Data Processing Agreement
Controller ("Customer"): [Your organization]
Processor: Auspex Streamline S.L., C.I.F.: B56341829, Calle Velarde 13, 4B, 35010 Las Palmas de Gran Canaria, Canarias, Spain ("AICA")
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Controller and Processor for the use of AICA — AI Communication Analyzer ("Services").
1. Definitions
- "Data Protection Laws" — GDPR (Regulation (EU) 2016/679) and applicable national data protection laws, including CCPA, UK GDPR, and LGPD.
- "Personal Data" — Any information relating to an identified or identifiable natural person, processed by Processor on behalf of Controller.
- "Sub-processor" — Any third party engaged by Processor to process Personal Data on behalf of Controller.
- "Standard Contractual Clauses" ("SCCs") — The clauses approved by European Commission Implementing Decision (EU) 2021/914.
2. Scope and Purpose of Processing
| Processing Activity | Data Categories | Purpose |
|---|---|---|
| Audio transcription | Audio recordings (voice data), caller metadata | Convert speech to text using ASR providers |
| AI analysis | Transcripts, conversation metadata | Quality scoring, sentiment analysis, key point extraction |
| Data storage | Audio, transcripts, analyses, metadata | Secure storage for Controller's access and retrieval |
| CRM delivery | Analysis results, scores, key points | Deliver insights to Controller's CRM system |
| Alerting | Analysis metrics, thresholds | Notify Controller about significant events |
Processor shall not process Personal Data for any purpose other than as documented in this DPA and Controller's instructions.
3. Data Categories and Data Subjects
Data Subjects: Call participants (customers, prospects), call agents (employees, contractors), platform users (staff with AICA access).
| Category | Examples | Sensitivity |
|---|---|---|
| Voice data | Audio recordings of calls | High (potential biometric) |
| Conversation content | Transcripts, spoken words | High |
| Communication metadata | Phone numbers, call duration, timestamps | Medium |
| Analysis results | Quality scores, sentiment, key points | Medium |
| User account data | Names, email addresses of platform users | Standard |
4. Obligations of the Processor
- Documented Instructions. Processor shall process Personal Data only on documented instructions from Controller.
- Confidentiality. All personnel authorized to process Personal Data have committed to confidentiality.
- Security Measures (Art. 32). Processor implements appropriate technical and organizational measures:
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all API communications |
| Encryption at rest | Cloudflare R2 SSE (AES-256-GCM, active by default); Neon database native encryption |
| Access control | Role-based access (RBAC) with organization isolation |
| Tenant isolation | Organization-level data segregation; cross-org detection |
| Authentication | Multi-factor via Clerk; session management |
| Audit logging | Comprehensive audit trail for data access and modifications |
| PII redaction | PII redaction applied before LLM processing |
| Rate limiting | Per-user sliding window rate limiting |
| Webhook security | HMAC-SHA256 signature verification |
- Data Subject Rights. Processor provides API endpoints for data access (export), erasure (cascade deletion), rectification, and objection to AI analysis.
- DPIA Assistance. Processor assists Controller in conducting Data Protection Impact Assessments.
- Deletion. At Controller's choice, Processor shall delete or return all Personal Data after end of Services.
- Audit Rights. Processor allows Controller audits and inspections to demonstrate compliance.
5. Obligations of the Controller
- Obtaining consent from call participants where required by applicable law
- Informing Data Subjects about recording, transcription, and AI analysis
- Maintaining records of consent where applicable
- Responding to Data Subject rights requests using the AICA API
- Configuring the appropriate consent mode and jurisdiction settings before processing
6. Sub-Processors
Controller provides general authorization for the sub-processors listed in the Sub-Processor List. Processor shall notify Controller at least 30 days before adding a new sub-processor. Controller may object on reasonable data protection grounds. If no resolution is reached, Controller may terminate the affected Services without penalty.
7. International Transfers
Processor is established in Spain (EU). For transfers to the US:
| Mechanism | When Applied |
|---|---|
| EU-US Data Privacy Framework (DPF) | US sub-processor is DPF-certified |
| Standard Contractual Clauses (2021) | US sub-processor without DPF |
| Adequacy Decision | Sub-processor in country with EU adequacy decision |
For UK transfers, the International Data Transfer Addendum to the EU SCCs (issued by the ICO) is incorporated.
8. Data Breach Notification
Processor notifies Controller within 48 hours of becoming aware of a Personal Data breach. The notification includes the nature of the breach, the categories and number of records affected, the likely consequences, and the measures taken.
9. Data Retention and Deletion
| Data Type | Default Retention | Configurable Range |
|---|---|---|
| Audio recordings | 90 days | 30–365 days |
| Transcripts | 365 days | 90 days–unlimited |
| AI analyses | Follows transcript | Follows transcript |
| Metadata | Follows transcript | Follows transcript |
| User accounts | Duration of service | — |
Processor automatically deletes data exceeding the configured retention period. Upon termination, Controller has 30 days to export its data, after which all data is deleted within 30 days.
10. Term and Termination
This DPA remains in effect for the duration of the Services agreement and automatically terminates upon termination of Services, subject to post-termination data handling.
11. Liability
Each party's liability under this DPA is subject to the limitations in the Services agreement. Nothing limits liability for breaches of Data Protection Laws to the extent such limitation is not permitted by applicable law.
Document ID: DPA-AICA-2026-001 · Version: 1.1