Data Processing Agreement

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between AY Tech Systems LLC, operating as Calls Orbit ("Processor," "we," "us," or "our") and the customer ("Controller," "you," or "your") who has agreed to our Terms of Service.

This DPA applies to the processing of personal data by the Processor on behalf of the Controller in connection with the provision of CallsOrbit's AI voice agent services.

2. Definitions

• "Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.
• "Data Controller" means the entity that determines the purposes and means of processing Personal Data.
• "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller.
• "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
• "Data Subject" means the individual to whom the Personal Data relates.
• "GDPR" means the General Data Protection Regulation (EU) 2016/679.
• "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for international data transfers.

3. Scope and Purpose of Processing

3.1 Subject Matter

The Processor shall process Personal Data on behalf of the Controller for the purpose of providing AI voice agent services, including call handling, lead capture, call recording, transcription, and related analytics.

3.2 Categories of Data Subjects

• Controller's customers and prospective customers who call the AI agent
• Controller's employees and authorized users
• Any other individuals whose data is processed through the Services

3.3 Types of Personal Data

• Contact information (name, phone number, email address)
• Voice recordings and transcripts of calls
• Service requests and inquiries
• Location data (if provided during calls)
• Any other information disclosed during voice interactions

3.4 Duration of Processing

Processing shall continue for the duration of the Agreement, plus any retention period required by law or as specified in our Privacy Policy (default: 90 days for call recordings and transcripts).

4. Processor Obligations

The Processor shall:

• Process Personal Data only on documented instructions from the Controller, unless required by applicable law.
• Ensure that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
• Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (as described in Section 7).
• Assist the Controller in fulfilling its obligations to respond to Data Subject requests for exercising their rights under applicable data protection laws.
• Assist the Controller in ensuring compliance with security, breach notification, impact assessments, and prior consultation obligations.
• At the Controller's choice, delete or return all Personal Data after the end of the provision of services, unless storage is required by law.
• Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits.

5. Controller Obligations

The Controller shall:

• Ensure it has all necessary rights and legal bases to transfer Personal Data to the Processor for processing.
• Provide clear and documented instructions for Personal Data processing.
• Ensure compliance with applicable data protection laws, including providing appropriate notices to and obtaining necessary consents from Data Subjects.
• Be responsible for configuring appropriate call recording disclosures in AI agent greetings to comply with consent requirements.

6. Sub-processors

6.1 Authorization

The Controller provides general authorization for the Processor to engage Sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object.

6.2 Current Sub-processors

The following Sub-processors are currently engaged to process Personal Data:

6.3 Sub-processor Obligations

The Processor shall ensure that each Sub-processor is bound by data protection obligations no less protective than those contained in this DPA. The Processor remains fully liable for the acts and omissions of its Sub-processors.

7. Security Measures

The Processor implements the following technical and organizational security measures:

• Encryption: AES-256 encryption for data at rest; TLS 1.3 for data in transit.
• Access Controls: Role-based access control, multi-factor authentication for administrative access, principle of least privilege.
• Network Security: Firewalls, intrusion detection systems, DDoS protection, regular security assessments.
• Audit Logging: Comprehensive logging of access and changes to Personal Data, retained for security monitoring.
• Data Segregation: Logical separation of customer data to prevent unauthorized access between tenants.
• Backup & Recovery: Regular backups with tested recovery procedures.
• Employee Training: Regular security awareness training for all personnel with access to Personal Data.
• Incident Response: Documented incident response procedures with defined escalation paths.

8. Data Breach Notification

8.1 Notification Timeline

The Processor shall notify the Controller without undue delay, and in any event within 72 hours after becoming aware of a Personal Data breach that affects the Controller's data.

8.2 Notification Content

Such notification shall include:

• Description of the nature of the breach
• Categories and approximate number of Data Subjects affected
• Categories and approximate number of records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact point for further information

8.3 Cooperation

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of any breach.

9. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under applicable data protection laws, including:

• Right of Access: Confirmation of processing and copy of data
• Right to Rectification: Correction of inaccurate data
• Right to Erasure: Deletion of data ("right to be forgotten")
• Right to Restriction: Limitation of processing
• Right to Portability: Data in structured, machine-readable format
• Right to Object: Objection to processing

Requests should be directed to: privacy@callsorbit.com

10. International Data Transfers

10.1 Transfer Mechanisms

For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries not recognized as providing adequate data protection, the Processor relies on the following transfer mechanisms:

• EU Standard Contractual Clauses (SCCs) as approved by the European Commission
• UK International Data Transfer Agreement (IDTA) for UK transfers
• Swiss Standard Contractual Clauses for Swiss transfers

10.2 Supplementary Measures

Where required, the Processor implements supplementary technical and organizational measures to ensure the transferred data remains protected, including encryption, pseudonymization, and access controls.

11. Data Retention and Deletion

11.1 Retention Periods

• Call recordings and transcripts: 90 days (default), configurable
• Lead data: Duration of account plus 30 days
• Account data: Duration of account plus legal retention requirements
• Audit logs: Minimum 1 year for security purposes

11.2 Deletion Process

Upon termination of services or upon request, the Processor shall delete all Personal Data within 30 days, unless retention is required by applicable law. The Controller may request a certificate of deletion.

11.3 Backup Deletion

Personal Data in backup systems will be deleted in accordance with our backup rotation schedule, typically within 90 days of the primary deletion.

12. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. Such audits may be conducted:

• By the Controller or an appointed third-party auditor
• Upon reasonable notice (minimum 30 days, except in case of breach)
• During normal business hours
• Subject to confidentiality obligations

The Processor shall also make available relevant certifications, audit reports (such as SOC 2 reports), and documentation upon request.

13. Liability

Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Agreement (Terms of Service). Nothing in this DPA shall limit either party's liability for breaches of its data protection obligations where such limitation is prohibited by applicable law.

14. Governing Law

This DPA shall be governed by the laws specified in the Agreement (Terms of Service). For Data Subjects in the EEA, the provisions of this DPA shall be interpreted in accordance with GDPR.

15. Contact Information

For questions about this DPA or to exercise data protection rights:

16. Amendments

This DPA may be amended by the Processor to reflect changes in data protection laws or our processing activities. Material changes will be communicated to Controllers via email or through the Services. Continued use of the Services after such notice constitutes acceptance of the amended DPA.