Data Processing Agreement (DPA) for AICaller.io

Effective Date: 11/06/2025

This Data Processing Agreement ("Agreement" or "DPA") is entered into by and between the Customer ("Controller") and AICaller.io ("Processor") and is incorporated by reference into the Terms of Service governing the Customer's use of the AICaller.io platform.

1. Purpose and Scope

This Agreement governs the processing of personal data by AICaller.io on behalf of the Customer in connection with the provision of AI-powered calling and automation services. The Parties acknowledge that the Customer acts as the "data controller" and AICaller.io acts as the "data processor" under applicable data protection laws. We will process personal data on behalf of the Customer (the data controller) as required under applicable data protection laws including GDPR, UK GDPR, CCPA, and others.

2. Definitions

Personal Data: Any information relating to an identified or identifiable natural person.
Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means.
Applicable Law: All applicable data protection and privacy legislation, including but not limited to the General Data Protection Regulation (EU) 2016/679 ("GDPR"), UK GDPR, the California Consumer Privacy Act ("CCPA"), and the Telephone Consumer Protection Act ("TCPA").

3. Roles and Responsibilities

Customer (Controller): Determines the purpose and means of processing Personal Data, including the legality of all contact lists and campaign activity.
AICaller.io (Processor): Processes Personal Data only on the documented instructions of the Controller.

The Controller confirms that it has obtained all necessary consents and has a lawful basis for processing the Personal Data, including compliance with:

  • GDPR (if applicable)
  • TCPA and CAN-SPAM (for U.S. recipients)
  • Local telecommunications and consumer protection laws in the regions called

4. Processing Details

Nature and Purpose: Processing of contact information, call metadata, transcripts, and user-uploaded scripts for the purposes of call execution, analysis, and delivery of automation services.
Duration: For the duration of the Controller's subscription and as necessary to fulfill service obligations.
Data Subjects: Individuals who receive communications initiated by the Controller through AICaller.io.
Types of Data: Phone numbers, call content, metadata (e.g., time, status), AI responses, and optional audio recordings (if enabled).

5. Processor Obligations

AICaller.io shall:

  • Process Personal Data only on the Customer's instructions
  • Implement appropriate technical and organizational security measures
  • Ensure personnel authorized to process data are subject to confidentiality obligations
  • Assist the Controller in responding to data subject rights requests
  • Promptly notify the Controller of any Personal Data breach
  • Maintain a record of processing activities

Call Recording Compliance
Where call recording is enabled by the Controller, the Controller is solely responsible for ensuring that appropriate legal disclosures and consents are provided to the data subjects. The Processor provides the technical capability for recording but has no role in determining whether recording is lawful under the applicable laws of the jurisdictions involved.

6. Sub-Processors

AICaller.io uses Sub-Processors to provide parts of its infrastructure and services. AICaller.io will notify the Controller of material changes to its Sub-Processor list and will ensure that Sub-Processors are bound by equivalent privacy and security obligations under written contracts. These may include:

  • Twilio (telephony services)
  • Plivo (telephony services)
  • Telnyx (telephony services)
  • Amazon Web Services (AWS) (cloud hosting)
  • Google Cloud (speech-to-text and AI services)
  • Deepgram (speech-to-text and AI services)
  • Elevenlabs (speech-to-text and AI services)
  • Rime (speech-to-text and AI services)
  • OpenAI (speech-to-text and AI services)
  • Microsoft (speech-to-text and AI services)
  • MongoDB (Database)
  • Lemon Squeezy (Payment Processing)

AICaller.io ensures Sub-Processors are contractually bound to implement equivalent privacy and security protections. A current list is available upon request.

7. Data Storage and Hosting Location

The Processor utilizes Amazon Web Services (AWS), with primary infrastructure located in the United States, for data storage and processing. The Controller acknowledges and agrees to the storage and processing of data in the U.S., and where applicable, the Processor shall implement appropriate safeguards to ensure the transfer complies with Articles 44–49 of the GDPR and equivalent laws in other jurisdictions.

8. International Data Transfers

Personal Data may be transferred outside of the country in which it was collected. AICaller.io will ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Compliance with international transfer requirements under GDPR, UK GDPR, or other relevant laws

9. Data Subject Rights Assistance

AICaller.io will provide reasonable assistance to the Controller for:

  • Responding to requests for access, correction, deletion, or portability
  • Objecting to or restricting processing
  • Fulfilling any other obligations under GDPR, CCPA, or equivalent laws

Requests must be submitted in writing to [email protected].

10. Security Measures

AICaller.io employs industry-standard security practices including:

  • Encryption in transit and at rest
  • Role-based access control
  • Multi-factor authentication
  • Monitoring and auditing of systems

Details of our security program are available upon request for enterprise customers.

11. Breach Notification

In the event of a confirmed Personal Data breach, AICaller.io shall:

  • Notify the Controller without undue delay
  • Provide all relevant details required for the Controller’s regulatory or data subject notification duties
  • Cooperate fully with remediation and investigation efforts

12. Return or Deletion of Data

Upon expiration or termination of services, AICaller.io will, at the Controller’s request:

  • Return all Personal Data processed on behalf of the Controller
  • Permanently delete all Personal Data, unless required by law to retain

13. Liability and Indemnification

The Controller is solely responsible for:

  • Ensuring that data subjects have received legally adequate notice and provided consent (where required)
  • All compliance with TCPA, GDPR, and any applicable local laws

AICaller.io assumes no liability for violations arising from the Controller’s actions or omissions. The Controller agrees to indemnify and hold harmless AICaller.io from any claims, losses, or penalties resulting from their use of the Service.

14. Governing Law and Jurisdiction

This Agreement shall be governed by the same laws and jurisdiction set forth in the primary Terms of Service unless otherwise required by applicable data protection laws.

15. Contact Information

If you have questions about this Agreement or data processing practices, please contact:
AICaller.io
Email: [email protected]