Version: 2.0
Effective Date: January 1, 2026
This Data Processing Agreement (“DPA”) forms part of the contractual relationship between HeyScore and the customer (“Client”) using the HeyScore SaaS application. It governs processing on behalf pursuant to Art. 28 GDPR.
This DPA sets out the terms under which HeyScore processes personal data on behalf of the Client in accordance with Art. 28 GDPR (“processing on behalf”). It applies to processing activities performed by HeyScore to provide the HeyScore SaaS application and related services.
Third-party services used by the Client that act as independent controllers (e.g., payment providers) are not covered by this DPA.
The Client is the Controller and determines the purposes and means of processing Personal Data in connection with the Client’s use of the HeyScore service. HeyScore acts as Processor and processes Personal Data only on documented instructions of the Client, unless required to do so by Union or Member State law.
The Client is responsible for ensuring a valid legal basis, providing required notices to Data Subjects, and for the lawfulness of the Personal Data submitted to HeyScore.
Subject matter: Provision of the HeyScore SaaS application for collecting, storing, analyzing and reporting customer feedback.
Duration: For the term of the main agreement between the Parties and thereafter as described in Section 13.
Nature of processing: Collection, storage, structuring, retrieval, analysis (including AI-based analysis in EU data centers), display, export, and deletion of feedback data and related metadata.
Purpose: Operating the HeyScore platform and providing analytics results and reporting to the Client.
Categories of Data Subjects
Categories of Personal Data
HeyScore shall process Personal Data only on documented instructions from the Client. Instructions are generally provided through the Client’s configuration and use of the HeyScore service. Additional instructions must be issued in text form (e.g., email).
HeyScore shall inform the Client if, in its opinion, an instruction infringes GDPR or other applicable data protection provisions.
HeyScore implements appropriate technical and organisational measures (“TOMs”) to ensure a level of security appropriate to the risk, including measures as described in Annex 2.
HeyScore ensures that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
HeyScore will not disclose Personal Data to third parties except as necessary to provide the service, to comply with law, or as instructed by the Client.
The Client authorises HeyScore to engage Sub-processors listed in Annex 3. HeyScore will ensure that Sub-processors are bound by equivalent data protection obligations as set out in this DPA (Art. 28(4) GDPR). HeyScore remains responsible for the performance of Sub-processors’ obligations.
HeyScore will inform the Client of intended changes regarding the addition or replacement of Sub-processors. The Client may object to such changes for legitimate data protection reasons within 14 days of notification. If the Client objects and no reasonable alternative can be provided, the Client may terminate the affected services.
HeyScore primarily processes Personal Data within the European Union / EEA. HeyScore’s default setup is designed to keep customer feedback data stored and processed in EU data centers.
If a third-party service used by the Client acts as an independent controller (e.g., payment providers), any international transfers by such providers are governed by their own terms and notices.
Taking into account the nature of processing, HeyScore shall assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising Data Subject rights (Art. 12–22 GDPR).
HeyScore shall assist the Client in ensuring compliance with obligations pursuant to Art. 32–36 GDPR (security, breach notifications, DPIA, prior consultation), taking into account the information available to HeyScore and the nature of processing.
HeyScore will notify the Client without undue delay after becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification will include available information required under Art. 33 GDPR to the extent relevant for the Client.
HeyScore will take reasonable steps to contain, investigate and remediate the breach.
HeyScore will make available to the Client information reasonably necessary to demonstrate compliance with this DPA (Art. 28(3)(h) GDPR). Audits shall generally be conducted as remote audits (e.g., documentation review, written confirmations).
On-site audits require prior written notice of at least 30 days and are permitted only where strictly necessary, taking into account the nature of processing, the protection of confidential information, and the security of other customers. Audits shall be limited to once per calendar year unless required by law or following a material incident.
Upon termination of the main agreement, and at the choice of the Client, HeyScore shall delete or return all Personal Data processed on behalf of the Client, unless Union or Member State law requires storage of the Personal Data.
HeyScore provides export functionality for customer data within the application, enabling the Client to export data before termination.
Liability between the Parties shall be governed by the main agreement and applicable data protection law. Nothing in this DPA limits either Party’s liability for willful misconduct, or where liability cannot be excluded under applicable law.
This DPA is incorporated into and forms part of the main agreement between the Parties. In case of conflict between this DPA and the main agreement regarding data protection, this DPA shall prevail.
HeyScore may update this DPA from time to time. The Client will be informed of material changes, in particular changes concerning Sub-processors or international transfers. The Client may object to such changes within 14 days. If no objection is raised, the updated DPA shall be deemed accepted.
This DPA is governed by the laws of Germany. The exclusive place of jurisdiction is Munich, Germany, where legally permissible.
The following TOMs describe the general security measures implemented by HeyScore. Measures may evolve over time to address new risks.
Note: The Client remains responsible for configuring access rights within their organisation and for the lawfulness of the data provided to HeyScore.
The legal entity names below should match the respective contracts/DPAs. If you update providers, please update this annex and the DPA version.
| Purpose | Sub-processor (legal entity) | Country / Region | Notes |
|---|---|---|---|
| Hosting & infrastructure | Platform.sh SAS, France | EU | Core platform hosting |
| Support email / mailbox processing | ALL-INKL.COM - Neue Medien Münnich, Germany | Germany | Support and contact communications |
| AI feedback analysis (EU) | Mistral AI, France | EU | Topic and sentiment analysis |
| Transactional email delivery | AWS (SES), Ireland | EU region (provider headquartered outside EU) | Only if used for sending transactional emails |
Note: The Client’s acceptance (version and timestamp) may be stored for compliance purposes.