HeyFred Logo

    Data Processing Agreement HeyFred B.V.

    Last update: December 16, 2025

    1. Definitions

    • 1.1 GDPR: General Data Protection Regulation (Regulation (EU) 2016/679).
    • 1.2 Personal Data: Any information relating to an identified or identifiable natural person, as defined in the GDPR.
    • 1.3 Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • 1.4 Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In the context of this agreement, this is the Customer.
    • 1.5 Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. In the context of this agreement, this is HeyFred B.V.
    • 1.6 Customer: The natural or legal person who uses the services of HeyFred B.V. and in that context provides personal data to HeyFred B.V. for processing.
    • 1.7 Service: The services provided by HeyFred B.V. to the Customer, including the Voice AI platform, telephony integrations, dashboards and related functionalities.
    • 1.8 Data Breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

    2. Subject of the agreement

    2.1 This data processing agreement (hereinafter "Agreement") applies to all processing of personal data that HeyFred B.V. performs on behalf of the Customer in the context of the Service.

    2.2 The Customer is the Data Controller and HeyFred B.V. is the Data Processor.

    2.3 The nature and purpose of the processing, the type of personal data, the categories of data subjects and the duration of the processing are described in Appendix 1 to this Agreement.

    3. Obligations of the Data Processor (HeyFred B.V.)

    3.1 General

    • HeyFred B.V. processes personal data solely on instructions from and on behalf of the Customer, and in accordance with the written instructions of the Customer, unless a legal provision requires HeyFred B.V. to carry out other processing. In that case, HeyFred B.V. will inform the Customer of this before processing, unless that law prohibits such notification on important grounds of public interest.
    • HeyFred B.V. will not process the personal data for its own purposes.
    • HeyFred B.V. will not keep the personal data longer than necessary for the performance of the Service and in accordance with the Customer's instructions.

    3.2 Security

    • HeyFred B.V. takes appropriate technical and organizational measures to secure personal data against loss, destruction, unauthorized access, modification or any other form of unlawful processing. These measures are described in Appendix 2 to this Agreement.
    • HeyFred B.V. guarantees a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

    3.3 Confidentiality

    • HeyFred B.V. ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

    3.4 Data Breaches

    • HeyFred B.V. shall notify the Customer without undue delay after becoming aware of a Data Breach relating to the processing of personal data on behalf of the Customer.
    • The notification contains at least the information required by the GDPR.
    • HeyFred B.V. will assist the Customer in fulfilling its obligations regarding Data Breaches, including informing the Data Protection Authority and/or data subjects.

    3.5 Rights of data subjects

    • HeyFred B.V. will, as far as possible, assist the Customer in fulfilling its obligation to respond to requests for exercising the data subject's rights laid down in the GDPR (e.g. right of access, rectification, erasure, restriction, data portability and objection).
    • If a data subject sends a request to exercise his rights directly to HeyFred B.V., HeyFred B.V. will forward this request to the Customer without delay.

    3.6 Audits and inspections

    • HeyFred B.V. makes available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Agreement and the GDPR.
    • The Customer has the right to have audits carried out by an independent third party to verify compliance with this Agreement. The costs for this are borne by the Customer.

    3.7 Deletion and return of data

    • Upon termination of the Service and/or this Agreement, HeyFred B.V. shall, at the choice of the Customer, delete or return all the personal data to the Customer, and delete existing copies unless Union or Member State law requires storage of the personal data.

    4. Obligations of the Data Controller (Customer)

    • The Customer guarantees that the processing of personal data is lawful and that the instructions to HeyFred B.V. are in accordance with the GDPR and other applicable laws and regulations.
    • The Customer is responsible for informing data subjects about the processing of their personal data and obtaining the necessary consents or having another lawful basis for the processing.
    • The Customer indemnifies HeyFred B.V. against all claims from third parties, including fines from supervisors, arising from the Customer's failure to comply with the GDPR or other laws and regulations.

    5. Sub-processors

    5.1 The Customer hereby grants HeyFred B.V. general authorization to engage sub-processors for the execution of the Service.

    5.2 HeyFred B.V. shall inform the Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Customer the opportunity to object to such changes. If the Customer objects, parties will consult to find a solution. If no solution is found, the Customer has the right to terminate the agreement.

    5.3 HeyFred B.V. imposes the data protection obligations set out in this Agreement on its sub-processors by way of a contract.

    6. Liability

    6.1 The liability of HeyFred B.V. for damage arising from or related to this Agreement is limited to what is stipulated in the Terms of Service of HeyFred B.V.

    6.2 HeyFred B.V. is not liable for damage resulting from failure to comply with the instructions of the Customer, unless this is due to intent or gross negligence on the part of HeyFred B.V.

    7. Term and termination

    7.1 This Agreement enters into force when the Customer uses the Service and remains in force as long as HeyFred B.V. processes personal data on behalf of the Customer.

    7.2 Upon termination of the Service and/or this Agreement, the provisions of Article 3.7 shall apply.

    8. Applicable law and dispute resolution

    8.1 Dutch law applies to this Agreement.

    8.2 All disputes arising from or related to this Agreement will be submitted to the competent court in Amsterdam.

    Appendix 1: Specification of data processing

    1. Nature and purpose of processing

    The processing of personal data by HeyFred B.V. on behalf of the Customer aims to provide Voice AI services, including:

    • Setting up, configuring and managing AI voice assistants.
    • Handling inbound and outbound phone calls.
    • Processing speech to text and text to speech.
    • Performing automated tasks such as scheduling appointments, providing information, conducting surveys and qualifying leads.
    • Storing call logs, transcripts and related metadata.
    • Providing a dashboard for the Customer to monitor and manage the performance of the AI assistants.
    • Integrating with Customer's external systems (CRM, calendar, etc.).

    2. Type of personal data

    The following categories of personal data may be processed:

    • Contact details: Name, phone number, email address of end users and/or contact persons of the Customer.
    • Call data: Audio recordings of calls, call transcripts, call duration, call status, date and time of calls.
    • Metadata: IP addresses, device information, browser information.
    • Other data: All other personal data that the Customer includes in the Customer Content (prompts, scripts, knowledge base texts, contact lists, etc.) and which are necessary for the execution of the Service.

    3. Categories of data subjects

    The personal data concerns the following categories of data subjects:

    • End users who contact the Customer or are called by the Customer via the Service.
    • Customer contacts who use or manage the Service.

    4. Duration of processing

    The personal data will be processed for the duration of the agreement between Customer and HeyFred B.V. and as long as necessary for the execution of the Service. Upon termination of the agreement, the personal data will be deleted or returned to the Customer, in accordance with Article 3.7 of this Agreement, unless a statutory retention obligation applies.

    Appendix 2: Security measures

    HeyFred B.V. has taken the following technical and organizational security measures:

    • Physical security: Access controls to data centers, surveillance, fire protection.
    • Network security: Firewalls, intrusion detection systems, network segmentation, DDoS protection.
    • Access management: Strong password policy, multi-factor authentication, least privilege principle, access logging.
    • Data encryption: Encryption of data at rest and data in transit using industry-standard protocols (e.g. TLS, AES-256).
    • Logging and monitoring: Continuous monitoring of systems and applications, audit trails, alert systems for anomalies.
    • Backup and recovery: Regular backups, test procedures for recovery, redundancy of systems.
    • Incident response: Procedures for handling security incidents and data breaches.
    • Software development: Secure coding practices, regular security reviews of code.
    • Supplier management: Assessment of sub-processors on security standards.
    • Personnel: Confidentiality agreements, training and awareness of employees on information security and privacy.