Last updated: May 1, 2026
This statement summarizes Denada’s compliance program under the EU General Data Protection Regulation 2016/679 (“GDPR”) and the UK GDPR. It is provided as a convenience for customers conducting vendor reviews. The authoritative documents are the Privacy Policy and the Data Processing Agreement.

Roles

Denada Inc. acts as a Processor with respect to Customer Personal Data submitted through the Denada platform. The Customer is the Controller. For personal data Denada collects about its own customers, prospects, and personnel (e.g., billing contacts, website visitors), Denada acts as the Controller.

Lawful bases for processing

Denada processes personal data on the following bases under Article 6 GDPR:
  • Performance of a contract (Art. 6(1)(b)) — to deliver the platform to subscribed customers
  • Legitimate interests (Art. 6(1)(f)) — to secure the service, prevent abuse, and improve the product
  • Consent (Art. 6(1)(a)) — for optional marketing communications; withdrawable at any time
  • Legal obligation (Art. 6(1)(c)) — to comply with applicable law
Denada does not process special categories of data (Art. 9) as part of providing the Services.

Data subject rights

Under Articles 15–22 of the GDPR, data subjects have the rights to:
| Right | How to exercise |
| --- | --- |
| Access (Art. 15) | privacy@heydenada.com or Settings → Account |
| Rectification (Art. 16) | Settings → Account, or privacy@heydenada.com |
| Erasure (Art. 17) | Settings → Account (self-service) or privacy@heydenada.com |
| Restriction (Art. 18) | privacy@heydenada.com |
| Data portability (Art. 20) | privacy@heydenada.com |
| Object (Art. 21) | privacy@heydenada.com |
| Not be subject to automated decision-making (Art. 22) | Not applicable — see below |
| Lodge a complaint | Your local supervisory authority (list at edpb.europa.eu) |

Denada responds to verifiable rights requests within 30 days, extendable by up to 60 days for complex requests.

Automated decision-making

Denada does not make solely automated decisions that produce legal or similarly significant effects on data subjects within the meaning of Art. 22. The Denada assistant generates creative drafts that are reviewed and accepted by a human user before any business use.

International data transfers

Personal data of EEA, UK, or Swiss data subjects is processed in the United States. Denada relies on the European Commission’s Standard Contractual Clauses (Module 2: Controller to Processor), incorporated into our Data Processing Agreement, as the transfer mechanism. For UK transfers, the UK International Data Transfer Addendum (version B1.0) is incorporated by reference. For Swiss transfers, the SCCs apply with the adaptations published by the Swiss Federal Data Protection and Information Commissioner. Supplementary technical and organizational measures addressing the risks identified in Schrems II are described in Annex 2 of the Data Processing Agreement.

Sub-processors

Denada’s current sub-processors and their locations are listed at Sub-processors. All sub-processors are bound by data-protection terms no less protective than those Denada owes to its customers.

Security

Denada’s security program is audited under SOC 2 Type 2 by Prescient Assurance. The most recent report covers the period August 3 to November 3, 2025. Controls include:
  • Encryption of data in transit (TLS) and at rest
  • Multi-factor authentication for all production access
  • Role-based access control with least-privilege provisioning
  • Annual third-party penetration testing
  • Monthly vulnerability scanning
  • Documented incident response, change management, and business continuity policies
The full SOC 2 report is available under NDA — contact privacy@heydenada.com.

Breach notification

In the event of a Personal Data Breach affecting customer data, Denada notifies affected customers without undue delay and within 72 hours of confirmed discovery, consistent with Articles 33–34 of the GDPR. The notification includes the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

Records of processing (Art. 30)

Denada maintains records of processing activities as required by Article 30 of the GDPR. These records are made available to supervisory authorities on request.

Data Protection Officer

Denada is not required to appoint a Data Protection Officer under Article 37 of the GDPR. Denada has designated a Privacy Contact at privacy@heydenada.com.

Data Protection Impact Assessments

Denada conducts Data Protection Impact Assessments (Art. 35) for new processing activities likely to result in a high risk to data subjects’ rights and freedoms. Denada assists Customers acting as Controllers in conducting their own DPIAs by providing the information required under Art. 35(7).

Data retention

Retention timelines are published in Section 7 of the Privacy Policy.

Contact

Privacy Contact: privacy@heydenada.com
Postal: Denada Inc., 111 SW 5th Ave, 5th Floor, Portland, OR 97204, United States

Document control

This statement summarizes Denada’s GDPR compliance program. In the event of a conflict between this statement and the Data Processing Agreement, the Data Processing Agreement controls.