Data Processing Agreement

Last updated June 30, 2026

Data Processing Agreement — Heal by MYIA

This Data Processing Agreement ("DPA") supplements and forms part of the Heal Terms of Service (the "Terms") / Agreement between MYIA and the Customer (as defined in the Agreement), and is entered into pursuant to Section 8.1 of the Terms where the Service involves processing personal data on the Customer's behalf. Capitalised terms not defined here have the meaning given in the Terms.

MYIA, société par actions simplifiée, SIREN 953 111 689, RCS Paris, registered office 59 rue de Ponthieu, Bureau 326, 75008 Paris, France ("Processor").

Customer — the entity identified in the Order Form ("Controller").

1. Scope and roles

1.1. The Service is designed to operate on test data that does not contain personal data. The Controller undertakes not to submit production personal data (Terms §8.1).

1.2. To the extent MYIA nonetheless processes personal data on the Controller's behalf in providing the Service, MYIA acts as processor and the Customer as controller, and this DPA applies.

1.3. MYIA as independent controller. MYIA's processing of account, billing, usage, security and crash data for its own purposes, and its creation and use of Aggregated Data (irreversibly anonymised/aggregated data, per Terms §8.5) to improve and train its own models, is carried out by MYIA as an independent controller under its Privacy Policy, not as the Controller's processor.

1.4. Detailed crash diagnostics (opt-in). Where a User enables the optional detailed crash-diagnostics setting in the application, crash reports may capture program state and therefore include the Controller's test data. The Controller acknowledges and instructs that, where this occurs, MYIA processes such test data as processor on the Controller's behalf under this DPA, and transmits it to MYIA's error-monitoring sub-processor (Sentry, stored in the EU) for the sole purpose of reproducing and fixing crashes. The Controller remains responsible for whether its Users enable this setting and for the lawfulness of any data thereby captured. Basic crash reports (error type and code location, containing no test data) are processed by MYIA as independent controller under §1.3.

2. Processor obligations (Art. 28(3) GDPR)

MYIA shall:

(a) process Customer personal data only on the Controller's documented instructions (constituted by the Agreement, this DPA, and the Controller's configuration/use of the Service), including for transfers, unless required otherwise by EU/Member-State law (informing the Controller first unless legally prohibited);

(b) ensure persons authorised to process the data are bound by confidentiality and appropriately trained;

(c) implement the security measures in Annex 2 (Article 32 GDPR);

(d) respect the conditions for engaging sub-processors in Section 3;

(e) assist the Controller, by appropriate measures, in responding to data-subject rights requests (Chapter III) and in meeting its obligations under Articles 32–36 (security, breach notification, DPIA, prior consultation), taking into account the information available to MYIA;

(f) at the Controller's choice, delete or return Customer personal data at the end of the Service and delete existing copies, save where retention is legally required and save for irreversibly anonymised data and model parameters from which personal data cannot be extracted;

(g) make available information necessary to demonstrate compliance and allow for and contribute to audits (no more than once per 12 months absent a breach or authority request, on reasonable notice, subject to confidentiality; third-party certifications may be provided in satisfaction);

(h) inform the Controller if, in its opinion, an instruction infringes data-protection law.

3. Sub-processors

3.1. The Controller grants general authorisation to engage sub-processors, listed in our Sub-processors list / Annex 3.

3.2. MYIA will give at least 30 days' notice of any new or replacement sub-processor and the Controller may object on reasonable, documented data-protection grounds; failing resolution, the Controller may terminate the affected Service.

3.3. MYIA imposes data-protection terms substantially equivalent to this DPA on each sub-processor and remains liable for their performance. MYIA's AI providers are contractually bound not to retain Customer data and not to use it to train their own models.

4. Personal data breaches

MYIA shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer personal data, with the information reasonably available to assist the Controller's Articles 33–34 obligations.

5. International transfers

Where processing involves transfer to a third country without an adequacy decision, the Standard Contractual Clauses (Decision (EU) 2021/914) apply (Module Two or Three as relevant), or the EU–U.S. Data Privacy Framework where the recipient is certified. Annexes 1–3 populate the SCC annexes.

6. Term, liability, law

This DPA applies for as long as MYIA processes Customer personal data; liability is subject to the limitations in the Terms; it is governed by French law, and prevails over the Terms on data-protection matters.
ANNEX 1 — Details of processing

  • Subject matter / duration: provision of the Heal Service for the Term + deletion period.
  • Nature & purpose: automated testing of the Customer's applications; bug detection; results delivery.
  • Data subjects: test accounts / individuals incidentally represented in test data, if any.
  • Types of data: intended: none; incidental identifiers within code, prompts, screenshots, logs, crash reports.
  • Special categories: none; not to be submitted.

ANNEX 2 — Technical and organisational measures

  • Encryption in transit: all traffic flows over TLS 1.2/1.3 with modern cipher suites.
  • Encryption at rest: data is stored in encrypted block storage using AES-256 with cloud-provider-managed keys.
  • Tenant isolation: row-level security enforces hard multi-tenancy between customers; enterprise customers may receive dedicated clusters, databases, and optionally isolated LLM deployments.
  • Access control: MYIA does not access customer source code during normal operations; access occurs only where explicitly requested by the customer for troubleshooting or necessary to address critical security vulnerabilities, limited to authorised personnel and subject to strict logging.
  • Authentication: identity is managed via Clerk; enterprise customers may request Single Sign-On (SAML) or other enterprise-grade authentication controls.
  • Certifications and testing: SOC 2 Type 2 certified; annual external penetration testing; quarterly vulnerability assessments; continuous automated security scanning.
  • Data minimisation: the Service stores only test steps, test variables, logs, screenshots, and (optionally) API keys or seeded credentials; no customer source code is collected during testing.
  • Personal data filtering: personal data is filtered out before any use of data to train MYIA's own models.
  • Secure deletion: permanent deletion of customer data is available in accordance with the Terms.
  • Sub-processors: AI providers are engaged under commercial terms that prohibit using customer data to train their own models; all sub-processors are bound by data-protection terms substantially equivalent to this DPA (see the Sub-processors list).
  • Vulnerability reporting: reports are accepted at security@heal.dev, with acknowledgement within 24 hours and initial assessment within 72 hours.

ANNEX 3 — Sub-processors

The current list of sub-processors is maintained in our Sub-processors list.