Data Processing Agreement

1. Definitions

For the purposes of this DPA:

• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" means any operation performed on Personal Data.
• "Controller" means the entity that determines the purposes and means of Processing.
• "Processor" means the entity that Processes Personal Data on behalf of the Controller.
• "Data Subject" means the individual to whom Personal Data relates.
• "Sub-processor" means any Processor engaged by the Processor.

2. Processing of Personal Data

2.1 Processor's Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorized to process Personal Data are subject to confidentiality
• Implement appropriate technical and organizational measures
• Assist the Controller in responding to Data Subject requests
• Delete or return Personal Data at the end of the provision of services

2.2 Nature and Purpose of Processing

• Nature: Collection, recording, storage, retrieval, use, and transmission of call data
• Purpose: Provision of AI-powered phone answering services
• Duration: For the term of the Agreement plus any retention period

3. Types of Personal Data

The following categories of Personal Data may be processed:

• Contact information (names, phone numbers)
• Voice recordings and transcripts
• Call metadata (timestamps, duration, caller ID)
• Message content
• Business inquiry details

Categories of Data Subjects

• Customers of the Controller
• Prospective customers
• Employees or representatives of customers
• Other individuals who contact the Controller

4. Security Measures

Technical Measures

• Encryption of data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and authentication mechanisms
• Network security and firewall protection
• Regular security updates and patches

Organizational Measures

• Security awareness training for personnel
• Access on a need-to-know basis
• Confidentiality agreements with staff
• Incident response procedures
• Regular security audits

5. Sub-processors

Authorized Sub-processors

The Controller agrees to the use of the following sub-processors:

• Cloud Infrastructure: Amazon Web Services (Data hosting)
• Voice Processing: ElevenLabs (AI voice synthesis)
• Telephony: Twilio (Call routing and connectivity)
• Analytics: Various providers for service improvement

Changes to Sub-processors

• Processor will notify Controller of intended changes
• Controller has 30 days to object to new sub-processors
• If objection cannot be resolved, Controller may terminate affected services

6. International Transfers

Personal Data may be transferred to countries outside the EEA. Such transfers will be subject to appropriate safeguards:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions
• Other valid transfer mechanisms under applicable law

7. Data Subject Rights

The Processor shall assist the Controller in fulfilling obligations to respond to Data Subject requests for:

• Access to Personal Data
• Rectification or erasure
• Restriction of Processing
• Data portability
• Objection to Processing

8. Personal Data Breach

Breach Notification

• Processor will notify Controller without undue delay upon becoming aware of a breach
• Notification will include all available information about the breach
• Processor will cooperate in investigation and mitigation

Breach Records

Processor maintains records of all breaches including:

• Facts relating to the breach
• Effects and remedial action taken
• Documentation sufficient for regulatory compliance

9. Audit and Compliance

Audit Rights

• Controller may conduct audits up to once per year
• 30 days advance written notice required
• Audits conducted during business hours
• Controller bears costs unless material non-compliance found

Certifications

Processor will maintain and provide upon request:

• SOC 2 Type II reports
• Security certifications
• Compliance attestations

10. Return and Deletion

Upon termination of services:

• Processor will return or delete all Personal Data
• Controller has 30 days to retrieve data
• Deletion certificate provided upon request
• Legal retention requirements may apply

11. Liability and Indemnification

Processor Liability

• Processor liable for Processing outside Controller instructions
• Processor liable for failure to comply with direct obligations
• Liability subject to limitations in main Agreement

Indemnification

Each party indemnifies the other against damages arising from their respective breaches of data protection law.

12. GDPR Compliance

For Processing subject to GDPR:

• Processor will comply with Articles 28-33 of GDPR
• Processor will assist with DPIAs where required
• Processor will maintain Article 30 records
• Standard Contractual Clauses apply for transfers

13. California Privacy Rights

For Processing subject to CCPA/CPRA:

• Processor is a "Service Provider" under CCPA
• Processor will not sell Personal Information
• Processor will not retain, use, or disclose for commercial purposes
• Processor certifies understanding of restrictions

14. Term and Termination

• DPA effective for duration of main Agreement
• Survives termination for Processing obligations
• Data deletion/return obligations survive termination

15. Governing Law

This DPA is governed by the same law as the main Agreement, except where data protection law requires otherwise.

16. Contact Information