Data Processing Agreement (DPA)


Do I need to sign the DPA?
By using Hyvor Talk, you agree to Terms in our Terms of Service and this GDPR DPA (if applicable to you). Therefore, signing the DPA is optional.

How do I sign if required by my organization?
Here is the link to a PDF version of this document. Fill in the Company Details in Page 1 and sign in Page 6 and send the document to [email protected] from your account email with the title "DPA". We will sign and send a copy back to you.

Hyvor Talk is operated by HYVOR, a company based in France. As a European company, it is extremely important for us to process and store data securely in accordance with the strong GDPR privacy rules.

HYVOR provides Customers with the Hyvor Talk commenting system. Hyvor Talk collects personal data from users who visit and choose to comment on the websites that load Hyvor Talk. Hyvor Talk provides the ability for Customers to access these personal data to some level.

This Data Processing Agreement (“Agreement“) is an addendum to our Terms of Service of Hyvor Talk and is signed between

(the “Company”) and

(the "Customer")

The parties agree as follows:


Applicability of DPA

This DPA applies where and only to the extent that Hyvor Talk Commenting System ( processes Personal Data on your behalf in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

This DPA only applies to the Hyvor Talk Service of HYVOR.

Roles and Responsibilities

Hyvor Talk and Customer both act as a Data Controller. User data collection depends on whether the Customer uses Single Sign-on. EXHIBIT 1 of this document describes data that Hyvor Talk collects and makes available to the Customer.

Both parties shall be responsible for ensuring they have complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including but not limited to the EU Data Protection Legislation

Customers shall process the Personal Data for the purposes described in EXHIBIT 1, except where required by applicable law.


Customer shall integrate Hyvor Talk on their websites securely using the best practices mentioned in our documentation. Customer shall securely communicate with Hyvor Talk when transmitting personal data (ex: Single Sign-on). Customer shall implement other appropriate technical and organisational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.

Personal Data Breach

HYVOR shall notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

HYVOR shall co-operate with the Customer and take reasonable commercial steps as directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Data Protection Impact Assessment and Prior Consultation Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

Data Subject Rights

HYVOR shall promptly notify Customer if it receives a request from a data subject under any Data Protection Laws in respect of Personal Data, including requests by a data subject to exercise rights in Chapter III GDPR, and shall provide full details of that request. HYVOR shall reasonably co-operate as requested by Customer to enable Customer to comply with any exercise of rights by a data subject under Chapter III GDPR in respect of Personal Data.

Deletion of data

Upon termination or expiry of the Agreement, Customer shall delete the Personal Data (including copies) then in Customer's possession, except to the extent that Customer is required by applicable law to retain some or all of the Personal Data.


Customer hereby provides general authorization for HYVOR to subcontract the Processing of Personal Data to Subprocessors. HYVOR shall be liable for the acts and omissions of its Sub-processors to the same extent as if the acts and omissions were performed by HYVOR.

The current list of Sub-processors can be found on the EXHIBIT 2 of this document. An up-to-date list is available at the public online version of this DPA at

If Customer has legitimate reason under Data Protection Laws to object to a new Sub-processor, Customer shall provide written notice of such objection to HYVOR. If Customer objects, HYVOR and Customer will discuss a commercially reasonable resolution. If no commercially reasonable resolution can be reached within thirty (30) days, either party may terminate the applicable Services that cannot be provided by HYVOR without the use of the objected Sub-processor.

Security Reports and Audits

HYVOR shall maintain records of its security standards. HYVOR shall further provide written responses (on a confidential basis) to all reasonable requests for information made by you, including responses to information security and audit questionnaires, that you (acting reasonably) consider necessary to confirm HYVOR's compliance with this DPA, provided that you shall not exercise this right more than once per year.

International Transfers

HYVOR stores and processes data of all Customers within the European Union in data centers in Frankfurt, Germany. HYVOR shall implement appropriate safeguards to protect the Personal Data in accordance with the requirements of Data Protection Laws.

HYVOR acknowledges that Customer may disclose the privacy provisions in this DPA and the Terms to any judicial or regulatory body upon their lawful request.

General Terms

Except as amended by this DPA, the Terms of Service will remain in full force and effect. If there is a conflict between the Terms of Service and this DPA, the terms of this DPA will control.

The DPA is effective as of the 1st of July and replaces and supersedes any previously agreed data processing agreement between you and Hyvor Talk relating to the GDPR. Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.

EXHIBIT 1 - Data Processing Details

Hyvor Talk is operated by HYVOR and provides a commenting system for the Customer to use on their websites and applications. Visitors may react, vote, and comment within the comments section, which requires authentication and collection of personal data. Customer may select one the following authentication methods:

  1. Hyvor Login (at
  2. Single Sign-on (SSO)
Hyvor SSO
How data is collected User data is collected at when the User creates an account. HYVOR will share name, username, IP address, and other profile-related public data to the Customer. User data is collected by the Customer on their website, and then shared with Hyvor Talk securely using HMAC digital signatures. The Customer agrees that they have the right to share
What data can Customer Access Name, username, IP address, activity (comments, reactions, etc.) on Customer's website All personal data shared with Hyvor Talk, activity on Customer's website.
Deleting Data The User can delete their Hyvor account, which will delete their personal details. The Customer can delete activity on their website, but cannot delete user accounts. Email request or API

Customer can disable IP Address collection through the Moderation Console.

EXHIBIT 2 - Sub-Processors

Sub-processor for Customer & End Users:

These sub-processors are used to provide the services to the Customer and End Users of the customer's website (ex: commenters, visitors).

1. Cloudflare uses Cloudflare for DNS and CDN services. All DNS traffic is routed through Cloudflare. The majority of HTTP traffic is proxied through Cloudflare. See Cloudflare’s Privacy Policy for more details (concerns “Public DNS Resolver Users” and “End users”).

2. Hetzner

We use Hetzner Online GmbH’s virtual private servers and dedicated servers to store and process data. All servers and storage instances are hosted at Hetzner’s Falkenstein and Nuremberg data centers in Germany 🇩🇪.

3. DigitalOcean

We use DigitalOcean Spaces to store end-user-uploaded data (ex: images uploaded through the commenting embed). The data we store in Spaces is encrypted at rest using the AES-256 encryption algorithm, ensuring that our data is secure and protected from unauthorized access. All Spaces are hosted in the Europe 🇪🇺.

4. Mailgun

We use Mailgun’s transactional email services to send email notifications (ex: comment reply notifications) to end users. At this time, we use Mailgun’s USA servers to send emails. We have disabled Mailgun’s email tracking (ex: link click tracking) to enhance user privacy.

5. Akismet

If your website uses automatic spam detection (enabled by default), all comments will be sent to Akismet to detect spam along with the following data:

Akismet uses this data to detect spam patterns. They have a 14-day logs policy, after which all data will be deleted permanently from their systems. Additionally, when a comment is marked as spam, we send this data to Akismet to improve their spam detection. Each Website ID in Hyvor Talk has a self-trained model for spam detection at Akismet, which is trained by the data provided by moderators marking comments as spam or not. Spam detection can be disabled if needed.

6. Iframely

Hyvor Talk uses Iframely to convert URLs to embeds in the comments section (ex: Youtube embeds, link previews, etc). In most cases, a vendor-provided Javascript code can be added to load embeds (ex: a Youtube embed requires Javascript from Therefore, when a service is embedded, the vendor may track the user’s browser-related data. Embeds can be disabled if needed.

Sub-processor for Customer:

These sub-processors are used to provide the services to the Customer (ex: website owner, administrator). End user data is never shared with these providers. For example, Web Analytics service is only used in our marketing pages, but never in comments embed or any of our Javascript widgets added to your website.