Data Processing Addendum (DPA)
Last updated: 29 May 2026
This Data Processing Addendum (DPA) forms part of the Terms of Service between VoxApp Ltd, a company registered in New Zealand (VoxApp, we or us), and the customer that accepts those Terms (Customer, you). It applies whenever VoxApp processes Personal Data on the Customer's behalf in providing the Service, and is incorporated into the Terms automatically when the Customer accepts them. No signature is required; an Enterprise customer may request a counter-signed copy.
1. Definitions
Capitalised terms not defined here have the meaning given in the Terms. Applicable Data Protection Law means every Privacy Law applicable to the processing under this DPA, including the EU General Data Protection Regulation (EU GDPR), the UK GDPR and Data Protection Act 2018, the Privacy Act 2020 (NZ), and the Privacy Act 1988 (Cth) (AU). Controller, processor, data subject, processing and personal data breach have the meanings given in the EU GDPR. SCCs means the Standard Contractual Clauses approved by the European Commission on 4 June 2021. UK Addendum means the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner. Sub-processor means a third party engaged by VoxApp to process Personal Data on the Customer's behalf.
2. Roles and scope
2.1 For Personal Data relating to the Customer's Contacts and the Customer's own users that VoxApp processes in providing the Service, the Customer is the controller and VoxApp is the processor. Where the Customer is itself a processor for its own customer, VoxApp is a sub-processor and this DPA applies accordingly.
2.2 The subject matter, duration, nature and purpose of the processing, the types of Personal Data, and the categories of data subjects are set out in Annex 1.
2.3 This DPA does not apply to data for which VoxApp is the controller (such as account, billing and website-visitor data), which is governed by our Privacy Policy.
3. Processing instructions
3.1 VoxApp will process Personal Data only on the Customer's documented instructions, including as set out in the Terms, this DPA, and the Customer's configuration and use of the Service, unless required to do otherwise by law (in which case VoxApp will inform the Customer unless legally prohibited).
3.2 VoxApp will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
3.3 The Customer warrants that it has a lawful basis and all necessary notices and consents for the Personal Data it processes through the Service, and that its instructions comply with Applicable Data Protection Law.
4. Confidentiality
VoxApp ensures that personnel authorised to process Personal Data are bound by appropriate obligations of confidentiality and are trained in their data-protection responsibilities.
5. Security
Taking account of the state of the art, the costs of implementation and the nature, scope and purposes of processing, VoxApp implements appropriate technical and organisational measures to protect Personal Data, as described in Annex 2 and on our security page.
6. Sub-processors
6.1 The Customer gives VoxApp general written authorisation to engage the sub-processors listed at voxapp.com/subprocessors to process Personal Data in providing the Service.
6.2 VoxApp imposes data-protection obligations on each sub-processor that are substantially the same as those in this DPA, and remains responsible to the Customer for each sub-processor's performance.
6.3 VoxApp will give the Customer at least 30 days' notice (by updating the sub-processor page and, where the Customer has subscribed to notifications, by email) before adding or replacing a sub-processor. The Customer may object on reasonable data-protection grounds during that period; if the parties cannot resolve the objection, the Customer may terminate the affected part of the Service.
7. Data subject rights
Taking into account the nature of the processing, VoxApp will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests by data subjects to exercise their rights. Where VoxApp receives a request directly from a data subject relating to Personal Data it processes for the Customer, it will, unless legally required to act, refer the request to the Customer.
8. Personal data breach
VoxApp will notify the Customer without undue delay, and in any event within 24 hours of confirming a personal data breach affecting the Customer's Personal Data. The notification will describe the nature of the breach, its likely consequences and the measures taken or proposed, to the extent known, and VoxApp will reasonably assist the Customer with its own notification obligations.
9. International transfers
9.1 VoxApp stores Customer Personal Data at rest in AWS Australia (Sydney) or the European Union depending on the Customer's region, and uses EU-resident processing endpoints for EU customers where its sub-processors support them.
9.2 Where providing the Service involves transferring Personal Data to a country that does not have an adequacy decision (including transfers to certain sub-processors in the United States), VoxApp relies on appropriate safeguards, namely: the SCCs (Module Two for controller-to-processor transfers, and Module Three where VoxApp transfers to a sub-processor) for EU data; the UK Addendum for UK data; and the EU-US, UK Extension and Swiss-US Data Privacy Framework where the recipient is certified. The SCCs are incorporated into this DPA by reference and completed using the information in the Annexes.
9.3 Where there is any conflict between the SCCs/UK Addendum and the rest of this DPA in relation to a restricted transfer, the SCCs/UK Addendum prevail.
10. Data protection impact assessments
VoxApp will provide the Customer with reasonable assistance and information for any data protection impact assessment and prior consultation with a supervisory authority that the Customer is required to carry out under Applicable Data Protection Law, taking into account the nature of the processing and the information available to VoxApp.
11. Return and deletion
On termination of the Service, VoxApp will delete Customer Personal Data within 30 days, except to the extent retention is required by law or permitted under clause 10 of the Terms. It is the Customer's responsibility to export any data it wishes to retain before termination. On request, VoxApp will certify deletion.
12. Audit
VoxApp will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor it mandates. Audits are subject to reasonable advance notice, confidentiality obligations, and a frequency of no more than once per year unless required by a supervisory authority or following a personal data breach. Where available, VoxApp may satisfy this obligation by providing third-party reports or certifications.
13. Liability and precedence
Each party's liability under this DPA is subject to the limitations and exclusions in clause 15 of the Terms. In the event of any conflict between this DPA and the Terms in relation to the processing of Personal Data, this DPA prevails. This DPA is governed by the law stated in the Terms, except where Applicable Data Protection Law or the SCCs require otherwise.
Annex 1 — Details of processing
| Parties | Controller: the Customer. Processor: VoxApp Ltd (New Zealand). |
|---|---|
| Subject matter | Provision of the VoxApp AI voice and messaging platform. |
| Duration | For the term of the Customer's account, plus the retention and deletion periods in clause 11 and clause 10 of the Terms. |
| Nature and purpose | Conducting and recording (where enabled) AI-led voice, video, chat and messaging interactions; transcription; generating summaries and structured outputs; storage; and related support and security. |
| Types of personal data | Contact identifiers (name, phone number, email); conversation audio, video and transcripts; structured outputs derived from conversations; conversation metadata; and account-user identity data. Special-category and other prohibited data must not be processed except as agreed under clause 8.6 of the Terms. |
| Categories of data subjects | The Customer's Contacts (individuals it engages through the Service) and the Customer's own users and personnel. |
Annex 2 — Technical and organisational measures
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256).
- Role-based, least-privilege access control; unique credentials; administrative actions audit-logged.
- Logical tenant isolation so one customer's data is not accessible to another.
- Network controls, monitoring and vulnerability management.
- Personnel confidentiality obligations and security training.
- Backup, resilience and incident-response procedures, including breach notification within 24 hours of confirmation.
- Data-minimisation and retention controls, including default deletion periods and configurable shorter retention.
Our security controls are modelled on recognised information-security standards. The current detail is maintained on our security page.
Annex 3 — Sub-processors
The current list of authorised sub-processors, including each one's role and location, is published and kept up to date at voxapp.com/subprocessors.
Contact
To raise an audit, ask about a sub-processor, request a counter-signed copy, or any other DPA query: privacy@voxapp.com.