Data Processing Agreement (DPA)
Document: Data Processing Agreement (Art. 28 GDPR) Last updated: 27 June 2026 Version: v1.0
Service: "Voice Edge", available at ellisce.com. Provided by [RAZÓN SOCIAL DEL PROVEEDOR], holding tax ID [CIF] and with registered office at [DOMICILIO SOCIAL] (the "Provider"). Data protection matters: [EMAIL DE PRIVACIDAD]. Data Protection Officer: [DPO si aplica].
This Data Processing Agreement (the "Agreement" or "DPA") gives effect to Article 28 of Regulation (EU) 2016/679 (the "GDPR") and to Spanish Organic Law 3/2018 on the Protection of Personal Data and the Guarantee of Digital Rights ("LOPDGDD"). It forms part of the service agreement entered into between the Customer and the Provider (the "Main Agreement") and governs the processing of Personal Data that the Provider carries out on behalf of the Customer when providing the Service. In the event of conflict on data protection matters, this Agreement prevails over the Main Agreement.
1. Definitions
1.1. Capitalized terms not defined in this Agreement have the meaning given to them in the Main Agreement or, failing that, in the GDPR.
1.2. "the Service": the cloud telephone system (PBX) and contact center that the Provider operates under the Voice Edge brand over the SIP and WebRTC protocols, including inbound and outbound calls, call flows and IVR, queues and agents, in-browser webphone, call recording with configurable retention, voice transcription, voice synthesis (TTS), AI-assisted quality assurance (QA), an AI assistant for call flows, a contacts CRM, campaigns and an outbound telemarketing dialer, exclusion lists (DNC), callbacks, reports and call detail records (CDR).
1.3. "the Customer": the natural or legal person that contracts the Service and determines the purposes and means of the processing of Customer Data.
1.4. "Authorized User": the person to whom the Customer grants access to the Service (administrators, supervisors and agents), identified by their credentials.
1.5. "Customer Data": the Personal Data that the Customer or its Authorized Users enter into the Service, or that the Service generates on the Customer's behalf. It includes, without limitation: the contacts and lists that the Customer uploads or creates (including tags and custom fields); call voice recordings; transcriptions of those recordings; call metadata and call detail records (CDR); and the notes and data associated with those calls and contacts. Customer Data does not include Account Data.
1.6. "Account Data": the data of Authorized Users (name, email, password hash, IP address, sessions, approximate IP-based geolocation, security logs and two-factor data) and the Customer's billing data. With respect to Account Data, the Provider acts as Controller; its processing is governed by the Provider's Privacy Policy and falls outside the scope of this Agreement.
1.7. "Personal Data", "processing", "data subject", "Controller", "Processor" and "personal data breach" (in this Agreement, "security breach") have the meaning set out in Article 4 GDPR.
1.8. "Sub-processor": a third party engaged by the Provider that processes Customer Data in order to provide the Service.
1.9. "Data Region": the geographic region in which the Customer's account data is hosted and processed. As at the date of this Agreement, the Provider operates a single Data Region, the European Union. The Data Region is set when the account is created and does not change during its term. The Provider may enable additional regions in the future; they are not available as at the date of this Agreement.
1.10. "Call Party": the natural person who takes part in a call placed or received by the Customer through the Service, other than an Authorized User.
2. Roles of the parties and subject matter
2.1. With respect to Customer Data, the Customer is the Controller and the Provider is the Processor. The Provider processes Customer Data only on the Customer's behalf and in accordance with its documented instructions.
2.2. With respect to Account Data, the Provider is the Controller. That relationship is not governed by this Agreement.
2.3. The subject matter of this Agreement is to set out the terms under which the Provider processes Customer Data when providing the Service, in compliance with Article 28 GDPR.
2.4. The Provider does not provide legal advice. Determining the lawfulness of any processing the Customer chooses to carry out through the Service is the Customer's responsibility.
2.5. If the Provider determines the purposes and means of processing Customer Data otherwise than on the Customer's documented instructions, it will be considered Controller in respect of that processing, in accordance with Article 28(10) GDPR.
3. Duration
3.1. This Agreement takes effect upon acceptance of the Main Agreement and remains in force for as long as the Provider processes Customer Data, that is, for the duration of the Service.
3.2. The obligations of confidentiality, those concerning deletion or return of data on termination (clause 7.8), and those relating to audit of processing already carried out survive termination of the Main Agreement to the extent necessary for their performance.
4. Nature, purpose and scope of the processing
4.1. The nature of the processing is the operation of a cloud telephony and contact center service: setting up, routing and recording calls; recording and, where applicable, transcribing calls and synthesizing voice (TTS) for call-flow prompts; managing contacts and outbound calling campaigns; applying exclusion lists; analyzing quality by means of artificial intelligence; and generating reports.
4.2. The purpose of the processing is solely to provide the Service to the Customer in accordance with the Main Agreement and the Customer's instructions. The Provider does not process Customer Data for its own purposes, nor does it disclose such data to third parties, save to the Sub-processors set out in clause 7.4 and Annex III, or where required by Union or Member State law to which the Provider is subject, in which case it will inform the Customer in advance unless legally prohibited.
4.3. Details of the processing (operations, categories of data subjects and of data) are set out in Annex I.
5. Categories of data subjects and of data
5.1. Categories of data subjects:
5.1.1. The Customer's contacts: the natural persons included in the lists, imports and contact records that the Customer manages in the Service.
5.1.2. Call Parties: the natural persons who take part in the calls that the Customer places or receives through the Service.
5.2. Categories of Personal Data:
5.2.1. Contact and identifying data: name, telephone number, email, tags and custom fields associated with the contact.
5.2.2. Call voice recordings.
5.2.3. Transcriptions of those recordings and derived analyses (including AI-assisted quality assurance).
5.2.4. Communication metadata and call detail records (CDR): origin and destination numbers, date and time, duration, direction, routing, outcome and associated notes.
5.3. Special categories of data. The Customer acknowledges that a recording or a transcription may contain, incidentally and at the Call Party's own initiative, data falling within the special categories of Article 9 GDPR (for example, health data) if the Call Party discloses them during the conversation. The Service is neither designed nor intended for the systematic processing of such categories. Determining the lawfulness of processing that data, and the applicable legal basis, is the Customer's responsibility as Controller.
6. Controller's instructions
6.1. The Provider processes Customer Data only in accordance with the Customer's documented instructions, including with regard to international transfers. The following constitute documented instructions: this Agreement, the Main Agreement, the configuration that the Customer applies within the Service (among others, recording retention, call flows, exclusion lists and the choice of AI provider or model) and any further instructions the Customer issues in writing.
6.2. If the Provider considers that an instruction from the Customer infringes the GDPR, the LOPDGDD or other Union or Member State data protection law, it will inform the Customer without delay. The Provider may suspend execution of the affected instruction until the Customer confirms, amends or withdraws it.
7. Processor's obligations
7.1. Confidentiality. The Provider ensures that the persons authorized to process Customer Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Access by the Provider's personnel to Customer Data is limited to what is necessary to provide and maintain the Service.
7.2. Security. The Provider implements the appropriate technical and organizational measures required by Article 32 GDPR to ensure a level of security appropriate to the risk. Those measures are described in Annex II. The Provider may update them provided the agreed level of security is not reduced.
7.3. General authorization of Sub-processors. The Customer gives the Provider general authorization to engage Sub-processors in order to provide the Service. The Sub-processors in force as at the date of this Agreement are listed in Annex III.
7.4. Sub-processor regime. The Provider:
7.4.1. imposes on each Sub-processor, by contract, data protection obligations equivalent to those in this Agreement, in particular the security obligations of Article 32 GDPR;
7.4.2. remains liable to the Customer for the Sub-processor's performance of its obligations; and
7.4.3. selects Sub-processors that offer sufficient guarantees in respect of data protection.
7.5. Changes to Sub-processors. The Provider will inform the Customer of any addition or replacement of Sub-processors with reasonable prior notice, by notice to the account's administration email or by publication in the Service panel. The Customer may object on reasonable data protection grounds within thirty (30) days of the notice. If the objection cannot be resolved, the Customer may terminate the part of the Service that cannot be provided without the objected-to Sub-processor, as its sole remedy.
7.6. Assistance to the Controller. Taking into account the nature of the processing, the Provider assists the Customer, by appropriate technical and organizational measures and insofar as this is possible:
7.6.1. in responding to requests for the exercise of data subject rights (access, rectification, erasure, restriction, portability and objection), by making available the Service features that allow Customer Data to be located, exported, rectified or deleted, including the export of contacts and the deletion of recordings, transcriptions and records;
7.6.2. in ensuring compliance with the security obligations of Article 32, the security-breach notification obligations of Articles 33 and 34, and the data protection impact assessment and prior consultation obligations of Articles 35 and 36, by providing the information available to it about the processing it carries out.
7.7. Notification of security breaches. The Provider will notify the Customer, without undue delay after becoming aware of it, of any security breach affecting Customer Data. The notification will include, to the extent available to the Provider, the nature of the security breach, the categories and approximate number of data subjects and records affected, the likely consequences and the measures taken or proposed. The Provider will cooperate reasonably with the Customer. The Provider's notification does not constitute an admission of fault or liability.
7.8. Deletion or return. On termination of the Service, and at the Customer's choice, the Provider will delete or return the Customer Data and delete existing copies, unless Union or Member State law requires their retention. During the term of the Service, the automatic deletion of recordings is governed by the retention period that the Customer configures, as described in Annex II. Return is carried out in the export formats offered by the Service.
7.9. Information and audit. The Provider makes available to the Customer the information necessary to demonstrate compliance with the obligations of Article 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Customer or an auditor mandated by it. Audits are arranged with reasonable prior notice, conducted during business hours, no more than once a year unless there is a security breach or a request from a supervisory authority, without affecting the security of other customers and under a duty of confidentiality. The Provider may discharge this obligation, in the first instance, by means of its security documentation and any third-party certifications or reports available to it.
7.10. Costs of assistance and audits. The assistance under clause 7.6 and the audits under clause 7.9 that the Customer can carry out using the self-service features of the Service and, in the case of audits, within the agreed annual frequency, are included in the Service. The Provider may charge the Customer a reasonable fee, at its then-current rates, for assistance or audits that go beyond those features or that frequency, including data protection impact assessments, on-site audits and extended handling of data subject requests. The Provider will provide an estimate before incurring such costs.
8. International transfers and Data Region
8.1. The Provider hosts and processes Customer Data in the account's Data Region. As at the date of this Agreement, the only Data Region available is the European Union, which is set when the account is created. The enabling of additional regions and the migration of data between regions are not available as at the date of this Agreement; the Provider will communicate when they become available.
8.2. Customer Data is hosted and processed in the European Union. The only flows of Customer Data outside the European Economic Area are the transfers to the Sub-processors identified in Annex III, which are governed by clause 8.3.
8.3. Where provision of the Service entails a transfer of Customer Data to a third country or international organization outside the European Economic Area, in particular to the Sub-processors in Annex III located outside it, the Provider will carry it out only where a valid mechanism under Chapter V GDPR applies: an adequacy decision or appropriate safeguards. Where the safeguard is the standard contractual clauses, the Standard Contractual Clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 are incorporated into this Agreement by reference. The applicable Module is determined by the role of the parties to each transfer: Module Three (processor to processor) for transfers from the Provider to a Sub-processor outside the European Economic Area, and Module Two (controller to processor) where the clauses govern the transfer between the Customer and the Provider. Their appendices are completed by reference to Annex I (parties and details of the processing), Annex II (security measures) and Annex III (Sub-processors) of this Agreement. Where the Provider relies on standard contractual clauses already concluded with a Sub-processor, those clauses govern the corresponding transfer. The Customer authorizes the transfers to the Sub-processors in Annex III under these mechanisms.
8.4. The Customer acknowledges that the choice of AI provider or model and of the transcription and language-model endpoints determines where, and under what retention conditions, certain Customer Data is processed. The Provider offers controls to confine that processing, among them the option of a transcription endpoint in the European Union and, where the gateway supports it, zero-data-retention routing. Some providers do not support that mode. The choice of provider and model, and its adequacy, are the Customer's responsibility.
8.5. Authority requests. If the Provider or a Sub-processor receives a legally binding request from a public authority, including a judicial authority, to access or disclose Customer Data, the Provider will, unless legally prohibited: (a) notify the Customer without undue delay; (b) review the legality of the request and challenge it where it is manifestly unlawful or disproportionate under applicable law; and (c) disclose only the minimum Customer Data necessary to comply. The Provider will keep a record of such requests available to the Customer.
9. Customer's obligations and warranties as Controller
9.1. The Customer warrants that it has a legal basis for the processing of Customer Data and that it has informed data subjects in accordance with Articles 13 and 14 GDPR.
9.2. The Customer warrants that, where applicable, it has obtained consent to contact each person on its lists for commercial communication or direct marketing purposes, in accordance with Directive 2002/58/EC (ePrivacy), Spanish Law 34/2002 (LSSI-CE) and Law 11/2022, the General Telecommunications Act, and that it respects advertising exclusion lists, including the Lista Robinson in Spain. In other jurisdictions, the Customer complies with local telemarketing rules and equivalent exclusion registers; in the United States, among others, with the applicable prior-consent requirements and DNC registers. The Customer knows and applies the rules of its own jurisdiction and those of the Call Parties.
9.3. The Customer is responsible for the lawfulness of recording calls in the jurisdiction of the parties and for duly informing Call Parties that the call may be recorded.
9.4. The Customer is responsible for ensuring that its use of AI features (transcription, quality assurance, flow assistant) complies with the GDPR and applicable law. The Provider makes information and controls available (selection of provider or model and, where the gateway supports it, zero-data-retention routing); the decision and compliance are the Customer's responsibility.
9.5. The Customer's instructions to the Provider are lawful. The Customer will not enter into the Service any Personal Data that it is not entitled to process.
10. Liability and indemnity
10.1. The allocation of liability between the parties is governed by Article 82 GDPR and by the liability regime of the Main Agreement, including its limitations and exclusions.
10.2. The Customer will hold the Provider harmless against third-party claims, penalties from supervisory authorities and damages arising from the Customer's breach of its obligations as Controller under this Agreement, in particular from processing Customer Data without a legal basis or without consent, from placing calls without consent or against exclusion lists, and from the unlawful recording of calls.
11. Final provisions
11.1. This Agreement is incorporated into and construed together with the Main Agreement. On matters not addressed here, the Main Agreement governs and, on data protection matters, the GDPR and the LOPDGDD.
11.2. This Agreement is governed by Spanish law. The competent supervisory authority in Spain is the Spanish Data Protection Agency (AEPD).
11.3. The invalidity of any clause does not affect the validity of the remaining clauses.
Annex I — Details of the processing
Controller: the Customer. Processor: the Provider, [RAZÓN SOCIAL DEL PROVEEDOR].
Subject matter: provision of the Voice Edge cloud PBX and contact center Service.
Duration: for the duration of the Service, plus the deletion or return period under clause 7.8.
Nature and processing operations: collection, recording, storage, structuring, call routing, recording, transcription, voice synthesis (TTS), AI-based quality analysis, consultation, export, deletion and automatic deletion by retention.
Purpose: to set up, route and record the Customer's communications; to record and, where applicable, transcribe and analyze calls; to manage contacts and outbound calling campaigns; to apply exclusion lists; and to generate reports and call detail records (CDR).
Categories of data subjects: the Customer's contacts and the Call Parties of its calls.
Categories of Personal Data: contact and identifying data (name, telephone, email, tags and custom fields); voice recordings; transcriptions and derived analyses; communication metadata and call detail records (CDR); notes associated with calls and contacts.
Special categories (if any): Article 9 GDPR data that a Call Party may incidentally disclose during a conversation. This is not a purpose of the processing; its lawfulness is the Customer's responsibility.
Frequency of processing: continuous, for as long as the Customer uses the Service.
Annex II — Technical and organizational security measures (Art. 32 GDPR)
The Provider applies, as a minimum, the following measures:
-
Encryption in transit. Communications with the panel and the webphone are encrypted using TLS. Call signaling and media are carried over the secure channels native to SIP and WebRTC.
-
Access control and authentication. Authorized Users' passwords are stored using a salted key-derivation function (argon2id); never in clear text. Sessions are managed against the database and expire. Two-factor authentication (TOTP, RFC 6238) is available on a per-user basis.
-
Authorization control (RBAC). Access to the Service's features and data is governed by roles and by section-level permissions, so that each Authorized User accesses only what their role allows within their organization.
-
Multi-tenant isolation. Each Customer's data is logically segregated by organization; access to Customer Data is confined to the organization it belongs to, preventing cross-customer access.
-
Audit logs. The Service records relevant security and administration events (among others, logins, configuration changes and administrative actions), retained for review.
-
Configurable retention and deletion. The Customer configures the retention period for recordings (14, 30, 90, 180 or 365 days, or unlimited retention). Where the Customer sets a period, an automatic process periodically sweeps and deletes recordings whose period has expired; where the Customer chooses unlimited retention, no automatic deletion applies. The Customer can delete recordings, transcriptions and records on demand.
-
Storage of and access to recordings. Call recordings and their copies are held on access-controlled storage infrastructure within the Data Region. Access is confined to the Customer's organization through the authorization controls in point 3 and to Provider personnel strictly as necessary to operate the Service. The encryption in transit of point 1 protects transmission; at rest, recordings are protected by those access controls.
-
Minimization in AI processing. Where the selected provider and model support it — for example, the zero-data-retention routing of the OpenRouter gateway, which the Service requests by default for that gateway — language-model processing is directed to providers that do not retain or train on the content of requests. Other providers and models do not apply that restriction; in particular, quality assurance (QA) and the flow assistant may run by default on providers (such as Groq) that do not honor that mode. The choice of provider and model, and its retention consequences, are the Customer's responsibility (clauses 6.1 and 8.4). Transcription supports a European Union endpoint to keep the audio within the region.
-
Resilience and recovery. The Provider maintains backup and recovery measures aimed at restoring the availability of and access to data in the event of a physical or technical incident.
-
Operational hardening. Internal components (among others, the media engine and the administration interfaces) are exposed only on private or protected networks, not on the open internet.
The Provider may modify these measures provided the level of security does not fall below that described here.
Annex III — List of Sub-processors
| Sub-processor | Purpose | Location / Region |
|---|---|---|
| Deepgram | Voice transcription (STT) and, where applicable, voice synthesis (TTS) of calls | United States, with the option of a European Union endpoint (api.eu.deepgram.com) |
| Groq | Language models for quality assurance (QA) and the flow assistant (default provider) | United States; zero-data-retention mode does not apply |
| [OpenRouter or other LLM gateway] | Language models for QA and the assistant where the Customer configures it; allows routing to providers in zero-data-retention mode, which the Service requests by default on that gateway | Depending on the model provider; region: [to be specified] |
| [PROVEEDOR DE HOSTING / INFRAESTRUCTURA] | Hosting of the Service's compute, database and network | European Union |
| [PROVEEDOR DE EMAIL TRANSACCIONAL] | Sending of service emails (account verification, password reset, support notices) | [Region to be specified] |
| [ALMACENAMIENTO DE COPIAS DE GRABACIONES] | Backup and storage of call recordings | European Union |
The Provider keeps this list up to date and notifies changes in accordance with clause 7.5.