Data Processing Agreement
This agreement governs how Hello processes personal data on behalf of healthcare practice Clients, including security measures, sub-processor disclosures, and data subject rights.
1. Definitions
The following terms have the meanings set forth below when used in this Data Processing Agreement ("DPA"). Capitalized terms not defined here have the meanings given in the underlying service agreement between Hello and the Client (the "Agreement").
- "CCPA" means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.).
- "CPA" means the Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.).
- "Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, the Client is the Controller.
- "Client Personal Data" means any Personal Data that Hello processes on behalf of the Client in connection with the Services.
- "Data Protection Law" means all applicable laws and regulations relating to the processing of Personal Data, including the CCPA, CPA, HIPAA, and any other federal or state privacy and data protection statutes.
- "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to a Data Subject.
- "Process" (and "Processing") means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.
- "Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Hello is the Processor.
- "Security Incident" means any unauthorized access, acquisition, use, disclosure, alteration, or destruction of Client Personal Data, or any breach of security leading to the accidental or unlawful destruction, loss, or alteration of Client Personal Data.
- "Service Data" means data generated by Hello through the operation of the Services, including aggregated, de-identified analytics and platform performance data that cannot reasonably be used to identify any individual or Client.
- "Services" means the AI voice agent platform, communication tools, and related professional services provided by Hello under the Agreement.
- "Sub-processor" means any third party engaged by Hello to process Client Personal Data on behalf of the Client.
2. Scope of Processing
2.1 Categories of Data Subjects
Hello processes Client Personal Data relating to the following categories of Data Subjects:
- Patients and callers: Individuals who contact the Client's practice via telephone or other communication channels handled by Hello AI voice agents
- Practice staff: Employees, contractors, and agents of the Client who interact with or are referenced within the Hello platform
- Business contacts: Vendors, referral partners, and other third parties whose contact information is stored within the platform
2.2 Categories of Personal Data
The types of Client Personal Data processed by Hello include:
- Contact information: Names, phone numbers, email addresses, and mailing addresses
- Call recordings and transcripts: Audio recordings and text transcriptions of AI voice agent conversations
- Appointment data: Requested dates, times, provider preferences, service types, and scheduling confirmations
- Payment information: Deposit amounts and payment confirmations processed via PCI DSS-compliant third-party processors (Hello does not store full payment card numbers)
- Health-related information: Information voluntarily shared by callers, such as symptoms, conditions, or treatment inquiries
- Device and usage data: IP addresses, browser type, operating system, pages visited, and interaction patterns collected through the Hello website and platform
2.3 Purpose of Processing
Hello processes Client Personal Data solely for the following purposes:
- Operating AI voice agents on behalf of the Client, including inbound and outbound call handling
- Scheduling appointments and sending confirmations, reminders, and follow-ups
- Facilitating deposit collection and payment processing through PCI DSS-compliant third parties
- Providing call analytics, performance dashboards, and reporting to the Client
- Maintaining, monitoring, and improving the Hello platform and infrastructure
2.4 Duration of Processing
Hello will process Client Personal Data for the duration of the Agreement, unless earlier termination or deletion is requested by the Client, or as otherwise required by applicable law. Upon termination of the Agreement, processing will cease in accordance with Section 9 (Data Return and Deletion).
3. Processing Instructions
Hello will process Client Personal Data only in accordance with the Controller's documented instructions. The Agreement, this DPA, and the Client's configuration of the Services constitute the Controller's initial instructions.
Hello will not sell, share, or otherwise make available Client Personal Data to any third party except as necessary to provide the Services or as required by applicable law.
If Hello determines that a processing instruction from the Controller may infringe applicable Data Protection Law, Hello will promptly notify the Controller in writing before carrying out the instruction, unless prohibited by law from doing so.
4. Security Measures
Hello implements and maintains appropriate technical and organizational measures to protect Client Personal Data against unauthorized access, loss, destruction, alteration, or disclosure. For a comprehensive description of our security program, see our Security page.
Security measures include, but are not limited to:
- Encryption at rest: Strong encryption of all stored data, including call recordings, transcripts, and Client configurations, with post-quantum-ready key management
- Encryption in transit: TLS 1.2 or higher for all data transmitted between systems
- Role-based access controls (RBAC): Granular permissions ensuring personnel access only the data necessary for their role
- Multi-factor authentication (MFA): Required for all administrative access to the Hello platform and internal systems
- Tenant isolation: Strict logical separation of Client data at the database level, preventing cross-tenant access
- Audit trails: Immutable logging of all data access and system modifications, retained for a minimum of 6 years
- Risk assessments: Comprehensive security risk assessments conducted at least annually
- Vulnerability management: Continuous vulnerability scanning with defined remediation SLAs based on severity
Hello may update its security measures from time to time, provided that any update does not materially reduce the overall level of protection afforded to Client Personal Data.
5. Sub-processors
5.1 Authorization
The Client provides general written authorization for Hello to engage Sub-processors to process Client Personal Data in connection with the Services, subject to the requirements of this Section.
5.2 Sub-processor Obligations
Before engaging any Sub-processor, Hello will enter into a written agreement with the Sub-processor that imposes data protection obligations no less protective than those set forth in this DPA. Hello remains responsible to the Client for the acts and omissions of its Sub-processors.
5.3 Change Notification
Hello will notify the Client at least 14 days in advance of any intended addition or replacement of a Sub-processor, including the Sub-processor's name, the nature of the processing, and the location of processing. Notification will be provided via email to the Client's designated contact.
5.4 Objection Right
If the Client has a reasonable, good-faith objection to a new or replacement Sub-processor, the Client must notify Hello in writing within 14 days of receiving the notification. The parties will work together in good faith to find a mutually acceptable resolution. If no resolution can be reached within 30 days, the Client may terminate the affected Services without penalty by providing written notice.
5.5 Current Sub-processors
The following table lists the Sub-processors currently authorized to process Client Personal Data:
| Category | Provider | Purpose | Location |
|---|---|---|---|
| Voice AI Platform | Synthflow | Primary voice agent orchestration | US/EU |
| Voice AI Platform | Bland AI | Backup voice agent provider | US |
| LLM | OpenAI | GPT models for conversation intelligence | US |
| LLM | Anthropic | Claude for complex conversations | US |
| STT | Deepgram | Speech-to-text transcription | US |
| TTS | ElevenLabs | Text-to-speech voice synthesis | US/EU |
| TTS | Cartesia | Backup text-to-speech | US |
| Telephony | Twilio | Call routing, SIP trunking, SMS | US |
| Telephony | Vonage | Backup call routing | US |
| Cloud Infrastructure | AWS | Hosting, database, storage, compute | US |
| Payment Processing | Stripe | Payment and deposit collection | US |
| Analytics | Google LLC | Website analytics (Google Analytics) | US |
| Analytics | Apollo.io | Website visitor identification | US |
| Security | Google LLC | reCAPTCHA bot prevention | US |
6. Security Incident Notification
Hello will notify the Client of any confirmed Security Incident without undue delay and in any event within 72 hours of becoming aware of the incident.
The notification will include, to the extent reasonably available:
- A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of the Hello point of contact for further information
- A description of the likely consequences of the Security Incident
- A description of the measures taken or proposed to address the Security Incident, including measures to mitigate potential adverse effects
Where it is not possible to provide all information at the time of the initial notification, Hello will provide the information in phases without further undue delay as it becomes available.
Where a Security Incident involves Protected Health Information (PHI), notification and response will also be governed by the applicable Business Associate Agreement and HIPAA Breach Notification Rules (45 CFR Part 164, Subpart D).
7. Data Subject Rights
Hello will assist the Controller in fulfilling its obligations to respond to Data Subject requests to exercise their rights under applicable Data Protection Law, including rights of access, correction, deletion, portability, and objection.
If Hello receives a request directly from a Data Subject regarding Client Personal Data, Hello will promptly redirect the Data Subject to the Controller and notify the Controller of the request, unless prohibited by law.
Hello will provide reasonable technical and organizational assistance to enable the Controller to respond to Data Subject requests, taking into account the nature of the processing. The Controller acknowledges that Hello's ability to assist depends on the information available within the Services.
8. Audits
Hello will make available to the Controller all information reasonably necessary to demonstrate compliance with the obligations set forth in this DPA.
Where available, Hello will provide SOC 2 Type II reports or equivalent third-party audit reports upon request, subject to reasonable confidentiality obligations.
The Controller (or a qualified, independent third-party auditor appointed by the Controller) may conduct an audit of Hello's processing activities and security measures no more than once per 12-month period. The Controller must provide at least 30 days' written notice of the intended audit. Audits will be conducted during normal business hours and in a manner that minimizes disruption to Hello's operations. The Controller is responsible for the costs of any audit it initiates.
9. Data Return and Deletion
Upon termination or expiration of the Agreement, or upon the Controller's written request, Hello will:
- Return all Client Personal Data to the Controller in a commonly used, machine-readable format, or securely delete all Client Personal Data, at the Controller's election
- Complete the return or deletion within 60 days of the request or termination date
- Provide written confirmation that Client Personal Data has been returned or deleted
Hello may retain copies of Client Personal Data in automated backup systems for up to 90 days following deletion, after which backup copies will be securely destroyed through cryptographic erasure.
Where Client Personal Data includes PHI, data return and deletion will also be governed by the applicable Business Associate Agreement. In the event of a conflict, the BAA controls with respect to PHI.
10. CCPA and CPA Provisions
10.1 CCPA
To the extent that the CCPA applies to Client Personal Data, Hello acts as a "service provider" (as defined under the CCPA) with respect to such data. Hello:
- Will not sell or share Client Personal Data
- Will not retain, use, or disclose Client Personal Data for any purpose other than performing the Services, as permitted by the CCPA
- Will not combine Client Personal Data with personal information received from other sources, except as permitted by the CCPA
- Will assist the Controller in responding to verifiable consumer requests, as required by the CCPA
10.2 CPA
To the extent that the CPA applies to Client Personal Data, Hello will:
- Adhere to the Controller's instructions with respect to processing Client Personal Data
- Assist the Controller in meeting its obligations under the CPA, including obligations related to data protection assessments
- Ensure that each Sub-processor is bound by a written contract that requires the Sub-processor to meet the obligations of a processor under the CPA
- Provide the Controller with information reasonably necessary to enable the Controller to conduct and document data protection assessments
11. HIPAA and BAA
Where Client Personal Data includes Protected Health Information ("PHI") as defined under the Health Insurance Portability and Accountability Act ("HIPAA"), the parties will execute a Business Associate Agreement ("BAA") prior to the processing of any PHI.
The BAA sets forth Hello's obligations regarding the use, disclosure, and safeguarding of PHI in accordance with HIPAA and the HITECH Act. In the event of a conflict between this DPA and the BAA with respect to PHI, the terms of the BAA will control.
For details on Hello's HIPAA compliance program and to review the standard BAA, see our Business Associate Agreement (BAA) page.
12. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in the Agreement. This DPA does not create liability beyond what is established in the Agreement.
13. General Provisions
13.1 Governing Law
This DPA is governed by and construed in accordance with the laws of the State of Delaware, without regard to conflict of law principles.
13.2 Amendments
Hello may update this DPA from time to time to reflect changes in applicable Data Protection Law or our processing practices. Hello will provide the Controller with at least 30 days' written notice of any material changes. Continued use of the Services after the effective date of the updated DPA constitutes acceptance of the revised terms.
13.3 Entire Agreement
This DPA, together with the Agreement and any applicable BAA, constitutes the entire agreement between the parties regarding the processing of Client Personal Data and supersedes all prior agreements and understandings on this subject.
13.4 Contact Information
For questions about this Data Processing Agreement or to exercise any rights under this DPA, please contact us:
- Compliance inquiries: compliance@usehello.ai
- Privacy inquiries: privacy@usehello.ai
- Phone: (314) 972-3674
- Mail: Hello, Inc., Attn: Legal/Compliance, Denver, CO, United States