Notice — This document is provided as-is and does not constitute legal advice. Have counsel review before going to production.

Data Processing Addendum

Effective May 19, 2026 · Receptionist On Call, Inc.

This Data Processing Addendum (the “DPA”) forms part of the Terms of Service between Receptionist On Call, Inc. (“Processor”) and the customer identified at sign-up (“Controller”). It applies to the processing of Personal Data within the scope of the General Data Protection Regulation (Regulation (EU) 2016/679), the UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the CPRA, and other substantially similar laws.

1. Definitions

Capitalized terms not defined here have the meaning given in the GDPR. “Personal Data” means personal information processed by Processor on Controller’s behalf under the Terms of Service. “Sub-processor” means any third party engaged by Processor to process Personal Data.

2. Roles and Subject Matter

Controller determines the purposes and means of processing. Processor processes Personal Data on documented instructions from Controller, including those set out in the Terms of Service and in Controller’s configuration of the Service (for example, agent prompts, retention overrides, and recording toggles).

3. Nature, Purpose, and Duration

The processing is performed to provide an AI voice receptionist service that answers and places calls, transcribes audio, generates synthetic voice replies, and stores call records for review. Processing continues for the duration of the subscription and the retention periods described in Section 9.

4. Categories of Data and Data Subjects

Categories of Personal Data include identifiers (name, business email, phone number), call audio, transcripts, structured outputs from the AI agent, IP address, and product-usage events. Categories of Data Subjects include Controller’s personnel, end-user callers and callees, and prospects in Controller’s outbound campaigns.

5. Processor Obligations

  • Process Personal Data only on Controller’s documented instructions;
  • Promptly inform Controller if, in Processor’s opinion, an instruction infringes applicable data-protection law;
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality;
  • Implement appropriate technical and organizational measures described in Annex II, including TLS 1.2+ in transit, AES-256 at rest, least-privilege access, audit logging, and periodic vulnerability scanning;
  • Assist Controller in responding to Data-Subject requests and supervisory-authority inquiries;
  • Notify Controller of a Personal Data Breach without undue delay and in any event within seventy-two (72) hours of becoming aware, providing all information reasonably necessary to satisfy Controller’s own notification obligations.

6. Sub-processors

Controller authorizes Processor to engage the Sub-processors listed in Annex I. Processor will notify Controller at least thirty (30) days before adding or replacing a Sub-processor. Controller may object on reasonable data-protection grounds; if the parties cannot agree on a resolution, Controller may terminate the subscription on a pro-rata refund basis.

7. International Data Transfers

Where the GDPR or UK GDPR applies and Personal Data is transferred outside the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties incorporate Modules 2 and 3 of the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, and the Swiss equivalent, as applicable. The optional docking clause is accepted; Clause 17 (governing law): Ireland; Clause 18 (forum and jurisdiction): Ireland; Annex I.A names the parties as identified in the Terms of Service.

8. Audits

Processor will make available to Controller, on reasonable written notice and no more than once per calendar year (except in the event of a Personal Data Breach or a supervisory-authority demand), information necessary to demonstrate compliance with this DPA, including the most recent third-party audit summaries (for example, SOC 2 Type II once available) under reasonable confidentiality terms. Onsite audits may be conducted by an independent auditor agreed by the parties and subject to Processor’s reasonable security requirements.

9. Data Retention and Deletion

Unless otherwise configured by Controller:

  • Call transcripts are retained for ninety (90) days from the date of the call;
  • Call audio (when recording is enabled) is retained for thirty (30) days;
  • Account and billing data are retained while the account is active and for the periods set out in the Privacy Policy;
  • Server logs are retained for thirty (30) days.

Upon termination, Processor will delete or return Personal Data within sixty (60) days, except where retention is required by applicable law (in which case the Personal Data will be isolated and protected from further processing until deletion).

10. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits liabilities that cannot be excluded under applicable data-protection law.

11. Order of Precedence

In the event of any conflict between this DPA, the Standard Contractual Clauses, and the Terms of Service, the order of precedence is: (i) the Standard Contractual Clauses, (ii) this DPA, (iii) the Terms of Service.

Annex I — Sub-processors

  • Twilio, Inc. (United States) — telephony, call signaling, optional call recording, SMS metadata.
  • Deepgram, Inc. (United States) — real-time speech-to-text on streamed call audio; transient processing only.
  • ElevenLabs, Inc. (United States) — neural text-to-speech generation for outbound audio frames.
  • Anthropic, PBC (United States) — large-language-model responses for agent conversations; inputs are not used to train Anthropic’s general models.
  • Stripe, Inc. (United States) — payment processing and tax calculation; processed under Stripe’s own DPA as an independent controller for compliance purposes.
  • Google LLC (United States) — optional Google Calendar integration when enabled by Controller.
  • Cloud infrastructure providers used to host the application and database (United States and European regions).

Annex II — Technical and Organizational Measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256);
  • Role-based access control, least-privilege provisioning, and quarterly access reviews;
  • Audit logging of administrative and security-relevant events;
  • Secrets management with rotation policies;
  • Network segmentation and DDoS protection at the edge;
  • Vulnerability scanning, dependency monitoring, and a documented patch-management process;
  • Backup and disaster-recovery procedures with documented recovery objectives;
  • Security awareness and confidentiality training for personnel;
  • Defined incident-response plan with roles, escalation, and post-mortem requirements.

Annex III — Contact

DPA-related notices and requests should be sent to dpa@receptionistoncall.com, with a copy to legal@receptionistoncall.com.
