Data Processing Agreement

Last updated: May 2026. This DPA forms part of your agreement with KaiVox AI.

Who this applies to: This DPA applies when you use KaiVox AI to process personal data of individuals in the EU/EEA, UK, or any jurisdiction where a data processing agreement is required by law. To request a signed DPA, email legal@kaivoxai.com.

1. Definitions

Controller means the entity that determines the purposes and means of processing Personal Data (you, the customer).

Processor means the entity that processes Personal Data on behalf of the Controller (KaiVox AI).

Personal Data means any information relating to an identified or identifiable natural person.

Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.

2. Scope of Processing

KaiVox AI processes Personal Data on your behalf as follows:

  • Call recordings and transcripts — voice data from inbound and outbound calls
  • Customer data — names, phone numbers, email addresses, appointment history
  • Appointment data — booking details, staff assignments, service records
  • Message data — SMS, WhatsApp, and email communication records

3. Instructions

KaiVox AI shall process Personal Data only on your documented instructions and for the purposes set out in this DPA. We will not process Personal Data for any other purpose without your prior written consent, unless required by applicable law.

4. Sub-processors

KaiVox AI uses the following sub-processors to provide the service:

Sub-processor | Purpose | Data
OpenAI | AI conversation processing | Call transcripts (anonymized)
Twilio | Voice, SMS, WhatsApp delivery | Phone numbers, message content
Vobiz | Indian telephony (DID numbers) | Call metadata, phone numbers
Stripe | Payment processing (global) | Billing name, email, transaction ID
Razorpay | Payment processing (India) | Billing name, email, transaction ID
Hostinger | Cloud hosting and storage | All platform data (encrypted at rest)

5. Security Measures

KaiVox AI implements the following technical and organisational security measures:

  • Encryption in transit using TLS 1.3 for all data transmissions
  • Encryption at rest for all database content and backups
  • Role-based access controls (RBAC) — principle of least privilege
  • Full audit logging of all access, changes, and exports
  • Security HTTP headers (HSTS, X-Frame-Options, CSP, X-XSS-Protection)
  • Multi-tenant data isolation — no cross-tenant data access possible

6. Data Breaches

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, KaiVox AI will notify you without undue delay and within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach, categories of data affected, approximate number of individuals affected, likely consequences, and measures taken or proposed.

7. Data Subject Rights

KaiVox AI will provide reasonable assistance to help you fulfill your obligations to respond to data subject requests, including rights of access, rectification, erasure, restriction, portability, and objection. All customer data can be exported in CSV format from Settings → Security. Individual records can be deleted from the customer dashboard at any time.

8. Termination and Data Deletion

Upon termination of the agreement, KaiVox AI will, at your choice, delete or return all Personal Data within 30 days, unless retention is required by applicable law. Confirmation of deletion will be provided in writing upon request. Backups are purged on a rolling 30-day schedule after account closure.

Need a signed DPA?

For GDPR compliance, enterprise contracts, or legal requirements — we will provide a signed DPA within 5 business days.

Request Signed DPA — legal@kaivoxai.com