Data Processing Addendum

The Huckleberry Feedback Company

Last Updated: March 31, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Terms”) between The Huckleberry Feedback Company, a Delaware corporation (“Huckleberry,” “Processor,” “we,” or “us”), and the entity subscribing to a Huckleberry Team or Enterprise plan (“Customer,” “Controller,” or “you”).

This DPA is automatically incorporated into the Terms of Service for all Team and Enterprise plan subscribers. Acceptance of the Terms constitutes acceptance of this DPA. No separate signature or execution is required. This document is also available as a standalone download for procurement and compliance review purposes.

Where this DPA conflicts with the Terms, this DPA governs with respect to the Processing of Personal Data.

1. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Terms. In this DPA:

1.1 “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR, and as further defined under applicable Data Protection Laws.

1.2 “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) of the GDPR.

1.3 “Data Subject” means the identified or identifiable natural person to whom Personal Data relates — specifically, Customer’s employees and authorized users of the Service, and colleagues who provide 360 feedback.

1.4 “Controller” means the Customer, which determines the purposes and means of the Processing of Personal Data.

1.5 “Processor” means Huckleberry, which Processes Personal Data on behalf of the Controller.

1.6 “Sub-processor” means any third-party service provider engaged by Huckleberry to Process Personal Data in connection with the Service.

1.7 “Coaching Content” means session transcripts, AI-generated summaries, coaching notes, technique preferences, and other content generated through a Data Subject’s use of the coaching features. Coaching Content is Processed for the benefit of the Data Subject, not the Controller.

1.8 “Usage Data” means aggregate metrics relating to Service usage that are visible to the Customer, including session counts, frequency, and last active dates.

1.9 “Portable Data” means the Data Subject’s Coaching Profile and 360 Feedback received, which are owned by and remain with the Data Subject.

1.10 “Company Data” means team profiles, organizational structure, HRIS data, and company documents provisioned by the Customer.

1.11 “Data Protection Laws” means all applicable laws and regulations relating to the Processing of Personal Data, including the EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and any other applicable privacy or data protection legislation.

1.12 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Implementing Decision (EU) 2021/914.

1.13 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed.

2. Scope and Applicability

2.1 This DPA applies to the Processing of Personal Data by Huckleberry on behalf of the Customer under a Team or Enterprise plan subscription.

2.2 This DPA is automatically incorporated into the Terms. No separate execution, signature, or countersignature is required. The Customer’s acceptance of the Terms constitutes acceptance of this DPA.

2.3 This DPA supersedes any prior data processing terms, agreements, or addenda between the parties relating to the Processing of Personal Data in connection with the Service.

2.4 This DPA does not apply to data that Huckleberry Processes as a controller in its own right (for example, data used to maintain and improve the Service in an anonymized and aggregated form), as described in the Privacy Policy.

3. Details of Processing

3.1 Subject Matter. The Processing concerns the provision of Huckleberry’s AI coaching, 360 feedback, and professional development services to the Customer’s employees.

3.2 Duration. Processing continues for the term of the Customer’s subscription, plus any retention periods specified in the Privacy Policy.

3.3 Nature and Purpose. Huckleberry Processes employee Personal Data to: provide voice-first AI coaching sessions; generate coaching insights and summaries; collect and synthesize 360 feedback from colleagues; integrate with the Customer’s HR systems; deliver aggregate usage reporting to the Customer; and maintain individual Coaching Profiles and Portable Data for Data Subjects.

3.4 Types of Personal Data. The categories of Personal Data Processed are detailed in Annex A and include: employee names, email addresses, professional profiles, role and team information, Coaching Content, 360 feedback, Usage Data, and assessment data.

3.5 Categories of Data Subjects. The Customer’s employees and authorized users of the Service, and colleagues or contacts who provide 360 feedback.

4. Customer Obligations

4.1 The Customer shall ensure that it has a lawful basis for the Processing of Personal Data under this DPA, including legitimate interest or consent as applicable under Data Protection Laws.

4.2 The Customer shall inform its employees about the Processing of their Personal Data through Huckleberry, including by referencing Huckleberry’s Privacy Policy where appropriate.

4.3 The Customer shall ensure that the employee data it provides to Huckleberry is accurate and up to date.

4.4 The Customer acknowledges and agrees that Coaching Content is private to the individual Data Subject and shall not attempt to access, request, or compel disclosure of any Data Subject’s Coaching Content. This restriction is enforced both contractually and architecturally within the Service.

4.5 The Customer shall promptly notify Huckleberry of any changes to applicable Data Protection Laws that may affect Huckleberry’s Processing obligations.

5. Huckleberry Obligations

5.1 Instructions. Huckleberry shall Process Personal Data only on the Customer’s documented instructions, which are constituted by the Terms and this DPA, unless required to do otherwise by applicable law.

5.2 Confidentiality. Huckleberry shall ensure that all personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.

5.3 Security. Huckleberry shall implement and maintain appropriate technical and organizational security measures as described in Section 8 and Annex B.

5.4 Assistance. Huckleberry shall assist the Customer in fulfilling the Customer’s obligations to respond to Data Subject rights requests (Section 7), and in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.

5.5 Deletion. Huckleberry shall delete or return Personal Data on termination as described in Section 11.

5.6 Purpose Limitation. Huckleberry shall not Process Personal Data for any purpose other than providing the Service as described in the Terms and this DPA.

5.7 Coaching Content — Special Provisions. The Customer acknowledges that Huckleberry Processes Coaching Content for the benefit of the individual Data Subject, not the Controller. Specifically:

(a) Coaching Content is not accessible to the Customer through the Service or otherwise;

(b) Coaching Content is Processed based on the Data Subject’s direct interaction with the Service;

(c) Coaching Content is permanently purged upon the Data Subject’s departure from the Customer’s plan; and

(d) Huckleberry staff do not have access to Coaching Content in the ordinary course of operations.

6. Sub-processors

6.1 General Authorization. The Customer provides general authorization for Huckleberry to engage Sub-processors to Process Personal Data in connection with the Service. The current list of Sub-processors is set out in Annex C.

6.2 Notification of Changes. Huckleberry shall notify the Customer of any intended addition or replacement of Sub-processors at least thirty (30) days before the change takes effect.

6.3 Objection. The Customer may object to a new Sub-processor by notifying Huckleberry in writing within fifteen (15) days of receiving notice. The parties shall work in good faith to resolve the objection. If no resolution is reached, the Customer may terminate the affected portion of the Service without penalty.

6.4 Sub-processor Obligations. Huckleberry shall impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA. Huckleberry remains liable for the acts and omissions of its Sub-processors.

7. Data Subject Rights

7.1 Huckleberry shall assist the Customer in fulfilling its obligations to respond to Data Subject requests to exercise their rights under Data Protection Laws.

7.2 Given Huckleberry’s privacy architecture, many Data Subject rights can be exercised directly by the individual through the Service, without Customer involvement.

7.3 Where Huckleberry receives a Data Subject request directly, it will: (a) inform the Data Subject that their employer is the Controller and direct them to the Customer for Controller-level requests; or (b) fulfill the request through self-service functionality within the Service, as appropriate.

8. Security

8.1 Huckleberry shall implement and maintain appropriate technical and organizational measures to protect Personal Data, including:

(a) Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest (AES-256);

(b) Strict access controls with no staff access to Coaching Content;

(c) Regular security assessments and vulnerability testing;

(d) Documented incident response procedures;

(e) Multi-factor authentication for infrastructure access; and

(f) Administrative, technical, and physical safeguards appropriate to the nature of the Personal Data Processed.

8.2 Huckleberry is pursuing SOC 2 Type II certification and will make compliance reports available to Enterprise customers upon request.

9. Data Breach Notification

9.1 Huckleberry shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Data Breach affecting the Customer’s Personal Data.

9.2 The notification shall include: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed.

9.3 Huckleberry shall cooperate with the Customer’s investigation and response.

10. Audit

10.1 Huckleberry shall make available information necessary to demonstrate compliance with this DPA.

10.2 The Customer may conduct audits with at least thirty (30) days’ notice, during business hours, no more than once per twelve (12) month period, at Customer’s expense. Audits must not compromise the security or privacy of other customers or Coaching Content.

10.3 SOC 2 Type II reports (when available) may serve as an alternative to on-site audits.

11. Data Return and Deletion

11.1 Upon termination or expiration of the Customer’s subscription:

(a) The Customer may export Company Data and aggregate Usage Data within thirty (30) days;

(b) Individual Portable Data remains with the Data Subjects and is not returned to the Customer;

(c) Coaching Content is permanently purged in accordance with the Privacy Policy;

(d) After thirty (30) days, remaining Customer data is permanently deleted;

(e) Encrypted backups may persist for up to ninety (90) days, after which they are destroyed.

11.2 Huckleberry shall provide written confirmation of deletion upon request.

12. International Data Transfers

12.1 Personal Data may be transferred to and Processed in the United States.

12.2 For EEA transfers, the Standard Contractual Clauses (Module Two: Controller to Processor) are incorporated by reference.

12.3 For UK transfers, the UK International Data Transfer Addendum applies.

12.4 Huckleberry shall ensure onward transfers to Sub-processors are subject to appropriate safeguards.

13. Liability

Each party’s liability under this DPA is subject to the limitations in the Terms. This DPA does not create additional liability beyond the Terms.

14. Term and Termination

This DPA takes effect on the date the Customer subscribes to a Team or Enterprise plan and remains in effect for the duration of the subscription. Provisions that by their nature should survive termination shall survive.

Annex A: Processing Details

Data Exporter (Controller): The Customer

Data Importer (Processor): The Huckleberry Feedback Company

Categories of Data Subjects: Customer’s employees, authorized users, and colleagues who provide 360 feedback.

Categories of Personal Data:

  • Identity data: Name, email address, job title, department, team, reporting manager
  • Professional data: Career history, education, skills, public professional profile (enriched via Apollo.io)
  • Coaching data: Session transcripts, AI-generated summaries, Coaching Profile, technique preferences
  • Feedback data: 360 feedback responses (voice transcripts and synthesized insights)
  • Assessment data: Uploaded personality and professional assessments
  • Usage data: Session counts, duration, frequency, last active date
  • Technical data: IP address, device information, browser type

Sensitive Data: None collected intentionally. Coaching conversations may incidentally contain sensitive information, subject to enhanced protections.

Purpose: Provision of AI coaching, 360 feedback, and professional development services.

Annex B: Technical and Organizational Security Measures

B.1 Encryption

  • All data in transit encrypted using TLS 1.2 or higher.
  • All data at rest encrypted using AES-256.
  • End-to-end encryption for Coaching Content in development.

B.2 Access Control

  • Role-based access controls with principle of least privilege.
  • No staff access to Coaching Content.
  • Multi-factor authentication for infrastructure access.

B.3 Infrastructure Security

  • Cloud hosting with SOC 2 certified providers.
  • Network segmentation, DDoS protection, web application firewall.

B.4 Data Isolation

  • Customer data logically separated.
  • Coaching Content architecturally isolated from admin access.

B.5 Monitoring and Logging

  • Comprehensive audit logging and anomaly detection.

B.6 Incident Response

  • Documented plan with 72-hour breach notification.

B.7 Personnel Security

  • Confidentiality agreements, security training, background checks.

B.8 Business Continuity

  • Encrypted backups with tested recovery procedures.

B.9 Vendor Management

  • Sub-processors assessed for security posture with contractual requirements.

B.10 Certifications

  • SOC 2 Type II in progress. Reports available to Enterprise customers upon request.

Annex C: Sub-processors

  • ElevenLabs (Real-time voice AI processing)
    • United States
    • Data processed: Voice audio and session transcripts. Not retained after session.
  • Anthropic (AI text processing: summaries, document parsing)
    • United States
    • Data processed: Session transcripts and uploaded documents. Not retained.
  • Apollo.io (Professional profile enrichment)
    • United States
    • Data processed: Work/personal email. Returns public professional data.
  • Supabase (Database hosting and authentication)
    • United States
    • Data processed: All stored Personal Data, encrypted at rest.
  • Stripe (Payment processing)
    • United States
    • Data processed: Payment method details and billing information.

For questions about this Data Processing Agreement, contact privacy@gethuckleberry.com.