Data Processing Agreement

Last updated: March 15, 2026

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between VoiceTick ("Processor") and the customer ("Controller") and governs the processing of personal data in connection with the VoiceTick voice-to-ticket platform.

This DPA applies to the extent that VoiceTick processes personal data on behalf of the Controller in the course of providing the Service, and such processing is subject to applicable data protection laws including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant regulations.

2. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by VoiceTick in connection with the Service.

"Processing" means any operation performed on personal data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

"Sub-processor" means any third party engaged by VoiceTick to process personal data on behalf of the Controller.

"Data Subject" means the identified or identifiable natural person to whom the personal data relates.

3. Data Processing Details

Nature and Purpose: VoiceTick processes personal data for the purpose of providing the voice-to-ticket Service, including voice recording, transcription, AI-powered task structuring, and submission to third-party platforms.

Types of Personal Data: Voice recordings, transcription text, user account information (name, email), OAuth tokens for third-party integrations, usage logs, and structured task data.

Categories of Data Subjects: Users of the Service and any individuals whose personal data may be contained within voice recordings or generated tasks.

Duration: Personal data is processed for the duration of the Service agreement and retained in accordance with our data retention policies.

4. Obligations of the Processor

VoiceTick, as the Processor, shall:

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process personal data have committed to confidentiality
  • Implement appropriate technical and organizational security measures
  • Not engage sub-processors without prior authorization from the Controller
  • Assist the Controller in fulfilling data subject rights requests
  • Assist the Controller in ensuring compliance with data protection impact assessments
  • Delete or return all personal data upon termination of the Service
  • Make available all information necessary to demonstrate compliance

5. Sub-processors

The Controller authorizes VoiceTick to engage the following sub-processors:

Sub-processor     Purpose                     Location
Deepgram          Voice transcription         United States
Google (Gemini)   AI task structuring         United States
Supabase          Database & authentication   United States
LemonSqueezy      Payment processing          United States

VoiceTick will notify the Controller of any intended changes to sub-processors at least 30 days in advance. The Controller may object to such changes within 14 days of notification.

6. Security Measures

VoiceTick implements the following technical and organizational measures to ensure the security of personal data:

  • Encryption of data in transit using TLS 1.3
  • Encryption of data at rest using AES-256
  • OAuth 2.0 for third-party platform integrations
  • Regular security audits and penetration testing
  • Access controls and role-based permissions
  • Automated backup and disaster recovery procedures
  • Incident response and breach notification procedures
  • Employee security training and confidentiality agreements

7. Data Breach Notification

In the event of a personal data breach, VoiceTick will notify the Controller without undue delay and in any event no later than 72 hours after becoming aware of the breach. The notification will include:

  • The nature of the personal data breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach

8. International Data Transfers

Where personal data is transferred outside the European Economic Area (EEA), VoiceTick ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Supplementary technical measures as needed

9. Data Subject Rights

VoiceTick will assist the Controller in responding to data subject requests, including requests for access, rectification, erasure, restriction of processing, data portability, and objection to processing.

VoiceTick will respond to such assistance requests within 5 business days. Any costs associated with providing such assistance beyond standard support will be agreed upon in advance.

10. Audit Rights

The Controller has the right to audit VoiceTick's compliance with this DPA. VoiceTick will make available all information necessary to demonstrate compliance and allow for audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.

Audits will be conducted with reasonable notice (at least 30 days) and during normal business hours. The Controller shall bear the costs of any audit unless the audit reveals material non-compliance by VoiceTick.

11. Term and Termination

This DPA shall remain in effect for the duration of VoiceTick's processing of personal data on behalf of the Controller. Upon termination or expiration of the Service agreement, VoiceTick shall, at the Controller's choice, delete or return all personal data within 30 days, unless retention is required by applicable law.

12. Contact

For questions or concerns about this DPA or our data processing practices, contact our Data Protection Officer at dpo@voicetick.app.