Data Processing Agreement
This Data Processing Agreement ("DPA") supplements and forms part of the Terms of Service between you ("Customer", "Controller") and Voctiv Inc ("Voctiv", "Processor"). This DPA applies to the extent that Voctiv processes Personal Data on behalf of Customer in connection with the Voctiv Assistant MCP service.
1. Definitions
In this DPA, the following terms have the meanings set out below. Terms not defined here have the meanings given in the Terms of Service or applicable data protection law.
- "Controller" means the Customer who determines the purposes and means of processing Personal Data (i.e., you).
- "Processor" means Voctiv Inc, which processes Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates, including Called Parties.
- "Personal Data" means any information relating to a Data Subject that is processed by Voctiv in connection with the Service, including phone numbers, call recordings, transcriptions, and call metadata.
- "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
- "Sub-processor" means a third party engaged by Voctiv to process Personal Data on behalf of the Controller.
- "Data Protection Laws" means all applicable data protection and privacy laws, including GDPR (EU 2016/679), UK GDPR, CCPA/CPRA, and other applicable national or state laws.
- "SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
- "Security Incident" means any unauthorized or unlawful access to, acquisition of, use of, or disclosure of Personal Data.
2. Scope & Roles
2.1 Roles
With respect to Call Data (phone numbers provided by Customer, call recordings, transcriptions, and call metadata), the parties agree that:
- Customer is the Controller: Customer determines the purposes for which calls are made, the phone numbers to be called, and the content of calls.
- Voctiv is the Processor: Voctiv processes Call Data solely to provide the Service to Customer in accordance with Customer's instructions and these Terms.
2.2 Scope of Processing
| Element | Description |
|---|---|
| Subject matter | Provision of AI voice calling service via MCP |
| Duration | For the term of the Terms of Service plus any retention period |
| Nature & purpose | Initiating outbound calls, recording, transcription, call management |
| Types of Personal Data | Phone numbers, voice recordings, transcriptions, call metadata (duration, timestamps, status) |
| Categories of Data Subjects | Individuals called by Customer through the Service (Called Parties) |
3. Processing Instructions
3.1 Customer Instructions
Voctiv shall process Personal Data only in accordance with Customer's documented instructions. The Terms of Service, this DPA, and Customer's use of the Service (including API calls) constitute Customer's instructions to Voctiv.
3.2 Additional Instructions
If Customer requires Voctiv to process Personal Data in a manner not covered by the existing instructions, Customer must provide new documented instructions in writing. Voctiv may charge additional fees for processing outside the scope of the Service.
3.3 Legal Requirements
If Voctiv is required by applicable law to process Personal Data other than as instructed by Customer, Voctiv will inform Customer of that legal requirement before processing, unless prohibited from doing so by law.
3.4 Personnel
Voctiv ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. Data Security Measures
Voctiv implements and maintains appropriate technical and organizational measures to protect Personal Data, including:
4.1 Technical Measures
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256)
- Network segmentation and firewall protection
- Intrusion detection and prevention systems
- Regular security patching and vulnerability management
- Secure API authentication (API key hashing, rate limiting)
- Automated backup with encrypted storage
4.2 Organizational Measures
- Role-based access controls following the principle of least privilege
- Employee security awareness training
- Background checks for personnel with access to Personal Data
- Documented information security policies and procedures
- Incident response plan with defined roles and responsibilities
- Regular security reviews and risk assessments
4.3 Data Disposal
Upon expiration of retention periods, Personal Data is securely deleted using industry-standard methods that render the data unrecoverable.
5. Sub-processors
5.1 Pre-approved Sub-processors
Customer authorizes Voctiv to engage the sub-processors listed in the Privacy Policy. The current list includes providers for telecommunications, cloud infrastructure, AI/ML, speech processing, and payment processing.
5.2 Notification of Changes
Voctiv will notify Customer at least 14 days before engaging a new sub-processor or replacing an existing one. Notification will be sent to the email address associated with Customer's account.
5.3 Objection Rights
If Customer objects to a new sub-processor on reasonable data protection grounds, Customer must notify Voctiv within 14 days of receiving notice. The parties will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected portion of the Service without penalty.
5.4 Sub-processor Obligations
Voctiv imposes data protection obligations on each sub-processor that are substantially similar to those in this DPA. Voctiv remains fully liable to Customer for the performance of each sub-processor's obligations.
6. Data Subject Rights Assistance
6.1 Requests
If Voctiv receives a request from a Data Subject to exercise their rights under Data Protection Laws (e.g., access, rectification, erasure, portability), Voctiv will promptly notify Customer and will not respond to the request directly unless authorized by Customer or required by law.
6.2 Assistance
Voctiv will provide reasonable assistance to Customer in fulfilling Data Subject requests, taking into account the nature of the processing. This includes providing relevant data, facilitating deletion, and supporting data portability requests.
6.3 Response Time
Voctiv will respond to Customer's requests for assistance with Data Subject rights within 10 business days.
7. Data Breach Notification
7.1 Notification
Voctiv will notify Customer of a confirmed Security Incident without undue delay and in any event within 72 hours of becoming aware of the incident, to the extent required by applicable Data Protection Laws.
7.2 Content of Notification
The notification will include, to the extent available:
- The nature of the Security Incident, including categories and approximate number of Data Subjects and records affected
- The name and contact details of the point of contact at Voctiv
- A description of the likely consequences of the Security Incident
- A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its effects
7.3 Cooperation
Voctiv will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident.
7.4 Notification to Authorities
Customer, as Controller, is responsible for determining whether notification to supervisory authorities or Data Subjects is required. Voctiv will assist Customer in making this assessment upon request.
8. International Data Transfers
8.1 Transfer Mechanism
Personal Data is processed and stored in the United States. For transfers from jurisdictions that restrict international data transfers, the following mechanisms apply:
8.2 European Economic Area (EEA)
Transfers of Personal Data from the EEA are governed by the Standard Contractual Clauses (SCCs) as adopted by the European Commission (Implementing Decision (EU) 2021/914). For the purposes of the SCCs:
- Module Two (Controller to Processor) applies
- The optional docking clause (Clause 7) is included
- For Clause 9, Option 2 (general written authorization) applies with a 14-day prior notice period
- The governing law is that of the EU Member State where the Customer is established
- Disputes shall be resolved before the courts of the EU Member State where the Customer is established
8.3 United Kingdom
For transfers from the UK, the UK International Data Transfer Addendum (IDTA) to the EU SCCs applies, as issued by the UK Information Commissioner's Office.
8.4 Switzerland
For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Act on Data Protection (FADP).
8.5 Supplementary Measures
Voctiv implements supplementary technical measures (encryption at rest and in transit) and organizational measures (access controls, security policies) to ensure that Personal Data remains protected during and after transfer.
9. Audit Rights
9.1 SOC 2 Reports
Voctiv will maintain SOC 2 Type II certification (or equivalent) and will make the most recent audit report available to Customer upon written request, subject to appropriate confidentiality obligations.
9.2 Additional Audits
Customer may conduct or commission an independent audit of Voctiv's compliance with this DPA, subject to the following conditions:
- Customer must provide at least 30 days' written notice
- Audits shall be conducted during normal business hours
- Audits shall not unreasonably interfere with Voctiv's operations
- No more than one audit per 12-month period, unless required by a supervisory authority
- The cost of the audit is borne by Customer
- The auditor must agree to appropriate confidentiality obligations
9.3 Supervisory Authority Audits
Voctiv will cooperate with audits initiated by competent supervisory authorities as required by applicable Data Protection Laws.
10. Data Deletion & Return
10.1 Upon Termination
Upon termination of the Terms of Service, Voctiv will, at Customer's election:
- Return all Personal Data to Customer in a commonly used, machine-readable format; or
- Delete all Personal Data, including all copies, within 14 days of the termination date.
Customer must notify Voctiv of its choice within 30 days of termination. If no instruction is received, Voctiv will delete the data.
10.2 Certification
Upon deletion, Voctiv will provide written certification that all Personal Data has been securely deleted, except to the extent that retention is required by applicable law.
10.3 Legal Retention
Voctiv may retain Personal Data beyond the deletion period where required by applicable law (e.g., billing records for tax purposes, compliance records for TCPA). Such retained data will continue to be protected in accordance with this DPA.
11. Liability
Each party's liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service, except that:
- Nothing in this DPA limits either party's liability for breaches of Data Protection Laws that cannot be limited under applicable law
- Customer's indemnification obligations under the Terms of Service (Sections 7, 8, and 16) are not limited by this DPA
12. Term & Termination
This DPA takes effect on the date Customer accepts the Terms of Service and remains in effect for as long as Voctiv processes Personal Data on behalf of Customer. It terminates automatically upon termination of the Terms of Service, subject to the data deletion obligations in Section 10.
Sections that by their nature should survive termination (including Sections 7, 8, 9, 10, and 11) shall survive.