Legal
GDPR CompliantData Processing Agreement
This DPA governs how Heightss processes personal data on your behalf.
Last updated December 20, 2025
About This Agreement
Introduction to this DPA
This Data Processing Agreement forms part of the agreement between you ("Controller"/"Customer") and Heightss ("Processor"/"Company") for the provision of the Heightss platform services. This DPA applies to the extent that Heightss processes Personal Data on behalf of the Customer in the course of providing the Services.
This DPA is designed to comply with GDPR (EU), IT Act 2000 (India), and other applicable data protection regulations.
Definitions
Key terms and meanings
In this DPA, the following terms shall have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
- "Controller" means the entity that determines the purposes and means of the processing of Personal Data (the Customer).
- "Processor" means the entity that processes Personal Data on behalf of the Controller (Heightss).
- "Subprocessor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Data Protection Laws" means GDPR, IT Act 2000 (India), and any other applicable privacy laws.
- "Security Incident" means any unauthorized access, disclosure, or destruction of Personal Data.
- "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for international data transfers.
Scope & Purpose
What data is processed and why
Subject Matter: This DPA applies to the processing of Personal Data by Heightss in connection with providing the Services described in the Terms of Service.
Categories of Data Subjects:
- Customer's users and account holders
- Customer's employees accessing the Service
- Individuals whose data is stored within Customer's account
Types of Personal Data:
- Identity data: Name, email address, profile picture
- Authentication data: OAuth tokens, session identifiers
- Calendar data: Event titles, dates, times (via Google Calendar integration)
- Usage data: Feature usage, preferences, settings
- User-generated content: Journal entries, notes, watchlists
Purpose of Processing:
- Providing and maintaining the Heightss platform
- User authentication and account management
- Calendar integration and event scheduling
- AI-powered features and analysis
- Customer support and communication
- Service improvement and analytics
Duration: Processing continues for the duration of the service agreement and for any retention period required by law or as specified in our Privacy Policy.
Data Processing
Processing principles and records
Heightss shall process Personal Data only:
- In accordance with the Controller's documented instructions
- As necessary to provide the Services
- As required by applicable law (with notice to Controller where permitted)
Heightss shall not:
- Process Personal Data for purposes other than those specified
- Sell, rent, or trade Personal Data to third parties
- Use Personal Data for advertising or marketing purposes without consent
- Transfer Personal Data without appropriate safeguards
Processing Records:
Heightss maintains records of processing activities as required by Article 30 of GDPR, including:
- Categories of processing performed
- Transfers to third countries
- Technical and organizational security measures
Processor Obligations
Our commitments to you
Heightss agrees to the following obligations:
Confidentiality:
- Ensure personnel processing Personal Data are bound by confidentiality obligations
- Limit access to Personal Data to personnel who need it
- Maintain confidentiality obligations that survive termination of employment
Assistance:
- Assist Controller in responding to Data Subject requests
- Assist with data protection impact assessments when required
- Assist with prior consultation with supervisory authorities
- Provide information necessary to demonstrate compliance
Instructions:
- Process data only on documented instructions from Controller
- Inform Controller if an instruction infringes Data Protection Laws
- Maintain records of instructions received
Security Measures
Technical & organizational safeguards
Heightss implements the following security measures (detailed in our Security Policy):
Technical Measures:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access control: Role-based access, MFA, session management
- Network security: Firewalls, IDS/IPS, DDoS protection
- Monitoring: 24/7 security monitoring, SIEM, audit logging
- Vulnerability management: Regular scanning, penetration testing
Organizational Measures:
- Security policies and procedures
- Employee security awareness training
- Background checks for employees with data access
- Incident response procedures
- Business continuity and disaster recovery plans
Certifications:
- SOC 2 Type II aligned controls
- Infrastructure hosted on certified cloud providers
Subprocessors
Third parties processing data
Authorization: Controller authorizes Heightss to engage the subprocessors listed below and on our website.
Current Subprocessors:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google LLC | OAuth Authentication, Calendar API | USA |
| WorkOS Inc. | Authentication Infrastructure | USA |
| Anthropic PBC | AI Processing (Claude) | USA |
| Functional Software Inc. | Error Monitoring (Sentry) | USA |
| Civo Ltd. | Database Hosting | UK |
Subprocessor Changes:
- Heightss will notify Controller of new subprocessors via email 30 days before engagement
- Controller may object to new subprocessors within 14 days
- If objection cannot be resolved, Controller may terminate affected services
Subprocessor Obligations: All subprocessors are bound by written agreements imposing equivalent data protection obligations.
Data Subject Rights
Access, correction, deletion rights
Heightss will assist Controller in fulfilling its obligations to respond to Data Subject requests, including:
- Right of Access: Provide copies of Personal Data upon request
- Right to Rectification: Correct inaccurate Personal Data
- Right to Erasure: Delete Personal Data ("right to be forgotten")
- Right to Restriction: Restrict processing of Personal Data
- Right to Portability: Export Personal Data in machine-readable format
- Right to Object: Object to certain types of processing
If Heightss receives a request directly from a Data Subject:
- We will notify the Controller promptly (within 5 business days)
- We will not respond directly unless authorized by Controller
- We will provide reasonable assistance to fulfill the request
Response Times: Heightss will respond to Controller requests for assistance within 10 business days.
Data Breach
48-hour notification commitment
Notification: Heightss will notify Controller of any Security Incident without undue delay and in any event within 48 hours of becoming aware.
Notification Contents:
- Nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of records affected
- Likely consequences of the incident
- Measures taken or proposed to address the incident
- Contact point for further information
Assistance:
Heightss will:
- Take immediate steps to contain and mitigate the breach
- Investigate the root cause
- Preserve evidence for forensic analysis
- Assist Controller with regulatory notifications
- Provide post-incident report
Communication: Security incidents should be reported to security@heightss.com.
Audit Rights
Verification and compliance
Heightss will make available to Controller information necessary to demonstrate compliance with this DPA.
Documentation Available Upon Request:
- SOC 2 Type II report (under NDA)
- Penetration test summary (under NDA)
- Security policies and procedures summary
- Completed security questionnaires
- Subprocessor list with DPA status
On-Site Audits:
- Available for Enterprise customers
- 30 days advance written notice required
- Maximum one audit per year
- Conducted during normal business hours
- Controller bears costs of third-party auditors
- Auditors must sign confidentiality agreements
Contact security@heightss.com to request audit documentation.
International Transfers
Cross-border data handling
Heightss is based in India. Personal Data may be transferred to and processed in:
- India (primary processing location)
- United States (subprocessors)
- United Kingdom (database hosting)
Transfer Mechanisms:
- Standard Contractual Clauses (SCCs): EU-approved clauses for EU-to-third country transfers
- UK International Data Transfer Agreement: For UK data transfers
- Data Processing Agreements: With all subprocessors
Supplementary Measures:
- Encryption in transit and at rest
- Pseudonymization where feasible
- Access controls and audit logging
- Regular security assessments
Copies of executed SCCs are available upon request.
Data Retention
How long we keep data
During Service: Personal Data is retained for the duration of the service agreement.
Upon Termination:
- Controller may request data export within 30 days of termination
- Personal Data deleted within 30 days of termination (unless retention required by law)
- Backups purged within 90 days
- Certificate of deletion available upon request
Retention for Legal Compliance:
- Some data may be retained as required by applicable law
- Data retained for legal purposes is segregated and access-restricted
- Controller will be informed of any legal retention requirements
Termination
End of agreement provisions
Term: This DPA commences when you start using the Services and continues until all Personal Data processing is terminated.
Survival:
The following provisions survive termination:
- Data retention and deletion obligations
- Confidentiality obligations
- Audit rights (for 1 year post-termination)
- Liability provisions
Effect of Termination:
- Processing ceases except for deletion activities
- Data export provided upon request
- All Personal Data deleted per Section 11
Contact
Get in touch
For questions about this DPA or to exercise your rights:
Privacy & DPA Inquiries: privacy@heightss.com
Security & Compliance: security@heightss.com
General Inquiries: heightss@heightss.com