Data Processing Agreement

DRAFT — pending Quebec privacy lawyer review per .planning/phases/05-durability-rds-cleanup-legal-kickoff/05-LAWYER-TRACKER.md. Do not rely on this version for binding agreements until the tracker shows status=drafts_received.

Version: 2026-05-08-seed Effective date: Upon click-through acceptance by the Customer

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Controller") and the platform operator (the legal entity identified at acceptance, "Processor") for the use of the Voice Platform service (the "Services"). Capitalized terms used in this DPA have the meaning given in Section 1 below or, if not defined here, in the underlying Terms of Service.


1. Definitions

2. Subject matter and duration

The subject matter of the Processing is the provision of the Services to the Controller, including agent telephony orchestration, call recording, transcript storage, knowledge-base ingestion, and post-call follow-up. The duration of the Processing is co-extensive with the term of the Controller's subscription, plus any retention period required to meet legal obligations or, where applicable, the Controller-configured retention setting (see Section 11).

3. Nature and purpose of Processing

The Processor will Process Personal Data only for the purpose of providing and improving the Services, including:

The Processor does not Process Personal Data for any purpose other than as instructed by the Controller, except as required by applicable law.

4. Categories of data subjects and types of Personal Data

Categories of data subjects:

Types of Personal Data Processed:

{{lawyer review needed: confirm category list mirrors what the Quebec CAI expects in its service-provider disclosure templates; add explicit "no special categories without prior written consent" statement.}}

5. Obligations of the Processor

The Processor shall:

6. Sub-processors

The Controller authorizes the Processor to engage Sub-processors to Process Personal Data on behalf of the Controller. The current list of Sub-processors is published at /legal/subprocessors and includes the categories of Processing each Sub-processor performs and the regions in which they operate.

The Processor shall:

7. International transfers — Canadian residency commitment

The Processor's primary data-storage region for Personal Data is Canada (Central), including the Postgres database, file storage, and call-recording archive. Where Sub-processors operate outside Canada, the Processor uses contractual safeguards consistent with Applicable Data Protection Law, including the Quebec Act's transfer-impact-assessment requirement.

The Processor will not transfer Personal Data outside Canada except:

{{lawyer review needed: confirm Quebec Law 25 transfer-impact-assessment language; add cross-reference to GDPR Standard Contractual Clauses for EU scope when activated.}}

8. Data subject rights assistance

Taking into account the nature of the Processing and the information available to the Processor, the Processor will provide reasonable assistance to the Controller, by appropriate technical and organisational measures, in fulfilling the Controller's obligations to respond to:

The Processor exposes self-serve tooling to the Controller's owners and admins for export (/api/account/export) and deletion of an organisation account; for individual end-user requests routed to the Controller, the Processor will assist within fifteen (15) business days of the Controller's written request.

9. Personal Data Breach notification

The Processor will notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notice will include, to the extent then known:

Where the Processor is required by Applicable Data Protection Law to notify a regulator or affected individuals directly, the Processor will coordinate with the Controller before doing so where lawfully permitted.

The Processor maintains a written incident-response procedure consistent with the Quebec Act's "confidentiality incident" requirements (recording, internal register, materiality assessment, regulator notification thresholds). {{lawyer review needed: confirm the 72-hour cadence and the Quebec CAI register requirement specifics.}}

10. Audits and inspections

The Processor will make available to the Controller, on reasonable written request and no more than once per twelve (12) month period (except as required by Applicable Data Protection Law), information necessary to demonstrate compliance with this DPA, including:

For Controllers requiring on-site audits, the parties will discuss in good faith and the Controller will bear the Processor's reasonable costs of the audit. The Processor may require execution of a confidentiality agreement before any on-site audit.

11. Return or deletion of Personal Data

Upon termination of the underlying agreement, the Controller may export its Personal Data via /api/account/export (a JSONL/tar.gz archive of all platform-stored Personal Data, including call recordings, transcripts, and knowledge-base content). The Controller bears responsibility for downloading and retaining the export.

The Processor will delete the Controller's Personal Data within ninety (90) days of termination, except where:

Upon written request by the Controller, the Processor will provide written confirmation of deletion.

12. Term and termination

This DPA takes effect upon the Controller's click-through acceptance and continues in force for the duration of the Controller's subscription to the Services. Termination of the underlying Terms of Service automatically terminates this DPA, except for sections that by their nature survive (Sections 5(b), 9, 11, 13, and 14).

13. Governing law

This DPA is governed by the laws of the Province of Quebec, Canada, and the federal laws of Canada applicable therein. The parties submit to the exclusive jurisdiction of the courts of the Province of Quebec, sitting in the District of Montreal, for any dispute arising out of or relating to this DPA. {{lawyer review needed: confirm NQB legal entity name + registered office; confirm choice of forum aligns with the Terms of Service governing-law clause.}}

14. Order of precedence

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to its subject matter. In the event of any conflict between this DPA and Applicable Data Protection Law, Applicable Data Protection Law prevails.

15. Acceptance

By clicking "Accept Data Processing Agreement" on the /legal/dpa page while logged in, the Controller's authorized representative confirms that:

The Processor records the acceptance event (user identifier, version 2026-05-08-seed, timestamp, IP address, user agent) in its legal_acceptances audit table.


This document is a template seeded for plumbing purposes. The lawyer-reviewed version will replace this content in a follow-up release once the lawyer engagement (.planning/phases/05-durability-rds-cleanup-legal-kickoff/05-LAWYER-TRACKER.md) reports status=drafts_received.