Data Processing Agreement.

Scope & roles

This Data Processing Agreement ("DPA") is entered into between the Customer and CEL EDUCATION LLC, a Delaware limited liability company with its registered office at 8 The Green, Suite A, Dover, DE 19901, which operates the Hellow service ("CEL Education", "Hellow", "we", "us"). It governs our processing of Personal Data on behalf of the Customer in connection with the services described in the underlying Subscription Agreement ("Order").

For the purposes of applicable data-protection laws (including the GDPR and the CCPA), Customer is the "Controller" and CEL Education is the "Processor".

Subject matter & duration

Hellow processes Personal Data only for the duration of the Order and only to deliver the services. Categories of data subjects include the Customer's end-customers and authorized users of the Customer's account; categories of Personal Data include contact details, voice recordings, transcripts, conversation metadata, and scheduling information.

Customer instructions

Hellow processes Personal Data only on documented instructions from Customer, as set out in the Order, this DPA, and any subsequent instructions Customer provides through the dashboard or in writing. Hellow will inform Customer if it believes an instruction conflicts with applicable law.

Subprocessors

Hellow may engage subprocessors to deliver the services. A current list is available at privacy@hellow.ai. Hellow imposes data-protection obligations on subprocessors that are no less protective than those in this DPA and remains liable for their performance.

Hellow will provide reasonable advance notice of new subprocessors; Customer may object on reasonable grounds within 14 days of notice.

Security measures

Hellow implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. A description of these measures is available on our Security page and in our SOC 2 report.

International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not deemed adequate by the European Commission, Hellow relies on the Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum, which are incorporated into this DPA by reference and take precedence in the event of conflict.

Data subject requests

Hellow will provide commercially reasonable assistance to enable Customer to fulfil requests from data subjects exercising their rights under applicable law (access, correction, deletion, portability, objection).

Breach notification

Hellow will notify Customer without undue delay after becoming aware of a Personal Data Breach, and provide information reasonably required for Customer to comply with its own breach-notification obligations.

Audits

Hellow will make available to Customer its current SOC 2 Type II report and Trust Pack on request and under NDA. Additional audits may be conducted under the conditions described in the Order.

Return & deletion

Upon termination of the Order, Hellow will delete or return all Personal Data within 30 days, except where retention is required by applicable law.