Data Processing Agreement

Last Updated: January 5, 2026

This Data Processing Agreement (DPA) is part of AIVA Connect's commitment to GDPR compliance for enterprise customers.

Enterprise Compliance

This DPA is automatically incorporated into your service agreement if you process personal data of EU/EEA residents through our platform. For custom DPAs or enterprise agreements, contact our legal team.

Parties

This Data Processing Agreement ("DPA") forms part of the Terms of Service between:

Data Controller

You (the "Customer") - The organization using AIVA Connect's services who determines the purposes and means of processing personal data.

Data Processor

AIVA Connect (the "Processor") - Processes personal data on behalf of the Customer in accordance with their instructions.

Definitions

For the purposes of this DPA, the following terms have the meanings set forth below:

"Personal Data" means any information relating to an identified or identifiable natural person processed through the Services.

"Processing" means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, or deletion.

"Data Subject" means the individual to whom Personal Data relates (e.g., your customers, employees, or contacts).

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

"Sub-processor" means any third party appointed by AIVA Connect to process Personal Data on behalf of the Customer.

Scope and Purpose

Subject Matter

Provision of AI receptionist services, including call handling, transcription, and contact management.

Duration

The term of processing corresponds to the duration of your service agreement.

Nature and Purpose of Processing

Processing is necessary to provide AI-powered call handling, voice transcription, contact management, and related services as described in the Terms of Service.

Types of Personal Data

  • Contact information (names, phone numbers, email addresses)
  • Voice recordings and call metadata
  • Call transcripts and AI-generated summaries
  • Business information (company name, job title)
  • Usage and analytics data

Categories of Data Subjects

  • Customer's clients and business contacts
  • Customer's employees and team members
  • Callers who interact with the AI receptionist

Data Processing Terms

4.1 Processing Instructions

AIVA Connect shall process Personal Data only on documented instructions from the Customer, unless required to do so by applicable law. The Terms of Service, together with this DPA, constitute the Customer's complete instructions for processing.

4.2 Confidentiality

AIVA Connect ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Unauthorized Processing

If AIVA Connect believes that a Customer instruction violates GDPR or other data protection laws, it will immediately inform the Customer and may suspend processing until the instruction is confirmed or modified.

Security Measures

AIVA Connect implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Technical Safeguards

  • Encryption in transit (TLS 1.3)
  • Encryption at rest (AES-256)
  • Secure API authentication
  • Regular security testing and audits
  • Intrusion detection systems

Organizational Safeguards

  • Role-based access controls
  • Multi-factor authentication
  • Employee security training
  • Background checks for personnel
  • Incident response procedures

Physical Security

  • Data centers: AWS and Supabase (ISO 27001, SOC 2)
  • Access logging and monitoring
  • Redundant power and cooling
  • 24/7 security monitoring

Backup and Recovery

  • Automated daily backups
  • Geographic redundancy
  • Disaster recovery plan
  • Business continuity procedures

Sub-processors

The Customer authorizes AIVA Connect to engage the following sub-processors for processing Personal Data:

| Sub-processor | Service | Location |
|---|---|---|
| AWS (Amazon Web Services) | Cloud hosting and storage | United States |
| Supabase | Database and authentication | United States |
| Twilio | Phone number provisioning and routing | United States |
| Retell AI | AI voice processing and transcription | United States |
| Stripe | Payment processing | United States |

Changes to Sub-processors

AIVA Connect will notify the Customer with at least 30 days' notice before adding or replacing sub-processors. The Customer may object to such changes by terminating the service agreement within 30 days of notification.

Data Subject Rights

AIVA Connect will assist the Customer in responding to Data Subject requests, including:

  • Requests for access to Personal Data
  • Requests for rectification or deletion
  • Requests to restrict processing
  • Data portability requests
  • Objections to processing

Customer Responsibility

The Customer is responsible for verifying the identity of Data Subjects and determining the appropriate response. AIVA Connect will provide necessary data within 7 business days of a valid request.

Data Breaches

8.1 Notification Timeline

AIVA Connect will notify the Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of a Personal Data breach.

8.2 Breach Information

Notifications will include:

  • Nature of the breach and affected data categories
  • Approximate number of Data Subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach
  • Contact point for further information

8.3 Cooperation

AIVA Connect will cooperate with the Customer and regulatory authorities in investigating and mitigating any Personal Data breach.

International Transfers

Personal Data may be transferred to and processed in the United States and other countries where AIVA Connect or its sub-processors maintain facilities. AIVA Connect ensures appropriate safeguards for such transfers:

Standard Contractual Clauses

AIVA Connect has implemented Standard Contractual Clauses (SCCs) approved by the European Commission for transfers of Personal Data outside the EEA.

Adequacy Decisions

Where possible, AIVA Connect relies on adequacy decisions by the European Commission for specific countries or frameworks.

Audit Rights

The Customer may audit AIVA Connect's compliance with this DPA, subject to the following conditions:

  • Audits may be conducted no more than once per year
  • Customer must provide at least 30 days' written notice
  • Audits must be conducted during business hours
  • Customer must execute a confidentiality agreement
  • Audits must not unreasonably interfere with operations

AIVA Connect will provide relevant documentation, including SOC 2 reports, security assessments, and compliance certifications, in lieu of on-site audits where appropriate.

Term and Termination

11.1 Duration

This DPA remains in effect for the duration of the service agreement between AIVA Connect and the Customer.

11.2 Data Return and Deletion

Upon termination of the service agreement, AIVA Connect will:

  • Provide the Customer with 30 days to export Personal Data
  • Delete or return all Personal Data within 60 days
  • Certify deletion upon Customer request

11.3 Legal Retention

AIVA Connect may retain Personal Data to the extent required by applicable law or for legitimate business purposes (e.g., tax records, dispute resolution).

Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. The parties agree that:

  • AIVA Connect's total liability for all claims under this DPA shall not exceed the amount paid by Customer in the preceding 12 months
  • Neither party shall be liable for indirect, consequential, or punitive damages
  • Liability caps do not apply to breaches of confidentiality or data security obligations

Important: This limitation of liability is subject to applicable law and may not limit liability for gross negligence, willful misconduct, or violations of data protection laws.

Questions About This DPA?

For enterprise agreements, custom DPAs, or legal inquiries, contact our legal team.