Data Processing Agreement

Last updated: March 2026

Our DPA outlines how HeyDrop processes personal data on behalf of our customers, in compliance with GDPR Article 28.

What is this DPA?

This Data Processing Agreement ("DPA") forms part of the agreement between HeyDrop P.S.A. ("Processor") and your organization ("Controller") for the processing of personal data in connection with HeyDrop services. This DPA is designed to meet the requirements of Article 28 of the GDPR.

What data does HeyDrop process?

HeyDrop processes contact data (names, email addresses, phone numbers, job titles, company names, social profile URLs) and usage analytics to provide digital business card creation, sharing, contact scanning, and CRM synchronization services.

How is the data protected?

HeyDrop implements appropriate technical and organizational measures including encryption at rest (AES-256 via AWS KMS) and in transit (TLS 1.2+), role-based access controls, automated security monitoring, regular security audits, and a documented incident response plan.

What about subprocessors?

We maintain a transparent, up-to-date list of all subprocessors. We provide 30 days advance notice before adding new subprocessors and allow controllers to object. All subprocessors are bound by Data Processing Agreements and undergo security assessment.

What are the data subject rights?

HeyDrop assists controllers in fulfilling data subject requests including access, rectification, erasure, restriction, portability, and objection. We respond to controller instructions within 72 hours and provide necessary data exports in standard formats.

What happens at contract termination?

Upon termination, HeyDrop will delete or return all personal data within 30 days at the controller's instruction. Backup data is purged within 90 days. We provide written confirmation of deletion upon request.

Request a Signed DPA

Enterprise and Teams customers can request a signed copy of our DPA. Contact us at legal@heydrop.app.