1. Roles
The customer is the data controller for personal data about its prospects, users, and contacts. Swarmhit is the data processor and processes that data only on the customer’s documented instructions, which include the configuration of the service and this DPA.
2. Subject matter and duration
The subject matter is the provision of the Swarmhit platform. Processing lasts as long as the customer’s subscription is active and during the 30-day post-termination deletion window.
3. Nature and purpose of processing
Hosting, organizing, sending, and reporting on outbound communications between the customer and its prospects, including AI-generated personalization of those communications.
4. Categories of data subjects and personal data
- Data subjects.The customer’s prospects, contacts, end users, and team members.
- Personal data. Name, work email, job title, company, public LinkedIn profile data, message content, reply content, meeting bookings, and any other data the customer chooses to upload.
5. Sub-processors
The customer authorizes Swarmhit to use the sub-processors listed below. We notify customers at least 30 days before adding or replacing a sub-processor. You can object to a change by writing to dpa@swarmhit.com; if we cannot accommodate the objection, you may terminate with a pro-rata refund.
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Cloud hosting | EU (Frankfurt) / US |
| Vercel | Edge hosting for the marketing site | Global |
| Stripe | Payments | US / EU |
| Postmark | Transactional email | US |
| OpenAI | AI personalization (zero retention) | US |
| Anthropic | AI personalization (zero retention) | US |
| Sentry | Error monitoring | EU |
| Datafast | Privacy-friendly product analytics | EU |
6. International transfers
When personal data is transferred outside the EEA or UK, we rely on the European Commission’s Standard Contractual Clauses (Module Two) and the UK International Data Transfer Addendum, together with supplementary measures including TLS in transit, AES-256 at rest, least-privilege access, and contractual zero retention with our AI sub-processors.
7. Security
Swarmhit maintains technical and organizational measures including encryption in transit and at rest, SSO and 2FA for employee access, role-based access controls, vulnerability scanning, annual penetration tests, and a documented incident response plan.
8. Personal data breach
We notify the customer without undue delay, and in any case within 72 hours of becoming aware, of any personal data breach affecting the customer’s data, together with the information needed to fulfil the customer’s own notification obligations.
9. Assistance and audits
We help customers respond to data subject requests through workspace tools. We make available the information necessary to demonstrate compliance and, where reasonable, allow audits by the customer or an independent auditor under appropriate confidentiality terms.
10. Return and deletion
On termination, we delete or return all customer personal data within 30 days, except where retention is required by law.
11. Acceptance
By using Swarmhit you accept this DPA. Enterprise customers may request a signed copy from dpa@swarmhit.com.