
Data Processing Agreement

Effective: April 1, 2026

This Data Processing Agreement ("DPA") is incorporated into the DialPhone Terms of Service and governs DialPhone Inc.'s ("Processor") processing of personal data on behalf of the customer ("Controller") in connection with the DialPhone Service.

1. Definitions

"Personal Data," "Data Subject," "Processing," "Personal Data Breach," and "Supervisory Authority" have the meanings given in the GDPR. "Customer Data" means Personal Data that Controller submits to the Service. "Sub-processor" means a third party that Processor engages to assist in processing Customer Data.

2. Processing roles

Controller is the Controller of Customer Data. Processor processes Customer Data only on documented instructions from Controller, which include the Terms of Service, configuration in the admin portal, and written instructions from authorized Controller personnel.

3. Subject matter, duration, and scope

  • Subject matter: provision of the DialPhone communications platform
  • Duration: term of the underlying subscription agreement plus any required retention period
  • Nature of processing: hosting, storage, routing, transcription, analytics, support
  • Categories of Data Subjects: Controller's employees, contractors, customers, vendors, and other persons communicating through the Service
  • Categories of Personal Data: contact information, communications content, call metadata, and optional CRM enrichment

4. Processor obligations

  • Process Customer Data only on Controller's documented instructions
  • Ensure personnel processing Customer Data are under written confidentiality obligations
  • Implement technical and organizational security measures appropriate to the risk (see Section 7)
  • Assist Controller with Data Subject Rights requests, DPIAs, and Supervisory Authority inquiries
  • Delete or return Customer Data upon termination per Controller's choice
  • Make available information necessary to demonstrate DPA compliance and allow audits (see Section 9)

5. Sub-processors

Controller authorizes Processor to engage the Sub-processors listed on the public Sub-processor registry. Processor provides 30-day advance notice of new or replaced Sub-processors. Controller may object on reasonable grounds related to data protection; the parties will discuss a resolution, failing which Controller may terminate the affected Service.

6. International transfers

  • EU-to-US and similar: governed by the EU Standard Contractual Clauses (SCCs) adopted by the EU Commission in 2021, Module 2 (Controller-to-Processor), which are incorporated by reference
  • UK-to-non-adequacy: UK International Data Transfer Addendum (IDTA) incorporated by reference
  • Swiss-to-non-adequacy: the SCCs, with the Switzerland-specific adaptations required under the Swiss FADP, incorporated by reference
  • Additional safeguards: EU data residency option, encryption at rest, strict Sub-processor access controls

7. Security measures

Processor implements and maintains technical and organizational measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256-GCM) with hardware-backed key management
  • Access controls (SSO, MFA, role-based permissions, minimum-necessary)
  • SOC 2 Type II audit annually; HIPAA Security Rule compliance for Covered Data
  • Penetration testing annually; bug bounty program
  • Incident response with 24-hour detection SLA and 72-hour breach notification
  • Business continuity and disaster recovery (RTO under 15 minutes, RPO under 5 minutes)
  • Physical security via certified data centers (SOC 2, ISO 27001)

8. Personal Data breach

Upon becoming aware of a Personal Data Breach affecting Customer Data, Processor will notify Controller without undue delay and in any event within 72 hours. Notifications include: nature of breach, approximate number of records, likely consequences, measures taken, and contact point for further information.

9. Audits

Controller may audit Processor's compliance once per year upon 30 days' written notice. Processor's SOC 2 Type II report (available under NDA) satisfies audit obligations for most customers. Regulated-industry customers may conduct onsite audits at their expense, subject to confidentiality.

10. Data Subject Rights

Processor will assist Controller, at Controller's expense, with: access requests, rectification, erasure, restriction, portability, and objection. Tools inside the admin portal enable Controller to execute most requests directly.

11. Return or deletion

At Controller's choice, Processor will return or delete Customer Data within 30 days of termination, except where retention is required by law. Certificates of deletion are available on request.

12. CCPA service-provider terms

To the extent Processor processes personal information of California consumers, Processor acts as a "service provider" under the CCPA/CPRA. Processor will not sell or share such information, retain it for purposes outside the Service, or combine it with data from other sources, except as permitted by the CCPA/CPRA.

13. HIPAA BAA

For Controllers subject to HIPAA, a separate Business Associate Agreement (BAA) is provided at no additional cost on Advanced plans and above. See the HIPAA compliance page.

14. Liability and indemnification

Liability under this DPA is subject to the limitation of liability in the underlying Terms of Service.

15. Order of precedence

In case of conflict, the order of precedence is: SCCs / IDTA, then this DPA, then the Terms of Service. For Enterprise customers with a Master Service Agreement (MSA), that MSA supersedes.

16. Contact

Privacy: privacy@dialphone.com · DPO: dpo@dialphone.com · EU Representative: appointed per GDPR Art. 27, details on request.

This DPA is automatically accepted on signup for EU/UK/Swiss customers. US customers may execute a countersigned copy on request via the customer portal.
