Data Processing Agreement (DPA)

1. Subject matter and scope

1.1 This DPA governs the processing of personal data that Ringroxy carries out on behalf of the Customer in connection with the provision of its AI-based receptionist and voice handling service.

1.2 Ringroxy processes personal data only in accordance with the Customer's documented instructions and applicable data protection legislation, including the GDPR.

2. Categories of data subjects and personal data

Data subjects: Callers, the Customer's own employees and contacts.

Categories of personal data:

• Voice recordings and transcriptions
• Phone numbers and caller metadata
• AI-generated summaries and action items
• Booking details (name, time, contact information)
• Account information (name, email, company data)

3. Processing purposes

Personal data is processed solely to deliver the Ringroxy service: receiving and handling calls, making bookings, generating call summaries, sending notifications, and providing analytics to the Customer.

4. Retention and deletion

Default retention periods:

• Voice recordings: 30 days
• Transcriptions: 90 days
• AI summaries: anonymised after 12 months

The Customer may request shorter retention periods. Upon termination of the agreement, Ringroxy will delete all personal data within 90 days unless retention is required by law.

5. Security measures

Ringroxy implements appropriate technical and organisational measures, including encryption in transit (TLS) and at rest, access control, logging, backup, and incident response procedures.

6. Sub-processors

Ringroxy engages sub-processors to deliver the service. The Customer grants general authorisation for sub-processor changes, with at least 30 days' notice before a new sub-processor begins processing.

7. Data breach notification

Ringroxy will notify the Customer of a personal data breach without undue delay and assist the Customer in meeting notification obligations to the relevant supervisory authority (within 72 hours) and to affected data subjects.

8. Audits

Ringroxy will make available information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Customer or an independent auditor mandated by the Customer.

9. International transfers

Personal data is processed and stored within the EU/EEA. If transfer outside the EU/EEA becomes necessary, Ringroxy will ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses).