Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Data Controller") and Vocero ("Data Processor") for the provision of AI-powered customer communication services. It governs the processing of personal data by the Processor on behalf of the Controller.

• Personal Data — any information relating to an identified or identifiable natural person
• Processing — any operation performed on personal data
• Data Subject — the individual whose personal data is processed
• Sub-processor — a third party engaged by the Processor to process Personal Data

Categories of Data Subjects:

• Your customers who interact with your AI assistant
• Your employees and team members

Types of Personal Data:

• Contact information (name, phone, email)
• Conversation content and metadata
• Appointment and booking data
• Payment transaction references

Purpose: To provide AI-powered customer communication, scheduling, and payment services.

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorised to process data have committed to confidentiality
• Implement appropriate technical and organisational security measures
• Assist the Controller in responding to Data Subject requests
• Delete or return all Personal Data upon termination of services
• Make available all information necessary to demonstrate compliance

The Controller grants general authorisation for the Processor to engage sub-processors. The Processor will inform the Controller of any changes to sub-processors and provide an opportunity to object. Current sub-processors are listed on our GDPR compliance page.

Personal Data will be processed within the EU/EEA. Any transfer to a third country will only occur with appropriate safeguards as required by Chapter V of the GDPR, including Standard Contractual Clauses where necessary.

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Role-based access controls with principle of least privilege
• Regular security assessments and penetration testing
• Incident response and breach notification procedures
• Employee security training and confidentiality agreements

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of a Personal Data breach. The notification shall include the nature of the breach, categories and number of individuals affected, likely consequences, and measures taken or proposed.

This DPA shall remain in effect for the duration of the main service agreement. Upon termination, the Processor shall delete all Personal Data within 90 days unless retention is required by applicable law.

To request a signed copy of this DPA for your records, contact us at legal@vocero.io.