Data Processing Agreement

This Data Processing Agreement (the “DPA”) forms part of the agreement between the customer (the “Customer”) and QBRAIN TECHNOLOGIES LLP, operating the Zvani service (“Zvani”), under which Zvani processes personal data on the Customer’s behalf. It applies wherever the Customer is acting as a Data Fiduciary (DPDP) or Data Controller (GDPR) and Zvani is acting as a Data Processor.

Version: v1-0 | Effective Date: 16 May 2026 | Last Modified: 16 May 2026

1. Definitions

Capitalised terms not defined here have the meanings given in the Zvani Terms of Service or in applicable data protection law. Specifically:

  • Applicable Data Protection Law means the Digital Personal Data Protection Act, 2023 (DPDP) and the rules issued thereunder; the EU General Data Protection Regulation 2016/679 (GDPR); the UK Data Protection Act 2018 and UK GDPR; and any other data protection law applicable to the Customer’s use of the Service.
  • Customer Data means personal data that the Customer or its end users provide to, or that Zvani processes on behalf of the Customer through, the Service.
  • Data Subject means an identified or identifiable natural person whose personal data is included in Customer Data, including callers and message recipients.
  • Sub-processor means any third party that processes Customer Data on Zvani’s behalf.

2. Subject matter, duration, nature, and purpose

  • Subject matter: Zvani’s processing of Customer Data to provide the Service to the Customer.
  • Duration: the term of the underlying Zvani agreement, plus any post-termination period needed for export, deletion, or backup roll-off.
  • Nature and purpose: running AI voice and messaging on the Customer’s behalf, including call recording, transcription, intent extraction, integration with the Customer’s connected systems, and storage of the resulting data for the Customer’s review.

3. Types of personal data and categories of Data Subjects

Categories of Data Subjects: the Customer’s employees and agents who use the Zvani dashboard; end users (callers and message recipients) who interact with the Service on the Customer’s behalf; any other individuals whose data the Customer routes through the Service.

Types of personal data include identifiers (name, phone number, email, account identifiers); voice recordings; conversation content and transcripts; metadata (timestamp, duration, direction, language, intent labels); message bodies and attachments; integration tokens authorised by the Customer; and any other personal data the Customer chooses to provide.

4. Customer obligations as Fiduciary / Controller

The Customer represents, warrants, and agrees that it shall:

  1. Determine and maintain a lawful basis under Applicable Data Protection Law for collecting and processing Customer Data and for instructing Zvani to do so.
  2. Obtain all consents, provide all notices, and complete all impact assessments required by law in connection with the Customer Data and the Service, including caller consent for recording where required.
  3. Keep the in-call notice provided by Zvani enabled at or above the legal minimums for each jurisdiction where the Service is used.
  4. Respond to Data Subject rights requests as the primary controller, with Zvani’s assistance as set out in Section 7.
  5. Use the Service only for lawful purposes and in accordance with the Acceptable Use Policy.
  6. Provide accurate, current, and lawful instructions and content (FAQs, prices, knowledge bases) used by the Service to respond to Data Subjects.
  7. Maintain the security of its own credentials, integration tokens, and any data exported from Zvani.

5. Zvani obligations as Processor

Zvani shall:

  1. Process Customer Data only on documented instructions from the Customer, including with regard to transfers to third countries, except where required to do otherwise by law. Use of the Service and the Customer’s configuration constitute documented instructions.
  2. Ensure that personnel authorised to process Customer Data are bound by confidentiality obligations.
  3. Implement appropriate technical and organisational measures, as set out in Annex 2, to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such data.
  4. Engage Sub-processors only under the conditions of Section 6 below.
  5. Assist the Customer in fulfilling its obligations to respond to Data Subject rights requests and, taking into account the nature of processing and the information available to Zvani, in ensuring compliance with the Customer’s security, breach notification, and DPIA obligations.
  6. Notify the Customer of personal data breaches without undue delay and in any event within 48 hours of confirmation, as set out in Section 8.
  7. At the Customer’s choice, delete or return all Customer Data after the end of the provision of the Service, subject to Section 9.
  8. Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 10.

6. Sub-processors

The Customer provides general authorisation for Zvani to engage the Sub-processors listed at /subprocessors and to engage new Sub-processors subject to the procedure below.

  1. Zvani will give the Customer at least 30 days’ notice before authorising a new Sub-processor to process Customer Data, except where a shorter notice is required for security or legal reasons.
  2. The Customer may object on reasonable data protection grounds within the notice period. The parties will work in good faith to resolve the objection. If unresolved, the Customer may terminate the affected service component without penalty for the unused portion of the term.
  3. Zvani enters into written agreements with each Sub-processor imposing data protection obligations no less onerous than those in this DPA.
  4. Zvani remains liable to the Customer for the performance of its Sub-processors’ obligations.

7. Data Subject rights assistance

Taking into account the nature of processing, Zvani will assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling the Customer’s obligation to respond to requests for exercising Data Subject rights (access, rectification, erasure, restriction, portability, and objection). Self-service tooling is provided in the Customer dashboard where available.

Where Zvani receives a Data Subject rights request addressed to the Customer, Zvani will route the request to the Customer without responding to its substance, unless otherwise instructed in writing.

8. Personal data breach notification

Zvani will notify the Customer of a confirmed personal data breach affecting Customer Data within 48 hours of confirmation. The notification will, to the extent known, describe:

  • The nature of the breach, including categories and approximate number of Data Subjects and records affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate adverse effects.
  • The Zvani point of contact for follow-up.

Zvani will provide further information as it becomes available and will cooperate with the Customer’s regulatory notifications.

9. Return or deletion of Customer Data

On termination or expiry of the Customer’s Zvani agreement:

  1. Zvani provides a 30-day export window during which the Customer may extract Customer Data via the dashboard or API.
  2. After the export window, Zvani deletes Customer Data from active systems within 30 days, and from encrypted backups within a further 90 days via standard backup roll-off.
  3. Zvani may retain Customer Data only to the extent and for the period required by law, on its own initiative or as agreed with the Customer.
  4. On the Customer’s request, Zvani provides written confirmation that deletion is complete.

10. Audits and records

  1. Zvani makes available to the Customer the information reasonably necessary to demonstrate compliance with this DPA, including its current technical and organisational measures, sub-processor list, and (when available) third-party attestations such as SOC 2 or ISO 27001 reports.
  2. The Customer may request an audit no more than once per calendar year, on at least 30 days’ written notice, of Zvani’s compliance with this DPA. Audits will be conducted during business hours, will not unreasonably interfere with Zvani’s business, and will be subject to confidentiality obligations.
  3. For non-Customer-specific audits, third-party attestations are provided in lieu of on-site audit.

11. International data transfers

Where Customer Data is transferred to a country outside the Customer’s jurisdiction, the parties rely on the following safeguards, as applicable:

  • EU / UK transfers: the EU Standard Contractual Clauses (Module 2 or 3 as applicable) and the UK Addendum, incorporated into this DPA by reference.
  • India transfers: compliance with the DPDP Act and any restrictions notified by the Central Government under §16 of the DPDP Act.
  • Other regions: contractual safeguards equivalent to the above where required by local law.

On request, customers on the India-resident processing tier are routed to India-region infrastructure and India-resident model providers only.

12. Liability and indemnity

Liability under this DPA is subject to the limitation of liability and exclusions set out in the Customer’s Zvani Terms of Service. The Customer’s indemnification obligations under the Terms of Service apply to claims arising from the Customer’s breach of its obligations under Section 4 of this DPA, including failure to obtain valid caller consent, unlawful use of the Service, and inaccurate or unlawful content the Customer provides to Zvani.

13. Governing law and jurisdiction

This DPA is governed by the laws of India. The exclusive jurisdiction for disputes is the courts of Mumbai, save that nothing in this clause limits a Data Subject’s right to bring a complaint before the Data Protection Board of India or another competent supervisory authority.

14. Annexes

The following annexes form part of this DPA and may be updated by Zvani by publishing a new version at the URL indicated.

Annex 1 — Description of processing

  • Categories of Data Subjects: as set out in Section 3.
  • Categories of personal data: as set out in Section 3.
  • Special categories of data: none intentionally collected; callers may incidentally share health, financial, or other sensitive information during conversations and Customers in regulated sectors are responsible for the lawful basis for such processing.
  • Nature and purpose of processing: as set out in Section 2.
  • Duration of processing: as set out in Section 2 and the retention table at /privacy#retention.

Annex 2 — Technical and organisational measures

The current technical and organisational measures implemented by Zvani are described at /security. On request, Zvani provides its full Technical and Organisational Measures (TOM) document under confidentiality.

Annex 3 — Sub-processor list

The current Sub-processor list is published at /subprocessors and changes are notified by email to subscribers as set out in Section 6.

Annex 4 — Standard Contractual Clauses (EU / UK)

Where EU or UK Standard Contractual Clauses are required, the parties incorporate by reference the latest version published by the European Commission and the UK Information Commissioner’s Office. The required selections (data exporter and importer roles, optional clauses, governing law and forum) are set out in a side letter or in the Customer’s order form.

15. Contact

For DPA-related queries, including signed versions for enterprise customers, contact privacy@zvaniai.com. For DPDP grievances, see /grievance.

This DPA is a working baseline made available to all customers as a click-through. Enterprise customers may request a counter-signed version with their entity name and order-form-specific elections.