    TeamHero Data Processing Agreement

    Version: 10 June 2026
    Effective from: 10 June 2026

    This Data Processing Agreement (the "DPA") forms part of the Terms of Service between TeamHero (ADCRAFT LTD, a company registered in the Republic of Bulgaria, UIC 208314115, registered address: 3 Industrialna Str., fl. 12, apt. 1202, Burgas 8130, Bulgaria) and the Customer and governs the processing of personal data carried out by TeamHero on the Customer's behalf, in accordance with Article 28 of the GDPR. The current version is published at https://theteamhero.com/dpa.


    1. Parties and definitions

    1.1. For the purpose of this DPA:

    • The Customer is the controller of the personal data it submits to the Service.
    • TeamHero is the processor, acting only on the Customer's documented instructions.
    • "GDPR", "personal data", "processing", "data subject", "sub-processor", and "supervisory authority" have the meanings given in the GDPR.
    • "Customer Personal Data" means personal data within Customer Data processed by TeamHero under this DPA.

    1.2. Where there is a conflict between this DPA and the Terms of Service in relation to the processing of personal data, this DPA prevails.


    2. Subject matter and details of processing (Art. 28(3))

    2.1. The subject matter, duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects are as follows:

    Element | Description
    Subject matter | Provision of the TeamHero Service to the Customer
    Duration | For the term of the Terms of Service plus the post-termination period in Section 7
    Nature and purpose | Hosting, storage, transmission, display, backup, and processing of Customer Personal Data solely to provide and support the Service
    Types of personal data | Name; business/personal email and phone; job title, department, manager; date of birth; hire date and tenure; avatar; user-generated content (gratitudes, ideas, comments, reactions, survey answers, posts); activity metrics (badges, points, achievements, ranking); credentials (login, password hash, tokens, session IDs); technical data (IP address, device, browser, OS); audit logs
    Special categories | None instructed. The Customer must not submit special-category data (Art. 9) unless separately agreed in writing
    Categories of data subjects | The Customer's employees, contractors, administrators, and other individuals whose data the Customer submits to the Service

    2.2. TeamHero processes Customer Personal Data only on the Customer's documented instructions, including those set out in the Terms and this DPA, unless required to do otherwise by EU or member-state law (in which case it informs the Customer unless prohibited).


    3. Processor obligations

    3.1. TeamHero shall:

    • process Customer Personal Data only on documented instructions (Art. 28(3)(a));
    • ensure persons authorised to process the data are bound by confidentiality (Art. 28(3)(b));
    • implement the technical and organisational measures in Section 3.2 (Art. 28(3)(c), Art. 32);
    • not engage sub-processors except as permitted in Section 4 (Art. 28(3)(d));
    • assist the Customer as set out in Section 6 (Art. 28(3)(e)–(f));
    • make available information necessary to demonstrate compliance and allow audits (Section 8, Art. 28(3)(h));
    • not use Customer Personal Data to train, fine-tune, or improve machine-learning models other than as necessary to provide and support the Service for the Customer, unless separately instructed by the Customer in writing.

    3.2. Security measures (Art. 32). TeamHero implements appropriate technical and organisational measures, including: encryption in transit (TLS 1.2/1.3) and of backups; role-based access control; multi-factor authentication for administrative access; network firewalling and intrusion detection; 24/7 logging and security monitoring; regular patching and vulnerability management; malware protection; regular backups with restore testing; and confidentiality obligations for all personnel with access to Customer Personal Data.


    4. Sub-processing

    4.1. The Customer provides a general authorisation for TeamHero to engage sub-processors, subject to this Section. TeamHero imposes data-protection obligations on each sub-processor no less protective than this DPA and remains fully liable to the Customer for their performance.

    4.2. Current sub-processors. The categories of sub-processors engaged as of the effective date are:

    Sub-processor (category) | Purpose | Location
    Cloud infrastructure and hosting | Hosting, storage, backups, CDN | EEA [exact provider and country to be confirmed]
    Payment and invoicing providers | Subscription billing and payment processing | Stripe Payments Europe, Ltd (Ireland, EEA) [confirm]
    Email delivery | Transactional and service notifications | Operated on TeamHero's own infrastructure (no external sub-processor)
    SMS delivery | Not used — no SMS feature at present |
    Analytics and error monitoring | Usage analytics, error monitoring, quality | [provider and country to be confirmed — if a US-based tool (e.g. Google) is used, a transfer mechanism and cookie consent apply]
    Support | Handling customer requests | Operated on TeamHero's own infrastructure (no external sub-processor)
    CRM | Customer relationship management | Not used [confirm]
    Identity / authentication | User authentication and authorisation | Operated on TeamHero's own infrastructure (no external sub-processor)

    As most processing is performed on TeamHero's own infrastructure within the EEA, international transfers are minimal; any external sub-processor and its location is listed above and kept current.

    The up-to-date named list of sub-processors is maintained by TeamHero and made available to the Customer on request and in the Customer's account.

    4.3. Change notification. TeamHero notifies the Customer at least thirty (30) days before adding or replacing a sub-processor. The Customer may reasonably object within that period on data-protection grounds; the parties will then work in good faith to resolve the objection, including, if unresolved, allowing the Customer to terminate the affected Service without penalty.


    5. International transfers and Standard Contractual Clauses

    5.1. TeamHero does not transfer Customer Personal Data outside the European Economic Area except where an appropriate transfer mechanism under Chapter V GDPR is in place.

    5.2. Where a transfer to a third country without an adequacy decision occurs, the parties incorporate the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914) by reference, with [Module Two: Controller-to-Processor] applying, together with any supplementary technical and organisational measures required following a transfer impact assessment.

    5.3. The relevant sub-processor locations and the applicable safeguards are identified in Section 4 and available on request.

    5.4. UK and Switzerland. For transfers of UK personal data, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs. For transfers of Swiss personal data, the SCCs apply with the amendments required by the Swiss Federal Act on Data Protection and the FDPIC. The completed SCCs (including Annexes I–III with the parties, processing details, and technical/organisational measures) are appended to or incorporated by reference into this DPA. [Module, Annexes, and signatories to be completed once the contracting entities and sub-processors are confirmed.]


    5A. CCPA / CPRA (US personal information)

    5A.1. To the extent TeamHero processes personal information of US residents on the Customer's behalf, TeamHero acts as a "service provider" and shall: (a) process such information only for the business purposes specified in the Terms and this DPA and for no other purpose; (b) not "sell" or "share" such information as those terms are defined under the CCPA/CPRA; (c) not retain, use, or disclose it outside the direct business relationship or as otherwise prohibited by law; and (d) comply with these restrictions and provide the same level of protection required by the CCPA. TeamHero will notify the Customer if it determines it can no longer meet these obligations.


    6. Assistance to the Customer

    6.1. Data subject requests. Taking into account the nature of the processing, TeamHero assists the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to data-subject requests under Chapter III GDPR. Requests received by TeamHero directly are forwarded to the Customer without undue delay (within 3 business days).

    6.2. Breach notification. TeamHero notifies the Customer without undue delay, and in any event within 24 hours, after becoming aware of a personal-data breach affecting Customer Personal Data, providing the information the Customer reasonably needs to meet its Art. 33/34 obligations (nature of the breach, categories and approximate numbers affected, likely consequences, and measures taken).

    6.3. DPIAs and prior consultation. TeamHero assists the Customer with data protection impact assessments and prior consultation with supervisory authorities (Art. 35–36), taking into account the nature of processing and the information available to TeamHero.


    7. Deletion or return of data

    7.1. On termination of the Service, TeamHero, at the Customer's choice, returns Customer Personal Data in a machine-readable format (CSV/JSON) or deletes it, within 30 days of termination, except to the extent retention is required by law.

    7.2. If the Customer does not communicate its choice within 15 days of termination, TeamHero deletes the data. Backups containing Customer Personal Data are deleted on the routine backup-rotation cycle and in any event within 90 days of termination.


    8. Audits and inspections

    8.1. TeamHero makes available to the Customer the information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor it mandates (Art. 28(3)(h)).

    8.2. To minimise disruption, the Customer may first rely on available third-party audit reports or certifications (for example ISO/IEC 27001 or SOC 2 Type II). On-site audits require at least 14 days' notice, occur no more than once per year (or following a breach), and are subject to confidentiality.


    9. Liability and precedence

    9.1. Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service, except where the GDPR provides otherwise. In relation to the processing of personal data, this DPA prevails over the Terms.


    Disclaimer. This document is a drafting framework prepared for review. It must be reviewed and approved by qualified EU legal counsel before use in production. It does not constitute legal advice.