How to request the DPA
Email legal@withherald.co from the address on your Herald account. Use the subject line "DPA request." We will reply within one business day with a Mutual NDA and the Herald DPA template for your review. Once both parties have signed, we store the executed agreement and associate it with your account.
We do not require a DPA for customers on the Hobby tier. For Starter and Team customers, a DPA is available on request at no additional charge. For Scale customers, the DPA is typically included as part of the order form process.
What the DPA covers
- EU/UK GDPR. Herald acts as a data processor under Article 28 GDPR. The DPA sets out our obligations as processor: processing only on your documented instructions, binding our sub-processors to equivalent obligations, maintaining a record of processing activities, cooperating with supervisory authorities, implementing appropriate technical and organisational measures, and notifying you of any personal data breach without undue delay.
- EU Standard Contractual Clauses. For transfers of personal data from the European Economic Area or the United Kingdom to countries without an adequacy decision, the DPA incorporates the European Commission's Standard Contractual Clauses (Processor-to-Controller and, where applicable, Controller-to-Processor modules). These clauses are pre-signed on Herald's side.
- CCPA. Herald acts as a "service provider" under the California Consumer Privacy Act. The DPA confirms that Herald does not sell personal information, does not retain or use personal information for any purpose outside providing the Herald service, and does not disclose personal information to third parties except as permitted by the CCPA and the Terms.
- Sub-processor commitments. The DPA incorporates our public sub-processors list and commits to giving you 30 days' advance notice of material sub-processor additions. The DPA includes a mechanism for you to object to a new sub-processor.
- Security measures. The DPA describes the technical and organisational security measures Herald applies — tenant-isolated Durable Objects, encryption at rest and in transit, access controls, Sentry error monitoring with PII redaction, and the responsible-disclosure policy.
- Audit rights. For Scale customers, the DPA includes audit rights exercisable annually with 30 days' written notice, or immediately in the event of a confirmed security incident.
- Data subject requests. The DPA confirms Herald's obligations to assist you in fulfilling data subject rights requests (access, rectification, erasure, portability, restriction, and objection) within the timeframes required by applicable law.
What the DPA does not cover
The DPA governs Herald's processing of personal data on your behalf — it does not govern your processing of your customers' data in your own products. If you use Herald to understand user behavior in your SaaS, you remain the controller of your customers' data; Herald is your processor. Your obligations to your customers under applicable law remain your own.
Related documents
- Privacy Policy — how Herald handles data across the service
- Sub-processors — the full public list
- Terms & Conditions — the master service agreement
Contact
Herald
Legal: legal@withherald.co
Privacy: privacy@withherald.co