A plain-English summary of our DPA, with the full agreement available on request for your procurement and privacy team.
Effective date: June 2026 · Last updated: May 28, 2026
A Data Processing Agreement, or DPA, is the contract between a customer (the data controller) and a service provider (the data processor) that sets out how personal data is handled.
If you process personal data through FellowHire, you are the data controller. FellowHire is the data processor. The DPA documents how we process that personal data on your behalf.
The DPA applies any time FellowHire processes personal data on your behalf. In practice, this is almost always, because the fellow operates inside your Slack or Microsoft Teams workspace and processes the messages, documents, and integration outputs you scope to it.
The DPA is part of every annual customer engagement. Counsel can sign the standard DPA, or we can negotiate reasonable customer edits during procurement.
Below is a plain-English summary of the key provisions. The full DPA is the contractually binding document. If anything in this summary appears to conflict with the full DPA, the full DPA controls.
The DPA lists the sub-processors that help us run the service (cloud hosting, model providers, payment processor, email, and others). We notify customers 30 days before adding or replacing a sub-processor.
The DPA confirms we will help you respond to data subject requests (access, correction, deletion, portability, restriction, objection) within the timelines required by the law that applies to you.
If we suffer a personal data breach affecting your data, we will notify you without undue delay and within 72 hours of becoming aware. We will give you the information you need to meet your own breach-notification obligations.
The DPA grants reasonable audit rights. We make our SOC 2 and ISO 27001 reports available under NDA as the primary audit mechanism. For Scale-tier customers and customers with specific procurement requirements, we accept reasonable customer audits.
When an engagement ends, customer data is deleted within 30 days on request or per the timeline in the DPA. Audit logs are retained per SOC 2 requirements and then deleted.
The DPA includes Standard Contractual Clauses (SCCs) for transfers out of the EEA and UK. We also rely on the EU-US Data Privacy Framework (DPF) where applicable. EU-region hosting is available on request.
The DPA confirms our security posture: SOC 2 and ISO 27001 compliance, encryption in transit (TLS 1.3) and at rest (AES-256), and no-training enterprise agreements with OpenAI and Anthropic.
The DPA states explicitly that we do not use customer data to train AI models, and that our model providers do not train on customer data either.
We provide our full Data Processing Agreement on request as part of procurement and contracting. Email [email protected] or click below and we will send the current DPA within 1 business day.
Request the DPA
For customers with specific procurement requirements, we accept reasonable customer edits to the DPA. To start a redline, talk to our team.
Talk to our team about a custom DPA →