Data Processing Addendum
Effective: 2026-05-23 — Version 1.2
This Data Processing Addendum (“DPA”) forms part of the agreement between Capable Agents AB (org.nr 559504-0444), Bäckaskiftsvägen 68, 122 42 Enskede, Sweden (“Heldly”, “Processor”) and the customer that has accepted the Terms of Service (the “Customer”, “Controller”). It governs the processing of Personal Data carried out by Heldly on behalf of the Customer in connection with the Heldly service (the “Service”).
This DPA is binding on the Customer the moment the Service is used. No countersignature is required. If your procurement process requires a counter-signed PDF, email hello@heldly.io with your company name and we'll send one within two business days.
1. Definitions
Capitalised terms used and not otherwise defined have the meaning set out in the EU General Data Protection Regulation 2016/679 (“GDPR”). “Personal Data”, “Controller”, “Processor”, “Sub-processor”, “Data Subject”, “Processing” and “Personal Data Breach” have the meanings given in the GDPR.
2. Roles
The Customer is the Controller of the Personal Data described in Annex A. Heldly is the Processor, processing Personal Data only on documented instructions from the Customer (which include the configuration the Customer chooses through the Service and the use the Customer's employees make of the Service).
3. Subject matter, duration, nature and purpose
Heldly processes Personal Data for the duration of the Customer's subscription to the Service, plus the retention period defined in Section 9, for the purpose of providing scheduling functionality between hosts (the Customer's users) and external invitees.
4. Categories of Data Subjects and Personal Data
See Annex A.
5. Confidentiality
Heldly ensures that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and access is limited to those with a need to know.
6. Security measures
Heldly implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Annex B and on our Security page.
7. Sub-processors
The Customer authorises Heldly to engage the Sub-processors listed at /security/subprocessors. Heldly will provide at least 30 days' prior notice of any addition or replacement of a Sub-processor by updating that page (and, on request, by email). The Customer may object to a new Sub-processor on reasonable grounds; if the parties cannot agree on a resolution, the Customer may terminate the Service for the affected functionality.
8. Data Subject rights
Heldly shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for exercising Data Subject rights. Workspace admins can read, export, and delete most Personal Data directly from the Service; anything not exposed in the UI can be obtained by writing to privacy@heldly.io.
9. Retention and deletion
Active workspace data is retained for the duration of the subscription. The default audit log retention is 400 days, configurable per workspace up to 7 years. Within 30 days of termination, Heldly deletes or returns all Personal Data, unless retention is required by Union or Member State law.
10. Personal Data Breach notification
Heldly notifies the Customer without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach. The notification includes (i) the nature of the breach, (ii) categories and approximate volumes of Data Subjects and records concerned, (iii) likely consequences, and (iv) measures taken or proposed.
11. International transfers
Personal Data is stored exclusively in the European Union. Onward transfers to non-EU Sub-processors (Stripe, Resend, WorkOS) are covered by the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework certification of the Sub-processor.
12. Audit
The Customer may, on reasonable notice and no more than once per 12-month period, request a copy of Heldly's most recent third-party penetration test attestation and a written summary of its security control set. On-site audits are available to enterprise customers at the Customer's expense.
13. Liability and term
The liability and term provisions of the Terms of Service apply to this DPA. In case of conflict between this DPA and the Terms of Service in respect of Personal Data processing, this DPA prevails.
Annex A — Categories of Data Subjects and Personal Data
Data Subjects
- The Customer's users (hosts) — anyone the Customer assigns a Heldly seat.
- External invitees — recipients of meeting invitations sent through the Service.
Categories of Personal Data
- Identification: name, email address.
- Professional: company name (optional, invitee).
- Authentication metadata: Google subject id, SSO subject id (where applicable).
- Usage metadata: meeting topic, slot times, picker open/click events, IP address and user-agent of audit-relevant actions.
- Cookieless analytics events (hosts only — Heldly does not send invitee data to PostHog): anonymous in-memory session identifier, page paths, event names, and a small set of non-PII event properties (e.g. meeting duration, co-host count). After sign-in the events are associated with the host's user id and email address for cross-session analysis.
Sensitive categories
None processed.
Annex B — Technical and organisational measures
- EU-only data residency (Vercel Stockholm + Supabase Dublin).
- TLS 1.2+ in transit; AES-256 at rest.
- Append-only audit log with PII redaction.
- SSO (SAML/OIDC) and SCIM available on enterprise plans.
- OAuth 2.1 + PKCE-S256 for the MCP connector; tokens stored as sha256 hashes.
- Branch protection, code review, CI typecheck/build gates, Dependabot.
- Quarterly Supabase PITR restore drill (RPO ≤ 5 min, RTO ≤ 4 h).
- Annual third-party penetration test (first within 6 months of GA).