Skip to main content
Heffl stores your business data, your contacts, deals, invoices, and client information, so security and compliance matter. This page explains where to find Heffl’s official security and legal information. For the authoritative, up-to-date details, always refer to Heffl’s official documents rather than this help article.

Data security

Your workspace data is hosted by Heffl and accessed over secure (HTTPS) connections. Within your workspace, access is controlled by the roles and permissions you assign to team members, so people see only what their role allows. See Inviting your team members for how roles control access. For specifics on Heffl’s infrastructure, encryption, hosting, and security practices, contact Heffl directly, as these details are maintained by Heffl and may change over time.

Your role in keeping data secure

Much of your workspace’s day-to-day security is in your hands:
  • Assign each member the least-privilege role they need, rather than admin for everyone
  • Remove access promptly when someone leaves your team
  • Use strong, unique passwords, and keep your API keys secret. See Using the Heffl API.
  • Limit who can access sensitive areas like finance and client data

GDPR and data protection

If you handle personal data of individuals in the EU or UK, data protection regulations such as GDPR may apply to you. Under these rules, individuals have rights over their data, including access, correction, and deletion. Heffl gives you tools to act on these requests within your workspace, you can edit and delete contact and company records as needed. Note that deleting a record fails if it has linked deals, invoices, or quotations, so you may need to handle those first. For Heffl’s own role as a data processor and its compliance posture, refer to Heffl’s official privacy and legal documentation.

Data processing agreement and subprocessors

A Data Processing Agreement (DPA) and a list of subprocessors (the third-party services Heffl uses to deliver its product) are legal documents issued by Heffl. If your business requires a signed DPA or a current subprocessors list, request these directly from Heffl. Do not rely on this help article for their contents, as only Heffl can provide the accurate, current versions.

Where to get official information

For anything security or compliance related that this page does not cover, contact Heffl through your usual support channel. See Contacting support. For developer-level data access, see Using the Heffl API.

What to do next

  1. Review your team’s roles and permissions
  2. Request a DPA or subprocessors list from Heffl if your business needs one
  3. Keep passwords and API keys secure