and SCCs, HeyDrop implements supplementary technical and organizational measures to protect data in transit and at rest:

End-to-end encryption (AES-256 KMS at rest, TLS 1.2+ in transit)
Access controls and authentication mechanisms
Audit logging and monitoring
Data minimization practices
Regular security assessments

6.4 Onward Transfers

HeyDrop shall not transfer personal data to any third country or international organization unless explicitly authorized by the Controller or required by law. All sub-processors must commit to equivalent levels of protection.

7. SECURITY MEASURES

HeyDrop implements and maintains the following security measures:

Encryption

At Rest: AES-256 encryption via AWS Key Management Service (KMS)
In Transit: TLS 1.2 or higher for all data transmission

Access Control

AWS Identity and Access Management (IAM) with principle of least privilege
Amazon Cognito for authentication and authorization
Role-based access control (RBAC) within the application
Multi-factor authentication (MFA) support

Monitoring and Logging

Amazon CloudWatch for infrastructure monitoring
AWS X-Ray for request tracing and debugging
AWS CloudTrail for audit logging of API calls
Application-level logging and alerting

Backup and Recovery

DynamoDB point-in-time recovery (PITR) for continuous backup
Automated snapshot management
Documented disaster recovery procedures
Regular recovery drills and testing

Additional Measures

Regular security assessments and penetration testing
Vulnerability scanning and patch management
Network segmentation and firewalls
DDoS mitigation via AWS Shield Standard

8. DATA BREACH NOTIFICATION

In the event of a confirmed or suspected personal data breach, the Processor shall notify the Controller without undue delay and in no case later than 48 hours of becoming aware of the breach. The notification shall include:

Nature and scope of the personal data breach
Categories of data subjects affected
Approximate number of data subjects involved
Likely consequences and risks to the data subjects
Measures taken or proposed to address the breach and mitigate harm
Contact point for further information

The Processor shall cooperate fully with the Controller's breach notification and investigation obligations under GDPR Articles 33-34.

9. TERM AND TERMINATION

9.1 Effective Date

This DPA is effective as of the date first written above and shall remain in effect for the duration of the service agreement between the Parties.

9.2 Termination

This DPA shall terminate automatically upon termination or expiration of the underlying service agreement. Upon termination, the Processor shall comply with Section 4.7 regarding deletion or return of personal data.

9.3 Data Deletion Timeline

All personal data shall be securely deleted or returned within 30 days of service termination, unless applicable law requires extended retention. The Processor shall provide written certification of deletion upon request.

10. LIABILITY

Liability with respect to processing of personal data shall be governed by the terms and conditions set forth in the Master Service Agreement or Terms of Service between the Parties. Nothing in this DPA limits or excludes either Party's liability for breaches of this DPA or GDPR.

11. GOVERNING LAW AND JURISDICTION

This DPA shall be governed by and construed in accordance with the laws of the Republic of Poland, without regard to its conflict of law principles. Each Party irrevocably submits to the exclusive jurisdiction of the courts of Kraków, Poland for resolution of any disputes arising out of or relating to this DPA.

EXECUTION: This DPA is incorporated by reference into and forms an integral part of the service agreement between Customer and HeyDrop. To execute this DPA, please send a signed copy to [email protected] or contact your HeyDrop account manager.

Questions about this DPA?

Contact our Data Protection Officer or Privacy Team:

Email: [email protected]
DPO: [email protected]

Send us a message