Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Faktia Global Technologies Limited, a company incorporated in Ireland (Company Registration Number: 760123), trading as Beeslee ("Processor," "we," "us") and you ("Controller," "Customer") and governs the processing of personal data by the Processor on behalf of the Controller.

This DPA is designed to ensure compliance with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

• "Personal Data" means any information relating to an identified or identifiable natural person
• "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion
• "Data Subject" means the individual whose Personal Data is processed
• "Controller" means the entity that determines the purposes and means of processing Personal Data (you)
• "Processor" means the entity that processes Personal Data on behalf of the Controller (us)
• "Sub-processor" means any third party engaged by the Processor to process Personal Data
• "Services" means the AI voice receptionist services provided under the Terms of Service

Scope of Processing

The Processor will process Personal Data only as necessary to provide the Services, which includes:

• Processing incoming phone calls through AI voice agents
• Recording and transcribing calls as configured by the Controller
• Storing caller information and appointment data
• Providing analytics and reporting on call activity

Categories of Data Subjects

• Controller's customers and prospective customers
• Callers to Controller's phone numbers
• Controller's employees and representatives

Types of Personal Data

• Contact information (name, phone number, email)
• Voice recordings and transcripts
• Appointment and scheduling information
• Information voluntarily provided during calls

Telecommunications Data

In addition to the above, the following telecommunications data is processed as part of providing phone number services:

• Caller phone numbers (ANI/Caller ID) and called numbers (DNIS)
• Call detail records (CDRs) including call timestamps, duration, and routing information
• SIP signaling data and call metadata
• STIR/SHAKEN attestation data (caller ID verification)
• Network routing and quality metrics

Note: Telecommunications data is inherently shared with carrier networks to route and complete calls. This is a technical requirement of telephone services.

The Processor agrees to:

• Process Personal Data only on documented instructions from the Controller
• Ensure persons authorized to process Personal Data are bound by confidentiality obligations
• Implement appropriate technical and organizational security measures
• Assist the Controller in responding to Data Subject requests
• Assist the Controller in ensuring compliance with security, breach notification, and impact assessment obligations
• Delete or return all Personal Data upon termination of the Services
• Make available information necessary to demonstrate compliance with this DPA
• Immediately inform the Controller if an instruction infringes data protection laws

The Controller agrees to:

• Ensure a lawful basis exists for processing Personal Data
• Provide clear instructions regarding data processing
• Ensure compliance with Data Subject rights
• Comply with call recording consent requirements
• Maintain appropriate records of processing activities
• Notify the Processor promptly of any changes to processing instructions

The Controller authorizes the Processor to engage the following categories of Sub-processors:

• Cloud infrastructure providers: For hosting and data storage
• Telephony providers (Telnyx): For phone number provisioning and call routing
• AI service providers (Retell AI): For voice agent processing
• Payment processors (Stripe): For billing and payment processing

Telecommunications Sub-processors

Phone number services require the use of telecommunications carriers. The following telecommunications sub-processors are engaged:

Upstream Carriers

Telnyx routes calls through various upstream telecommunications carriers to complete calls. These carriers are:

• Selected by Telnyx based on call routing requirements
• Subject to Telnyx's data processing agreements
• Receive only the data necessary to route and complete calls (phone numbers, call signaling)
• May vary based on call destination and network conditions

Important: The use of upstream carriers is inherent to telecommunications services and cannot be avoided. Carrier selection is determined by Telnyx's routing algorithms and regulatory requirements.

Sub-processor Obligations

The Processor will:

• Maintain an up-to-date list of Sub-processors
• Notify the Controller of any intended changes to Sub-processors
• Ensure Sub-processors are bound by data protection obligations no less protective than this DPA
• Remain liable for the acts and omissions of Sub-processors

The Controller may object to a new Sub-processor within 30 days of notification. If the objection is not resolved, the Controller may terminate the Services.

Telecommunications Exception: Due to the nature of telecommunications routing, the Processor cannot provide advance notice of changes to upstream carriers used by Telnyx. By using the Service, the Controller acknowledges and accepts that call routing may involve various telecommunications carriers as determined by Telnyx.

The Processor implements the following security measures:

Technical Measures

• Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
• Access controls and authentication mechanisms
• Network security and firewalls
• Regular security testing and vulnerability assessments
• Automated monitoring and alerting

Organizational Measures

• Employee background checks and confidentiality agreements
• Security awareness training
• Incident response procedures
• Business continuity and disaster recovery plans
• Regular review and update of security policies

Telecommunications Security

• SIP/TLS: Voice signaling encrypted using Transport Layer Security
• SRTP: Call audio encrypted using Secure Real-time Transport Protocol where supported by the call path
• STIR/SHAKEN: Caller ID authentication to prevent spoofing and verify call origin
• Per-tenant SIP credentials: Unique authentication credentials for each tenant, securely generated and stored
• Carrier security: Sub-processors (Telnyx, upstream carriers) maintain their own security certifications and compliance programs

The Processor will assist the Controller in responding to requests from Data Subjects to exercise their rights under applicable data protection laws, including:

• Right of access to Personal Data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing

The Processor will promptly notify the Controller of any requests received directly from Data Subjects.

In the event of a Personal Data breach, the Processor will:

• Notify the Controller without undue delay (and in any event within 48 hours) after becoming aware of the breach
• Provide information about the nature of the breach, categories and approximate number of Data Subjects affected, and likely consequences
• Describe measures taken or proposed to address the breach
• Cooperate with the Controller's investigation and remediation efforts
• Document the breach and maintain records of all related facts

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA). For such transfers, the Processor ensures appropriate safeguards are in place:

• Standard Contractual Clauses approved by the European Commission
• Transfers to countries with an adequacy decision
• Other approved transfer mechanisms as applicable

Telecommunications Data Transfers

Phone calls are routed through global telecommunications networks. This inherently involves international data transfers:

• Call routing: Call signaling and metadata transit through networks in multiple jurisdictions as technically required to complete calls
• Primary carrier (Telnyx): Headquartered in the United States; processes call data in the US
• Upstream carriers: May be located in various jurisdictions depending on call destinations and routing

Important: International data transfers through telecommunications networks are governed by international telecommunications agreements and regulations, in addition to data protection laws. The technical nature of call routing means that telecommunications data transfers cannot be limited to specific jurisdictions.

Upon request, the Processor will provide information about the transfer mechanisms used.

The Controller has the right to audit the Processor's compliance with this DPA:

• The Controller may request relevant audit reports and certifications
• The Controller may conduct audits with reasonable prior notice (at least 30 days)
• Audits must be conducted during normal business hours and not unreasonably interfere with operations
• The Controller bears the costs of any audit it initiates
• Audit findings and all related information must be treated as confidential

Upon termination or expiration of the Services:

• The Processor will cease processing Personal Data
• At the Controller's choice, the Processor will return or delete all Personal Data
• The Processor will provide certification of data deletion upon request
• Certain data may be retained as required by law or for legitimate business purposes

The Controller has 30 days after termination to request data export.

For questions about this Data Processing Agreement or to exercise rights under this DPA:

• Company: Faktia Global Technologies Limited
• Registered Address: Unit 2, 2 Bridge Street, Athlone, Westmeath, Ireland N37 F1W4
• Company Registration: 760123 (Ireland)
• Email: dpo@beeslee.com
• Data Protection Officer: dpo@beeslee.com