Data Processing Addendum
This page summarizes our DPA. The full executable document is available on request — email [email protected] to receive the PDF for counter-signature.
This Data Processing Addendum ("DPA") supplements the CommunicaAI Terms of Service. It applies whenever Customer is a data controller of personal data processed by CommunicaAI as a data processor in connection with the Services.
1. Definitions
"Personal data," "data controller," "data processor," "data subject," "processing," and "supervisory authority" have the meanings given in the GDPR. "Customer Data" means personal data Customer or its end-users supply to the Services.
2. Roles
For Customer Data processed in the course of providing the Services, Customer is the controller and CommunicaAI is the processor.
3. Subject matter and duration
Subject matter: provision of AI voice-agent services. Duration: term of the underlying Terms of Service plus any retention period required by law.
4. Nature and purpose of processing
- Receiving and processing inbound and outbound call audio.
- Speech-to-text transcription.
- Generating spoken responses using customer-supplied scripts and knowledge bases.
- Logging call metadata for analytics and audit.
- Routing escalation to human staff per customer-defined rules.
5. Types of personal data
- Caller phone numbers (where law permits collection).
- Voice audio and derived transcripts.
- Any personal data Customer transmits via scripts or knowledge base content.
6. Categories of data subjects
- Customer's end-users / callers.
- Customer's staff with access to the dashboard.
7. Subprocessor list
Current subprocessors:
- Twilio — SIP telephony
- OpenAI Whisper / Deepgram — speech-to-text
- Groq / Anthropic — language reasoning
- ElevenLabs — text-to-speech
- Stripe — payments only
- Clerk — authentication only
- OVH / Vercel / Cloudflare — hosting, DNS, edge
We provide 30 days' notice of new subprocessors. Customer may object on reasonable grounds; if we cannot accommodate the objection, Customer may terminate the affected portion of the Service.
8. Security measures
TLS 1.2+ in transit; AES-256 at rest; quarterly key rotation; role-based access; audit log retention 1 year; annual third-party penetration testing (Growth and Enterprise).
9. International transfers
Standard Contractual Clauses (EU/EEA, UK, Switzerland) where transfers occur. Module Two for controller-to-processor transfers.
10. Data subject rights assistance
We will assist Customer in responding to data-subject requests using technically appropriate measures. Bulk export available via dashboard.
11. Breach notification
We will notify Customer of a data breach without undue delay and in any event within 72 hours of becoming aware.
12. Audit rights
Customer may audit CommunicaAI's compliance with this DPA once per year on 30 days' written notice. Audits are conducted at Customer's expense and may rely on our SOC 2 report (Growth and Enterprise) in lieu of an on-site audit.
13. Return or deletion of Customer Data
On termination, Customer Data is deleted per Customer's retention policy (30-day default). Customer may request earlier deletion or export at any time.