HydraHydra

Legal

Data Processing Addendum

Effective May 15, 2026

Draft notice. This DPA is a good-faith summary intended to support procurement conversations. A counsel-reviewed final version will replace this text. If your team requires a counter-signed DPA today, email privacy@hydra-help.com.

1. Roles

Tenant is the controller of personal data submitted to Hydra in the course of using the service. Hydra is the processor and acts on documented instructions from the tenant. Tenant warrants that it has a lawful basis to provide that data to Hydra.

2. Subject matter and duration

Subject matter: provision of the Hydra customer support and CRM platform.

Duration: for the term of the tenant’s subscription, plus the deletion windows described below.

3. Categories of data and data subjects

Data subjects: tenant employees, end customers, and any individuals whose data the tenant chooses to store in Hydra.

Categories: identification and contact details, communication content (chat, email, ticket replies, internal notes), CRM attributes the tenant configures, and operational metadata (timestamps, IP, user agent).

4. Processor obligations

Hydra processes personal data only on documented instructions from the tenant, including with regard to international transfers.

Hydra ensures that personnel authorized to process personal data are bound by confidentiality.

Hydra implements the technical and organizational measures described on the Trust page, including encryption in transit and at rest, tenant isolation via row-level security, two-factor authentication, audit logging, scoped API keys, and least-privilege access.

Hydra assists the tenant, taking into account the nature of the processing, in fulfilling its obligation to respond to requests from data subjects, including export and deletion via the dashboard.

Hydra notifies the tenant without undue delay (and within 24 hours of confirmation) on becoming aware of a confirmed personal-data breach affecting the tenant.

5. Subprocessors

Tenant gives general authorization to Hydra to engage subprocessors. The current list is published on the Trust page. Hydra gives 30 days advance notice before engaging a new subprocessor; tenant may object on reasonable grounds within that window.

Hydra remains responsible for the acts and omissions of its subprocessors.

6. International transfers

Hydra and the subprocessors listed on the Trust page primarily operate from the United States. Where personal data is transferred from the EEA, UK, or Switzerland, Hydra relies on the Standard Contractual Clauses (Module 2: Controller to Processor) and the UK Addendum, both of which are incorporated by reference into this addendum and take effect automatically when applicable.

7. Audits

Hydra makes available to the tenant the information necessary to demonstrate compliance with this addendum, including third-party attestations once available (e.g., SOC 2 reports under NDA).

8. Return or deletion

On termination, the tenant may export data via the dashboard. After termination, Hydra deletes tenant data within 30 days, and backups roll off within a further 30 days, unless retention is required by applicable law.

9. Contact

Privacy or DPA questions: privacy@hydra-help.com. Security incidents: security@hydra-help.com.

← Back to Trust & security