Data processing addendum

1. Definitions

Capitalized terms used in this DPA have the meanings given in the Agreement and in the EU General Data Protection Regulation (Regulation 2016/679), the UK Data Protection Act 2018, and the California Consumer Privacy Act, as amended ("CCPA"). For purposes of this DPA, "Personal Data" means personal data that Dials processes on Customer's behalf under the Agreement.

2. Roles

With respect to Personal Data submitted to the Service by Customer or its users: Customer is the controller (and, where relevant, a business under the CCPA); Dials is the processor (and a service provider under the CCPA). Dials processes Personal Data only on documented instructions from Customer, including the Agreement, the Service configuration, and any further written instructions Customer reasonably provides.

3. Subject matter, duration, nature, and purpose

The subject matter of processing is the provision of the Service. The duration of processing is the term of the Agreement plus any retention period required by law. The nature of processing includes hosting, transmission, routing, signing, recording, retrieval, deletion, and audit. The purpose is to provide, secure, and audit the Service for Customer.

Categories of Personal Data may include identifiers, contact details, calling and called numbers, message and call content, recordings, transcripts, consent records, authentication material, and technical telemetry. Categories of data subjects include Customer's personnel, end users, and the recipients of Customer's communications.

4. Customer obligations

Customer warrants that it has obtained and will maintain all consents, authorizations, and lawful bases necessary for Dials to process Personal Data under the Agreement. Customer is responsible for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired it. Customer must not instruct Dials to engage in processing that violates applicable law.

5. Confidentiality

Dials ensures that personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate training. Access is granted on a least-privilege basis, logged, and reviewed.

6. Security

Dials implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including (without limitation):

• AES-256-GCM encryption at rest and TLS 1.3 in transit;
• SRTP for real-time media and STIR/SHAKEN signing on outbound calls;
• Hardware-isolated key management, with customer-managed keys available on Enterprise;
• Scoped session tokens, fail-closed authorization, and per-action audit;
• Continuous vulnerability scanning, dependency auditing, and SAST/DAST in CI;
• Network segmentation, endpoint protection, and just-in-time access for production;
• A 24/7 on-call rotation, with documented incident-response runbooks and tabletop exercises.

Additional detail is available in the Trust Center. Dials may update its security measures from time to time, provided the overall level of protection is not materially diminished.

7. Sub-processors

Customer authorizes Dials to engage the sub-processors listed at /legal/sub-processors. Dials imposes obligations on each sub-processor that are at least as protective as those in this DPA and remains liable for the acts and omissions of its sub-processors as if they were its own.

Dials will give Customer at least thirty (30) days' advance notice (by updating the sub-processor page and emailing account owners on the notification list) of any new sub-processor. Customer may object on reasonable data-protection grounds; if Dials cannot accommodate the objection, Customer may terminate the affected portion of the Service for cause and receive a pro-rata refund of pre-paid fees.

8. International transfers

Where Dials transfers Personal Data outside the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, Dials enters into the European Commission's Standard Contractual Clauses (Module 2 or Module 3, as applicable) and, for transfers from the UK, the UK International Data Transfer Addendum. The Clauses are deemed executed by the parties on the Agreement's effective date. Customer may elect a specific data-residency region in its tenant configuration.

9. Data-subject requests

Taking into account the nature of the processing, Dials assists Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising data-subject rights (access, rectification, erasure, restriction, portability, objection). If Dials receives a request directly from a data subject, Dials will forward the request to Customer without responding to the substance, unless Customer has authorized otherwise.

10. Personal-data breach

Dials notifies Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware, of a Personal Data Breach affecting Customer's Personal Data. Notification includes the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed.

11. DPIA and prior consultation

Dials provides reasonable assistance to Customer with any data-protection impact assessment and any prior consultation with a supervisory authority that relate to Customer's use of the Service, taking into account the nature of the processing and the information available to Dials.

12. Deletion or return

On termination of the Agreement and at Customer's election, Dials will delete or return all Personal Data within thirty (30) days, except where retention is required by law. Dials will not be required to delete Personal Data from routine backup media until those backup media are rotated in the ordinary course.

13. Audits

Dials provides Customer with information necessary to demonstrate compliance with this DPA, including independent audit reports (such as SOC 2 once issued). Customer may conduct an audit no more than once every twelve (12) months, subject to reasonable notice, confidentiality obligations, and limitations to protect the security of other customers' data; provided that audits may be conducted more frequently as required by a supervisory authority.

14. Liability

Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.

15. CCPA

Dials processes Personal Data on Customer's behalf as a "service provider" within the meaning of the CCPA. Dials will not (a) sell or share Personal Data, (b) retain, use, or disclose Personal Data outside the direct business relationship between the parties, or (c) combine Personal Data received from Customer with personal information from other sources, except as permitted by the CCPA.

16. Order of precedence

In the event of a conflict between this DPA and the Agreement on a matter governed by data-protection law, this DPA controls. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Clauses control to the extent of the conflict.