Data Processing Agreement

Last updated: April 21, 2026

This DPA forms part of the agreement between Voicematrix.ai (Processor) and the Customer (Controller) where Voicematrix.ai processes personal data on the Customer's behalf.

1. Subject matter & duration

The Processor will process personal data on behalf of the Controller for the term of the Service Agreement and any post-termination transition period required by law.

2. Nature & purpose of processing

Processing is carried out for the purpose of providing the Voicematrix.ai voice-agent platform — including capture, transcription, storage, retrieval and deletion of call audio and metadata.

3. Categories of data subjects

  • The Customer's end-users who interact with deployed voice agents.
  • The Customer's employees and contractors who administer the platform.

4. Categories of personal data

  • Identifiers (phone number, email, customer ID).
  • Audio recordings and machine-generated transcripts.
  • Conversation metadata (timestamps, intents, sentiment, outcomes).
  • Technical data (IP address, device, network metadata).

5. Processor obligations

  • Process personal data only on the Controller's documented instructions.
  • Ensure confidentiality undertakings from all personnel with access.
  • Implement appropriate technical and organisational measures (Annex II).
  • Assist the Controller with data-subject requests, DPIAs and breach notifications.
  • Delete or return personal data at the end of the service, at the Controller's choice.

6. Sub-processors

The Controller authorises the use of the sub-processors listed below. We will notify the Controller of changes 30 days in advance and provide a right of objection.

  • Amazon Web Services (EU/US) — cloud infrastructure.
  • Cloudflare (Global) — edge networking, DDoS protection.
  • OpenAI / Anthropic / Google — LLM inference, only when the Controller selects the relevant model.
  • Twilio (US/EU) — telephony carriage, only for numbers provisioned through Voicematrix.
  • Stripe (US/EU) — billing.
  • Sentry (US/EU) — error monitoring.
  • ZeptoMail (EU) — transactional email.

7. International transfers

Where transfers occur outside the EEA, the parties incorporate the EU Standard Contractual Clauses (Module 2 — Controller to Processor, 2021) and the UK IDTA, including all Annexes.

8. Annex I — Description of processing

Set out in sections 2–4 above and the Service Agreement.

9. Annex II — Technical & organisational measures

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Role-based access controls, MFA enforced for all staff.
  • Quarterly access reviews and least-privilege provisioning.
  • Network segregation, hardened images, automated patching.
  • 24/7 logging and alerting; immutable audit trail kept for 12 months.
  • Annual penetration testing by an independent third party.
  • Documented business continuity and disaster recovery plans tested annually.

10. Signing this DPA

If you require a counter-signed copy, email legal@voicematrix.ai with your entity name and we'll return an executed PDF within 48 hours.