This Data Processing Agreement (“DPA”) forms part of the agreement between Heimdell Tech Ai Ltd (“Heimdell”, “Processor”) and each client company using the platform (“Client”, “Controller”), and applies whenever Heimdell processes personal data on the Client’s behalf.
1. Roles
The Client is the data controller for the personal data of the customers it submits to Heimdell for verification. Heimdell is the data processor, acting only on the Client’s documented instructions (which include the ordinary operation of the platform as described in our How It Works page).
2. Subject matter, duration, and purpose
Heimdell processes personal data for the purpose of generating verified consent evidence for sales the Client submits — sending verification links or phone calls, recording the customer’s confirmation or decline, and producing a tamper-evident certificate. Processing continues for as long as the Client’s account is active, plus a reasonable retention period afterwards as described in our Privacy Policy.
3. Categories of data subjects and data
Data subjects: the Client’s customers who are submitted for verification.
Categories of data: name, phone number, email address, postal address; product and price agreed; where relevant, bank name, sort code, and account number (encrypted at rest, with only the last 4 digits ever displayed); verification timestamp, a masked IP address, and a short device summary; the customer’s confirmation or decline.
4. Heimdell's obligations
- Process personal data only on the Client’s documented instructions
- Ensure staff and systems accessing the data are bound by confidentiality
- Implement appropriate technical and organisational security measures (see Section 6)
- Only engage sub-processors as disclosed in Section 5, and remain responsible for their compliance
- Assist the Client in responding to data subject rights requests and, where relevant, data protection impact assessments
- Notify the Client without undue delay after becoming aware of a personal data breach affecting their data
- Delete or return personal data at the end of the relationship, except where retention is required by law
5. Sub-processors
Heimdell uses the following sub-processors to run the platform. We’ll update this list and make reasonable efforts to notify active clients if it changes.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database hosting and authentication | EU (Ireland) |
| Stripe | Payment processing for credit purchases | US / global, with UK GDPR-standard safeguards |
| Twilio | Phone-call and SMS verification delivery | US / global, with UK GDPR-standard safeguards |
| Resend | Transactional email delivery | US / global, with UK GDPR-standard safeguards |
Where a sub-processor is outside the UK/EEA, we rely on that provider’s standard contractual clauses or equivalent UK GDPR-recognised transfer safeguards.
6. Security measures
- Bank account numbers encrypted at rest using AES-256-GCM; only the last 4 digits are ever displayed
- Passwords and API keys stored as salted hashes, never in plain text
- All data in transit encrypted via HTTPS
- Role-based access control — staff only see data relevant to their role and organization
- Every certificate is cryptographically fingerprinted, so tampering is detectable
- Audit logging of key account and administrative actions
7. Audits
On reasonable written request, and no more than once per year unless required by a regulator or following a security incident, Heimdell will provide the Client with information reasonably necessary to demonstrate compliance with this DPA.
8. Contact
Questions about this DPA or a specific processing activity: andrew@heimdell-tech-ai.co.uk