All legal documents

teamhatcher Data Processing Addendum (DPA)

Last updated: July 1, 2026

This Data Processing Addendum ("DPA") forms part of the teamhatcher Terms of Service (the "Agreement") between TEAMHATCHER LLC ("teamhatcher", the "Processor") and the Customer identified in the Agreement (the "Customer", the "Controller"). It applies whenever teamhatcher processes Personal Data on the Customer's behalf in providing the Services, in particular data about the Customer's employees, contractors, hires, and other workspace members ("Members"). It is effective upon the Customer's acceptance of the Agreement, no signature required; a countersigned copy is available on request to legal@teamhatcher.com.

1. Definitions

"Data Protection Laws" means all laws applying to the Processing of Personal Data under this DPA, including, as applicable: the EU General Data Protection Regulation 2016/679 ("GDPR"); the GDPR as incorporated into UK law ("UK GDPR") and the UK Data Protection Act 2018; the Swiss Federal Act on Data Protection; and U.S. state privacy laws including the California Consumer Privacy Act as amended by the CPRA ("CCPA") and comparable laws of Colorado, Connecticut, Texas, Utah, Virginia, and other states ("US State Privacy Laws").

"Personal Data" means information relating to an identified or identifiable natural person that teamhatcher Processes on the Customer's behalf under the Agreement, as described in Annex A. "Processing", "Controller", "Processor", "Data Subject", "Supervisory Authority", and "Personal Data Breach" have the meanings in the GDPR; under the CCPA, "Controller" includes "Business", "Processor" includes "Service Provider", "Personal Data" includes "Personal Information", and "Data Subject" includes "Consumer".

"Subprocessor" means a third party engaged by teamhatcher to Process Personal Data on the Customer's behalf.

"SCCs" means the standard contractual clauses approved by European Commission Decision (EU) 2021/914. "UK Addendum" means the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner.

2. Roles, scope, and instructions

2.1. For Personal Data in the Customer's workspace, the Customer is the Controller (or Business) and teamhatcher is the Processor (or Service Provider). The Customer is responsible for the accuracy and lawfulness of the Personal Data it submits, including providing notices to and obtaining any required consents from Data Subjects (for example, Members whose information, recordings, or paperwork are processed).

2.2. teamhatcher will Process Personal Data only on the Customer's documented instructions, including with respect to transfers, unless required to do otherwise by law (in which case teamhatcher will inform the Customer of the legal requirement before Processing, unless the law prohibits it). The Agreement, this DPA, and the Customer's configuration and use of the Services (including invoking AI generation, transcription, Q&A, e-signature, email, and export features) constitute the Customer's complete documented instructions. teamhatcher will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws.

2.3. The subject matter, duration, nature and purpose of Processing, and the categories of Personal Data and Data Subjects are set out in Annex A.

3. teamhatcher's obligations as Processor

3.1. Confidentiality. teamhatcher ensures that persons authorized to Process Personal Data are bound by confidentiality obligations.

3.2. Security. teamhatcher implements and maintains appropriate technical and organizational measures to protect Personal Data, as described in Annex B, taking into account the nature of the data (which may include sensitive identifiers in Customer-uploaded paperwork).

3.3. Data Subject requests. Taking into account the nature of the Processing, teamhatcher will assist the Customer, through the Services' built-in tools (access, correction, deletion, and export functions) and, where those are insufficient, through reasonable additional assistance, in fulfilling the Customer's obligation to respond to Data Subject requests. If teamhatcher receives a request directly from a Member relating to workspace data, it will direct the requester to the Customer and notify the Customer, and will not respond substantively except as instructed or required by law.

3.4. Breach notification. teamhatcher will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to help the Customer meet its own notification obligations, followed by updates as the investigation proceeds. teamhatcher's notification is not an admission of fault.

3.5. Assistance. teamhatcher will provide reasonable assistance with the Customer's data protection impact assessments and consultations with Supervisory Authorities, insofar as they relate to the Services and information available to teamhatcher.

3.6. Deletion and return. Upon termination or expiry of the Agreement, and after the 30-day export window described in the Agreement, teamhatcher will delete or de-identify Personal Data within 60 days and purge backups within a further 90 days, unless retention is required by law. On written request, teamhatcher will confirm deletion.

3.7. CCPA and US State Privacy Laws. teamhatcher (a) will not sell or share Personal Information, (b) will not retain, use, or disclose Personal Information for any purpose other than performing the Services under the Agreement or as otherwise permitted by the CCPA, (c) will not retain, use, or disclose Personal Information outside the direct business relationship with the Customer, (d) will not combine Personal Information with personal information from other sources except as permitted for Service Providers, (e) certifies that it understands and will comply with these restrictions, and (f) will notify the Customer if it determines it can no longer meet its obligations, in which case the Customer may take reasonable steps to stop or remediate unauthorized use.

4. Subprocessors

4.1. General authorization. The Customer authorizes teamhatcher to engage the Subprocessors listed in Annex C, and grants general written authorization for teamhatcher to appoint or replace Subprocessors.

4.2. Changes and objection. teamhatcher maintains the current Subprocessor list at https://www.teamhatcher.com/subprocessors and will give at least 30 days' notice of any new Subprocessor (by updating that page and emailing account owners, or an equivalent mechanism) before the new Subprocessor Processes Personal Data. The Customer may object on reasonable data protection grounds within that period; the parties will discuss in good faith, and if no resolution is reached, the Customer may terminate the affected Services and receive a prorated refund of prepaid fees for the terminated portion.

4.3. Flow-down and liability. teamhatcher will impose data protection obligations on each Subprocessor that are materially no less protective than this DPA, and remains liable for its Subprocessors' performance.

5. International transfers

5.1. Personal Data is processed in the locations shown in Annex C, principally the United States.

5.2. Where Personal Data protected by the GDPR is transferred to teamhatcher in a country without an adequacy decision, the SCCs are incorporated into this DPA: Module Two (Controller to Processor) where the Customer is a Controller, and Module Three (Processor to Processor) where the Customer acts as a Processor for its own controllers, with teamhatcher as data importer and the Customer as data exporter. The parties select: Clause 7 (docking) included; Clause 9(a) Option 2 (general written authorization, 30 days' notice); Clause 11 optional language not included; Clause 17 Option 1, the law of Ireland; Clause 18(b), the courts of Ireland. Annexes A, B, and C of this DPA serve as Annexes I, II, and III of the SCCs.

5.3. For transfers subject to the UK GDPR, the UK Addendum applies, with Table information completed by the details in this DPA and either party able to end the Addendum as set out in its Section 19. For transfers subject to Swiss law, the SCCs apply with the adaptations required by the Swiss data protection authority.

6. Audits

Upon written request no more than once per 12 months (or following a Personal Data Breach), teamhatcher will make available information reasonably necessary to demonstrate compliance with this DPA, including responses to security questionnaires and summaries of third-party assessments where available. If that information is insufficient, the Customer may conduct an audit through a mutually agreed independent auditor, during business hours, on at least 30 days' notice, at the Customer's expense, no more than once per 12 months, subject to confidentiality, and without access to other customers' data or systems.

7. Liability and order of precedence

Each party's liability under this DPA is subject to the limitations and exclusions in the Agreement, except where Data Protection Laws do not permit such limits. If this DPA conflicts with the Agreement on a data protection matter, this DPA controls; if the SCCs conflict with this DPA, the SCCs control.

8. Term

This DPA applies for as long as teamhatcher Processes Personal Data on the Customer's behalf.


Annex A: Details of Processing

  • Subject matter: provision of the teamhatcher platform (SOP generation and management, ask-your-SOPs Q&A, knowledge checks, onboarding paths, tasks and compliance reporting, team chat, time tracking, offer letters and e-signature, and related support).
  • Duration: the term of the Agreement plus the export and deletion periods in Section 3.6.
  • Nature and purpose: hosting, storage, transmission, display, transcription, embedding, retrieval, AI-assisted generation and question answering, e-signature execution and storage, transactional email delivery, and error monitoring, in each case to provide the Services the Customer configures and invokes.
  • Categories of Data Subjects: the Customer's employees, contractors, candidates, hires, and other individuals the Customer invites to or references in its workspace, including signers of documents.
  • Categories of Personal Data: identification and contact data (names, work emails, time zones, roles); user-generated content that may contain personal data (SOPs, screen and voice recordings, transcripts, notes, chat messages, file attachments); employment and onboarding records (tasks, knowledge check results, onboarding progress, time entries); documents and e-signed paperwork, which may include home addresses and government identifiers such as Social Security numbers or tax IDs; e-signature audit data (signer email, IP address, timestamps); and billing contact details.
  • Sensitive data: not required by the Services, but Customer-uploaded paperwork may incidentally contain sensitive identifiers (for example SSNs or tax IDs on offer letters). Processing of such data is limited to storage, display to authorized workspace roles, e-signature execution, and export, with the safeguards in Annex B.
  • Frequency: continuous, for the duration above.

Annex B: Technical and organizational measures

  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
  • Logical tenant separation, including row-level security policies isolating each Customer's workspace data.
  • Role-based access control within the product; least-privilege, need-to-know access for teamhatcher personnel, protected by multi-factor authentication.
  • Personnel confidentiality commitments and security awareness.
  • Secure development practices, including code review and dependency and vulnerability management.
  • Logging, error monitoring, and alerting (Sentry) to detect and respond to incidents.
  • Documented incident response process, including the breach notification commitments in Section 3.4.
  • Regular backups with tested restoration, and defined deletion and backup-purge timelines (Section 3.6).
  • Vendor management: due diligence on Subprocessors and contractual flow-down of data protection obligations (Section 4.3).
  • Data minimization defaults: card data held only by Stripe; AI providers receive only the content needed for the invoked feature; sensitive documents restricted by role-based permissions.

Annex C: Subprocessors

Subprocessor Purpose Data types Location
Supabase Database, authentication, file storage (system of record) All workspace content and account data United States
Vercel Application hosting Data in transit through the application United States (global edge network)
Anthropic AI SOP generation and question answering (Claude) Content submitted to AI features (recordings context, notes, SOP text, questions) United States
OpenAI Audio transcription (Whisper) and text embeddings Audio submitted for transcription; text embedded for search and Q&A United States
Stripe Subscription billing and payment processing Billing contact and transaction data; card data held solely by Stripe United States
Resend Transactional email Recipient name, email, message content United States
Documenso E-signature processing and storage of signed documents Documents for signature (may include sensitive identifiers), signer identity and audit data United States
Sentry Error monitoring Technical diagnostics that may include account identifiers United States

Note: teamhatcher maintains data protection terms with each Subprocessor, including an executed DPA with Documenso, which stores executed documents that may contain sensitive identifiers.

Data Processing Addendum · teamhatcher · teamhatcher