Last Updated: February 2025
Data Processing Addendum
Terms governing the processing of personal data on behalf of customers
1. Introduction and Scope
This Data Processing Addendum ("DPA") forms part of the Master Service Agreement ("Agreement") between AI Receptionist ("Processor" or "Provider") and the customer entity ("Controller" or "Customer") that has executed or accepted the Agreement.
This DPA applies when Provider processes Personal Data on behalf of Customer in connection with the AI Receptionist services. This DPA is designed to address data protection requirements including those under:
- California Consumer Privacy Act (CCPA/CPRA)
- State privacy laws (Virginia, Colorado, Connecticut, Utah, etc.)
- Sector-specific requirements for government customers
- General data protection principles
2. Definitions
"Controller" means the entity that determines the purposes and means of processing Personal Data. For purposes of this DPA, Customer is the Controller.
"Processor" means the entity that processes Personal Data on behalf of the Controller. For purposes of this DPA, Provider is the Processor.
"Personal Data" means any information relating to an identified or identifiable natural person that Provider processes on behalf of Customer in connection with the Services.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, or deletion.
"Data Subject" means the individual to whom Personal Data relates.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
"Subprocessor" means any third party engaged by Provider to process Personal Data on behalf of Customer.
3. Roles and Responsibilities
3.1 Customer as Controller
Customer determines the purposes and means of processing Personal Data and is responsible for:
- Ensuring a lawful basis exists for processing
- Providing required notices to Data Subjects
- Obtaining necessary consents (e.g., call recording notices)
- Responding to Data Subject requests
- Ensuring compliance with applicable privacy laws
3.2 Provider as Processor
Provider processes Personal Data only on behalf of and under the instructions of Customer:
- Processing only as instructed by Customer or as required by law
- Implementing appropriate security measures
- Assisting Customer with Data Subject requests
- Notifying Customer of Security Incidents
- Maintaining records of processing activities
4. Processing Instructions
4.1 Scope of Processing
Provider will process Personal Data only for the following purposes:
- Operating the AI voice agent to answer calls
- Generating and storing call transcripts
- Managing appointment scheduling
- Sending notifications and messages
- Providing dashboard access and analytics
- Technical support and service improvement
4.2 Categories of Personal Data
| Category | Examples |
|---|---|
| Identifiers | Name, phone number, email address |
| Audio Data | Call recordings, voicemail |
| Communication Content | Transcripts, messages, appointment details |
| Technical Data | Call metadata, timestamps, IP addresses |
4.3 Categories of Data Subjects
- Callers who contact Customer via the AI receptionist
- Customer employees and authorized users
- Individuals mentioned in call content
4.4 Processing Restrictions
Provider will NOT:
- Sell Personal Data
- Share Personal Data for cross-context behavioral advertising
- Process Personal Data for purposes other than providing Services
- Combine Personal Data with data from other customers
- Retain Personal Data longer than necessary for the Services
5. Subprocessors
5.1 Authorization
Customer authorizes Provider to engage Subprocessors to assist in providing the Services. Provider maintains a list of current Subprocessors, which includes:
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Cloud infrastructure, database hosting | United States |
| Vercel | Application hosting | United States |
| Anthropic | AI language processing | United States |
| Twilio | Telephony services | United States |
| Stripe | Payment processing | United States |
5.2 Subprocessor Obligations
Provider will ensure that Subprocessors are bound by data protection obligations at least as protective as those in this DPA.
5.3 Changes to Subprocessors
Provider will notify Customer of changes to Subprocessors via email or dashboard notification. Customer may object to a new Subprocessor within 30 days of notice.
6. Security Measures
Provider implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
6.1 Technical Measures
- Encryption in Transit: TLS 1.2 or higher for all data transmission
- Encryption at Rest: AES-256 encryption for stored data
- Access Controls: Role-based access, multi-factor authentication
- Logging: Audit logs for administrative actions
- Vulnerability Management: Regular security scanning and patching
6.2 Organizational Measures
- Security awareness training for personnel
- Background checks for employees with data access
- Confidentiality agreements
- Incident response procedures
- Business continuity planning
7. Data Retention and Deletion
7.1 Retention Period
Provider retains Personal Data for the duration of the Agreement plus:
- Call Recordings: As configured by Customer (default 90 days)
- Transcripts: As configured by Customer (default 1 year)
- Account Data: Duration of Agreement plus legal retention requirements
7.2 Deletion Upon Termination
Upon termination of the Agreement:
- Customer may request data export within 30 days
- Provider will delete Personal Data within 90 days
- Provider will provide deletion certification upon request
Provider may retain Personal Data as required by applicable law or for legitimate business purposes (e.g., billing records, legal compliance).
8. Data Subject Requests
8.1 Assistance
Provider will assist Customer in responding to Data Subject requests, including:
- Right to access/know
- Right to deletion
- Right to correction
- Right to data portability
- Right to opt-out of sale/sharing (Provider does not sell or share Personal Data)
8.2 Process
Customer should direct Data Subject requests to Provider at privacy@aireceptionist.com. Provider will respond within 10 business days with the requested information or confirmation of action taken.
8.3 Direct Requests
If Provider receives a request directly from a Data Subject, Provider will redirect the request to Customer unless legally required to respond directly.
9. Security Incident Notification
9.1 Notification
Provider will notify Customer of any Security Incident without undue delay, and in any event within 72 hours of becoming aware of the incident, unless legally prohibited.
9.2 Information Provided
Provider's notification will include, to the extent known:
- Nature of the Security Incident
- Categories and approximate number of Data Subjects affected
- Categories and approximate amount of data affected
- Likely consequences of the incident
- Measures taken or proposed to address the incident
- Contact point for additional information
9.3 Cooperation
Provider will cooperate with Customer in investigating the incident and complying with applicable breach notification requirements.
10. Data Location and Transfers
10.1 Processing Location
Personal Data is processed and stored in the United States using cloud infrastructure providers with data centers in the continental United States.
10.2 Government Customers
For government customers with specific data residency requirements, Provider can discuss deployment options. Please contact government@aireceptionist.com for details.
10.3 International Transfers
Provider does not transfer Personal Data outside the United States as part of normal service delivery. If international transfers become necessary, Provider will implement appropriate safeguards.
11. California-Specific Terms (CCPA/CPRA)
When processing Personal Information of California residents:
11.1 Service Provider Status
Provider is a "Service Provider" as defined in CCPA Section 1798.140(ag). Provider processes Personal Information only for the business purposes set forth in this DPA.
11.2 Prohibited Activities
Provider will NOT:
- Sell Personal Information
- Share Personal Information for cross-context behavioral advertising
- Retain, use, or disclose Personal Information outside the business relationship
- Combine Personal Information with data from other sources (except as permitted)
11.3 Certification
Provider certifies that it understands and will comply with CCPA/CPRA requirements applicable to Service Providers.
12. Audit Rights
Customer may audit Provider's compliance with this DPA by:
- Requesting Provider's responses to security questionnaires
- Reviewing Provider's security documentation and policies
- Requesting evidence of security certifications or assessments
On-site audits may be conducted upon reasonable notice (minimum 30 days) and subject to confidentiality obligations. Customer bears the cost of third-party audits.
13. Term and Termination
This DPA remains in effect for the duration of the Agreement. Upon termination, the data deletion provisions of Section 7 apply. Provisions that by their nature should survive (confidentiality, limitation of liability) survive termination.
14. Contact Information
Privacy/Data Protection: privacy@aireceptionist.com
Security Inquiries: security@aireceptionist.com
Government Procurement: government@aireceptionist.com
Legal/Contracts: legal@aireceptionist.com