Data processing agreement
How Hebno processes personal data on your behalf as a processor under GDPR.
Last updated 30 May 2026
Draft for review; not legal advice. This page summarises our standard B2B processing terms. Enterprise customers may request a signed version with custom annexes.
1. Parties and roles
This data processing agreement ("DPA") forms part of the agreement between Hebno("Hebno", "Processor") and the subscribing entity ("Customer", "Controller").
- Controller- Customer determines why and how personal data of its users and, where applicable, its own clients' personnel is processed in the Service.
- Processor - Hebno processes that data on documented instructions to run the platform.
Where Hebno acts as controller (account billing, website), the privacy policy applies.
2. Subject matter, duration, and nature
Processor provides the Hebno AI control platform for the term of the main agreement: unified model access with direct provider API connections, spend and budget controls, role-based access, audit logging, and EU-hosted infrastructure.
Processing includes collection, storage, organisation, retrieval, transmission, restriction, and deletion of Customer Personal Data as needed to perform the Service. Processor will not use Customer Personal Data to train AI models.
3. Categories of data subjects and data
Data subjects
Customer's employees, contractors, and authorised users; and, where Customer submits such data, individuals related to Customer's clients (for example agency or firm matters).
Categories of personal data
- Identification and contact data (name, email, role).
- Account, authentication, and organisation membership data.
- Prompts, attachments, and model outputs submitted through the Service.
- Usage metadata, token counts, cost records, and budget assignments.
- Audit, security, and support logs.
- Encrypted provider API keys Customer supplies for direct inference.
Customer is responsible for lawful basis, transparency to data subjects, and accuracy of instructions.
4. Customer instructions
Processor processes Customer Personal Data only on documented instructions: configuration of the Service, these Terms, this DPA, and order forms - unless EU or member state law requires processing and prohibits notice.
Instructions include enabling specific models, assigning roles and budgets, and choosing whether to use Customer's own provider API keys or Hebno-facilitated billing at cost.
5. Direct model provider connections
When Customer enables a model, Processor transmits prompts and receives responses through a direct API connection to that provider. Each enabled provider is a separate subprocessor. Data is not commingled across providers except as required to deliver the feature Customer selected.
If Customer supplies its own API keys, Customer remains responsible for its agreement with that provider; Processor processes data only to route requests and log usage as configured.
6. Confidentiality and personnel
Processor ensures persons authorised to process Customer Personal Data are bound by confidentiality and are trained on data protection and security appropriate to their role.
7. Security measures (Annex II summary)
Processor maintains measures appropriate to risk, including:
- EU data residency for platform hosting and primary storage.
- Prohibition on training on Customer Personal Data.
- AES-256 encryption at rest; TLS 1.2 or higher in transit.
- Role-based access control and audit logs.
- Encryption of Customer API keys at rest.
- Incident response and periodic access review.
8. Subprocessors (Annex III)
Customer grants general authorisation for subprocessors below. Processor will inform Customer of intended additions or replacements at least 30 days in advance via email to the administrator on file or notice in the product, allowing objection on reasonable grounds relating to data protection. If parties cannot resolve an objection, Customer may terminate the affected Service without penalty for that component.
Platform infrastructure
These providers host and operate the Hebno application. They do not receive your prompts unless necessary for delivery of the platform itself (for example encrypted storage or logs).
AI model providers (direct connection)
When you enable a model, inference requests are sent directly to that provider's API. Each enabled provider is a separate subprocessor and only receives data for the models you have turned on.
Processor remains liable to Customer for subprocessor performance as required by applicable law.
9. International transfers
Platform data is hosted in the EU. Model providers may process outside the EEA when Customer enables them. Processor will ensure appropriate safeguards (including EU standard contractual clauses) for transfers Processor arranges, and will make information available for transfer impact assessments on reasonable request.
10. Data subject rights
Processor will assist Customer, considering the nature of processing and information available, in responding to data subject requests under applicable law. Customer should use in-product tools where available before requesting assistance.
11. Personal data breaches
Processor will notify Customer without undue delay after confirming a personal data breach affecting Customer Personal Data, and within 72 hours where feasible, with information to help Customer meet regulatory obligations. Processor will cooperate on mitigation and documentation.
12. Deletion and return
On termination, Customer may export data using product features. Processor will delete Customer Personal Data within 30 days unless law requires retention or Customer requests earlier deletion subject to technical limits. Backup copies may persist for up to 90 days before overwrite.
13. Audits and information
Processor will make available information reasonably necessary to demonstrate compliance. Customer may audit no more than once per twelve months on 30 days' notice, during business hours, subject to confidentiality and minimal disruption, or accept third-party audit reports where available.
14. Impact assessments and prior consultation
Processor will provide reasonable assistance with data protection impact assessments and prior consultation with supervisory authorities where required, at Customer's expense for disproportionate effort.
15. Signed DPA and contact
Acceptance of the terms of service incorporates this DPA for business use. Signed versions or custom annexes: privacy@hebno.com.
16. Order of precedence
A signed DPA or order form prevails over this online summary for that Customer. Otherwise, on data protection matters this DPA prevails over conflicting Terms provisions.