Data Processing Agreement

• "Applicable Data Protection Law" means the Digital Personal Data Protection Act, 2023 (India) and, where applicable, the EU GDPR / UK GDPR and other applicable privacy laws.
• "Personal Data" means any data relating to an identified or identifiable natural person processed through the Services.
• "Processing" means collection, storage, use, transmission, disclosure, access, or deletion of Personal Data.
• "Services" means AI voice automation, call handling, recording, transcription, analytics, and related services provided by Processor.
• "Data Fiduciary / Controller" means the entity that determines the purposes and means of Processing.
• "Processor" means the entity that Processes Personal Data on behalf of the Data Fiduciary / Controller.

• 2.1 Customer acts as Data Fiduciary / Controller and determines the purposes and means of Processing.
• 2.2 Processor acts as Data Processor and Processes Personal Data solely on Customer's documented instructions, as necessary to provide the Services, and in accordance with this DPA and Applicable Data Protection Law.
• 2.3 The Agreement and Customer's use of the Services (including configuration of features) constitute Customer's documented instructions to Processor.

Processing is described in Schedule A – Description of Processing. This includes categories of Personal Data, nature of Processing operations, purposes of Processing, and duration of Processing.

• Default hosting is India (AWS Mumbai region). Customer accounts may be provisioned in alternate supported regions upon request.
• Data residency is configured at the regional database cluster level, not per individual physical tenant.
• Primary storage remains aligned to the selected region.
• Backup and disaster recovery may span multiple regions but subject to data residency agreements.

• 5.1 Primary Storage: Primary stored data remains aligned with the selected hosting region (India by default).
• 5.2 AI Inference & Controlled Cross-Border Processing: Customer acknowledges that certain features (including real-time AI inference and voice/language processing) may involve controlled, transient processing of transcripts or request-response data outside India, depending on provider configuration.
• 5.3 Safeguards: Where Applicable Data Protection Law requires safeguards for cross-border transfers, Processor will implement appropriate measures (such as contractual safeguards with vendors and, where applicable, Standard Contractual Clauses).
• 5.4 GDPR Readiness (Optional): Where GDPR applies, additional information may be provided in the GDPR Addendum at https://www.huskyvoice.ai/gdpr

• 6.1 Customer is responsible for responding to Data Subject requests, including access, correction, deletion, restriction, and portability (where applicable).
• 6.2 Processor will provide reasonable assistance to Customer by making available relevant data and supporting deletion/export requests where technically feasible.
• 6.3 Processor will make reasonable efforts to assist within a commercially reasonable timeframe, typically within 30 days of Customer's request, subject to request complexity and verification.
• 6.4 Processor may charge reasonable costs for requests that are extraordinary or require significant engineering effort, where permitted by law.

• 7.1 Processor implements appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, disclosure, alteration, and destruction.
• 7.2 Security measures include: Encryption at rest (e.g., AES-256); Encryption in transit (TLS 1.2+); Access controls (RBAC), least privilege; Administrative authentication safeguards (e.g., MFA for privileged access); Logging and monitoring for security events; Vulnerability management and periodic security testing.
• 7.3 Further details are described in Schedule B – Security Controls and in the Security page at https://www.huskyvoice.ai/security

• 9.1 Processor will provide reasonable information and documentation to demonstrate compliance with this DPA upon request (e.g., security summaries, policies).
• 9.2 Customer may request a documentation-based audit no more than once per year (unless legally required), subject to reasonable notice and confidentiality.
• 9.3 On-site audits require mutual written agreement and may be subject to reasonable limitations to protect security and other customers.

• 10.1 Processor will notify Customer without undue delay upon confirming a Personal Data breach affecting Customer Data.
• 10.2 Notification will include, to the extent available: Nature of the incident; Categories of data affected; Known/estimated impact window; Mitigation steps taken; Recommended customer actions (if any)
• 10.3 Processor will provide reasonable cooperation to enable Customer to meet any applicable notification obligations.

• 11.1 Upon termination of Services, Customer may request export of Customer Data prior to deletion where functionality permits.
• 11.2 Processor will delete Customer Data from primary systems within sixty (60) days following termination, unless retention is required by law or legal hold.
• 11.3 Backups are purged within ninety (90) days on a rolling deletion cycle.
• 11.4 Processor may provide written confirmation of deletion upon reasonable request.

This DPA remains in effect for the duration of the Agreement and continues after termination to the extent necessary to comply with Applicable Data Protection Law. The obligations regarding confidentiality, breach notification, and deletion survive termination as applicable.

Processor may update this DPA to reflect changes in Applicable Data Protection Law or service architecture. Material changes will be communicated to Customer with reasonable notice. If an amendment materially increases risk to Customer Data, Customer may terminate the affected Services as its sole remedy.

• Subject matter and duration: Processing of Personal Data in connection with voice communication, call handling, recordings, transcription, and analytics for the duration of the Agreement.
• Nature and purpose of Processing: Collection, storage, analysis, and reporting related to customer phone calls, call recordings (if enabled), transcriptions (if enabled), and metadata.
• Types of Personal Data: Phone numbers; caller/callee identifiers; call recordings; transcripts; timestamps; call duration; call disposition; routing metadata; workflow outcomes; and Customer-provided contact data.
• Categories of Data Subjects: Callers, call recipients, Customer employees/agents, and other individuals whose data is processed through the Services.
• Intended result: Call handling automation, operational analytics, and configured workflow outcomes.

• Infrastructure: Hosted in enterprise-grade cloud infrastructure (India by default; other regions by provisioning).
• Encryption: AES-256 (or equivalent) at rest; TLS 1.2+ in transit.
• Access Controls: Role-based access control, least privilege, administrative safeguards (e.g., MFA for privileged access), and access logging.
• Monitoring & Response: Security monitoring, alerting, incident response procedures, and auditability.
• Testing: Vulnerability management and periodic security testing (e.g., vulnerability scans and penetration testing as appropriate).
• Backups: Encrypted backups with rolling retention; purge within 90 days post-termination per Section 11.

• DPA / Legal: dpa@huskyvoice.ai
• Privacy: privacy@huskyvoice.ai
• Support: support@huskyvoice.ai