Legal

Data Processing Addendum

Last updated April 28, 2026

This Data Processing Addendum (“DPA”) supplements the Hachimi Terms of Service and governs how Hachimi Labs processes Customer Personal Data on the Customer’s behalf. The full GDPR-aligned addendum is being adapted from a standard template — this page is a placeholder summary until that adaptation is complete.

1. Roles and scope

For the purposes of GDPR and equivalent regulations, the Customer is the Controller of Personal Data submitted to the Hachimi service, and Hachimi acts as the Processor. This DPA covers all processing activities Hachimi performs on the Customer’s behalf while delivering the service.

2. Subject matter and duration

Hachimi processes Personal Data only to the extent necessary to operate and improve the service for the Customer, for the duration of the Customer’s subscription. After cancellation, Personal Data is retained for 30 days for restore-from-backup purposes, then deleted.

3. Data categories

Hachimi processes:

  • Account data (email, name, billing address)
  • Authentication tokens for connected third-party services (encrypted at rest)
  • Conversation messages and uploaded files inside agent workspaces
  • Operational telemetry (run logs, latency, error rates)

4. Subprocessors

Hachimi uses the following subprocessors to deliver the service. The Customer authorizes Hachimi to engage these parties and will be notified of changes with 30 days’ notice.

  • Anthropic — LLM inference (US)
  • AWS — agent compute (us-east-1; eu-central-1 on request)
  • Supabase — application database + auth (US)
  • Stripe — billing (US)
  • Vercel — web hosting (global edge)

5. Security measures

Hachimi implements technical and organizational measures appropriate to the risks, including credential encryption at rest, per-agent VPS isolation, and least-privilege access for engineering staff. The SOC 2 Type I observation period is currently active. See /security for details.

6. Data subject rights

The Customer remains responsible for responding to data-subject requests. Hachimi will assist the Customer with appropriate technical and organizational measures within 5 business days of a written request to privacy@hachimi.io.

7. International transfers

Where Personal Data is transferred outside the EEA / UK / Switzerland, Hachimi relies on the European Commission’s Standard Contractual Clauses (2021/914/EU). EU customers can request that agent compute be pinned to eu-central-1 to avoid cross-border transfer of agent data.

8. Audits

Hachimi will provide reasonable assistance with the Customer’s audit rights under Art. 28(3)(h) GDPR through its SOC 2 reports (when available) and written responses to security questionnaires. On-site audits may be arranged for enterprise customers under NDA.

9. Contact

For DPA-related questions or to execute a counter-signed copy, email privacy@hachimi.io.