Data Processing Addendum
Last updated: April 28, 2026 · Version 1.0
This Data Processing Addendum ("DPA") supplements the Voxalytics Terms of Service. It applies whenever Voxalytics processes Personal Data on behalf of the customer ("Controller") and Voxalytics acts as Processor.
1. Scope and roles
- Controller: the customer ("you"). Determines the purpose of processing.
- Processor: Voxalytics. Processes only on documented instructions from the Controller.
- Sub-processors: Google (Gemini), AWS S3 (or equivalent), HBL Pay, Sentry (optional). See the Privacy Policy for the current list.
2. Subject matter and duration
Processing is limited to providing the Voxalytics Service for the duration of the subscription, plus 30 days of data-export availability after termination.
3. Categories of data
- Audio recordings of phone calls and any speakers identified therein.
- Voice transcripts and AI-derived metadata (sentiment, scoring, compliance flags).
- Account holder identifiers (operator names, emails, phones) of the Controller's users.
4. Categories of data subjects
End-customers of the Controller (the people on the phone calls) and the Controller's own employees / agents using the Voxalytics platform.
5. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure all personnel with access to Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures (Article 32 GDPR equivalent — encryption in transit + at rest, audit logs, RBAC).
- Assist the Controller in responding to data-subject access requests within 30 days.
- Notify the Controller of any personal data breach within 72 hours of becoming aware.
- Delete or return all Personal Data at the Controller's choice within 30 days of termination.
- Make available all information necessary to demonstrate compliance and submit to audits (with reasonable notice and confidentiality).
6. Sub-processor controls
Voxalytics may engage sub-processors. Material changes to the sub-processor list will be announced at least 30 days in advance via in-product notification, allowing the Controller to object before the change takes effect.
7. International transfers
Where Personal Data is transferred outside the Controller's jurisdiction, the parties rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms. On-prem customers avoid international transfers entirely.
8. Security incidents
Voxalytics will notify the Controller without undue delay (at most 72 hours) of any security incident that affects Personal Data. The notice will include: nature of the breach, affected data, contact for the data protection officer, and mitigation steps taken.
9. Audit rights
The Controller may, on reasonable notice (no less than 30 days) and at its expense, audit Voxalytics' compliance with this DPA. In lieu of an on-site audit, Voxalytics may provide its most recent third-party penetration-test report and the sub-processor compliance attestations available at the time of the request. SOC 2 Type II and ISO 27001 certifications are targeted but not yet completed; status is published at voxalytics.com/security and updated quarterly.
10. Liability and law
This DPA is governed by the same law as the underlying agreement. Liability under this DPA is subject to the limitations in the Terms of Service.
11. Contact
Data protection officer: [email protected].
Notice: v1 baseline. Procurement teams will likely send back redlines on §6 (sub-processor objection window), §9 (audit cadence), and §8 (notification scope) — all normal. Counsel must finalise before signing.