Updated June 2026

Data Processing Agreement

This Data Processing Agreement (the “DPA”) applies where you act as a data controller and HumanOps B.V. (“we”, “us”) acts as your processor under Article 28 of the GDPR. It covers personal data of other people that you choose to enter into your persistent memory or expose through connected services (the “Customer Personal Data”). It forms part of, and is incorporated into, the Terms of Service.

For personal data we process as our own controller (for example your account and payment data), the Privacy Policy applies instead of this DPA.

1. Roles

1.1. You are the controller of the Customer Personal Data. We are your processor and process it only on your documented instructions, which include your use of the Service’s features and these legal terms.

1.2. You are responsible for having a lawful basis for the Customer Personal Data, for the lawfulness of your instructions, and for your own controller obligations toward the people the data is about.

2. Subject matter, duration, nature, and purpose

2.1. Subject matter and duration: processing for the duration of your subscription and until deletion or return under Section 9.

2.2. Nature and purpose: to operate the Service — storing your memory, generating responses, and carrying out tasks and actions you instruct or approve.

2.3. Types of personal data: as determined by you, this may include contact details, communications content, and other information you choose to store.

2.4. Categories of data subjects: as determined by you, for example your clients, contacts, or colleagues.

3. Our obligations

We will:

  • process Customer Personal Data only on your documented instructions, including for transfers, unless required by EU or member-state law (in which case we will inform you, unless that law prohibits it);
  • ensure that persons authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational measures (Section 4);
  • respect the sub-processor rules (Section 5);
  • assist you, taking account of the nature of processing, with data-subject requests (Section 6) and with your obligations under Articles 32–36 GDPR (security, breach notification, impact assessments);
  • at your choice, delete or return the data at the end of the service (Section 9);
  • make available the information needed to demonstrate compliance and allow for and contribute to audits as set out in Section 7.

4. Security measures

We implement appropriate technical and organisational measures, including: access controls and authentication; encryption of personal data in transit and at rest; EU-based hosting of your account data and memory; logical separation of customer data; an action/audit log; and processes to restore availability after an incident. We review these measures and may update them, provided the level of protection is not reduced.

5. Sub-processors

5.1. You give general authorisation for us to engage sub-processors to provide the Service. Our current sub-processors are listed in the Sub-processor List, with their role and location.

5.2. We impose data-protection obligations on each sub-processor that are no less protective than this DPA, and we remain responsible for their performance.

5.3. We will inform you of intended changes to sub-processors (by updating the Sub-processor List and, where you ask, by notice), giving you a chance to object on reasonable data-protection grounds.

6. Assistance with data-subject rights

Taking account of the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, rectification, erasure, restriction, portability, objection). Where a data subject contacts us directly about Customer Personal Data, we will refer them to you, unless the law requires otherwise.

7. Audits

We will make available the information reasonably necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits take place on reasonable prior notice, no more than once a year except where required by a supervisory authority or following a personal-data breach, during business hours, and without unreasonable disruption to the Service.

8. International transfers

Where providing the Service involves a transfer of Customer Personal Data outside the EEA (for example AI inference or the WhatsApp channel), we rely on a lawful transfer mechanism under Chapter V GDPR (an adequacy decision or Standard Contractual Clauses, with supplementary measures where appropriate). The Sub-processor List states the location and transfer basis for each sub-processor.

9. Deletion or return

On termination of the Service, at your choice and on request, we will delete or return the Customer Personal Data and delete existing copies, unless EU or member-state law requires us to keep it. You may request an export before access ends; your server and your data stay yours.

10. Breach notification

We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and will provide the information you reasonably need to meet your own notification obligations.

11. Liability and precedence

Liability under this DPA is subject to the limitations in the Terms of Service, to the extent permitted by law. If there is a conflict between this DPA and the rest of the Terms on the processing of Customer Personal Data, this DPA prevails.

12. Contact

HumanOps B.V., Amsterdam, 1091EE, Netherlands. Email: hello@intakto.eu. KvK number: [KvK number - to be added]. VAT/BTW number: [BTW number - to be added].

This document is provided for information and is not legal advice.