Hesk Cloud Data Processing Agreement
Effective date: 1 January 2026
Version: 2.0
Processor: StyledWeb d.o.o., Novi trg 10, 8000 Novo mesto, Slovenia ("Hesk", "we", "us", or "our")
This Hesk Cloud Data Processing Agreement ("DPA") forms part of the Hesk Cloud Terms of Service (the "Terms") where Hesk processes Customer Personal Data on behalf of a customer ("Customer", "you", or "your") as a processor.
Capitalized terms not defined in this DPA have the meaning given in the Terms. The terms "controller", "processor", "processing", "personal data", "data subject", "personal data breach", and "subprocessor" have the meanings given in the GDPR.
1. Roles
For Customer Personal Data processed through Hesk Cloud:
- Customer is the controller, or processor acting on behalf of another controller, as applicable.
- Hesk is the processor, or subprocessor where Customer acts as a processor.
- Customer is responsible for the lawfulness of Customer Personal Data and for all notices, consents, lawful bases, and instructions required for Hesk to process it.
If Customer acts as a processor for another controller, Customer confirms that it is authorized to instruct Hesk and to bind the relevant controller to terms consistent with this DPA.
2. Processing details
| Item | Details |
|---|---|
| Subject matter | Hosted help desk and ticketing services provided through Hesk Cloud. |
| Duration | The term of the Services, plus any deletion, backup, legal-retention, security, fraud-prevention, tax, accounting, or dispute-resolution period permitted by the Terms or law. |
| Nature and purpose | Hosting, storing, displaying, transmitting, securing, backing up, supporting, maintaining, troubleshooting, deleting, and otherwise processing Customer Data to provide Hesk Cloud. |
| Data subjects | Customer's users, agents, employees, contractors, customers, prospective customers, contacts, ticket submitters, and other individuals whose personal data is submitted to the Service. |
| Personal data types | Names, email addresses, contact details, account and user data, ticket contents, communications, attachments, metadata, logs, configuration data, and other personal data submitted to the Service by or for Customer. |
| Special categories | Not permitted unless Hesk expressly agrees in writing. |
Customer must not submit sensitive, restricted, or high-risk data except as permitted by Section 7 of the Terms. If Customer submits such data without Hesk's written approval, Customer is responsible for all resulting risks, claims, liabilities, and obligations.
3. Customer instructions
Hesk will process Customer Personal Data only on Customer's documented instructions unless required by law. Customer's instructions are set out in the Terms, this DPA, Customer's use and configuration of the Service, and lawful support requests submitted by Customer.
Hesk may notify Customer if Hesk believes an instruction violates applicable data-protection law and may suspend the affected processing until the issue is resolved.
To the maximum extent permitted by law, Hesk is not liable for consequences resulting from Hesk's good-faith processing of Customer Personal Data in accordance with Customer's instructions.
4. Confidentiality
Hesk will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
5. Security
Hesk will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.
These measures may include, as appropriate to the Service and the risk: access controls, internal access restrictions, confidentiality obligations, hosting and network safeguards, backup procedures, logging and monitoring, vulnerability management, incident-response procedures, and subprocessor controls.
Customer is responsible for using available security features, managing account access, choosing secure credentials, configuring permissions, and maintaining appropriate backups or exports.
6. Subprocessors
Customer gives Hesk general authorization to use subprocessors to provide, secure, bill, maintain, improve, and support the Service. Hesk may add, replace, or remove subprocessors for legitimate business reasons, including security, performance, reliability, availability, compliance, cost, support, and service improvement.
Hesk will maintain a Hesk Cloud Subprocessor List and will update it when adding or replacing subprocessors that process Customer Personal Data. Hesk will use reasonable efforts to provide at least fourteen (14) days' notice before authorizing a new subprocessor, which may be given by updating the Subprocessor List.
Customer may object to a new subprocessor on reasonable data-protection grounds by notifying Hesk in writing before the new subprocessor is authorized. If Hesk cannot reasonably address the objection, Customer's sole remedy is to terminate the affected Service without penalty before the new subprocessor is authorized.
Hesk will impose data-protection obligations on subprocessors that are materially equivalent to those in this DPA, to the extent applicable to the subprocessor's services. Hesk remains responsible for subprocessors as required by applicable data-protection law.
7. International transfers
Customer authorizes Hesk and its subprocessors to transfer Customer Personal Data outside the European Economic Area, Switzerland, or the United Kingdom where necessary to provide the Service, provided that Hesk uses a lawful transfer mechanism where required.
Lawful transfer mechanisms may include adequacy decisions, standard contractual clauses, international data transfer agreements or addenda, derogations, or other mechanisms permitted by applicable law.
8. Data-subject requests
Taking into account the nature of the processing and information available to Hesk, Hesk will provide reasonable assistance to Customer to help Customer respond to data-subject requests relating to Customer Personal Data.
If Hesk receives a data-subject request directly, Hesk may redirect the requester to Customer unless Hesk is legally required to respond.
Hesk may charge reasonable fees for assistance that goes beyond standard Service features or for excessive, repetitive, or unusually complex requests, except where prohibited by law.
9. Personal data breaches
Hesk will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data.
Hesk will provide information reasonably available to Hesk and reasonably necessary for Customer to meet its own breach-notification obligations. Hesk may provide information in phases as it becomes available.
Hesk's notification of, investigation into, or response to a personal data breach is not an admission of fault or liability.
10. DPIAs and prior consultations
Taking into account the nature of the processing and information available to Hesk, Hesk will provide reasonable assistance with data-protection impact assessments and prior consultations with supervisory authorities where required by applicable data-protection law and related to Hesk's processing of Customer Personal Data.
Hesk may charge reasonable fees for assistance that is not included in the standard Service, or for excessive, repetitive, or unusually complex requests, except where prohibited by law.
11. Deletion and retention
Customer is responsible for exporting Customer Personal Data before termination or expiration of the Service.
After termination or expiration, Hesk will delete Customer Personal Data from active systems as described in the Terms, unless retention is required or permitted for legal, security, backup, fraud-prevention, dispute-resolution, tax, accounting, or legitimate business-record purposes.
Backup copies may remain until overwritten or deleted in the ordinary backup cycle. Hesk will not restore backup copies except for disaster recovery, legal or compliance purposes, security purposes, or as otherwise appropriate under the Terms.
12. Audit and compliance information
Hesk will make available information reasonably necessary to demonstrate compliance with this DPA.
Where required by applicable data-protection law, Customer may request an audit of Hesk's compliance with this DPA. Any audit must be reasonable, limited to Hesk's processing of Customer Personal Data, subject to confidentiality, conducted during normal business hours with reasonable advance notice, and carried out in a way that does not disrupt Hesk's operations, compromise security, or expose data of other customers.
Unless mandatory law requires otherwise, audits may not occur more than once in any twelve (12) month period, except following a confirmed personal data breach affecting Customer Personal Data or where required by a supervisory authority. Hesk may require the audit to be performed by an independent, reputable auditor bound by written confidentiality obligations.
Audits must not include access to Hesk's multi-tenant production infrastructure, source code, internal security systems, internal financial information, trade secrets, or data of other customers. Hesk may satisfy audit requests by providing documentation, policies, questionnaires, summaries, certifications, or other reasonable compliance information.
Customer is responsible for all audit costs, including Hesk's reasonable time and expenses, unless mandatory law requires otherwise.
13. Liability, survival, and conflict
Each party's liability under this DPA is subject to the exclusions and limitations of liability in the Terms, to the maximum extent permitted by law.
The provisions of this DPA that by their nature should survive termination will survive, including confidentiality, deletion and retention, audit and compliance information, liability, and any provisions required by applicable data-protection law.
If this DPA conflicts with the Terms regarding the processing of Customer Personal Data, this DPA controls to the extent of the conflict.
14. Notices, law, and updates
Notices to Hesk under this DPA must be sent to privacy@hesk.com. Notices to Customer may be sent to the email address associated with Customer's Hesk Cloud account.
This DPA is governed by the laws of the Republic of Slovenia, excluding conflict-of-law rules. The courts of the Republic of Slovenia have jurisdiction, except where mandatory law provides otherwise.
Hesk may update this DPA as described in the Terms.