Data Processing Agreement (DPA)

This DATA PROCESSING AGREEMENT (“DPA”) is entered into between:

  1. the customer agreeing to these terms (“Customer”); and

  2. CALL COMPANY OY, a private limited company incorporated under the laws of Finland with registered address Lapinlahdenkatu 16, 00180, Helsinki, Finland, and Business ID 3502674-5 (“Call Company” or “Supplier”).

Customer and Call Company are each a “Party” and together the “Parties”.

1. Background

1.1 The Parties have entered into an agreement regarding Call Company’s provision of the AI voice receptionist / AI caller service as specified in Call Company’s Terms of Service or other ordering document (the “Main Agreement”). The Services include processing of personal data on behalf of Customer.

1.2 This DPA governs Customer’s rights and obligations as a Controller and Call Company’s rights and obligations as a Processor (or where Customer is a processor, Call Company is a sub-processor), to the extent Call Company processes personal data on behalf of Customer.

1.3 This DPA forms part of the Main Agreement. In the event of conflict between the Main Agreement and this DPA, this DPA prevails for data protection matters.

1.4 Acceptance / signatures. Customer enters into this DPA by accepting the Main Agreement (including by online checkout, account creation, or use of the Services). No signature is required.

2. Definitions

2.1 Unless otherwise stated, terms and expressions used in this DPA shall be interpreted in accordance with the EU General Data Protection Regulation (2016/679) (“GDPR”), and where applicable the UK GDPR, Swiss FADP, and other Applicable Data Protection Laws.

2.2 “Customer Data” means personal data submitted to, collected by, or otherwise processed through the Services on behalf of Customer, including caller content, call metadata, logs, transcripts, and summaries.

2.3 Terms used but not defined in this DPA have the meanings given in the Main Agreement.

3. Processing of personal data

3.1 Instructions. Call Company shall process Customer Data only:

  • (a) to provide, maintain, and secure the Services in accordance with the Main Agreement and this DPA;

  • (b) in accordance with Customer’s documented instructions (including Customer’s configuration choices and settings); and

  • (c) as required by applicable law (in which case Call Company will notify Customer unless legally prohibited).

3.2 Details of processing. The nature, purpose, categories of data, and data subjects are described in Appendix 1.

3.3 Confidentiality. Call Company shall ensure that persons authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.4 Customer responsibilities. Customer is responsible for:

  • (a) providing appropriate notices to callers (including disclosures that an AI system is used, where required);

  • (b) obtaining any necessary consents (including for call recording, where applicable);

  • (c) ensuring it has a lawful basis for processing and sharing Customer Data with Call Company; and

  • (d) ensuring Customer’s instructions are lawful and do not require Call Company to process prohibited or unlawful data.

3.5 Special categories. The Services are not designed to intentionally process special categories of personal data (GDPR Art. 9). Customer will not instruct Call Company to process special categories of data or highly sensitive data. If callers voluntarily provide such data during a call, it may be processed incidentally as part of the Services.

4. Security measures

4.1 Call Company shall implement appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data.

4.2 Call Company’s security measures are described in Appendix 3 (Security Measures). Call Company may update the Security Measures to reflect technological progress and evolving risks, provided that updates do not materially reduce the overall level of security.

5. Sub-processors and international transfers

5.1 Customer authorizes Call Company to engage sub-processors to process Customer Data in order to provide the Services.

5.2 List. The current list of sub-processors is available in Appendix 2.

5.3 Notice of changes. Call Company shall inform Customer of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, giving Customer the opportunity to object. If Customer objects on reasonable data protection grounds, the Parties will work in good faith to resolve the objection (including by offering an alternative or allowing termination of the affected Services). If resolution is not possible, Customer may terminate the affected Services.

5.4 Flow-down terms. Call Company shall ensure its sub-processors are bound by written agreements imposing data protection obligations no less protective than those in this DPA. Call Company remains responsible for its sub-processors’ performance.

5.5 International transfers. For transfers of Customer Data outside the EU/EEA (or other restricted transfers under Applicable Data Protection Laws), Call Company shall ensure appropriate safeguards in accordance with GDPR Chapter V (and equivalent regimes), including where applicable:

  • adequacy decisions, including the EU-US Data Privacy Framework, where applicable;

  • Standard Contractual Clauses (“SCCs”); and/or

  • other legally recognized transfer mechanisms.

5.6 SCCs by reference. Where SCCs are used, the Parties agree that:

  • the SCCs are incorporated by reference into this DPA; and

  • the annexes to the SCCs are completed using the information in Appendix 1 (processing details), Appendix 2 (sub-processors), and Appendix 3 (security measures), to the extent applicable.

6. Data subject requests and assistance

6.1 Call Company shall provide reasonable assistance to Customer, taking into account the nature of processing, to enable Customer to comply with obligations regarding data subject rights under Applicable Data Protection Laws.

6.2 If Call Company receives a request directly from a data subject relating to Customer Data, Call Company shall (unless legally prohibited) promptly notify Customer and direct the data subject to Customer.

7. Personal data breaches

7.1 Call Company shall notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data.

7.2 Call Company shall provide reasonable assistance to Customer in investigating, mitigating, and remediating the breach and complying with breach notification and documentation obligations, taking into account the information available to Call Company.

7.3 Customer is responsible for making any required notifications to supervisory authorities and data subjects under Applicable Data Protection Laws. Call Company shall cooperate with and assist Customer in meeting these obligations.

8. Audits

8.1 Customer shall have the right to audit Call Company’s compliance with this DPA, including by conducting inspections, with reasonable notice and during normal business hours.

8.2 Call Company shall contribute to audits by providing available documentation and reasonable assistance, subject to confidentiality and security requirements.

8.3 Customer may conduct or request an audit no more than once per 12-month period, unless required by a supervisory authority or following a personal data breach. Audit requests must be proportionate, scoped to relevant systems and controls, and must not unreasonably interfere with Call Company's operations.

9. Deletion or return of data

9.1 Deletion / return upon termination. Upon termination or expiry of the Main Agreement (or the affected Services), Call Company shall, at Customer’s choice (where technically feasible), delete or return Customer Data and delete existing copies, unless (a) retention is required by applicable law, or (b) Customer Data is stored in routine backups in accordance with Section 9.2.

9.2 Backups. Customer acknowledges that Customer Data stored in routine backups may be retained until the backup lifecycle completes, after which it will be deleted in accordance with Call Company’s backup retention practices. During the backup retention period, Call Company will not restore Customer Data from backups except to the extent necessary for disaster recovery, security investigations, or service integrity.

9.3 De-identified / anonymized data. Call Company may retain and use Aggregated Data and De-identified Data derived from Customer Data for analytics, security, quality assurance, product development, and improvement of the Services, including training, fine-tuning, evaluating, and benchmarking models and systems, provided that such data:

  • (a) has been de-identified or anonymized so that it cannot reasonably be used to identify any individual or Customer, taking into account reasonably available means;

  • (b) is maintained with appropriate safeguards to prevent re-identification and unauthorized access; and

  • (c) is not used to attempt to re-identify any individual or Customer.

9.4 Definitions (for this Section).

  • “Aggregated Data” means data combined across multiple customers and/or events so that it is presented in summary form and does not identify Customer or any individual.

  • “De-identified Data” means data that has been processed to remove or obscure identifiers such that it does not reasonably identify an individual, household, or Customer, and is subject to measures designed to prevent re-identification.

  • “Anonymized Data” means data irreversibly anonymized so it is no longer personal data under Applicable Data Protection Laws.

9.5 Customer request. If Customer requests, Call Company will provide a high-level description of the categories of De-identified Data retained under this Section, and the general purposes for which it is used.

10. Liability

10.1 Each Party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Main Agreement, except where such limitations are not permitted under applicable law or the SCCs (where applicable).

11. U.S. privacy terms (where applicable)

11.1 To the extent U.S. state privacy laws apply (including CCPA/CPRA), Call Company will act as a service provider and/or contractor to Customer and will not:

  • sell or share personal information;

  • retain, use, or disclose personal information outside the direct business relationship with Customer except as permitted by law; or

  • combine personal information received from Customer with personal information received from other sources except as permitted by law.

12. Governing law and dispute resolution

12.1 This DPA shall be governed by the laws of Finland, without regard to its choice of law provisions.

12.2 Any disputes shall be resolved in accordance with the dispute resolution provisions of the Main Agreement.

12.3 Severability. If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

12.4 Entire agreement. This DPA, together with the Main Agreement and its appendices, constitutes the entire agreement between the Parties regarding the processing of Customer Data.

Appendix 1 — Details of Processing

A. Nature and purpose of processing

Call Company processes Customer Data as necessary to provide the Services, including:

  • receiving and handling inbound calls (and/or making outbound calls if enabled by Customer);

  • speech recognition (transcription), language understanding, and generation of responses;

  • generating call summaries and structured outputs (e.g., intents, outcomes);

  • logging call metadata (timestamps, duration, caller phone number from telecom metadata where available);

  • delivering notifications and integrations configured by Customer;

  • hosting, maintaining, securing, monitoring, and supporting the Services;

  • billing and usage measurement (e.g., minutes used).

B. Categories of data subjects

  • individuals who call Customer (e.g., restaurant guests, leads, delivery couriers);

  • Customer staff and authorized users (administrators, agents) who configure or test the Services.

C. Types / categories of personal data

Depending on Customer configuration and caller input:

  • caller phone number (telephony metadata);

  • caller name (spoken; recognition accuracy not guaranteed);

  • caller email address (if spoken; recognition accuracy not guaranteed);

  • call content (spoken inquiries, reservation details, preferences);

  • call audio, transcripts, summaries, tags/classifications;

  • technical data for dashboard users (account email, login events, access logs).

D. Special categories of data

Not intentionally processed. Potential incidental disclosure by callers in free-form speech.

E. Duration of processing

For the duration of the Main Agreement and any additional period:

  • required by law; or

  • required to provide the Services (including standard backup retention); or

  • as configured by Customer in the Services (if configurable retention exists).

Appendix 2 — Sub-processors

Updated as of 01.01.2026.

| Sub-processor | Purpose | Location(s) | Data processed | Transfer mechanism |
| --- | --- | --- | --- | --- |
| Twilio | Call routing, numbers, call metadata | EU/EEA & verified regions | Phone number, call metadata, audio | SCC |
| Google, LLC | Hosting & storage | [Regions] | Logs, transcripts/summaries, configs | SCC |
| Gemini (Google) | Speech-to-text / text-to-speech / language processing | United States & Europe | Call audio/transcripts/prompts | SCC |
| Cloudflare | Security & CDN | EU/US | HTTP request metadata, IP addresses | SCC |
| GitHub, Inc. | Code Repository | United States | Source codes | SCC |
| Stripe, Inc. | Payment Processing | United States | Customer billing information, payment metadata | DPF/SCC |
| Linear Orbit, Inc. | Provision of a software-as-a-service (SaaS) platform for team collaboration, project planning, issue tracking, and product roadmapping | EU | Internal operational data | EU GDPR |
| Vercel, Inc. | Provision of cloud hosting and deployment services for web applications, including frontend hosting | EU/US | Frontend application data, session metadata | SCC |

Appendix 3 — Security Measures (TOMs)

Call Company maintains a security program designed to protect Customer Data. Measures include:

Encryption

  • Encryption in transit using industry-standard TLS.

  • Encryption at rest for stored Customer Data where supported by the underlying storage systems.

Access Controls

  • Role-based access control (least privilege).

  • Access to production systems restricted to authorized personnel.

  • Multi-factor authentication for administrative access where supported.

Operational Security

  • Logging and monitoring of systems and access.

  • Controlled deployment and change management processes.

  • Separation of environments (e.g., production vs. test) where feasible.

Vulnerability and Patch Management

  • Regular updates and patching of systems and dependencies.

  • Vulnerability remediation based on risk and severity.

Backups and Recovery

  • Backups taken on a regular schedule.

  • Disaster recovery and restoration processes tested periodically where feasible.

Incident Response

  • Procedures to detect, respond to, and remediate security incidents.

  • Breach notification workflow aligned with Section 7 of this DPA.

Sub-processor Oversight

  • Contractual requirements for sub-processors to protect Customer Data.

  • Due diligence and periodic review appropriate to the sub-processor’s role.
