Data Processing Agreement

Processor: Vocito.ai B.V., registered in the Netherlands
Last Updated: May 2026
Effective Date: May 2026
GDPR Reference: Article 28 of Regulation (EU) 2016/679

This Data Processing Agreement ("DPA") is entered into between the customer identified in the Vocito.ai account ("Controller", "Customer", "you") and Vocito.ai B.V. ("Processor", "Vocito", "we"), and forms an integral part of the Terms of Service and the agreement between the parties for the provision of the Vocito Service.

This DPA reflects the parties' agreement with regard to the processing of personal data by the Processor on behalf of the Controller, in accordance with the requirements of Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Definitions
Scope and Roles
Details of Processing
Obligations of the Processor
Obligations of the Controller
Sub-Processors
Security Measures
Data Breach Notification
Data Subject Requests
Data Protection Impact Assessment
International Transfers
Audit Rights
Data Deletion and Return
Liability
Term and Termination
General Provisions
Annex A: Processing Details
Annex B: Technical and Organizational Measures
Annex C: List of Sub-Processors

Beta period addendum (May 2026 – GA): While Vocito is in Beta, the retention period in Annex A applies as 90 days for call recordings, transcripts, and AI conversation metadata (the GA period defaults apply once Beta ends). Sub-processors and TOMs in Annex B/C apply unchanged during Beta. Controller (Customer) acknowledges that Beta-period processing may include short outages, feature regressions, or data resets as described in our Terms of Service §2 (Beta Program). Vocito will continue to honour data subject rights, breach notification, and audit obligations under this DPA during Beta without modification.

1. Definitions

Unless otherwise defined herein, capitalized terms have the meanings given in the GDPR or the Terms of Service. The following additional definitions apply:

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
"Processing" means any operation or set of operations performed on Personal Data, as defined in Article 4(2) GDPR.
"Controller" means the Customer, who determines the purposes and means of the processing of Personal Data through the Service.
"Processor" means Vocito.ai B.V., which processes Personal Data on behalf of the Controller.
"Sub-processor" means a third party engaged by the Processor to process Personal Data on the Processor's behalf.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
"SCCs" means the Standard Contractual Clauses approved by the European Commission pursuant to Commission Implementing Decision (EU) 2021/914.
"Service" means the Vocito.ai AI voice receptionist platform and all related features and services.
"Customer Data" means all data, including Personal Data, processed through the Customer's use of the Service.

2. Scope and Roles

2.1 Roles of the Parties

The Customer is the Controller and Vocito is the Processor with respect to Personal Data processed through the Service. The Processor shall process Personal Data only on behalf of and in accordance with the documented instructions of the Controller.

2.2 Scope of Processing

This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in connection with the provision of the Service, as further described in Annex A.

2.3 Relationship to Terms of Service

This DPA supplements and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding data protection matters, this DPA shall prevail.

3. Details of Processing

The details of the processing activities are set forth in Annex A and include:

Subject matter: Provision of the Vocito AI voice receptionist platform.
Duration: For the term of the agreement between the Controller and the Processor, plus any applicable data retention period.
Nature and purpose: Receiving and handling inbound phone calls via AI, recording and transcribing calls, sending SMS follow-ups, managing leads and bookings, email integration, CRM data management, and providing analytics.
Types of Personal Data: Names, phone numbers, email addresses, voice recordings, call transcripts, SMS content, email content, lead and booking information, business contact details.
Categories of Data Subjects: End users (callers), the Controller's customers and prospects, the Controller's employees and representatives.

4. Obligations of the Processor

4.1 Processing Instructions

The Processor shall:

Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.
Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.

4.2 Confidentiality

The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex B and in accordance with Article 32 GDPR.

4.4 Sub-Processing

The Processor shall comply with the conditions set forth in Section 6 for engaging sub-processors.

4.5 Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests, as set forth in Section 9.

4.6 Assistance with Compliance

Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller in ensuring compliance with Articles 32 to 36 GDPR, including obligations regarding security of processing, notification of personal data breaches, data protection impact assessments, and prior consultation with supervisory authorities.

4.7 Deletion or Return

The Processor shall, at the choice of the Controller, delete or return all Personal Data after the end of the provision of services, as set forth in Section 13.

4.8 Audit and Information

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, as set forth in Section 12.

5. Obligations of the Controller

The Controller shall:

Ensure that there is a lawful basis for the processing of Personal Data, including obtaining any required consents from Data Subjects (e.g., for call recording).
Provide documented processing instructions to the Processor.
Comply with its obligations under the GDPR and applicable data protection laws.
Ensure that Data Subjects are informed about the processing of their Personal Data in accordance with Articles 13 and 14 GDPR, including the use of AI systems in accordance with the EU AI Act.
Respond to data subject requests, with the assistance of the Processor.
Notify the Processor of any changes to its processing instructions.
Ensure that Customer Data provided to the Processor does not infringe the rights of any third party.

6. Sub-Processors

6.1 General Authorization

The Controller provides a general written authorization for the Processor to engage sub-processors to assist in providing the Service, subject to the conditions set forth in this section. The current list of authorized sub-processors is set forth in Annex C.

6.2 Obligations Regarding Sub-Processors

Where the Processor engages a sub-processor:

The Processor shall impose the same data protection obligations as set out in this DPA on the sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.
The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
The sub-processor agreement shall include equivalent provisions to those in this DPA, including with respect to confidentiality, security, and audit rights.

6.3 Notification of Changes

The Processor shall notify the Controller at least 30 days in advance of any intended changes concerning the addition or replacement of sub-processors, providing the Controller with the opportunity to object to such changes.

6.4 Right to Object

If the Controller has reasonable grounds to object to the engagement of a new sub-processor, the Controller shall notify the Processor within 14 days of receiving the notification. The parties shall discuss the Controller's concerns in good faith. If the parties cannot reach a resolution, the Controller may terminate the affected services without penalty by providing written notice.

7. Security Measures

The Processor shall implement and maintain the technical and organizational security measures described in Annex B, which include at a minimum:

7.1 Encryption

Encryption of Personal Data in transit using TLS 1.2 or higher.
Encryption of Personal Data at rest using AES-256 or equivalent.
Encryption of call recordings at rest.

7.2 Access Control

Role-based access control (RBAC) with the principle of least privilege.
Multi-factor authentication (MFA) for administrative and production system access.
Unique user accounts for all personnel; no shared credentials.
Regular access reviews (at least quarterly).
Automated deprovisioning upon personnel departure.

7.3 Infrastructure Security

Hosting on infrastructure with SOC 2 Type II and/or ISO 27001 certifications.
Network segmentation and firewall protection.
Regular vulnerability scanning and penetration testing.
Timely application of security patches.
DDoS protection.

7.4 Monitoring and Logging

Centralized logging of access to Personal Data.
Real-time monitoring and alerting for security events.
Log retention for a minimum of 12 months.

7.5 Personnel

Confidentiality agreements with all personnel who access Personal Data.
Security awareness training for all personnel.
Background checks for personnel with access to production systems (where permitted by law).

7.6 Business Continuity

Regular backups of Customer Data with tested restoration procedures.
Disaster recovery procedures with defined recovery time objectives.
Redundant infrastructure for critical components.

7.7 Ongoing Evaluation

The Processor shall regularly evaluate and update the security measures to ensure they remain appropriate to the risks associated with the processing. The Processor shall not materially decrease the overall level of security during the term of this DPA.

8. Data Breach Notification

8.1 Notification to Controller

The Processor shall notify the Controller of a Personal Data Breach without undue delay and in any event within 72 hours after becoming aware of it. The notification shall be sent to the email address associated with the Controller's account and shall include, to the extent available:

A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned.
The name and contact details of a contact point within the Processor.
A description of the likely consequences of the breach.
A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its adverse effects.

8.2 Processor Obligations

Upon becoming aware of a Personal Data Breach, the Processor shall:

Take immediate steps to contain the breach and minimize its impact.
Investigate the breach and provide the Controller with updated information as it becomes available.
Cooperate with the Controller and provide reasonable assistance in the Controller's fulfillment of its breach notification obligations under Articles 33 and 34 GDPR.
Document the breach, including the facts, effects, and remedial actions taken.

8.3 Controller Notification to Supervisory Authority

The Controller is responsible for determining whether the Personal Data Breach must be reported to a supervisory authority and/or Data Subjects under Articles 33 and 34 GDPR. The Processor shall provide all reasonable cooperation and assistance to the Controller in making such determinations and fulfilling such obligations.

9. Data Subject Requests

9.1 Assistance

The Processor shall, taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Controller's obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR, including:

Right of access (Article 15)
Right to rectification (Article 16)
Right to erasure (Article 17)
Right to restriction of processing (Article 18)
Notification obligation (Article 19)
Right to data portability (Article 20)
Right to object (Article 21)

9.2 Notification

If the Processor receives a request directly from a Data Subject, the Processor shall promptly (and in any event within 5 business days) redirect the Data Subject to the Controller and notify the Controller of the request. The Processor shall not respond to such a request directly unless authorized by the Controller or required by law.

9.3 Data Export

The Processor provides functionality through the Service dashboard for the Controller to export Customer Data in commonly used machine-readable formats (JSON, CSV). The Controller may use these tools to fulfill data portability requests.

10. Data Protection Impact Assessment

The Processor shall provide reasonable assistance to the Controller in conducting data protection impact assessments ("DPIAs") and prior consultations with supervisory authorities under Articles 35 and 36 GDPR, where required in relation to the processing of Personal Data through the Service. Such assistance shall include providing information about the Processor's processing activities, technical and organizational measures, and sub-processor arrangements.

11. International Transfers

11.1 Primary Storage

The Processor stores Customer Data, including Personal Data, primarily within the European Economic Area (EEA), specifically in Supabase infrastructure located in the Frankfurt (EU) region.

11.2 Transfers to Third Countries

Certain sub-processors engaged by the Processor are located in the United States. Where Personal Data is transferred to a country outside the EEA that has not received an adequacy decision from the European Commission, the following safeguards are applied:

Standard Contractual Clauses (SCCs): The Processor has entered into SCCs (Commission Implementing Decision (EU) 2021/914) with each sub-processor located outside the EEA, using the Module 3 (processor to sub-processor) clauses.
EU-U.S. Data Privacy Framework: Where applicable, the Processor relies on the sub-processor's certification under the EU-U.S. Data Privacy Framework as an additional safeguard.
Supplementary Measures: In accordance with the EDPB Recommendations 01/2020, the Processor implements supplementary technical, organizational, and contractual measures, including:
- Encryption of Personal Data in transit and at rest.
- Minimization of data transferred (e.g., real-time streaming rather than bulk transfers where possible).
- Contractual commitments from sub-processors to challenge disproportionate government access requests.
- Regular transfer impact assessments.

11.3 Transfer Impact Assessments

The Processor shall conduct and maintain transfer impact assessments for each international transfer, evaluating the legal framework of the recipient country and the effectiveness of the safeguards in place. These assessments shall be made available to the Controller upon request.

12. Audit Rights

12.1 Information

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA.

12.2 Audit

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, subject to the following conditions:

The Controller shall provide at least 30 days' prior written notice of an audit, specifying the scope and duration.
Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
The Controller and its auditors shall comply with the Processor's reasonable security and confidentiality requirements.
The auditor shall enter into a non-disclosure agreement with the Processor before commencing the audit.
The Controller shall bear the costs of any audit, except where the audit reveals a material breach of this DPA by the Processor.
Audits shall be limited to one per calendar year, unless required by a supervisory authority or following a Personal Data Breach.

12.3 Certifications and Reports

Where available, the Processor may provide relevant certifications, audit reports (e.g., SOC 2 Type II reports), or summaries of independent third-party audits to satisfy the Controller's audit requirements. The Controller agrees to consider such documentation in lieu of a physical audit where it reasonably addresses the Controller's concerns.

13. Data Deletion and Return

13.1 Upon Termination

Upon termination or expiration of the agreement between the Controller and the Processor:

The Controller may request the return of Customer Data (including Personal Data) in a commonly used, machine-readable format within 30 days of termination.
After the 30-day period (or immediately upon the Controller's written instruction), the Processor shall delete all Customer Data and existing copies, unless Union or Member State law requires storage of the Personal Data.
The Processor shall provide written confirmation of deletion upon request.

13.2 Retention Exceptions

The Processor may retain Personal Data after termination only where:

Required by applicable law (e.g., Dutch fiscal retention obligations for billing data · 7 years).
The data is contained in backup systems and will be deleted in accordance with the Processor's regular backup rotation schedule (not to exceed 90 days).

In each case, the Processor shall continue to protect such retained data in accordance with this DPA and shall limit processing to the purposes required by law.

13.3 During the Term

During the term of the agreement, the Controller may request deletion of specific Customer Data through the Service dashboard or by written request to the Processor. The Processor shall comply with such requests within 30 days, subject to technical feasibility and legal retention obligations.

14. Liability

14.1 Allocation of Liability

Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 GDPR:

The Controller shall be liable for damages caused by processing that does not comply with the GDPR or with instructions that are unlawful.
The Processor shall be liable for damages caused by processing where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside or contrary to lawful instructions of the Controller.

14.2 Limitation of Liability

The total aggregate liability of either party under this DPA shall be subject to the limitations of liability set forth in the Terms of Service, except that such limitations shall not apply to:

Liability to Data Subjects under Article 82 GDPR.
Fines and penalties imposed by supervisory authorities.
Liability arising from a party's gross negligence or willful misconduct regarding its data protection obligations.

14.3 Indemnification

Each party shall indemnify the other party against any costs, claims, damages, or expenses incurred as a result of the indemnifying party's breach of this DPA or its obligations under the GDPR, provided that the party seeking indemnification promptly notifies the other party and provides reasonable cooperation.

15. Term and Termination

15.1 Term

This DPA shall commence on the date the Controller first uses the Service and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller.

15.2 Survival

The obligations of the Processor under this DPA shall survive the termination of the agreement to the extent necessary to fulfill its obligations regarding the return or deletion of Personal Data and any ongoing confidentiality obligations.

16. General Provisions

16.1 Governing Law

This DPA shall be governed by and construed in accordance with the laws of the Netherlands, without regard to its conflict of laws principles. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the competent courts in Amsterdam, the Netherlands.

16.2 Severability

If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The invalid provision shall be replaced with a valid provision that most closely reflects the original intent.

16.3 Amendments

This DPA may be amended by the Processor to reflect changes in applicable law or the Processor's data processing practices. Material changes shall be notified to the Controller at least 30 days in advance. Continued use of the Service after such notice constitutes acceptance of the amended DPA.

16.4 Entire Agreement

This DPA, together with the Terms of Service, Privacy Policy, and any applicable Order Forms, constitutes the entire agreement between the parties regarding the subject matter hereof.

16.5 Contact

Questions regarding this DPA should be directed to: privacy@vocito.ai

Annex A: Details of Processing

A.1 Subject Matter and Duration

Subject matter	Processing of Personal Data through the Vocito AI voice receptionist platform
Duration	For the duration of the agreement between Controller and Processor, plus applicable retention periods

A.2 Nature and Purpose of Processing

Processing Activity	Purpose
Receiving inbound phone calls	Answering calls on behalf of the Controller's business via AI voice agent
Call recording	Recording conversations for the Controller's review, quality assurance, and record-keeping
Call transcription	Converting voice recordings to text for review, search, and lead extraction
AI conversation processing	Using LLMs to understand caller intent, generate responses, and extract structured information
SMS messaging	Sending follow-up text messages to callers on behalf of the Controller
Lead management	Capturing, storing, and organizing lead information from calls
Booking and scheduling	Creating appointments and calendar entries on behalf of the Controller
Email integration	Sending notifications and managing email communications via Gmail/Microsoft 365
CRM data management	Storing and organizing customer relationship data
Analytics and reporting	Generating usage statistics, call analytics, and performance reports
Data storage	Storing Customer Data in EU-based infrastructure

A.3 Types of Personal Data

Names (first name, last name, business name)
Phone numbers
Email addresses
Postal/business addresses
Voice recordings (call audio)
Call transcripts (text of conversations)
SMS message content
Email content (subject lines, body text)
Lead and inquiry details (services requested, questions asked)
Booking and appointment data (dates, times, service types)
Call metadata (caller ID, duration, timestamps, call status)
IP addresses and device information (for dashboard users)

A.4 Categories of Data Subjects

End users (callers who contact the Controller's business via the AI Agent)
The Controller's customers and prospects
The Controller's employees and representatives (who use the dashboard)
Third parties whose contact information is provided by callers or the Controller

Annex B: Technical and Organizational Measures

The Processor implements the following technical and organizational measures pursuant to Article 32 GDPR:

B.1 Encryption

Measure	Implementation
Encryption in transit	TLS 1.2+ for all data transmissions, including API calls, dashboard access, and sub-processor communications
Encryption at rest	AES-256 encryption for all stored Personal Data, including call recordings, database records, and file storage
Key management	Encryption keys managed through secure key management services with separation of duties

B.2 Access Control

Measure	Implementation
Authentication	Strong password policies; MFA for all administrative and production access
Authorization	Role-based access control (RBAC) with principle of least privilege; customer data isolation
Access reviews	Quarterly review of all access permissions; immediate revocation upon role change or departure
Customer data isolation	Logical separation of Customer Data using row-level security (RLS) in Supabase PostgreSQL

B.3 Infrastructure and Network Security

Measure	Implementation
Hosting	EU-region hosting on Railway and Supabase with SOC 2 / ISO 27001 certified infrastructure
Network security	Firewall protection, network segmentation, DDoS mitigation
Vulnerability management	Regular vulnerability scanning; prompt patching of critical vulnerabilities
Penetration testing	Annual third-party penetration testing

B.4 Monitoring, Logging, and Incident Response

Measure	Implementation
Security monitoring	Continuous monitoring for security events, anomalies, and unauthorized access attempts
Audit logging	Logging of access to Personal Data, administrative actions, and security events; logs retained for 12 months minimum
Incident response	Documented incident response plan with defined roles, escalation paths, and communication procedures; 72-hour breach notification

B.5 Data Minimization and Retention

Measure	Implementation
Data minimization	Processing limited to Personal Data necessary for the specified purposes; real-time streaming to AI providers rather than bulk data transfers
Retention management	Automated data retention policies with configurable retention periods; automated deletion of expired data
Deletion procedures	Secure deletion of Personal Data upon request or expiry of retention period, including from backups within 90 days

B.6 Business Continuity and Disaster Recovery

Measure	Implementation
Backups	Regular automated backups of Customer Data; encrypted backup storage; tested restoration procedures
Redundancy	Redundant infrastructure for critical services; failover capabilities
Recovery objectives	Defined Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for critical systems

B.7 Personnel Measures

Measure	Implementation
Confidentiality	All personnel sign confidentiality agreements covering Personal Data
Training	Security and data protection awareness training for all personnel upon onboarding and annually thereafter
Background checks	Background checks for personnel with access to production systems (where permitted by law)

Annex C: List of Sub-Processors

As of May 2026, the Processor engages the following sub-processors:

Sub-Processor	Legal Entity	Purpose	Data Processed	Location	Transfer Mechanism
Twilio	Twilio Inc.	Telephony infrastructure, voice call routing, SMS delivery	Phone numbers, call audio (real-time), call metadata, SMS content	USA	SCCs + DPF
ElevenLabs	ElevenLabs Inc.	AI voice synthesis, real-time voice generation	Call audio (real-time streaming)	USA	SCCs
Anthropic	Anthropic PBC	Large language model (Claude) for conversation understanding and response generation	Call transcripts (real-time), conversation context	USA	SCCs
Google	Google LLC	Large language model (Gemini) for conversation processing	Call transcripts (real-time), conversation context	USA / EU	SCCs + DPF
OpenAI	OpenAI Inc.	Large language model (GPT) for conversation processing	Call transcripts (real-time), conversation context	USA	SCCs + DPF
Supabase	Supabase Inc.	PostgreSQL database hosting, file storage (call recordings), authentication	All Customer Data (account data, call recordings, transcripts, leads, CRM data)	EU (Frankfurt)	Data stored in EEA; SCCs with parent entity
Railway	Railway Corp.	Backend application hosting and execution	Application data in transit and during processing	EU region	Data processed in EEA; SCCs with parent entity

This list is maintained and updated by the Processor. The Controller will be notified at least 30 days in advance of any additions or changes to this list.