Last updated: 1 May 2026
Data Processing Agreement
This document is governed by Dutch law. An authoritative Dutch version is available on request.
This Data Processing Agreement (“DPA”) forms part of the contract between B-WYSE BV (“Processor”) and the Customer (“Controller”) and satisfies the requirements of Article 28 of Regulation (EU) 2016/679 (GDPR). It applies to all personal data processed by VibeVoice on behalf of the Customer.
1. Definitions
Terms used in this DPA have the meanings given in Article 4 of the GDPR. In addition:
- “Controller” means the Customer that determines the purposes and means of processing personal data using the VibeVoice Service
- “Processor” means B-WYSE BV, operating the VibeVoice platform
- “Sub-processor” means any third party engaged by the Processor to process personal data on behalf of the Controller
- “Personal Data” means any personal data processed by the Processor on behalf of the Controller in connection with the Service
- “Service” means the VibeVoice AI voice receptionist platform described in the Subscription Agreement
2. Subject Matter
The Processor agrees to process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law; in which case the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information.
Nature of processing: collection, storage, transmission, analysis, and deletion of call recordings, transcripts, and associated metadata.
Purpose: provision of the VibeVoice AI voice receptionist service as contracted.
Categories of data subjects: callers (individuals who telephone the Controller’s business number); Controller’s employees to the extent their data appears in call logs.
Types of personal data: voice recordings, speech transcripts, caller telephone numbers (where provided by carrier), call metadata (timestamp, duration, intent classification, outcome).
Duration: for the term of the Subscription Agreement and as required for deletion.
3. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure that personnel authorised to process data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see section 5)
- Assist the Controller in fulfilling its obligations to respond to data subject requests (see section 6)
- Assist the Controller with data breach notification obligations under Articles 33–34 GDPR
- Assist the Controller with data protection impact assessments (DPIAs) where required
- Delete or return all personal data at the end of the service relationship (see section 7)
- Provide all information necessary to demonstrate compliance with Article 28 GDPR
- Notify the Controller without undue delay (and within 72 hours) of becoming aware of a personal data breach
4. Sub-processors
The Controller grants the Processor general authorisation to engage sub-processors. The Processor shall maintain an up-to-date list of sub-processors (available at our Privacy Policy) and shall inform the Controller of any intended changes to that list with at least 14 days’ advance notice. The Controller may object to a new sub-processor within that period on reasonable grounds related to data protection.
Where the Processor engages sub-processors, it shall impose data protection obligations equivalent to those in this DPA by contract. The Processor remains liable to the Controller for the performance of sub-processors’ obligations.
5. Security Measures
The Processor has implemented the following technical and organisational measures in accordance with Article 32 GDPR:
- Encryption in transit: TLS 1.3 for all data transmission
- Encryption at rest: AES-256 for all stored data
- Access controls: role-based access; principle of least privilege; MFA required for all internal systems
- Network security: firewalls, intrusion detection, regular vulnerability scanning
- Incident response: documented incident response plan; designated security contact
- Physical security: data hosted in ISO 27001-certified data centres (via Supabase/Vercel)
- Audit logging: all access to production data is logged and retained for 90 days
- Pseudonymisation: call metadata is pseudonymised where technically feasible
6. Data Subject Rights
Where data subjects exercise rights under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection) with respect to data processed by VibeVoice on the Controller’s behalf, the Controller is the primary point of contact. The Processor shall:
- Forward any data subject requests received directly to the Controller within 5 business days
- Provide reasonable technical assistance to enable the Controller to respond to requests
- Execute verifiable data deletion or export requests within 30 days of instruction from the Controller
7. Return & Deletion of Data
Upon termination or expiry of the Subscription Agreement, the Processor shall, at the Controller’s choice:
- Delete all personal data within 30 days of termination, and provide written confirmation; or
- Return a machine-readable export of the data to the Controller within 30 days
The Processor may retain personal data beyond 30 days only to the extent required by Union or Member State law, in which case the Processor shall notify the Controller and limit processing to the legally required purpose only.
8. Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and shall allow for and contribute to audits and inspections, including:
- Annual provision of a summary compliance report or relevant third-party audit reports (SOC 2, ISO 27001 where applicable)
- On-request audits with a minimum of 30 days’ written notice, conducted at the Controller’s expense
- Questionnaire-based assessments as an alternative to on-site audits, at the Processor’s discretion
To request a signed DPA or our compliance documentation, email privacy@vibevoice.nl.