This Data Processing Agreement ("DPA") forms part of the Terms of Service between Recalling AI, Inc. ("Processor," "we," "us") and you ("Controller," "you") and governs the processing of personal data by Recalling AI on your behalf in connection with the Service.
This DPA is designed to meet the requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and other applicable data protection laws.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Recalling AI on your behalf through the Service. This includes caller phone numbers, caller names, email addresses, call recordings, call transcripts, and any other personal information collected through your AI voice agents.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by Recalling AI to process Personal Data on your behalf.
2. Scope and Roles
You are the Controller of the Personal Data processed through your use of the Service. You determine the purposes and means of processing. Recalling AI is the Processor, processing Personal Data only on your behalf and in accordance with your documented instructions as expressed through your use of and configuration of the Service.
3. Processing Instructions
Recalling AI will process Personal Data only in accordance with your documented instructions, which include the instructions described in the Terms of Service and Privacy Policy, any configuration choices you make within the Service (such as enabling call recording, configuring CRM integrations, or setting up webhooks), and any additional written instructions agreed upon between you and Recalling AI. If we believe that any of your instructions violate applicable data protection law, we will inform you promptly.
4. Categories of Data Processed
The categories of Personal Data processed through the Service include caller identification data (phone numbers, names, email addresses), voice data (call recordings), text data (call transcripts, AI-generated summaries, extracted data), business data (company names, addresses, CRM records), and technical data (IP addresses, device information, usage logs).
5. Sub-processors
You authorize us to engage the following Sub-processors to process Personal Data on your behalf.
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (via AWS) | Database hosting, authentication | All account and call data | United States |
| Stripe | Payment processing | Billing and payment data | United States |
| Twilio | Telephony, call routing, recording | Call data, phone numbers, recordings | United States |
| OpenAI | AI language model processing | Call transcripts (for analysis) | United States |
| Resend | Transactional email delivery | Email addresses, email content | United States |
We will notify you via email before adding or replacing any Sub-processor, providing you with at least 30 days' notice to raise any objections. If you reasonably object to a new Sub-processor on data protection grounds, you may terminate the affected Service by providing notice within the 30-day period.
6. Security Measures
Recalling AI implements and maintains appropriate technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are described in our Security page at recalling.ai/security and include encryption in transit and at rest, access controls and authentication, tenant data isolation, regular security assessments, and employee security training.
7. Data Subject Rights
We will assist you in fulfilling your obligations to respond to data subject requests (such as access, rectification, deletion, and portability requests) by providing you with self-service tools to access, export, and delete data within the Service, and by responding promptly to any requests for assistance that you submit to privacy@recalling.ai.
8. Data Breach Notification
In the event of a Personal Data breach, we will notify you without undue delay and in any event within 72 hours of becoming aware of the breach. Our notification will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences of the breach, and the measures taken or proposed to address the breach and mitigate its effects.
9. Data Deletion
Upon termination of the Service or upon your request, we will delete all Personal Data processed on your behalf within 30 days, except where retention is required by applicable law. You may request a copy of your data before deletion by contacting support@recalling.ai.
10. International Data Transfers
Where Personal Data is transferred to countries outside the European Economic Area, the United Kingdom, or Switzerland, we ensure appropriate safeguards are in place, including Standard Contractual Clauses as approved by the European Commission.
11. Audits
Upon reasonable request and subject to confidentiality obligations, we will make available to you information necessary to demonstrate compliance with this DPA. You may conduct an audit or engage an independent third-party auditor to verify our compliance, no more than once per year, with reasonable advance notice and during business hours.
12. Contact
For questions about this DPA or to exercise any rights under it, contact privacy@recalling.ai.