Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement ("DPA") forms part of the agreement between Infercall ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you", "Customer") for the provision of our AI voice agent services ("Services").
This DPA applies when we process Personal Data on your behalf in connection with the Services. It supplements our Terms of Service and Privacy Policy.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person processed by us on your behalf through the Services.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, or deletion.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, Australian Privacy Act 1988, and India DPDP Act 2023.
- "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
- "Data Subject" means the individual to whom Personal Data relates.
- "Security Incident" means any unauthorized access to, or acquisition, use, or disclosure of Personal Data.
2. Scope and Roles
2.1 Controller and Processor
You are the Controller determining the purposes and means of processing Personal Data. We act as your Processor, processing Personal Data only on your documented instructions.
2.2 Categories of Data Processed
| Category | Examples |
|---|---|
| Caller Information | Phone numbers, caller names (if provided), voiceprints |
| Call Content | Voice recordings, transcripts, AI-generated summaries |
| Technical Data | Call metadata, timestamps, duration, quality metrics |
| Business Data | Appointment bookings, messages, customer preferences |
2.3 Data Subjects
Data Subjects include individuals who call phone numbers configured with our Services, including your customers, prospects, and other callers.
3. Processing Instructions
3.1 Your Instructions
We will process Personal Data only in accordance with your documented instructions, unless required by applicable law (in which case we will inform you before processing, unless prohibited).
3.2 Compliance
You warrant that your instructions comply with Data Protection Laws. We will inform you if we believe an instruction violates applicable law.
3.3 Service-Inherent Processing
Your use of the Services constitutes instructions for us to process Personal Data as necessary to provide the Services, including:
- Receiving and processing voice calls
- Using AI to generate responses and summaries
- Recording calls (if enabled by you)
- Storing call data for your access and analysis
- Generating transcripts and analytics
4. Security Measures
We implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption: TLS 1.3 for data in transit; AES-256 for data at rest
- Access Controls: Role-based access, multi-factor authentication for administrative access
- Infrastructure: SOC 2 Type II certified cloud providers (Google Cloud, Cloudflare)
- Network Security: Firewalls, intrusion detection, DDoS protection
- Monitoring: Continuous security monitoring and logging
- Personnel: Background checks, security training, confidentiality agreements
- Incident Response: Documented incident response procedures
5. Sub-processors
5.1 Authorization
You authorize us to engage Sub-processors to process Personal Data on your behalf. Our current Sub-processors are listed at /subprocessors.
5.2 Sub-processor Obligations
We ensure each Sub-processor is bound by data protection obligations substantially similar to those in this DPA. We remain liable for the acts and omissions of our Sub-processors.
5.3 Changes to Sub-processors
We will provide at least 30 days' notice before engaging new Sub-processors. You may object to a new Sub-processor by notifying us within 14 days. If we cannot address your objection, you may terminate the affected Services.
To receive Sub-processor change notifications, contact privacy@infercall.com.
6. Data Subject Rights
We will assist you in responding to Data Subject requests to exercise their rights under Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to data portability
- Right to object to processing
- Right to restrict processing
If we receive a request directly from a Data Subject, we will promptly forward it to you unless prohibited by law. We will not respond to such requests without your authorization, except to direct the requestor to contact you.
7. Security Incidents
7.1 Notification
We will notify you of any Security Incident without undue delay (and in any event within 72 hours) after becoming aware of it. Notification will include:
- Nature of the incident, including categories and approximate number of Data Subjects affected
- Contact point for further information
- Likely consequences of the incident
- Measures taken or proposed to address the incident
7.2 Cooperation
We will cooperate with you and provide reasonable assistance in investigating the incident, notifying affected parties and regulators, and mitigating harm.
8. International Transfers
8.1 Transfer Mechanisms
Personal Data may be transferred to countries outside the EEA, UK, or other jurisdictions with data transfer restrictions. We ensure such transfers are lawful by implementing appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs for EEA transfers
- UK International Data Transfer Agreement: UK IDTA or UK Addendum to SCCs
- Adequacy Decisions: Transfers to countries with adequate protection status
- Supplementary Measures: Technical and organizational measures where required
8.2 Incorporation of SCCs
Where applicable, the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) are incorporated by reference. For UK transfers, the UK Addendum to the SCCs applies. Copies are available upon request.
9. Audit Rights
9.1 Information and Audit
Upon reasonable request, we will provide information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws. You may conduct audits (or have them conducted by an independent third party) subject to:
- At least 30 days' advance written notice
- Audit conducted during normal business hours
- Reasonable confidentiality obligations on the auditor
- No more than one audit per 12-month period (unless required by law or following a Security Incident)
9.2 Third-Party Certifications
We will provide upon request copies of relevant third-party certifications and audit reports (e.g., SOC 2 reports) that may satisfy your audit requirements.
10. Data Retention and Deletion
10.1 During the Agreement
We retain Personal Data for the duration necessary to provide the Services and as specified in our data retention settings. You can configure retention periods for call recordings and other data through the dashboard.
10.2 Upon Termination
Upon termination of Services, we will:
- Return Personal Data to you in a standard format upon request (within 30 days)
- Delete all Personal Data within 90 days of termination (unless retention is required by law)
- Certify deletion upon request
11. Controller Responsibilities
You are responsible for:
- Ensuring a lawful basis for processing (consent, contract, legitimate interest, etc.)
- Providing privacy notices to Data Subjects about the use of AI voice agents
- Complying with AI disclosure requirements in your jurisdiction
- Obtaining consent for call recording where required
- Responding to Data Subject requests
- Conducting data protection impact assessments where required
- Ensuring your instructions to us comply with applicable law
12. Liability and Indemnification
Each party's liability under this DPA is subject to the liability limitations in the main Services agreement (Terms of Service). This DPA does not limit liability for:
- Death or personal injury caused by negligence
- Fraud or fraudulent misrepresentation
- Any liability that cannot be limited by law
13. Term and Termination
This DPA remains in effect for the duration of our processing of Personal Data on your behalf. It automatically terminates when all Personal Data has been returned or deleted following termination of the Services.
14. Governing Law
This DPA is governed by the same law as the main Services agreement, except that:
- For EEA Data Subjects, disputes concerning GDPR shall be subject to the jurisdiction of courts in the EU Member State of the Data Subject
- For UK Data Subjects, disputes concerning UK GDPR shall be subject to English courts
- Mandatory provisions of local Data Protection Laws apply regardless of governing law
15. Changes to this DPA
We may update this DPA to reflect changes in Data Protection Laws or our processing practices. Material changes will be communicated with at least 30 days' notice. Continued use of the Services after the effective date constitutes acceptance of the updated DPA.
16. Contact
For questions about this DPA or to exercise your rights:
- Email: privacy@infercall.com
- DPA Requests: legal@infercall.com
Annex A: Technical and Organizational Measures
A detailed description of our security measures is available upon request for customers entering into this DPA. This includes:
- Physical security measures
- Access control policies
- Encryption standards
- Network security architecture
- Incident response procedures
- Business continuity plans
- Employee security training program
Contact security@infercall.com to request the full security documentation.