F. Sensitive or Special Categories of Personal Data

The Services are not intended to process sensitive or special categories of Personal Data. Such data may be processed only if Customer or its users include it in free-form fields, messages, notes, templates, custom fields, support communications, LinkedIn messages, attachments, or other Customer-controlled content.

G. Processing Frequency

Continuous for hosted Services and as initiated by Customer or Customer users for specific features.


Schedule 2 - Technical and Organizational Measures

TalkToHumans maintains the following technical and organizational measures, taking into account the nature, scope, context, and purposes of processing.

1. Product Privacy Architecture

  • LinkedIn message bodies, attachments, and related conversation data are synced to and stored in backend systems by default, because core product features depend on server-side message sync.
  • Local browser persistence may also be used for caches, helper data, message copies, mutation intents, local app context, quota snapshots, link previews, and local participant caches.
  • Backend canonical storage is used for business entities and workflow data such as accounts, participants, chats, messages, chat participants, tags, notes, saved views, templates, AI actions, drafts, schedules, sequence steps, template runs, sync states, billing, subscriptions, invoices, and usage records.
  • API and MCP access to Customer workspace data is authenticated and Customer-authorized.

2. Authentication and Access Control

  • User authentication and organization membership are backed by WorkOS.
  • Backend requests are authenticated and scoped to organization/user tenant context.
  • Extension authentication uses backend-brokered extension sessions and short-lived extension JWTs.
  • Extension session tokens are stored server-side as hashes, and the extension does not store a WorkOS refresh token.
  • Backend authorization uses organization and user scoping to prevent cross-tenant access.
  • API and MCP access require authenticated, Customer-authorized credentials.
  • Production access is restricted to authorized personnel and contractors with a business need.

3. Chrome Extension and LinkedIn Boundary

  • LinkedIn actions execute through the Customer user's real logged-in browser session.
  • The extension accepts external requests only from allowlisted TalkToHumans origins.
  • The extension validates the active LinkedIn session and live LinkedIn headers before privileged LinkedIn requests.
  • Backend relay requests strip unsafe caller-provided authorization, cookie, CSRF, and LinkedIn tracing headers.
  • The extension applies safety gates, hard daily caps, token-bucket throttling, spacing, concurrency limits, jitter, and quota checks to LinkedIn actions.
  • The extension uses Chrome alarms for scheduled sequence execution while the user's browser is open.

4. Infrastructure and Network Security

  • The frontend is hosted on Vercel.
  • The backend runs on AWS ECS Fargate.
  • The primary database runs on AWS Aurora PostgreSQL / RDS in private subnets.
  • Backend tasks run in private subnets and connect to the database over restricted network paths.
  • Public backend traffic is routed through an AWS Application Load Balancer.
  • Organization media is stored in an AWS S3 bucket with public access blocked, bucket-owner enforced object ownership, versioning enabled, and CloudFront origin access identity for distribution.
  • Secrets are stored in AWS Secrets Manager and injected into backend tasks as secrets.
  • GitHub Actions uses AWS OIDC for deployment access rather than long-lived AWS user credentials where configured.
  • Application endpoints use HTTPS/TLS in production.

5. Logging, Monitoring, and Observability

  • Backend logs are written to AWS CloudWatch Logs with a one-year retention period in the current infrastructure configuration.
  • Production structured logs are also sent to Better Stack where configured.
  • Product analytics are sent through Segment and Mixpanel where configured.
  • Mixpanel session replay is disabled for the Services.
  • Analytics events are typed and designed to avoid arbitrary event names and arbitrary property bags.
  • Message text is intentionally excluded from backend analytics events for message sending and AI action tracking.
  • Internal logging guidance prohibits logging secrets and raw message bodies.

6. Data Minimization in AI and Enrichment

  • AI drafting is initiated by the user and sends only the prompt and selected variables needed for the requested output.
  • AI prompt preparation removes or compacts certain identifiers and verbose fields to reduce unnecessary prompt content.
  • TalkToHumans will not use Customer Personal Data to train general-purpose AI models unless Customer expressly authorizes that use in writing.
  • Enrichment, email finding, and phone finding are user-initiated or plan/credit-gated and run through configured upstream providers.
  • Credit-consuming upstream work uses local reservations before paid provider calls.

7. Security Operations

  • TalkToHumans restricts production access to authorized personnel and contractors with a business need.
  • TalkToHumans uses secrets management for production credentials.
  • TalkToHumans investigates suspected security incidents and notifies affected Customers as described in this DPA.
  • TalkToHumans applies reasonable development, review, deployment, and change-management practices appropriate to its size and stage.
  • TalkToHumans intends to begin pursuing an initial third-party security assessment targeting SOC 2 Type I starting in 2027.

8. Availability, Backup, and Recovery

  • TalkToHumans relies on managed infrastructure providers for database, storage, hosting, and operational resilience.
  • TalkToHumans maintains reasonable backup and recovery practices for hosted production systems. The production Aurora PostgreSQL cluster has automated backups enabled with a 1-day retention period.
  • Browser-local cached data may not be recoverable by TalkToHumans if deleted locally and not stored in backend systems.

9. Deletion and Retention

  • Customer Personal Data in active hosted systems is deleted or returned as described in the DPA and Agreement.
  • Billing, security, audit, and legal records may be retained where required or permitted by law.
  • Backup deletion follows normal backup expiration cycles.
  • Browser-local data is controlled by the Customer user's browser/device and may need to be deleted locally by the user or through browser/device management.

Schedule 3 - Subprocessors

This list reflects the current Services as of the Last Updated date above.

| Subprocessor | Purpose | Personal Data Processed | Processing Location / Transfer Notes | Use |
| --- | --- | --- | --- | --- |
| Amazon Web Services (AWS) | Backend hosting, database, object storage, logs, secrets management, email sending, CDN/media delivery | Customer Personal Data stored or processed in backend systems, logs, media, secrets, operational metadata, support email metadata where applicable | Primary production AWS region: eu-west-3 (Paris). Includes ECS Fargate, Aurora PostgreSQL/RDS, S3, CloudFront, Secrets Manager, CloudWatch Logs, SES where enabled. Transfer mechanisms such as DPA/SCCs apply where required | Core |
| Vercel | Frontend hosting and delivery | Browser request metadata, application delivery metadata, frontend logs/telemetry where enabled | Used for frontend hosting and delivery. Transfer mechanisms such as DPA/SCCs apply where required | Core |
| WorkOS | Authentication, organization management, user management, invitations, OAuth/MCP authorization support | User names, emails, organization IDs, membership metadata, auth/session identifiers | Used for app auth and organization membership. Transfer mechanisms such as DPA/SCCs apply where required | Core |
| Stripe | Billing, checkout, subscriptions, invoices, payment methods, credit grants, metered usage | Billing contacts, payment metadata, invoice data, subscription data, usage and credit metadata | Full payment card data is handled by Stripe, not stored by TalkToHumans. Transfer mechanisms such as DPA/SCCs apply where required | Billing |
| Better Stack | Logging and observability | Operational logs, diagnostic metadata, error/security events; excluding secrets and raw message bodies by policy | Production logging where configured. Transfer mechanisms such as DPA/SCCs apply where required | Operations |
| Segment | Product analytics routing | User/account/organization identifiers, event names, safe event properties, product usage metadata | Used for typed product analytics where configured. Transfer mechanisms such as DPA/SCCs apply where required | Analytics |
| Mixpanel | Product analytics | User/account/organization identifiers, event metadata, browser/device metadata, and product usage metadata | EU Mixpanel endpoints; session replay disabled. Transfer mechanisms such as DPA/SCCs apply where required | Analytics |
| OpenRouter | AI model routing and generation | User-submitted AI prompts, selected variables, draft text, and conversation/profile context when Customer invokes AI features | Downstream model provider may vary by configured model; current code references OpenAI models through OpenRouter. Transfer mechanisms such as DPA/SCCs apply where required | Optional AI |
| Enrichment and contact data providers | LinkedIn profile enrichment, company enrichment, work email finding, and phone finding | LinkedIn profile/company identifiers and returned profile, company, work email, phone, and related enrichment data when Customer invokes or enables these features | Used only for enrichment, email finding, or phone finding where configured. Specific provider names may be provided during a security review or on reasonable written request. Transfer mechanisms such as DPA/SCCs apply where required | Optional enrichment |

Schedule 4 - Standard Contractual Clauses

1. EU SCCs

1.1. The EU SCCs are incorporated by reference for Restricted Transfers that require them.

1.2. Modules. Module Two (Controller to Processor) applies where Customer is Controller and TalkToHumans is Processor. Module Four (Processor to Controller) applies where TalkToHumans is Processor in the EEA and Customer is Controller outside the EEA and a Restricted Transfer from TalkToHumans to Customer occurs.

1.3. Clause 7. The optional docking clause does not apply.

1.4. Clause 9. For Module Two, Option 2 applies, and the time period for prior notice of Subprocessor changes is 30 days as described in Section 9.

1.5. Clause 11. The optional language does not apply.

1.6. Clause 17. Option 1 applies. The EU SCCs are governed by French law.

1.7. Clause 18. Disputes under the EU SCCs will be resolved before the courts of France.

1.8. Annex I. The details of the Parties and processing are set out in this DPA, the Agreement, and Schedule 1.

1.9. Annex II. The technical and organizational measures are set out in Schedule 2.

1.10. Annex III. The Subprocessor list is set out in Schedule 3.

1.11. Competent supervisory authority. The competent supervisory authority will be determined under Clause 13 of the EU SCCs. Where TalkToHumans is the Data Exporter, the competent supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL) in France.

2. UK Addendum

2.1. For Restricted Transfers subject to the UK GDPR, the UK Addendum is incorporated by reference and completed as follows:

  • Table 1: the Parties' details are set out in this DPA and the Agreement.
  • Table 2: the selected EU SCC modules, clauses, and annexes are described in Section 1 of this Schedule 4.
  • Table 3: Annex I is completed by this DPA, the Agreement, and Schedule 1; Annex II is completed by Schedule 2; Annex III is completed by Schedule 3.
  • Table 4: neither Party may end the UK Addendum except as permitted by the UK Addendum.

3. Supplementary Measures

3.1. For Restricted Transfers, TalkToHumans will apply the technical and organizational measures in Schedule 2 and will take reasonable steps to evaluate transfer risks where required by Applicable Data Protection Law.

3.2. If TalkToHumans receives a legally binding request from a public authority for access to Customer Personal Data, TalkToHumans will review the request, challenge it where legally available and appropriate, and notify Customer where legally permitted.