Data Processing Agreement (DPA)

This DATA PROCESSING AGREEMENT (“DPA”) is entered into between:

1. the customer agreeing to these terms (“Customer”); and
   
   
   

2. CALL COMPANY OY, a private limited company incorporated under the laws of Finland with registered address Lapinlahdenkatu 16, 00180, Helsinki, Finland, and Business ID 3502674-5 (“Call Company” or “Supplier”).

Customer and Call Company are each a “Party” and together the “Parties”.

1. Background

1.1 The Parties have entered into an agreement regarding Call Company’s provision of the AI voice receptionist / AI caller service as specified in Call Company’s Terms of Service or other ordering document (the “Main Agreement”). The Services include processing of personal data on behalf of Customer.

1.2 This DPA governs Customer’s rights and obligations as a Controller and Call Company’s rights and obligations as a Processor (or where Customer is a processor, Call Company is a sub-processor), to the extent Call Company processes personal data on behalf of Customer.

1.3 This DPA forms part of the Main Agreement. In the event of conflict between the Main Agreement and this DPA, this DPA prevails for data protection matters.

1.4 Acceptance / signatures. Customer enters into this DPA by accepting the Main Agreement (including by online checkout, account creation, or use of the Services). No signature is required.

2. Definitions

2.1 Unless otherwise stated, terms and expressions used in this DPA shall be interpreted in accordance with the EU General Data Protection Regulation (2016/679) (“GDPR”), and where applicable the UK GDPR, Swiss FADP, and other Applicable Data Protection Laws.

2.2 “Customer Data” means personal data submitted to, collected by, or otherwise processed through the Services on behalf of Customer, including caller content, call metadata, logs, transcripts, and summaries.

2.3 Terms used but not defined in this DPA have the meanings given in the Main Agreement.

2.4 "Applicable Data Protection Laws" means all laws and regulations applicable to the processing of personal data under this DPA, including: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"); (b) Directive 2002/58/EC (the "ePrivacy Directive") and its national implementations, including the Finnish Information Society Code (917/2014); (c) the UK GDPR and the UK Data Protection Act 2018; (d) the Swiss Federal Act on Data Protection; and (e) any other data protection or privacy law applicable to a Party's processing of Customer Data.

3. Processing of personal data

3.1 Instructions. Call Company shall process Customer Data only:

• (a) to provide, maintain, and secure the Services in accordance with the Main Agreement and this DPA;

• (b) in accordance with Customer’s documented instructions (including Customer’s configuration choices and settings); and

• (c) as required by applicable law (in which case Call Company will notify Customer unless legally prohibited).

3.2 Details of processing. The nature, purpose, categories of data, and data subjects are described in Appendix 1.

3.3 Confidentiality. Call Company shall ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.4 Customer responsibilities. Customer is responsible for:

• (a) providing appropriate notices to callers (including disclosures that an AI system is used, where required);

• (b) obtaining any necessary consents (including for call recording, where applicable);

• (c) ensuring it has a lawful basis for processing and sharing Customer Data with Call Company; and

• (d) ensuring Customer’s instructions are lawful and do not require Call Company to process prohibited or unlawful data.

• (e) where Customer is a Deployer of the AI voice agent under Regulation (EU) 2024/1689 (the "EU AI Act"), complying with applicable obligations of deployers under Articles 26 and 50(3)–(4) of the EU AI Act, including human oversight, monitoring of operation, and informing data subjects where Customer is the controller of their data.

3.5 Special categories.

(a) The Services are not designed to intentionally process special categories of personal data within the meaning of Article 9 GDPR. Customer will not instruct Call Company to process special categories of data and will not configure the Services in a way that is intended to capture such data.

(b) Call Company does not use call audio to create voiceprints, perform biometric identification, or perform biometric categorization of callers, and does not process voice data as biometric data within the meaning of Article 9 GDPR.

(c) If callers voluntarily provide special category data during a call, Call Company may process it incidentally as part of the Services on Customer's instructions. Customer (as controller) is responsible for identifying the applicable Article 9(2) GDPR basis where required.

4. Security measures

4.1 Call Company shall implement appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

4.2 Call Company’s security measures are described in Appendix 3 (Security Measures). Call Company may update the Security Measures to reflect technological progress and evolving risks, provided that updates do not materially reduce the overall level of security.

5. Sub-processors and international transfers

5.1 Customer authorizes Call Company to engage sub-processors to process Customer Data in order to provide the Services.

5.2 List. The current list of sub-processors is available in Appendix 2.

5.3 Notice of changes. Call Company shall inform Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving Customer the opportunity to object. If Customer objects on reasonable data protection grounds, the Parties will work in good faith to resolve the objection (including by offering an alternative or allowing termination of the affected Services). If resolution is not possible, Customer may terminate the affected Services.

5.4 Flow-down terms. Call Company shall ensure its sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA. Call Company remains responsible for its sub-processors’ performance.

5.5 International transfers. For transfers of Customer Data outside the EU/EEA (or other restricted transfers under Applicable Data Protection Laws), Call Company shall ensure appropriate safeguards in accordance with GDPR Chapter V (and equivalent regimes), including where applicable:

• adequacy decisions, including the EU-US Data Privacy Framework, where applicable

• Standard Contractual Clauses (“SCCs”); and/or

• other legally recognized transfer mechanisms.

For transfers of personal data from the United Kingdom that require a  transfer mechanism under UK data protection law, the Parties incorporate  the UK International Data Transfer Addendum to the EU Standard Contractual  Clauses (issued by the UK Information Commissioner's Office in March 2022),  with Tables 1, 2, and 3 completed using the information in this DPA and  its appendices.

5.6 SCCs by reference. Where SCCs are used, the Parties agree that:

• the SCCs are incorporated by reference into this DPA; and

• the annexes to the SCCs are completed using the information in Appendix 1 (processing details), Appendix 2 (sub-processors), and Appendix 3 (security measures), to the extent applicable.

6. Data subject requests and assistance

6.1 Call Company shall provide reasonable assistance to Customer, taking into account the nature of processing, to enable Customer to comply with obligations regarding data subject rights under Applicable Data Protection Laws.

6.2 If Call Company receives a request directly from a data subject relating to Customer Data, Call Company shall (unless legally prohibited) promptly notify Customer and direct the data subject to Customer.

6.3 Caller-initiated requests via Call Company. Where Customer has enabled Caller Memory or similar features and a caller submits a rights request directly to Call Company (for example, via caller-requests@callcompany.ai), Call Company will (i) route the request to the relevant Customer (controller) without undue delay, (ii) provide Customer with the information and tooling necessary to respond, and (iii) where Customer instructs, take operational steps within the Services (such as deletion or export) to assist Customer in responding within the timeframes required by Applicable Data Protection Laws.

7. Personal data breaches

7.1 Call Company shall notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.

7.2 Call Company shall provide reasonable assistance to Customer in investigating, mitigating, and remediating the breach and complying with breach notification and documentation obligations, taking into account the information available to Call Company.

7.3 Customer is responsible for making any required notifications to supervisory authorities and data subjects under Applicable Data Protection Laws. Call Company shall cooperate with and assist Customer in meeting these obligations.

8. Audits

8.1 Customer shall have the right to audit Call Company’s compliance with this DPA, including by conducting inspections, with reasonable notice and during normal business hours.

8.2 Call Company shall contribute to audits by providing available documentation and reasonable assistance, subject to confidentiality and security requirements.

8.3 Customer may conduct or request an audit no more than once per 12-month period, unless required by a supervisory authority or following a personal data breach. Audit requests must be proportionate, scoped to relevant systems and controls, and must not unreasonably interfere with Call Company's operations.

9. Deletion or return of data

9.1 Deletion / return upon termination. Upon termination or expiry of the Main Agreement (or the affected Services), Call Company shall, at Customer’s choice (where technically feasible), delete or return Customer Data and delete existing copies, unless (a) retention is required by applicable law, or (b) Customer Data is stored in routine backups in accordance with Section 9.2.

9.2 Backups. Customer acknowledges that Customer Data stored in routine backups may be retained until the backup lifecycle completes, after which it will be deleted in accordance with Call Company’s backup retention practices. During the backup retention period, Call Company will not restore Customer Data from backups except to the extent necessary for disaster recovery, security investigations, or service integrity.

9.3 De-identified / anonymized data. Call Company may retain and use Aggregated Data and De-identified Data derived from Customer Data for analytics, security, quality assurance, product development, and improvement of the Services, including training, fine-tuning, evaluating, and benchmarking models and systems, provided that such data:

• (a) has been de-identified or anonymized so that it cannot reasonably be used to identify any individual or Customer, taking into account reasonably available means;

• (b) is maintained with appropriate safeguards to prevent re-identification and unauthorized access; and

• (c) is not used to attempt to re-identify any individual or Customer.

9.4 Definitions (for this Section).

• “Aggregated Data” means data combined across multiple customers and/or events so that it is presented in summary form and does not identify Customer or any individual.

• “De-identified Data” means data that has been processed to remove or obscure identifiers such that it does not reasonably identify an individual, household, or Customer, and is subject to measures designed to prevent re-identification.

• “Anonymized Data” means data irreversibly anonymized so it is no longer personal data under Applicable Data Protection Laws.

9.5 Customer request. If Customer requests, Call Company will provide a high-level description of the categories of De-identified Data retained under this Section, and the general purposes for which it is used.

10. Liability

10.1 Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Main Agreement, except where such limitations are not permitted under applicable law or the SCCs (where applicable).

11. U.S. privacy terms (where applicable)

11.1 To the extent U.S. state privacy laws apply (including CCPA/CPRA), Call Company:
(a) acts as a service provider and/or contractor to Customer;
(b) will not sell or share personal information;
(c) will not retain, use, or disclose personal information for any purpose other than the specific business purpose of providing the Services described in the Main Agreement, or as otherwise permitted by law;
(d) will not retain, use, or disclose personal information outside the direct business relationship with Customer;
(e) will not combine personal information received from Customer with personal information received from other sources, except as permitted by law;
(f) will assist Customer in responding to consumer rights requests; and
(g) will notify Customer if Call Company determines that it can no longer meet its obligations under applicable U.S. state privacy laws. 

Customer has the right, upon notice, to take reasonable and appropriate steps to stop and remediate Call Company's unauthorised use of personal information.

12. Governing law and dispute resolution

12.1 This DPA shall be governed by the laws of Finland without its choice of law provisions.

12.2 Any disputes shall be resolved in accordance with the dispute resolution provisions of the Main Agreement.

12.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

12.4 Entire agreement. This DPA, together with the Main Agreement and its appendices, constitutes the entire agreement between the Parties regarding the processing of Customer Data.

Appendix 1 — Details of Processing

A. Nature and purpose of processing

Call Company processes Customer Data as necessary to provide the Services, including:

• receiving and handling inbound calls (and/or making outbound calls if enabled by Customer);

• speech recognition (transcription), language understanding, and generation of responses;

• generating call summaries and structured outputs (e.g., intents, outcomes);

• logging call metadata (timestamps, duration, caller phone number from telecom metadata where available);

• delivering notifications and integrations configured by Customer

• hosting, maintaining, securing, monitoring, and supporting the Services;

• billing and usage measurement (e.g., minutes used).

- where Customer has enabled the Caller Memory feature: storage and retrieval of caller-related data within Customer's tenant for personalisation purposes, in accordance with Appendix 4.

B. Categories of data subjects

• individuals who call Customer (e.g., restaurant guests, leads, delivery couriers);

• Customer staff and authorized users (administrators, agents) who configure or test the Services.

C. Types / categories of personal data

Depending on Customer configuration and caller input:

• caller phone number (telephony metadata);

• caller name (spoken; recognition accuracy not guaranteed);

• caller email address (if spoken; recognition accuracy not guaranteed);

• call content (spoken inquiries, reservation details, preferences);

• call audio, transcripts, summaries, tags/classifications;

• technical data for dashboard users (account email, login events, access logs).

D. Special categories of data

Not intentionally processed. Potential incidental disclosure by callers in free-form speech.

E. Duration of processing

For the duration of the Main Agreement and any additional period:

• required by law; or

• required to provide the Services (including standard backup retention); or

• as configured by Customer in the Services (if configurable retention exists).