Answering Agent Logo Answering Agent

Data Processing Agreement

Last Updated: July 4, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Answering Agent, Inc. ("Processor") and the Customer ("Controller") and applies when Processor processes personal data on behalf of Controller.

1. Definitions

  • "Personal Data" means call recordings, transcripts, phone numbers, and any information relating to identified or identifiable individuals
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, and deletion
  • "Data Subject" means the individual calling Customer's phone number
  • "Subprocessor" means any third party engaged by Processor to process Personal Data

2. Processing of Personal Data

2.1 Scope of Processing

Subject Matter: AI-powered phone answering services

Duration: For the term of the service agreement

Nature: Answering calls, recording conversations, transcription, analysis

Purpose: To provide Customer with AI phone answering services

Categories of Data: Voice recordings, transcripts, phone numbers, call metadata

Categories of Data Subjects: Individuals calling Customer's business

2.2 Processor's Obligations

  • Process Personal Data only on documented instructions from Controller
  • Ensure persons authorized to process Personal Data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist Controller with data subject rights requests
  • Delete or return Personal Data at the end of services
  • Make available information necessary to demonstrate compliance

3. Security of Processing

Processor implements and maintains the following security measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls with role-based permissions and multi-factor authentication
  • Regular security assessments and vulnerability scanning
  • Incident response procedures with 72-hour breach notification
  • Employee security training and background checks
  • Secure software development lifecycle practices

4. Subprocessors

4.1 Authorized Subprocessors

Controller agrees to the use of the following categories of subprocessors:

Category Purpose Location
Cloud Infrastructure Provider Hosting and data storage United States
Telephony Services Provider Call routing and connectivity United States
AI Voice Technology Provider Voice synthesis and conversation United States / EU
Natural Language Processing Provider Transcript analysis United States

4.2 Adding or Changing Subprocessors

Processor shall notify Controller of any intended changes concerning the addition or replacement of subprocessors, giving Controller the opportunity to object to such changes. Notification will be provided via email to the account administrator with at least 30 days notice.

5. International Data Transfers

Personal Data may be processed in the United States and other countries where our subprocessors operate. We ensure appropriate safeguards are in place for any international transfers:

  • Standard Contractual Clauses with all subprocessors
  • Encryption and access controls for all transfers
  • Compliance with applicable data transfer regulations

6. Data Subject Rights

Processor shall assist Controller in responding to data subject requests for:

  • Access to their personal data
  • Correction of inaccurate data
  • Deletion of their data
  • Data portability
  • Objection to processing

Processor will forward any data subject requests received directly to Controller within 48 hours.

7. Audits and Compliance

Processor will make available to Controller all information necessary to demonstrate compliance with this DPA and allow for audits:

  • Annual security assessment reports
  • Security questionnaire responses
  • On-site audits with 30 days notice (at Controller's expense)

8. Personal Data Breach

In the event of a personal data breach, Processor shall:

  • Notify Controller without undue delay and within 72 hours
  • Provide details of the breach, affected data, and potential consequences
  • Take immediate measures to mitigate the breach
  • Cooperate with Controller in any investigation

9. Duration and Termination

This DPA shall remain in effect for the duration of the Service Agreement. Upon termination:

  • Processor will delete or return all Personal Data within 30 days
  • Deletion certificate will be provided upon request
  • Legal retention requirements may override deletion

Contact for Privacy Inquiries

Data Protection Officer
Answering Agent, Inc.
Email: privacy@answeringagent.com
Response time: Within 48 hours

This DPA is designed to meet GDPR, CCPA, and other privacy law requirements.