Data Processing Agreement

Version 1.0. Last updated: May 17, 2026

Self-serve template

This DPA is offered as a standard template covering most Voycee customers under the GDPR (Regulation 2016/679), the UK GDPR, and the CCPA / CPRA. To request a countersigned copy or to negotiate enterprise redlines, use the form below.

1. Definitions

  • Controller means the Voycee customer that determines the purposes and means of the processing of Personal Data.
  • Processor means Voycee, which processes Personal Data on behalf of the Controller.
  • Personal Data has the meaning given in GDPR Article 4(1) and in the CCPA, Cal. Civ. Code 1798.140(v).
  • Subprocessor means any third party engaged by Voycee to process Personal Data on behalf of the Controller.
  • Supervisory Authority means an independent public authority established under GDPR Article 51.
  • Standard Contractual Clauses or SCCs means the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Subject matter, duration, nature and purpose of processing

Voycee processes Personal Data to provide the Voycee voice receptionist platform, including answering inbound calls, transcribing audio, generating call summaries, booking appointments through integrated calendars, sending SMS notifications, and producing analytics for the Controller. Processing continues for the duration of the Controller's subscription, plus the data retention period set in Section 11.

3. Categories of data subjects and Personal Data

Categories of data subjects

  • Controller's authorized users (account holders)
  • End callers (the Controller's customers and prospects)
  • Recipients of outbound communications initiated by the Controller

Categories of Personal Data

  • Identifiers: name, email, phone number, account credentials
  • Audio recordings of inbound and outbound calls
  • Transcripts and summaries generated from those recordings
  • Call metadata: time, duration, caller ID, routing
  • Captured fields supplied by the caller (for example appointment time)
  • Billing details supplied for payment processing
  • Technical data: IP address, browser type, device identifiers

4. Obligations of the Processor (Voycee)

Voycee will:

  • Process Personal Data only on documented instructions from the Controller, including the instructions contained in the Voycee Terms of Service and any applicable order form
  • Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement the technical and organizational measures described in Annex A
  • Assist the Controller in responding to data subject requests under GDPR Chapter III
  • Notify the Controller without undue delay, and in any event within 72 hours, of becoming aware of a Personal Data Breach
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Subprocessing

The Controller grants Voycee general authorization to engage subprocessors, subject to the following:

  • The current list of subprocessors is published at /legal/subprocessors and updated as needed
  • Voycee will provide at least 30 days' notice before engaging a new subprocessor that processes Personal Data
  • The Controller may object to a new subprocessor on reasonable grounds. If the parties cannot agree on a resolution, the Controller may terminate the affected services without penalty
  • Voycee remains liable for the acts and omissions of its subprocessors as if they were Voycee's own

6. International data transfers

Where Personal Data of EEA, UK, or Swiss data subjects is transferred outside its origin region, the parties incorporate the EU Standard Contractual Clauses (2021/914), Module Two (Controller to Processor), by reference. The UK International Data Transfer Addendum and the Swiss FDPIC adaptations apply where relevant. Voycee maintains a transfer impact assessment available on request.

7. Data subject rights

Voycee will, taking into account the nature of the processing, assist the Controller with appropriate technical and organizational measures to fulfill requests to exercise data subject rights under GDPR Chapter III, including access, rectification, erasure, restriction, portability, and objection. Self-serve tooling is exposed in the Voycee portal where feasible.

8. Personal Data Breach notification

Voycee will notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include the information required by GDPR Article 33(3) to the extent reasonably available, and Voycee will provide updates as additional information becomes available.

9. Data Protection Impact Assessment

Voycee will, at the Controller's reasonable request, provide information and assistance reasonably necessary to enable the Controller to conduct a Data Protection Impact Assessment under GDPR Article 35 or to consult a Supervisory Authority under GDPR Article 36.

10. Audit rights

Voycee will make available, on request, the most recent third-party audit reports, security questionnaires, and policy summaries necessary to demonstrate compliance with this DPA. The Controller may, no more than once per calendar year and at the Controller's expense, conduct an audit on at least 30 days' written notice, subject to confidentiality and reasonable scheduling.

11. Return or deletion of Personal Data

Upon termination of the Controller's subscription, Voycee will, at the Controller's choice, return or delete all Personal Data within 30 days, except where retention is required by applicable law. Audit logs may be retained for up to seven years to comply with contractual and statutory record-keeping obligations.

12. Liability

The aggregate liability of each party under this DPA is subject to the limitations and exclusions of liability set forth in the underlying Voycee Terms of Service or applicable order form.

13. Governing law and jurisdiction

This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict of law provisions, except where local data protection law mandates otherwise. Disputes will be resolved in the manner set forth in the underlying Voycee Terms of Service.

Annex A. Technical and organizational measures

  • Encryption in transit: TLS 1.2 or higher on all customer-facing and vendor-facing endpoints
  • Encryption at rest: Microsoft Azure Storage server-side encryption and PostgreSQL Transparent Data Encryption on Azure Database for PostgreSQL Flexible Server
  • Authentication: Clerk-managed single sign-on with multi-factor support; webhook signature verification on Stripe, Clerk, Twilio, and LiveKit callbacks
  • Access controls: role-based access enforced at the API guard layer; tenant scoping on every Prisma query
  • Audit logging: write operations on billing, roles, integrations, and BAA-related actions are logged
  • Backups: PostgreSQL point-in-time restore with a 7-day window; Azure Blob geo-redundant storage
  • Vulnerability management: dependency monitoring via Dependabot; security reporting policy published at SECURITY.md
  • Subprocessor management: see /legal/subprocessors

Annex B. Contact

Privacy contact: privacy@voycee.com. Security contact: security@voycee.com.