Data Processing Agreement
DRAFT — pending Quebec privacy lawyer review per
.planning/phases/05-durability-rds-cleanup-legal-kickoff/05-LAWYER-TRACKER.md. Do not rely on this version for binding agreements until the tracker shows status=drafts_received.
Version: 2026-05-08-seed Effective date: Upon click-through acceptance by the Customer
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and the platform operator (the legal entity identified at acceptance, "Processor") for the use of the Voice Platform service (the "Services"). Capitalized terms used in this DPA have the meaning given in Section 1 below or, if not defined here, in the underlying Terms of Service.
1. Definitions
- "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including without limitation the Personal Information Protection and Electronic Documents Act (Canada) ("PIPEDA") and the Act respecting the protection of personal information in the private sector (Quebec) as amended by Law 25 (collectively, the "Quebec Act"). {{lawyer review needed: confirm scope, add provincial PIPA references for BC/AB, add cross-references to GDPR Art. 28 for EU customers when in scope}}
- "Controller" means the Customer, who determines the purposes and means of the Processing of Personal Data.
- "Processor" means the Voice Platform operator, processing Personal Data on behalf of the Controller in connection with the Services.
- "Sub-processor" means any third party engaged by the Processor to Process Personal Data on behalf of the Controller. The current list of Sub-processors is published at
/legal/subprocessorsand is incorporated by reference. - "Personal Data" means any information relating to an identified or identifiable natural person Processed by the Processor on behalf of the Controller in connection with the Services.
- "Processing" has the meaning given by Applicable Data Protection Law (collection, recording, organisation, structuring, storage, retrieval, use, disclosure, alignment, restriction, erasure, or destruction).
- "Personal Data Breach" means a confidentiality, integrity, or availability incident affecting Personal Data, as defined by Applicable Data Protection Law (including a "confidentiality incident" under the Quebec Act).
2. Subject matter and duration
The subject matter of the Processing is the provision of the Services to the Controller, including agent telephony orchestration, call recording, transcript storage, knowledge-base ingestion, and post-call follow-up. The duration of the Processing is co-extensive with the term of the Controller's subscription, plus any retention period required to meet legal obligations or, where applicable, the Controller-configured retention setting (see Section 11).
3. Nature and purpose of Processing
The Processor will Process Personal Data only for the purpose of providing and improving the Services, including:
- routing inbound and outbound calls through the Controller's configured agents,
- generating, storing, and serving call recordings and transcripts,
- ingesting and indexing knowledge-base materials supplied by the Controller,
- delivering post-call follow-up actions (email summaries, webhooks, scheduled callbacks) configured by the Controller,
- billing the Controller for usage of the Services,
- monitoring service quality, fraud, abuse, and security incidents,
- responding to support requests from the Controller's authorized users.
The Processor does not Process Personal Data for any purpose other than as instructed by the Controller, except as required by applicable law.
4. Categories of data subjects and types of Personal Data
Categories of data subjects:
- the Controller's authorized end users (employees, contractors, administrators);
- the Controller's customers, prospects, and other natural persons who interact with the Controller's voice agents (callers).
Types of Personal Data Processed:
- contact information (name, email, phone number) of the Controller's authorized users;
- voice recordings, transcripts, and call metadata (caller ID, call duration, time, routing) of natural persons who interact with the Controller's agents;
- content uploaded to the Controller's knowledge base, where such content includes Personal Data;
- billing and payment metadata (tokenized card identifiers held by the payment Sub-processor — the Processor does not store full card numbers).
{{lawyer review needed: confirm category list mirrors what the Quebec CAI expects in its service-provider disclosure templates; add explicit "no special categories without prior written consent" statement.}}
5. Obligations of the Processor
The Processor shall:
- (a) Process Personal Data only on documented instructions from the Controller, including configuration choices made through the Controller's account, except as required by applicable law (in which case the Processor will inform the Controller before Processing, unless prohibited by that law);
- (b) ensure that personnel authorized to Process Personal Data are bound by confidentiality obligations;
- (c) implement appropriate technical and organisational measures to protect the Personal Data, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, secret rotation, and least-privilege principles for personnel access;
- (d) take all measures required under Applicable Data Protection Law in respect of security of Processing;
- (e) notify the Controller of any Personal Data Breach in accordance with Section 9 below;
- (f) assist the Controller in fulfilling its obligations to respond to data subject access, correction, deletion, and portability requests, taking into account the nature of the Processing;
- (g) make available to the Controller information necessary to demonstrate compliance with this DPA.
6. Sub-processors
The Controller authorizes the Processor to engage Sub-processors to Process Personal Data on behalf of the Controller. The current list of Sub-processors is published at /legal/subprocessors and includes the categories of Processing each Sub-processor performs and the regions in which they operate.
The Processor shall:
- (a) impose data-protection obligations on each Sub-processor that are no less protective than those set out in this DPA;
- (b) remain liable to the Controller for the acts and omissions of each Sub-processor as if they were the Processor's own acts and omissions;
- (c) provide at least thirty (30) days' advance notice of any addition or replacement of a Sub-processor that materially Processes Personal Data, by updating the /legal/subprocessors page and (where the Controller has subscribed to such notifications) sending an email notice. The Controller may object to a new Sub-processor on reasonable data-protection grounds during the notice period; the Processor and the Controller will work in good faith to resolve any objection.
7. International transfers — Canadian residency commitment
The Processor's primary data-storage region for Personal Data is Canada (Central), including the Postgres database, file storage, and call-recording archive. Where Sub-processors operate outside Canada, the Processor uses contractual safeguards consistent with Applicable Data Protection Law, including the Quebec Act's transfer-impact-assessment requirement.
The Processor will not transfer Personal Data outside Canada except:
- (a) to Sub-processors disclosed at /legal/subprocessors, and
- (b) under the Controller's documented instructions (e.g., the Controller's choice of an AI provider operating outside Canada).
{{lawyer review needed: confirm Quebec Law 25 transfer-impact-assessment language; add cross-reference to GDPR Standard Contractual Clauses for EU scope when activated.}}
8. Data subject rights assistance
Taking into account the nature of the Processing and the information available to the Processor, the Processor will provide reasonable assistance to the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligations to respond to:
- access requests,
- correction requests,
- deletion ("right to erasure" / "right to be forgotten") requests,
- portability requests,
- objection or restriction requests.
The Processor exposes self-serve tooling to the Controller's owners and admins for export (/api/account/export) and deletion of an organisation account; for individual end-user requests routed to the Controller, the Processor will assist within fifteen (15) business days of the Controller's written request.
9. Personal Data Breach notification
The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notice will include, to the extent then known:
- the nature of the incident, including categories and approximate number of data subjects and records affected;
- the likely consequences of the incident;
- the measures taken or proposed to address and mitigate the incident.
Where the Processor is required by Applicable Data Protection Law to notify a regulator or affected individuals directly, the Processor will coordinate with the Controller before doing so where lawfully permitted.
The Processor maintains a written incident-response procedure consistent with the Quebec Act's "confidentiality incident" requirements (recording, internal register, materiality assessment, regulator notification thresholds). {{lawyer review needed: confirm the 72-hour cadence and the Quebec CAI register requirement specifics.}}
10. Audits and inspections
The Processor will make available to the Controller, on reasonable written request and no more than once per twelve (12) month period (except as required by Applicable Data Protection Law), information necessary to demonstrate compliance with this DPA, including:
- a current list of Sub-processors with the categories of Processing performed,
- a summary of the technical and organisational security measures in place,
- a copy of any independent third-party security audit reports the Processor maintains (e.g., SOC 2 Type II once available — see deferred items).
For Controllers requiring on-site audits, the parties will discuss in good faith and the Controller will bear the Processor's reasonable costs of the audit. The Processor may require execution of a confidentiality agreement before any on-site audit.
11. Return or deletion of Personal Data
Upon termination of the underlying agreement, the Controller may export its Personal Data via /api/account/export (a JSONL/tar.gz archive of all platform-stored Personal Data, including call recordings, transcripts, and knowledge-base content). The Controller bears responsibility for downloading and retaining the export.
The Processor will delete the Controller's Personal Data within ninety (90) days of termination, except where:
- a longer retention period is required by applicable law (in which case the Processor will retain the Personal Data only for the period and purpose required and will delete promptly thereafter), or
- the Controller has configured a retention setting that exceeds 90 days for specific data classes (e.g., the per-organisation
recordingRetentionDayssetting for call recordings).
Upon written request by the Controller, the Processor will provide written confirmation of deletion.
12. Term and termination
This DPA takes effect upon the Controller's click-through acceptance and continues in force for the duration of the Controller's subscription to the Services. Termination of the underlying Terms of Service automatically terminates this DPA, except for sections that by their nature survive (Sections 5(b), 9, 11, 13, and 14).
13. Governing law
This DPA is governed by the laws of the Province of Quebec, Canada, and the federal laws of Canada applicable therein. The parties submit to the exclusive jurisdiction of the courts of the Province of Quebec, sitting in the District of Montreal, for any dispute arising out of or relating to this DPA. {{lawyer review needed: confirm NQB legal entity name + registered office; confirm choice of forum aligns with the Terms of Service governing-law clause.}}
14. Order of precedence
In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to its subject matter. In the event of any conflict between this DPA and Applicable Data Protection Law, Applicable Data Protection Law prevails.
15. Acceptance
By clicking "Accept Data Processing Agreement" on the /legal/dpa page while logged in, the Controller's authorized representative confirms that:
- they have read and understood this DPA,
- they have the authority to bind the Controller,
- they accept this DPA on behalf of the Controller as of the date of click-through.
The Processor records the acceptance event (user identifier, version 2026-05-08-seed, timestamp, IP address, user agent) in its legal_acceptances audit table.
This document is a template seeded for plumbing purposes. The lawyer-reviewed version will replace this content in a follow-up release once the lawyer engagement (.planning/phases/05-durability-rds-cleanup-legal-kickoff/05-LAWYER-TRACKER.md) reports status=drafts_received.