Hremia

Data Processing Addendum

Terms under which Hremia processes personal data as a processor on behalf of the customer (the controller).

Last updated: 2026-06-27

Template: review it with your legal counsel before relying on it. This document is provided for informational purposes only and does not constitute legal advice.

1. Roles & scope

This Addendum forms part of the agreement between the customer (the controller) and Hremia (the processor). It applies to Hremia's processing of personal data on the customer's behalf in connection with the service. Hremia processes such data only on the customer's documented instructions, including those set out in the agreement and configuration of the service.

2. Processing details

  • Subject matter & duration — provision of the wellbeing companion and speak-up channel for the term of the agreement.
  • Nature & purpose — hosting, securing and operating the service.
  • Categories of data — account identifiers, usage metadata and the encrypted, isolated content employees choose to share with the companion.
  • Data subjects — the customer's employees and authorised users.

3. Security measures

Hremia implements appropriate technical and organisational measures, including:

  • Encryption — data encrypted in transit and at rest, with sensitive content protected using AES-256-GCM.
  • Tenant isolation — schema- and role-level isolation between customers.
  • Row-level security (RLS) — database policies enforcing per-tenant and per-role access at the data layer.
  • Least-privilege access, audit logging and ongoing monitoring.

4. Sub-processors

The customer authorises Hremia to engage vetted EU-based sub-processors, each bound by written terms imposing data-protection obligations no less protective than this Addendum. Hremia maintains a current list and notifies material changes in advance so the customer may object.

5. International transfers (EU-only)

Personal data is processed and stored within the EU/EEA. Hremia does not transfer production personal data outside the EU/EEA in the ordinary course of providing the service.

6. Data-subject requests

Taking into account the nature of the processing, Hremia assists the controller by appropriate technical and organisational measures, insofar as possible, to respond to requests from data subjects exercising their rights. Where Hremia receives such a request directly, it promptly refers the data subject to the controller.

7. Breach notification

Hremia notifies the controller without undue delay after becoming aware of a personal-data breach affecting the controller's data, providing the information reasonably needed for the controller to meet its own notification obligations.

8. Audit

Hremia makes available the information necessary to demonstrate compliance with this Addendum and allows for and contributes to audits, including inspections, conducted by the controller or an auditor it mandates, subject to reasonable confidentiality and security arrangements.

9. Deletion or return

On termination, and at the controller's choice, Hremia deletes or returns the personal data it processes and deletes existing copies, unless retention is required by law.

10. Contact

To request or execute this Addendum, or for data-processing questions, write to dpa@hremia.eu.

AES-256-GCM · EU-only · Encrypted & isolated by design.