What is this? This Data Processing Agreement ("DPA") supplements our Terms & Conditions and governs how Vocito AI processes personal data on your behalf as a data processor under GDPR Article 28.
- GDPR Compliant: Full compliance with EU privacy law
- EU Servers: Data stored in Frankfurt, Germany
- Encrypted: AES-256 at rest, TLS 1.3 in transit
- Configurable Retention: You control how long data is kept
1. Parties
Data Controller ("Controller"): The Customer who subscribes to Vocito AI services.
Data Processor ("Processor"): HSR Agency, operating as Vocito.ai, sole proprietorship registered in the Netherlands.
This DPA is effective from the date the Controller creates an account and remains in effect for the duration of the service agreement.
2. Scope & Purpose of Processing
The Processor processes personal data solely for the purpose of providing the Vocito AI platform services, including:
- Answering and routing inbound phone calls on behalf of the Controller
- Speech-to-text transcription of calls
- AI-powered call analysis (summaries, classifications, sentiment, lead qualification)
- Appointment scheduling and calendar integration
- Call recording (if enabled by the Controller)
- Follow-up communications (SMS, WhatsApp) if configured
The Processor shall not process personal data for any purpose other than as instructed by the Controller, unless required by EU or member state law.
3. Categories of Data Subjects
- Callers (customers, patients, prospects) who contact the Controller via phone
- The Controller's employees and authorized users of the platform
4. Categories of Personal Data
| Category | Examples |
| --- | --- |
| Contact data | Name, phone number, email address |
| Call metadata | Timestamp, duration, direction, caller ID |
| Call content | Recordings (if enabled), transcripts, AI summaries |
| Appointment data | Date, time, type, associated contact |
| Technical data | IP address, device info, usage logs |
Special categories of data: The Processor does not intentionally collect special category data (Art. 9 GDPR). If callers disclose health, religious, or other sensitive information during a call, this may be captured in recordings or transcripts. The Controller is responsible for assessing whether processing of such data is lawful.
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure that all personnel with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures (see Section 7)
- Not engage sub-processors without prior written authorization from the Controller (see Section 6)
- Assist the Controller in responding to data subject rights requests
- Assist the Controller in meeting obligations under Articles 32–36 GDPR (security, breach notification, DPIA)
- Delete or return all personal data upon termination, at the Controller's choice, within 30 days
- Make available all information necessary to demonstrate compliance with Art. 28 obligations
6. Sub-processors
The Controller provides general written authorization for the following sub-processors:
| Sub-processor | Purpose | Location | Safeguards |
| --- | --- | --- | --- |
| Twilio | Telephony (SIP, numbers) | US (EU data region) | SCCs, DPF |
| Twilio Verify | SMS phone verification | US | DPA, EU-US DPF |
| OpenAI | AI language models | US | DPA, SCCs |
| ElevenLabs | Voice synthesis (TTS) | US/EU | DPA, SCCs |
| Google Cloud | AI audio models | EU | DPA, SCCs |
| Supabase | Database & auth | EU (Frankfurt) | DPA |
| Stripe | Payments | US/EU | PCI-DSS, SCCs |
The Processor shall notify the Controller at least 14 days before adding or replacing a sub-processor. If the Controller objects, they may terminate the affected services without penalty.
The Processor shall ensure that all sub-processors are bound by equivalent data protection obligations.
7. Technical & Organizational Measures
- Encryption: TLS 1.3 in transit; AES-256 at rest
- Access control: Role-based access, multi-factor authentication for admin accounts
- Logging: Audit trails for all data access and administrative actions
- Network security: Firewalls, DDoS protection, intrusion detection
- Data isolation: Customer data is logically separated per tenant
- Backups: Encrypted daily backups with geographic redundancy within the EU
- Personnel: Background checks, confidentiality agreements, regular training
- Testing: Annual penetration testing and regular vulnerability assessments
8. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach. The notification shall include:
- Nature of the breach, including affected categories and approximate number of data subjects
- Name and contact details of the point of contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach
The Processor shall cooperate with the Controller to fulfill the Controller's notification obligations under Art. 33 and 34 GDPR.
9. Data Retention & Deletion
- Call recordings and transcripts: retention period is configured by the Controller (default: 90 days)
- Call metadata: retained for the duration of the service agreement + 12 months
- Account data: retained for the duration of the agreement + 12 months
- Billing data: 7 years (Dutch fiscal obligation, Art. 52 Algemene wet inzake rijksbelastingen)
Upon termination, the Processor shall delete all personal data within 30 days, unless retention is required by law. The Controller may request data export in a structured, machine-readable format before deletion.
10. International Transfers
Where personal data is transferred outside the EEA, the Processor ensures adequate safeguards through:
- EU–US Data Privacy Framework certification (where applicable)
- Standard Contractual Clauses (SCCs) adopted by the European Commission (June 2021)
- Transfer Impact Assessments as required
- Supplementary technical measures (encryption, pseudonymization)
11. Data Subject Rights
The Processor shall assist the Controller in fulfilling data subject requests (access, rectification, erasure, restriction, portability, objection) within the timeframes required by GDPR. The Processor shall refer any data subject request received directly to the Controller without undue delay.
12. Audits
The Controller (or an independent auditor) may audit the Processor's compliance with this DPA once per year, subject to reasonable advance notice (minimum 30 days) and confidentiality obligations. The Processor shall cooperate and provide all necessary documentation. Audit costs shall be borne by the Controller unless the audit reveals material non-compliance.
13. Liability
The liability of each party under this DPA is subject to the limitations set forth in the Terms & Conditions.
14. Term & Termination
This DPA commences upon account creation and terminates when the service agreement ends. Sections 8, 9, and 13 survive termination.
15. Contact
Complaints may be lodged with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) or your local supervisory authority.
What is this? This Data Processing Agreement ("DPA") supplements our Terms & Conditions and governs how Vocito AI processes personal data on your behalf as a processor under GDPR Article 28.
- GDPR Compliant: Full compliance with European privacy law
- EU Servers: Data stored in Frankfurt, Germany
- Encrypted: AES-256 at rest, TLS 1.3 in transit
- Configurable: You determine how long data is kept
1. Parties
Data Controller ("Controller"): The Customer who purchases Vocito AI services.
Processor: HSR Agency, acting as Vocito.ai, sole proprietorship registered in the Netherlands.
2. Purpose of Processing
The Processor processes personal data solely for the purpose of providing the Vocito AI platform, including:
- Answering and forwarding inbound calls on behalf of the Controller
- Speech-to-text transcription
- AI analysis (summaries, classifications, sentiment analysis, lead qualification)
- Appointment scheduling and calendar integration
- Call recording (if enabled by the Controller)
- Follow-up communications (SMS, WhatsApp) if configured
3. Categories of Personal Data
| Category | Examples |
| --- | --- |
| Contact data | Name, phone number, email address |
| Call metadata | Time, duration, direction, caller ID |
| Call content | Recordings (if enabled), transcripts, AI summaries |
| Appointment data | Date, time, type, associated contact |
| Technical data | IP address, device info, usage logs |
4. Obligations of the Processor
- Process personal data only on documented instructions from the Controller
- Bind all personnel to confidentiality obligations
- Implement appropriate technical and organizational security measures
- Not engage sub-processors without prior authorization
- Provide assistance with data subject requests and obligations under Art. 32-36 GDPR
- Delete or return all personal data within 30 days after termination
5. Sub-processors
Twilio (telephony, US/EU), Twilio Verify (SMS phone verification, US, EU-US DPF), OpenAI (AI language model, US), ElevenLabs (voice synthesis, US/EU), Google Cloud (AI audio, EU), Supabase (database, EU Frankfurt), Stripe (payments, US/EU). All bound by data processing agreements and SCCs.
The Processor shall notify the Controller at least 14 days in advance when adding or replacing a sub-processor.
6. Security
- TLS 1.3 encryption in transit; AES-256 at rest
- Role-based access control, MFA for administrators
- Audit trails for all data access
- Daily encrypted backups within the EU
- Annual penetration tests
7. Data Breach Notification
The Processor reports data breaches to the Controller within 48 hours of discovery, including the nature of the breach, affected categories, consequences and measures taken.
8. Retention Periods
- Recordings and transcripts: configured by the Controller (default: 90 days)
- Call metadata: duration of the agreement + 12 months
- Billing data: 7 years (fiscal retention obligation)
After termination: deletion within 30 days, unless retention is required by law.
9. Data Subject Rights
The Processor immediately refers data subject requests to the Controller and provides assistance in handling them.
10. International Transfers
Transfers outside the EEA are safeguarded via the EU-US Data Privacy Framework, Standard Contractual Clauses (SCCs) and supplementary technical measures.
11. Contact & Complaints
Complaints: Autoriteit Persoonsgegevens (Dutch Data Protection Authority).
What is this? This Data Processing Agreement ("DPA") supplements our Terms & Conditions and governs how Vocito AI processes personal data on your behalf in accordance with Art. 28 GDPR.
- GDPR Compliant: Full compliance with EU data protection law
- EU Servers: Data in Frankfurt, Germany
- Encrypted: AES-256 at rest, TLS 1.3 in transit
- Configurable: You determine the retention period
1. Parties
Controller: The Customer. Processor: HSR Agency (Vocito.ai), Netherlands.
2. Purpose of Processing
Processing solely for the provision of the Vocito AI platform: call answering, transcription, AI analysis, appointment scheduling, recording (if enabled) and follow-up communications.
3. Categories of Data
Contact data, call metadata, call content (recordings, transcripts, AI summaries), appointment data, technical data.
4. Obligations of the Processor
- Processing only on documented instructions from the Controller
- Confidentiality obligations for all personnel
- Technical and organizational measures (TLS 1.3, AES-256, RBAC, MFA, annual penetration tests)
- No sub-processors without prior authorization (14 days' advance notice)
- Assistance with data subject requests and notification obligations
- Deletion of all data within 30 days after the end of the contract
5. Sub-processors
Twilio, OpenAI, ElevenLabs, Google Cloud, Supabase (EU Frankfurt), Stripe. All covered by DPAs and SCCs.
6. Data Breach Notification
Notification of the Controller within 48 hours.
7. Retention
Recordings: configurable by the Customer (default: 90 days). Metadata: duration of the contract + 12 months. Billing data: 7 years.
8. International Transfers
Safeguarded by EU-US DPF, SCCs and supplementary technical measures.
9. Contact
privacy@vocito.ai | Complaints: competent supervisory authority.
What is this? This Data Processing Agreement supplements our Terms & Conditions and governs the processing of your personal data by Vocito AI as a processor in accordance with Art. 28 GDPR.
- GDPR Compliant: Full compliance with European law
- EU Servers: Data stored in Frankfurt
- Encrypted: AES-256 at rest, TLS 1.3 in transit
- Configurable: You control the retention period
1. Parties
Controller: The Customer. Processor: HSR Agency (Vocito.ai), Netherlands.
2. Purpose of Processing
Processing solely for the provision of the Vocito AI platform: call handling, transcription, AI analysis, appointment scheduling, recording (if enabled) and follow-up communications.
3. Categories of Data
Contact details, call metadata, call content (recordings, transcripts, AI summaries), appointment data, technical data.
4. Obligations of the Processor
- Processing only on documented instructions
- Confidentiality obligations for all personnel
- Technical and organizational measures (TLS 1.3, AES-256, RBAC, MFA, annual tests)
- No sub-processors without prior authorization (14 days' notice)
- Assistance with data subject requests
- Deletion of all data within 30 days following the end of the contract
5. Sub-processors
Twilio, OpenAI, ElevenLabs, Google Cloud, Supabase (EU Frankfurt), Stripe. All bound by data processing agreements and SCCs.
6. Breach Notification
Notification to the Controller within 48 hours.
7. Retention
Recordings: configurable by the Customer (default: 90 days). Metadata: duration of the contract + 12 months. Billing: 7 years.
8. International Transfers
Protected by EU-US DPF, SCCs and supplementary technical measures.
9. Contact
privacy@vocito.ai | Complaints: competent supervisory authority.