Last updated: June 3, 2026
1. Parties
This DPA forms part of the agreement between the customer ("Customer," the "Controller") and HeyRelio ("HeyRelio," the "Processor") for the provision of the Service (the "Agreement"). It applies where HeyRelio processes personal data on behalf of the Customer. In the event of a conflict between this DPA and the Agreement on the subject of data protection, this DPA controls.
2. Subject Matter & Duration
The subject matter of the processing is the provision of HeyRelio's managed Instagram outreach Service. Processing continues for the duration of the Agreement and until all Customer personal data is deleted or returned in accordance with Section 6.
3. Nature & Purpose of Processing
HeyRelio processes personal data to operate the Service: provisioning sender infrastructure, sending direct messages on the Customer's documented instructions, managing the unified inbox, applying suppression/opt-out handling, generating analytics, and delivering webhook events. Processing is carried out only as necessary to provide the Service.
4. Categories of Data Subjects & Personal Data
Data subjects: the Customer's outreach targets and recipients, and the Customer's authorized users.
Categories of personal data: Instagram usernames and profile identifiers, message content provided by the Customer, sender account credentials (encrypted), and associated engagement metadata such as sent/replied/failed events.
5. Processor Obligations
- Documented instructions — process personal data only on the Customer's documented instructions, including as set out in the Agreement, unless required by law.
- Confidentiality — ensure personnel authorized to process personal data are bound by confidentiality obligations.
- Security — implement the technical and organizational measures described in Annex 2, including AES-256-GCM credential encryption and per-tenant data isolation.
- Data-subject requests — provide reasonable assistance to enable the Customer to respond to data-subject requests.
- Breach notification — notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer data.
- Deletion or return — at the Customer's choice, delete or return all Customer personal data on termination, except where retention is required by law.
6. Sub-Processors
The Customer authorizes HeyRelio to engage the following sub-processors, each bound by data protection obligations no less protective than this DPA:
- DuoPlus — cloud Android phone provisioning.
- IPFoxy — proxy infrastructure.
- Resend — transactional email delivery.
- Hosting provider — compute, storage, and database hosting.
HeyRelio will give the Customer reasonable notice of any intended addition or replacement of a sub-processor, and the Customer may object on reasonable data-protection grounds.
7. International Transfers
Where processing involves transfer of personal data across borders, the parties will ensure an appropriate transfer mechanism is in place, such as the Standard Contractual Clauses or an equivalent lawful safeguard.
8. Audit Rights
HeyRelio will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for audits, including inspections, conducted by the Customer or an auditor it mandates, subject to reasonable notice, confidentiality, and frequency limits, and without compromising the security or data of other customers.
9. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
Annex 1 — Details of Processing
- Subject matter: provision of managed Instagram outreach automation.
- Duration: the term of the Agreement and until deletion or return of data.
- Nature & purpose: sending outreach messages and managing campaigns on the Customer's instructions.
- Data subjects: the Customer's outreach targets and authorized users.
- Categories of data: Instagram usernames/identifiers, customer-provided message content, encrypted sender credentials, and engagement metadata.
Annex 2 — Technical & Organizational Measures
- AES-256-GCM encryption of sender credentials at rest; encryption in transit (TLS).
- Strict per-tenant isolation across data, rate budgets, and suppression lists.
- HMAC-signed webhooks so customers can verify event authenticity.
- Role-based access controls and least-privilege access.
- Rate limiting and opt-out suppression handling.
- Audit logging of security-relevant events.
Contact
For questions about this DPA or to submit a signed copy, contact support@heyrelio.com.