Data Processing Addendum.
Effective date · June 7, 2026
The plain-English version
- This Addendum applies when you (the Operator) use Hermes to process personal data of individuals located in the EEA, the UK, or Switzerland.
- You are the data controller. Hermes is the data processor. We only process personal data on your documented instructions.
- We use the European Commission Standard Contractual Clauses (Decision (EU) 2021/914) for transfers out of the EEA.
- We notify you of personal data breaches affecting your data within 72 hours of becoming aware.
- You can request deletion of personal data at any time, and we will delete it within 30 days of the Account closing.
- For the full sub-processor list, see Section 5 below or our Privacy Policy.
1. Definitions
Terms used but not defined in this Addendum have the meanings given to them in the Terms of Service or in the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”). “Customer Personal Data” means personal data processed by Hermes on behalf of the Operator pursuant to the Terms of Service. “SCCs” means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2. Roles of the Parties
For Customer Personal Data, the Operator is the data controller and Hermes is the data processor. Hermes will process Customer Personal Data only on the documented instructions of the Operator, including with regard to transfers to a third country, unless required to do so by applicable law to which Hermes is subject, in which case Hermes will inform the Operator of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3. Subject Matter, Duration, Nature, and Purpose
The subject matter, duration, nature, and purpose of the processing, the type of personal data processed, and the categories of data subjects are as follows:
- Subject matter: Provision of the Hermes Service to the Operator.
- Duration: The term of the Terms of Service plus the retention period specified in our Privacy Policy.
- Nature and purpose: Hosting, transmitting, processing, and analyzing Customer Personal Data as necessary to provide AI voice agent services, including call placement, recording, transcription, scheduling, and contact management.
- Type of personal data: Contact information (name, phone, email), call recordings and transcripts, calendar event metadata, and any other personal data submitted to or processed through the Service by the Operator.
- Categories of data subjects: The Operator’s end customers, prospects, employees, and any other individuals whose personal data is processed through the Service.
4. Security Measures
Hermes implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including: encryption in transit (TLS 1.3), encryption at rest provided by the underlying cloud storage infrastructure, least-privilege access controls, audit logging, regular vulnerability scans, and incident response procedures. These measures are described further in Section 10 of our Privacy Policy.
5. Sub-processors
The Operator authorizes Hermes to engage the following sub-processors for the processing of Customer Personal Data:
- MongoDB Atlas (database hosting, US-East region)
- Vercel (frontend hosting and CDN)
- Render (backend hosting)
- Retell AI (voice agent infrastructure)
- Stripe (payment processing — for Operator billing only, no End Customer data)
- Resend (transactional email)
- Google LLC (Calendar API integration, only where the Operator has explicitly connected a Google account)
Hermes will notify the Operator at least thirty (30) days in advance of any addition or replacement of a sub-processor by updating this section. The Operator may object to such changes in writing within thirty (30) days; if the objection cannot be resolved, the Operator may terminate the affected portion of the Service.
6. International Transfers
For transfers of Customer Personal Data from the EEA, the UK, or Switzerland to a third country that the European Commission has not deemed to provide an adequate level of protection, the parties incorporate the SCCs (Module Two: Controller to Processor) into this Addendum by reference, with Hermes acting as the data importer and the Operator acting as the data exporter. The optional Clauses 7, 9(a) option 2, 11(a), and the docking clause are excluded; the supervisory authority is the Irish Data Protection Commission. For transfers from the UK, the parties incorporate the UK International Data Transfer Addendum to the SCCs.
7. Data Subject Rights
Hermes will, to the extent legally permitted, promptly notify the Operator of any request received from a data subject to exercise rights under the GDPR (including rights of access, rectification, erasure, restriction, portability, and objection) with respect to Customer Personal Data. Hermes will not respond directly to such requests except on the documented instructions of the Operator or as required by applicable law. Hermes will provide reasonable assistance to the Operator in responding to such requests through technical and organizational measures proportionate to the nature of the processing.
8. Personal Data Breach Notification
Hermes will notify the Operator without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
9. Audits
Hermes will make available to the Operator information reasonably necessary to demonstrate compliance with this Addendum and the GDPR. The Operator may, at its expense and on reasonable prior written notice, audit Hermes’s compliance with this Addendum no more than once per twelve-month period, except where an additional audit is required by a competent supervisory authority or following a personal data breach. Audits will be conducted in a manner that does not interfere unreasonably with Hermes’s business operations.
10. Deletion or Return of Personal Data
On termination of the Operator’s Account or on the Operator’s written request, Hermes will delete or return all Customer Personal Data, including all copies, within thirty (30) days, unless retention is required by applicable law. Backup copies are deleted in accordance with our retention schedule but no later than ninety (90) days after the primary deletion.
11. Changes to this Addendum
Hermes may update this Addendum from time to time. Material changes will be communicated to the Operator at least thirty (30) days in advance by email. Continued use of the Service after the effective date of an updated Addendum constitutes acceptance of the changes.
12. Conflict
In the event of a conflict between this Addendum and the Terms of Service with respect to the processing of Customer Personal Data, this Addendum prevails. In the event of a conflict between this Addendum and the SCCs, the SCCs prevail.
13. Contact
Questions about this Addendum or requests for the executed countersigned copy should be directed to hello@buildwithhermes.com. For data protection matters specifically, you may also contact our designated Data Protection contact at the same address.
