Data Processing Agreement
Effective Date: March 3, 2026
This Data Processing Agreement ("DPA") is entered into between the business entity subscribing to Calltide ("Controller," "Client," or "you") and Calltide LLC ("Processor," "Calltide," "we," or "us"). This DPA forms part of and supplements the Terms of Service.
This DPA reflects the parties' commitment to abide by applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable privacy regulations.
1. Definitions
• "Personal Data" means any information relating to an identified or identifiable natural person, as defined by applicable data protection law.
• "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
• "Data Subject" means the identified or identifiable person to whom Personal Data relates.
• "Sub-Processor" means any third party engaged by Calltide to process Personal Data on behalf of the Controller.
• "Security Incident" means any unauthorized access, disclosure, alteration, or destruction of Personal Data.
2. Scope and Roles
2.1 Controller and Processor
The Client acts as the Controller of the Personal Data of its customers (callers). Calltide acts as the Processor, processing Personal Data on behalf of the Controller solely to provide the Calltide platform.
2.2 Processing Details
| Element | Description |
|---|---|
| Subject Matter | Provision of AI-powered virtual receptionist services |
| Duration | For the term of the Client's subscription, plus any applicable retention periods |
| Nature of Processing | Automated voice call handling, speech-to-text transcription, AI-powered call summarization, appointment booking, SMS notifications, CRM record creation |
| Purpose | Answering inbound phone calls, booking appointments, sending notifications, generating call analytics, and related services as described in the Terms of Service |
| Categories of Personal Data | Phone numbers, caller names, voice recordings, call transcripts, appointment details, service requests, SMS content, email addresses |
| Categories of Data Subjects | Callers to the Client's business phone number, Client employees and representatives |
3. Processor Obligations
Calltide shall:
3.1 Lawful Processing
Process Personal Data only on documented instructions from the Controller (as set forth in this DPA and the Terms of Service), unless required to do so by applicable law. In such case, Calltide shall inform the Controller of that legal requirement before processing, unless prohibited by law.
3.2 Confidentiality
Ensure that all personnel authorized to process Personal Data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
3.3 Security Measures
Implement and maintain appropriate technical and organizational security measures, including:
• Encryption of Personal Data in transit (TLS 1.2+) and at rest
• Passwordless authentication (magic links) for Client access
• Role-based access controls with separation between Client and admin functions
• Rate limiting on all API endpoints (200 requests per 60 seconds on dashboard routes)
• Input validation and sanitization on all user inputs, including prompt injection protection
• Automated error monitoring and alerting
• Regular security audits and vulnerability assessments
• Voicemail fallback system for business continuity
3.4 Sub-Processors
Calltide uses the Sub-Processors listed at /legal/sub-processors. Calltide shall:
• Impose data protection obligations on each Sub-Processor that are no less protective than those in this DPA.
• Remain fully liable for the acts and omissions of its Sub-Processors.
• Notify the Controller at least 30 days before adding or replacing a Sub-Processor, providing the Controller with an opportunity to object. If the Controller objects on reasonable grounds, the parties will work in good faith to resolve the concern. If no resolution is reached, the Controller may terminate the affected service.
3.5 Data Subject Rights
Calltide shall assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, or objection) by:
• Providing a DSAR (Data Subject Access Request) handling system accessible through the admin dashboard.
• Responding to the Controller's data subject fulfillment requests within 10 business days.
• Supporting atomic batch deletion across all database tables when processing erasure requests.
3.6 Security Incident Notification
In the event of a Security Incident involving Personal Data, Calltide shall:
• Notify the Controller without undue delay and no later than 48 hours after becoming aware of the incident.
• Provide sufficient information to enable the Controller to meet its breach notification obligations (within 72 hours under GDPR).
• Cooperate with the Controller's investigation and remediation efforts.
• Document the incident, including its effects and the corrective actions taken.
Notification shall include: (a) the nature of the incident; (b) the categories and approximate number of Data Subjects affected; (c) the likely consequences; and (d) the measures taken or proposed to address the incident.
3.7 Data Protection Impact Assessments
Calltide shall provide reasonable assistance to the Controller in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under applicable law.
3.8 Audit Rights
Upon the Controller's written request (no more than once per 12-month period), Calltide shall make available information necessary to demonstrate compliance with this DPA. This may be satisfied through:
• Provision of a current SOC 2 Type II report or equivalent third-party audit report, if available.
• Written responses to the Controller's reasonable audit questionnaire.
• In the absence of the above, a remote or on-site audit conducted by the Controller or a mutually agreed-upon third-party auditor, at the Controller's expense, with at least 30 days' written notice.
4. Data Retention and Deletion
4.1 Retention Periods
Calltide retains Personal Data according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Call recordings and transcripts | 12 months from call date |
| Call metadata | 24 months from call date |
| SMS content | 6 months from message date |
| Consent records | 7 years |
| Account data | Duration of subscription + 30 days |
4.2 Deletion on Termination
Upon termination of the Client's subscription:
• Calltide will retain Client Data for 30 days to allow for data export.
• After the 30-day period, Calltide will permanently delete all Client Personal Data from active systems within 30 days.
• Backup copies will be deleted within 90 days of termination.
• Calltide may retain anonymized, aggregated data that does not identify individuals.
• Data subject to legal retention requirements (e.g., consent records, billing records) will be retained for the required period and then deleted.
4.3 Return of Data
Upon written request prior to deletion, Calltide will provide the Controller with a copy of its Personal Data in a structured, commonly used, machine-readable format (JSON or CSV).
5. International Data Transfers
5.1 Processing Locations
All Personal Data is processed and stored within the United States. Calltide's Sub-Processors are all U.S.-based entities.
5.2 Transfer Mechanisms
For transfers of Personal Data from the EU/EEA to the United States, Calltide relies on the EU-U.S. Data Privacy Framework where applicable, and Standard Contractual Clauses (SCCs) — Module Two (Controller to Processor) — as adopted by the European Commission in June 2021.
5.3 Supplementary Measures
Calltide implements the following supplementary technical measures to protect transferred data:
• End-to-end encryption for data in transit
• Encryption at rest for all stored data
• Access controls limiting data access to authorized personnel
• Prompt deletion of data in accordance with retention schedules
6. CCPA/CPRA Specific Provisions
For purposes of the CCPA/CPRA:
• Calltide is a Service Provider as defined under the CCPA.
• Calltide shall not sell or share Personal Information received from the Controller.
• Calltide shall not retain, use, or disclose Personal Information for any purpose other than providing the Service, or as otherwise permitted by the CCPA.
• Calltide shall not combine Personal Information received from the Controller with Personal Information received from or on behalf of another person, except as permitted by the CCPA.
7. Liability
Each party's liability under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.
8. Term
This DPA shall remain in effect for the duration of the Controller's subscription to Calltide. Provisions relating to data deletion, confidentiality, and audit rights shall survive termination.
9. Contact
For questions about this DPA or data processing:
Calltide LLC
Data Protection inquiries: privacy@calltide.app
General: support@calltide.app
Phone: (830) 521-7133