Data Processing Addendum

This Data Processing Addendum (“DPA”) forms part of the VoiceCraft Terms of Service (“Agreement”) between VoiceCraft and the customer (“Customer”) and applies where VoiceCraft processes Personal Data on behalf of the Customer.

This DPA is intended to satisfy the requirements of Article 28 of the General Data Protection Regulation (GDPR) and its UK equivalent (UK GDPR), and the service provider contractual requirements under the California Consumer Privacy Act (CCPA) and its amendments.

By continuing to use the VoiceCraft platform after the effective date of this DPA, the Customer agrees to its terms. If the Customer does not agree, the Customer must discontinue use of the platform.

Capitalized terms used in this DPA have the meanings set out below. Terms not defined here carry the meanings given in the Agreement or in applicable Data Protection Laws.

• Personal Data means any information relating to an identified or identifiable natural person that VoiceCraft processes on behalf of the Customer in connection with the Agreement.
• Data Controller means the Customer, who determines the purposes and means of processing Personal Data.
• Data Processor means VoiceCraft, who processes Personal Data on behalf of the Customer.
• Sub-Processormeans any third-party processor engaged by VoiceCraft to process Personal Data on the Customer's behalf.
• Data Subjectmeans the natural person to whom Personal Data relates, including the Customer's callers, patients, and end-users.
• Processing means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, erasure, or destruction.
• Data Protection Laws means all applicable data protection and privacy laws, including the GDPR, UK GDPR, CCPA, and any supplementary national or state legislation.
• Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by VoiceCraft.

The Customer is the Data Controller for Personal Data collected through the Customer's use of the VoiceCraft platform, including caller phone numbers, names, transcripts, appointment data, and form responses.

VoiceCraft is the Data Processor for Customer Data and processes it solely on the Customer's documented instructions as set out in this DPA and the Agreement.

VoiceCraft acts as an independent Data Controller only for:

• Billing and payment data processed by Stripe under Stripe's own terms and privacy policy.
• Operational and platform telemetry data used internally to operate, secure, and improve the VoiceCraft service, where such data is not attributable to an identified individual.

Each party is independently responsible for compliance with the Data Protection Laws applicable to its own role.

Subject matter

The provision of the VoiceCraft voice AI platform to the Customer.

Duration

The term of the Customer's subscription, plus any retention period specified in Section 13.

Nature and purpose

Operating AI voice agents for inbound and outbound calls, sending SMS and WhatsApp messages, scheduling appointments, syncing with calendar and CRM integrations, and processing voice-commerce orders, all on the Customer's behalf and according to the Customer's agent configuration.

Categories of Personal Data

• Caller phone numbers and names
• Call transcripts and voice recordings
• Appointment dates, times, and associated metadata
• Form responses submitted by end-users
• Order data for voice-commerce interactions
• OAuth tokens for calendar and CRM integrations (encrypted at rest)

Categories of Data Subjects

The Customer's end-users, including callers, patients, clients, and customers who interact with the Customer's VoiceCraft-powered voice agents.

VoiceCraft processes Personal Data only on documented instructions from the Customer. The Customer's instructions include:

• The configuration of the Customer's voice agents, messaging settings, and integration preferences within the VoiceCraft platform.
• The Customer's use of platform features, including agent deployment, form configuration, and catalog management.
• Any additional written instructions provided via support channels.

VoiceCraft may also process Personal Data where required by applicable law. In such cases, VoiceCraft will inform the Customer before processing unless prohibited by law.

If VoiceCraft determines that an instruction violates Data Protection Laws, VoiceCraft will promptly notify the Customer.

VoiceCraft ensures that all personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether by contract or by professional duty.

Access to Customer Personal Data is restricted to personnel who require access for the purposes of performing the Agreement. Access is role-gated within the VoiceCraft platform. All platform staff actions involving Customer Data, including administrative access and impersonation, are recorded in the audit log with the actor identity, action type, and timestamp.

VoiceCraft implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, loss, destruction, or alteration. The full description of these measures is published at voicescraft.app/security.

Key measures include:

• TLS 1.2 or higher for all data in transit between clients, servers, and APIs.
• AES-256-GCM encryption at rest for OAuth tokens and integration credentials.
• bcrypt password hashing with cost factor 12.
• WebAuthn passkey step-up for VoiceCraft platform staff actions.
• Comprehensive audit logging for authentication events and sensitive data operations.
• Multi-tenant isolation enforced at the API layer via organization-scoped session guards.
• Webhook signature verification for all inbound webhook endpoints.

The Customer authorizes VoiceCraft to engage Sub-Processors to assist in providing the VoiceCraft platform. The current list of Sub-Processors is published at voicescraft.app/subprocessors.

VoiceCraft will provide at least 30 days advance notice of any intended addition or replacement of Sub-Processors via email to the OWNER contact on the Customer's organization. The Customer may object to a new Sub-Processor within that 30-day window by contacting privacy@voicescraft.app.

If VoiceCraft cannot accommodate the objection and the Customer does not wish to continue using the affected service feature, the Customer may terminate the affected portion of the subscription with a pro-rata refund for the unused prepaid period.

VoiceCraft imposes data protection obligations on Sub-Processors that are equivalent to those in this DPA and remains liable for the acts and omissions of its Sub-Processors to the extent VoiceCraft would be liable if performing the processing itself.

VoiceCraft will provide reasonable technical and organizational assistance to the Customer to enable the Customer to respond to Data Subject requests to exercise rights under applicable Data Protection Laws, including rights of access, erasure, correction, portability, restriction, and objection.

The Customer is responsible for responding to Data Subjects directly. VoiceCraft will not respond to a Data Subject request without the Customer's prior authorization, except as required by applicable law.

Data Subject requests should be directed by the Customer to privacy@voicescraft.app with the organization ID and the nature of the request.

In the event of a Personal Data Breach affecting Customer Data, VoiceCraft will notify the Customer without undue delay and in any event within 48 hours of becoming aware of the breach. We commit to this 48-hour window, which is faster than the GDPR Article 33 controller-to-supervisory-authority requirement, to give Customer adequate time to meet its own regulatory obligations.

Notification will be sent via email to the OWNER and ADMIN contacts on the Customer's organization and will include, to the extent available at the time of notification:

• A description of the nature of the breach.
• The categories and approximate number of Data Subjects and records affected.
• The likely consequences of the breach.
• The measures taken or proposed to address the breach and mitigate its effects.

VoiceCraft will cooperate with the Customer and provide further information as it becomes available. The Customer is responsible for notifying supervisory authorities and affected Data Subjects as required by applicable Data Protection Laws.

VoiceCraft processes Personal Data in the United States. For transfers of EU/UK Personal Data to the United States or other countries not recognized as providing an adequate level of data protection, the parties incorporate the EU Standard Contractual Clauses (Module Two: Controller-to-Processor), as adopted by the European Commission on June 4, 2021, by reference into this DPA.

The UK Addendum to the EU Standard Contractual Clauses applies where the transfer involves UK Personal Data. The Customer is the data exporter and VoiceCraft is the data importer.

VoiceCraft will only transfer Personal Data to Sub-Processors that have agreed to appropriate transfer mechanisms under applicable Data Protection Laws.

VoiceCraft will respond to reasonable written inquiries from the Customer regarding VoiceCraft's compliance with this DPA. VoiceCraft will provide relevant information and documentation to the extent practicable and consistent with confidentiality obligations to other customers.

Where available, the Customer may request VoiceCraft's then-current SOC report or equivalent security attestation once per twelve-month period. VoiceCraft is not currently SOC 2 certified but commits to providing a written security overview in lieu of a formal report.

Customer audits are limited to once per 12-month period. On-site audits are permitted only where required by applicable Data Protection Laws or by a regulatory authority. Any on-site audit requires at least 30 days written notice, written agreement on scope, and reimbursement of VoiceCraft's reasonable costs. Audits may not unreasonably interfere with VoiceCraft's business operations.

Upon termination or expiration of the Customer's subscription, VoiceCraft will retain Customer Data for 30 days to allow the Customer to export or retrieve data through the platform dashboard. After this retention period, Customer Data will be permanently and irreversibly deleted from VoiceCraft's systems, including from Cloudflare R2 storage buckets used for call recordings and knowledge documents.

The Customer may request deletion of Customer Data before the end of the 30-day retention period by contacting privacy@voicescraft.app. VoiceCraft will action the request within 10 business days.

Certain data may be retained beyond 30 days where retention is required by applicable law, in which case VoiceCraft will notify the Customer and retain only the minimum data necessary for the required period.

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Agreement, except that neither party excludes liability for breaches of data protection obligations to the extent such exclusion is not permitted by applicable Data Protection Laws.

This DPA does not limit either party's liability for any matter for which liability cannot be excluded or limited under applicable Data Protection Laws, including a data subject's statutory rights against either party.

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA will prevail to the extent of the conflict with respect to the processing of Personal Data.

For questions about this DPA, data processing practices, or to submit Data Subject requests, contact VoiceCraft at:

• General privacy inquiries: privacy@voicescraft.app
• Data Protection contact: dpo@voicescraft.app

For information about how VoiceCraft handles personal data more broadly, see our Privacy Policy.

This Annex describes VoiceCraft's commitments regarding AI and machine-learning processing of Customer Content.

1. No training on Customer Content

VoiceCraft does not use Customer Content to train, retrain, or fine-tune AI or machine-learning models for any purpose.

2. Sub-processor obligations

VoiceCraft engages AI sub-processors, currently including Anthropic, Google, OpenAI, Deepgram, ElevenLabs, and Inworld, and contractually requires each to abide by the commercial-terms commitment not to use Customer Content for model training. The current commercial terms of those providers reflect this commitment.

3. Inference data flow

Customer Content is transmitted to AI sub-processors only in the volume necessary to generate a response. AI sub-processors receive call audio for speech recognition, text for language model inference, and text for voice synthesis. They do not receive customer account information or billing data.

4. System prompt configuration

Each call's system prompt to the language model includes Customer-supplied business configuration (business name, hours, services, escalation rules) required for the agent to respond accurately. This configuration is treated as Customer Content and is governed by this DPA.

5. Automated decision-making

The AI voice agent may take limited automated actions during a call, such as booking an appointment, sending a confirmation SMS, or transferring the call to a human. These actions are governed by Customer's instructions in the agent configuration. Callers may at any time request human assistance, and the agent will escalate.