1. Parties
This DPA is between [Operator legal entity] (“Provider”) and [Customer legal entity] (“Customer”).
2. Roles and scope
The Customer is typically the controller and the Provider is a processor for customer content processed through the Service (for example: contact records, call metadata, and transcripts; and audio recordings if enabled). The parties should adjust roles to match their actual use case and jurisdiction.
3. Instructions
The Provider processes personal data only on documented instructions from the Customer, including through configuration of the Service. The Customer is responsible for ensuring it has a lawful basis to collect and share the data (including end-user call disclosures and consent where required).
4. Subprocessors
The Service may use subprocessors (for example: hosting, telephony providers, speech providers, and real-time AI providers). A subprocessor list should be published and kept current at /subprocessors.
5. Security measures
The Provider will implement commercially reasonable technical and organizational measures appropriate to the nature of the processing (for example: access controls, encryption in transit, logging, and retention controls). The parties should attach a security schedule describing the measures in detail.
6. Breach notification
The Provider will notify the Customer of a personal data breach without undue delay after becoming aware, and will provide reasonable information to assist the Customer in meeting its notification obligations.
7. Deletion and return
Upon termination of the Service, the Provider will delete or return Customer personal data as instructed, subject to legal retention requirements. The Service may provide export and deletion tools in the dashboard.
8. Cross-border transfers
If transfers of personal data occur across borders, the parties may need to execute appropriate transfer mechanisms (for example, Standard Contractual Clauses). This section should be customized for your jurisdiction and vendor chain.