Data Processing Addendum (DPA)

MissedCalls Help — Effective Date: December 1, 2025

This DPA forms part of the Agreement (e.g., Terms of Service, order form, or other written agreement) between MissedCalls Help (“Company,” “Processor,” “Service Provider”) and the counterparty (“Customer,” “Controller,” “Business”). It is effective on the earlier of (i) the date Customer first accepts or uses the Service, or (ii) the effective date of an order referencing the Agreement. Capitalized terms not defined here have the meanings in the Agreement. “Data Protection Laws” means GDPR, UK GDPR, CPRA/CCPA, FADP (Switzerland), and other applicable privacy laws.

1. Scope and Roles

  • Purpose. This DPA governs Company’s Processing of Customer Personal Data in providing the Service.
  • Roles. GDPR/UK GDPR: Customer is Controller and Company is Processor. CPRA/CCPA: Customer is Business and Company is Service Provider/Contractor.
  • Instructions. Company Processes Customer Personal Data only on documented instructions from Customer (including for transfers) unless required by law; if required by law, Company will notify Customer where legally permitted.

2. Customer Responsibilities

  • Lawfulness. Customer is responsible for the accuracy, quality, and lawfulness of Customer Personal Data and for providing required notices and obtaining required consents (including call-recording and telecommunications consents).
  • Configuration. Customer controls retention, recording, export, and integration settings and is responsible for users’ access and actions.
  • Prohibited Data. The Service is not intended to process PHI or special categories of data unless separately agreed in writing with additional safeguards.

3. Company Obligations

  • Confidentiality. Authorized personnel are bound by confidentiality obligations.
  • Security. Company maintains appropriate technical and organizational measures (“TOMs”) described in Annex B.
  • Subprocessors. Authorized engagement with flow-down protections no less protective than this DPA; Company remains liable. Representative list/categories appear in Annex C. Customer may reasonably object within 10 days of notice; if unresolved, Customer may terminate only the affected functionality.
  • Assistance. Taking into account the nature of Processing, Company will assist Customer (at Customer’s cost where permitted) with Data Subject Requests, security, DPIAs, and regulator consultations. Assistance beyond self-service tools may be billed at current professional services rates.
  • Records. Company maintains records of Processing as required by law.
  • Return/Deletion. Upon termination or written request, Company will return or delete Customer Personal Data, unless retention is required by law or for legal claims. Export available for 30 days; backups/logs deleted on normal cycles subject to legal holds.

4. Personal Data Breach

  • Definition. Confirmed unauthorized access or disclosure of unencrypted Customer Personal Data compromising confidentiality, integrity, or availability. Unsuccessful attempts (e.g., scans, blocked malware) are not a breach.
  • Notification SLA. Notify Customer without undue delay and in any case within 72 hours of confirmation, with details consistent with Article 33(3) GDPR to the extent known. This does not apply to incidents caused by Customer or Customer-controlled third-party services.

5. Data Subject Requests

Company will promptly notify Customer of Data Subject requests relating to Customer Personal Data and will not respond except on Customer’s documented instructions or where required by law. Customer verifies identity and provides instructions.

6. Audits and Information

  • Reports. Security overviews and third-party attestations/reports (e.g., SOC/ISO summaries) available under confidentiality.
  • On-Site Audit. If insufficient, a reasonable audit no more than once per 12 months with 30 days’ notice, during business hours, limited to relevant facilities/documents, by an independent auditor (not a competitor). Customer bears all costs.
  • Regulators. Nothing limits a supervisory authority’s rights.
  • Cost Cap. Company’s internal support for any single audit is capped at 4 hours; additional time billable at professional services rates.

7. International Transfers

  • General. Processing may occur in the United States and other jurisdictions where Company or Subprocessors operate.
  • EEA/UK. Where required, the EU SCCs (Module Two, 2021/914) and the UK IDTA/Addendum are incorporated as set out in Annex D; they prevail in case of conflict for transfers.
  • Supplementary Measures. Implemented as reasonable considering Processing and risks.

8. CPRA/CCPA Service Provider/Contractor Terms

Company Processes Customer Personal Data only to provide, maintain, secure, and improve the Service; does not sell or share Customer Personal Data as defined by CPRA; does not combine Customer Personal Data with other data except as permitted for fraud/security or Service improvement; will notify if unable to meet obligations; and allows reasonable assessments as in Section 6.

9. Liability; Precedence

  • Liability. Aggregate and category-specific liability under this DPA follows the limitations and exclusions in the Agreement.
  • Precedence. This DPA controls over the Agreement for Processing of Customer Personal Data; SCCs/UK Addendum control over this DPA for cross-border transfers.
  • Customer Indemnity. Customer defends and indemnifies Company for claims/fines arising from Customer’s failure to provide notices or obtain consents (including call-recording/telecom consents) or from unlawful instructions, except to the extent caused by Company’s willful misconduct.

10. Term; Changes; Law; Government Requests

  • Term. This DPA remains in effect while Company Processes Customer Personal Data for Customer under the Agreement.
  • Changes. Company may update this DPA to reflect changes in law/industry standards; material changes will be notified, and continued use after effective date constitutes acceptance.
  • Governing Law; Disputes. This DPA follows the governing law and dispute resolution terms of the Agreement (including any arbitration/class-action waiver).
  • Government Requests. Company may disclose Customer Personal Data to comply with law/regulation/subpoena/valid governmental request; where permitted, Company will use reasonable efforts to notify Customer before disclosure and may be legally prohibited from doing so.

Annex A — Details of Processing

  • Subject Matter & Duration. Processing Customer Personal Data to deliver the Service (AI voice assistant, call handling, transcription, summarization, routing, notifications, dashboards, APIs, integrations) for the Agreement term and post-termination retention per Section 3.6.
  • Nature & Purpose. Hosting, storage, transmission, call processing, transcription, analysis, summarization, notifications, logging, support, billing, security, monitoring, troubleshooting, quality improvement, and integrations enabled by Customer.
  • Data Subjects. Authorized users; Customer’s prospects/clients/end callers/message senders; Customer personnel; website visitors via Customer widgets/integrations.
  • Personal Data. Identifiers, account/profile data, call metadata, audio/transcripts (if enabled), summaries/extracted fields, telemetry (IP, device/browser, cookies/logs), scheduling/CRM fields, integration identifiers/tokens, and other data submitted by or for Customer. No special categories intended; no PHI intended.
  • Retention. As configured by Customer or described in the Agreement/Privacy Policy; backups/logs retained per retention schedules and legal holds.
  • Locations. United States and other locations where Company/Subprocessors operate (see Annex C).

Annex B — Technical and Organizational Measures (TOMs)

  • Security governance & training; confidentiality commitments; annual policy reviews.
  • Access control with least privilege, role-based access, MFA for privileged access, periodic reviews.
  • Encryption in transit (TLS 1.2+) and at rest (e.g., AES-256) with managed keys and rotation.
  • Secure SDLC, code review, dependency scanning, patch management; prioritized remediation.
  • Network/app security (segmentation, firewalls/WAF, IDS/IPS as applicable); DDoS and rate-limit protections.
  • Centralized logging/monitoring; alerting; audit trails per policy.
  • Incident response with 24×7 escalation; RCA and corrective actions.
  • Business continuity/DR: backups, tested restoration, availability targets.
  • Vendor/Subprocessor risk management: due diligence, contractual flow-down, periodic reviews.
  • Data minimization & retention; deletion/anonymization; legal holds respected.
  • Physical security aligned with leading cloud providers (access controls, CCTV, visitor logs).
  • Customer controls: roles/permissions, retention, recording, integrations; export tools where available.

Annex C — Subprocessors (Categories / Representative List)

  • Hosting/Cloud Infrastructure — compute, storage, databases, CDN.
  • Telephony/VoIP — PSTN/SIP carriers and routing providers.
  • Analytics/Logging/Monitoring — log management, metrics, performance monitoring.
  • Support/Communications — email delivery, ticketing, in-app messaging.
  • Payment Processing — payment gateway/processor for billing.
  • AI/ML Services — model inference/ASR/TTS services essential to core functionality.

Company may maintain a public page or dashboard listing current Subprocessors and will provide notice of material changes per Section 3.3.

Annex D — Cross-Border Transfer Mechanisms

  • EU SCCs (2021/914). Module Two (Controller→Processor) applies. Clause 9 (Subprocessing): general authorization with notice; Clause 11: not applicable; Clause 17: governing law of the EU Member State where Customer is established (if not determinable, Irish law); Clause 18: courts of that Member State.
  • UK Transfers. UK IDTA/Addendum incorporated; table information drawn from this DPA/Annexes; controls for UK transfers in case of conflict.
  • Switzerland. FADP alignment; Swiss law/courts apply as required.
  • If SCCs are updated/replaced, the updated version applies automatically.

Contact

Questions about this DPA: privacy@missedcalls.help.
