Data Processing Agreement
Last updated: April 3, 2026
1. Parties
Data Controller: You ("Customer") — the AI deployer, agency, or platform using Audact services.
Data Processor: Audact Ltd ("Audact") — processing interaction metadata on your behalf.
2. Scope of Processing
Data categories: Call metadata (timestamps, jurisdiction identifiers, policy decisions, validation results, evidence hashes, consent records).
Not retained: Conversation content and audio recordings. Audio and transcribed text transit the telephony, speech and LLM sub-processors listed in Section 3 with no retention configured and are not stored by Audact. Audact processes no PII beyond what is necessary for compliance validation; all PII is encrypted with per-subject keys and subject to crypto-shredding on an erasure request.
Purpose: Compliance validation, evidence generation, and audit trail maintenance as instructed by the Customer.
3. Sub-processors
This list covers all third parties that process personal data on behalf of Audact or its Customers, and is maintained as required under GDPR Article 28.
| Sub-processor | Purpose | Data processed | Location |
|---|---|---|---|
| AWS (Frankfurt) | Infrastructure hosting | All platform data | EU (Frankfurt) |
| Cloudflare | CDN, DNS, DDoS protection | Request metadata | EU + global edge |
| Telnyx | SIP telephony | Call audio in transit, telephony metadata | EU PoPs — SCCs |
| LiveKit Cloud | WebRTC transport, turn detection | Audio in transit (no retention) | EU region |
| Deepgram (Nova-3) | Speech-to-text (default) | Audio in transit (no retention configured) | US (EU endpoint) — SCCs |
| ElevenLabs (Flash) | Text-to-speech (default) | LLM-generated text | US/EU — SCCs |
| OpenAI / Anthropic | LLM inference (GPT-4o-mini default, Claude Sonnet premium) | Conversational text (no retention configured) | US (EU endpoint where available) — SCCs |
| Google Workspace | Email, docs | Business communications | US/EU — SCCs |
| Slack | Internal communications | Internal messages | US — SCCs |
| Notion | Wiki / project management | Internal operational data | US — SCCs |
| 1Password | Credential management | Encrypted credentials | Canada/EU |
| Stripe (when live) | Payment processing | Billing data | US/IE — SCCs |
US-based sub-processors operate under Standard Contractual Clauses (SCCs) as the transfer mechanism in accordance with GDPR Chapter V.
We will notify you at least 30 days before adding or replacing a sub-processor; you may object within 14 days of that notice.
Sub-processor list last updated: April 12, 2026
4. Data Residency
All Customer compliance data (interaction metadata, evidence chains, audit logs) is stored and processed exclusively within the European Economic Area (EEA) on AWS eu-central-1 (Frankfurt).
Certain sub-processors listed above are US-based. They process either data in transit (call audio, transcripts and conversational text, with no retention configured) or internal operational data, under Standard Contractual Clauses (SCCs). No Customer compliance data leaves the EEA.
5. Security Measures (GDPR Art. 32)
- Encryption at rest (AES-256) and in transit (TLS 1.3)
- Per-subject encryption keys for PII (crypto-shredding capability)
- SHA-256 hash chains for evidence integrity
- Role-based access control (RBAC)
- SOC 2 Type II audit planned for 2027
- Regular penetration testing and vulnerability scanning
6. Data Subject Rights
Audact assists the Customer in fulfilling data subject requests (access, rectification, erasure, portability) within 72 hours of notification. Erasure is implemented via crypto-shredding: the per-subject encryption key is destroyed, rendering personal data permanently unreadable while preserving evidence chain integrity.
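The per-subject keys and SHA-256 hash chains listed in Section 5 and the crypto-shredding erasure described in this section fit together as follows. This is an added illustration, not Audact's code; the record layout, the `EvidenceLedger` class and the sample records are assumptions. It assumes the hash chain commits to the PII ciphertext rather than the plaintext, which is what lets a shredded record remain verifiable. So that it runs on the Python standard library alone, it uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag in place of AES-256; a production system would use AES-256-GCM from a vetted library.

```python
"""Per-subject encryption, a SHA-256 evidence hash chain, and crypto-shredding.
Added illustration, not Audact's implementation: record layout and the EvidenceLedger
API are assumptions. The cipher is an HMAC-SHA256 counter-mode keystream with an
encrypt-then-MAC tag so this runs on the standard library; use AES-256-GCM in production."""
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # prev_hash of the first record in the chain

def _canon(obj) -> bytes:
    """Canonical JSON so hashes do not depend on key order or whitespace."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one per-subject key."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> dict:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}

def decrypt(key: bytes, blob: dict) -> bytes:
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = (bytes.fromhex(blob[f]) for f in ("nonce", "ct", "tag"))
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class EvidenceLedger:
    """Append-only evidence records; PII is stored only as per-subject ciphertext."""
    def __init__(self):
        self.records = []       # the hash chain, which an auditor can verify
        self.subject_keys = {}  # per-subject keys (a KMS or HSM in production)

    def append(self, subject_id: str, meta: dict, pii: dict) -> str:
        key = self.subject_keys.setdefault(subject_id, secrets.token_bytes(32))
        body = {
            "subject_id": subject_id,  # should itself be a pseudonymous token, not raw PII
            "meta": meta,              # non-PII metadata: timestamp, jurisdiction, decision
            "pii": encrypt(key, _canon(pii)),
            "prev_hash": self.records[-1]["hash"] if self.records else GENESIS,
        }
        # The link commits to the ciphertext, so destroying the key later cannot break it.
        body["hash"] = hashlib.sha256(_canon(body)).hexdigest()
        self.records.append(body)
        return body["hash"]

    def shred(self, subject_id: str) -> bool:
        """Erasure: destroy the subject's key; all of their records become unreadable."""
        return self.subject_keys.pop(subject_id, None) is not None

    def read_pii(self, index: int):
        rec = self.records[index]
        key = self.subject_keys.get(rec["subject_id"])
        return None if key is None else json.loads(decrypt(key, rec["pii"]))

    def verify_chain(self) -> bool:
        """Recompute every link; needs no key material, so it still works after shredding."""
        prev = GENESIS
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev_hash"] != prev or hashlib.sha256(_canon(body)).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def demo() -> dict:
    """Append, shred and tamper on constructed sample records (not real call data)."""
    ledger = EvidenceLedger()
    ledger.append("subj-a", {"ts": "2026-04-03T10:00:00Z", "jurisdiction": "DE", "decision": "allow"},
                  {"phone": "+49 30 000000", "consent": "verbal, recorded"})
    ledger.append("subj-b", {"ts": "2026-04-03T10:05:00Z", "jurisdiction": "FR", "decision": "deny"},
                  {"phone": "+33 1 000000", "consent": "none"})
    ledger.append("subj-a", {"ts": "2026-04-03T11:00:00Z", "jurisdiction": "DE", "decision": "allow"},
                  {"phone": "+49 30 000000", "consent": "verbal, recorded"})
    result = {"pii_before": ledger.read_pii(0), "chain_ok_before": ledger.verify_chain()}

    ledger.shred("subj-a")  # erasure request from subject A
    result["pii_after_shred"] = ledger.read_pii(0)  # None: the key is gone
    result["other_subject_readable"] = ledger.read_pii(1) is not None
    result["chain_ok_after_shred"] = ledger.verify_chain()  # True: ciphertext is unchanged

    ledger.records[1]["meta"]["decision"] = "allow"  # silent edit of a stored policy decision
    result["tamper_detected"] = not ledger.verify_chain()
    return result

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two properties matter for a DPA reviewer: `verify_chain()` never touches key material, so an auditor can confirm the evidence trail is intact after an erasure, and `read_pii()` returns nothing for a shredded subject while other subjects' records stay readable. In a real deployment the per-subject keys would live in a KMS or HSM whose key-destruction operation is itself logged, since that log is the evidence that erasure happened.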
7. Breach Notification
Audact will notify the Customer of any personal data breach within 36 hours of becoming aware of it, so that the Customer can meet its own 72-hour notification obligation under GDPR Article 33. Notification includes: nature of the breach, categories of data affected, approximate number of records, likely consequences, and measures taken.
8. Term & Termination
This DPA is effective for the duration of the service agreement. Upon termination, Audact will delete or return all Customer data within 30 days, except where retention is required by law (EU AI Act evidence requirements).
9. Contact
DPA inquiries: dpo@audact.ai