Data Processing Addendum

For the personal data you route through Chimes, you are the controller and Chimes is the processor. We process that data only on your documented instructions and to provide the service.

We apply technical and organizational measures including tenant isolation enforced at the database with row-level security, AES-256-GCM encryption of PII at rest, TLS 1.3 in transit, hashed and rotated API credentials, and hash-chained audit logging.

We use a limited set of subprocessors, listed on our subprocessors page. Because Chimes is adapter-native, you choose many of your own providers — and when you self-host, you can eliminate third-party subprocessors entirely.

Where personal data is transferred across borders, we rely on appropriate safeguards such as standard contractual clauses. Self-hosting and regional deployment options let you keep data in a chosen jurisdiction.

We assist you with data-subject requests and provide the information reasonably necessary to demonstrate compliance, subject to confidentiality and security constraints.