Callvio Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the agreement between Callvio ("Processor") and the Customer ("Controller") regarding the processing of Personal Data.
1. Roles of the Parties
For Personal Data processed through the Services:
- Customer acts as the Data Controller.
- Callvio acts as the Data Processor.
2. Subject Matter
Customer determines the purposes and means of processing.
Callvio processes Personal Data solely on behalf of the Customer.
Callvio provides communication automation services including:
- Voice agents
- Call handling
- Appointment scheduling
- Messaging automation
- WhatsApp automation
- Customer support automation
- Analytics
- Reporting
3. Categories of Personal Data
Processing occurs solely to provide these Services.
Depending on Customer usage, Personal Data may include:
- Names
- Email addresses
- Phone numbers
- Appointment information
- Call recordings
- Voice recordings
- Transcripts
- Customer communications
- Message content
- IP addresses
- Device identifiers
- CRM information
- Calendar information
4. Categories of Data Subjects
Data subjects may include:
- Customers
- Prospective customers
- Employees
- Contractors
- Vendors
- Website visitors
- Callers
- Messaging users
5. Processing Instructions
Callvio shall:
- Process Personal Data only on documented instructions from Customer.
- Process Personal Data solely to provide the Services.
- Not sell Personal Data.
- Not disclose Personal Data except as authorized by Customer or required by law.
6. Confidentiality
Callvio shall ensure that personnel with access to Personal Data:
- Are subject to confidentiality obligations.
- Access Personal Data only when necessary.
- Receive appropriate security and privacy training.
7. Security Measures
Callvio shall maintain commercially reasonable technical and organizational safeguards, including:
- Encryption in transit where applicable
- Access controls
- Authentication systems
- Security monitoring
- Logging mechanisms
- Backup procedures
8. Subprocessors
No security measure can guarantee absolute protection.
Customer authorizes Callvio to engage subprocessors necessary to provide the Services.
Subprocessors may include providers for:
- Cloud infrastructure
- Telecommunications
- Messaging services
- AI processing
- Analytics
- Payment processing
9. International Transfers
Callvio remains responsible for managing subprocessors appropriately.
Customer authorizes Callvio and its subprocessors to process Personal Data in jurisdictions necessary to provide the Services.
Where required by law, Callvio shall implement appropriate transfer safeguards.
10. Data Subject Requests
Where legally required, Callvio shall provide reasonable assistance to Customer in responding to:
- Access requests
- Deletion requests
- Correction requests
- Portability requests
- Restriction requests
11. Security Incidents
Customer remains responsible for responding to such requests.
In the event of a confirmed security incident affecting Personal Data, Callvio shall:
- Investigate the incident
- Take reasonable remediation steps
- Notify Customer without undue delay where legally required
12. Return and Deletion
Notification does not constitute an admission of fault or liability.
Upon termination of Services and upon written request:
Callvio shall:
- Delete Personal Data; or
- Return Personal Data where technically feasible
13. Audits
unless retention is required by law or legitimate operational requirements.
No more than once per calendar year, Customer may request reasonable information regarding Callvio's security and privacy practices.
Any audit:
- Must not disrupt operations.
- Must protect confidential information.
- Must be conducted at Customer's expense.
14. Liability
Liability under this DPA shall be governed by the limitation of liability provisions contained in the Callvio Terms of Service.
15. Governing Law
This DPA shall be governed by the same governing law specified in the Callvio Terms of Service.
16. Order of Precedence
If this DPA conflicts with the Terms of Service regarding Personal Data processing, this DPA shall control solely with respect to Personal Data processing obligations.