This Data Processing Addendum ("DPA") forms part of the Terms of Service between DialEcho LLC ("DialEcho," "we," "us") and the customer that uses the Service ("Customer," "you"). It applies whenever DialEcho processes Personal Data contained in Customer Data on your behalf, and is incorporated by reference into the Terms. If this DPA conflicts with the Terms, this DPA controls for data-protection matters.
1. Roles and scope
For Personal Data in Customer Data (including Contact Data about your prospects and contacts), you are the controller / "business" and DialEcho is the processor / "service provider." DialEcho processes that data only on your documented instructions: to provide, secure, and support the Service as described in the Terms, this DPA, and your configuration of the Service. This DPA does not apply to data DialEcho handles as a controller (e.g., your account information), which is governed by our Privacy Policy.
2. Definitions
"Data Protection Laws" means all laws applicable to the processing of Personal Data under this DPA, including (as applicable) the CCPA/CPRA and other U.S. state privacy laws, the EU and UK GDPR, and the TCPA and other communications laws. "Personal Data," "processing," "controller," "processor," "business," "service provider," "sell," and "share" have the meanings given by the applicable Data Protection Laws.
3. Details of processing
- Subject matter and duration: processing of Customer Data to provide the Service for the term of the Terms, plus the wind-down period in Section 9.
- Nature and purpose: hosting and storing Customer Data; placing and receiving calls; sending and receiving SMS/MMS and email at your direction; recording, transcribing, and summarizing communications you initiate; organizing and managing contacts, pipeline, calendar, and consent records; and providing support.
- Categories of data subjects: your prospects, contacts, customers, and users.
- Categories of Personal Data: names, phone numbers, email addresses, company and role information, pipeline stage, notes, tags, custom fields, consent and opt-out status, and the content and metadata of calls, messages, and email processed through the Service.
4. Customer instructions
We will process Customer Data only per Section 1 and your lawful written instructions, unless required otherwise by law (in which case we will inform you unless legally prohibited). We will tell you if we believe an instruction violates Data Protection Laws. You are responsible for the lawfulness of the Customer Data and of your instructions, including all consents required for your outreach (see Terms, Section 5).
5. Confidentiality and personnel
Personnel authorized to process Customer Data are bound by written or statutory confidentiality obligations and receive appropriate privacy and security training.
6. Security
We implement appropriate technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access - including encryption in transit, access controls and least-privilege permissions, logical tenant isolation, logging and monitoring, and vendor due diligence. We may update these measures so long as security is not materially degraded.
7. Subprocessors
You authorize DialEcho to engage subprocessors to provide the Service, including: Supabase (cloud hosting and database), Telnyx and Twilio (telephony/SMS carriers), LiveKit (real-time voice infrastructure), AI/LLM and speech providers, email-delivery providers, and payment processors. We will bind subprocessors to data-protection obligations no less protective than this DPA and remain responsible for their performance. For the current list, or to receive notice of changes (with the right to object on reasonable data-protection grounds), email info@dialecho.ai.
8. Assistance
Taking into account the nature of the processing, we will reasonably assist you with: responding to data subject / consumer requests (access, correction, deletion, portability, opt-out) - if a data subject contacts us directly about your outreach, we will direct them to you; security, breach-notification, and impact-assessment obligations; and honoring opt-outs and do-not-contact records maintained in the Service.
9. Personal data breach
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably required for your notification obligations as it becomes available, and take reasonable steps to contain and remediate the breach.
10. Deletion and return
Upon termination of the Terms, we will make Customer Data available for export for 30 days, then delete it within a reasonable period, except where retention is required by law or for legal holds (in which case the data remains protected under this DPA and is deleted when the requirement ends).
11. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA (e.g., security documentation and summaries of assessments) and, where required by Data Protection Laws and subject to confidentiality, allow for and contribute to audits no more than once per year, at your expense, with reasonable advance notice and without disrupting the Service.
12. International transfers
Where Customer Data protected by EU/UK Data Protection Laws is transferred to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Module 2, controller-to-processor) and, for the UK, the UK International Data Transfer Addendum, with DialEcho as data importer and you as data exporter; details of processing are as set out in Section 3.
13. CCPA / U.S. state privacy terms
DialEcho acts as your service provider / processor. We will not: sell or share Customer Data; retain, use, or disclose it for any purpose other than providing the Service (including not retaining, using, or disclosing it outside the direct business relationship with you); or combine it with Personal Data from other sources except as permitted for service providers. We certify that we understand and will comply with these restrictions, will notify you if we can no longer meet our obligations, and grant you the right to take reasonable steps to stop and remediate unauthorized use of Personal Data.
14. Liability and precedence
Each party's liability under this DPA is subject to the limitations of liability in the Terms. This DPA replaces any prior data-processing terms between the parties for the Service.
15. Contact
DialEcho LLC - info@dialecho.ai