Data Processing Agreement

For the purposes of this DPA:

• "Controller" means the entity that determines the purposes and means of processing personal data (you, our customer).
• "Processor" means the entity that processes personal data on behalf of the Controller (BuzzrdAI).
• "Sub-processor" means any third party engaged by BuzzrdAI to process personal data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Data Subject" means an identified or identifiable natural person whose personal data is processed.
• "Processing" means any operation performed on personal data, including collection, storage, use, and deletion.

Subject Matter: BuzzrdAI processes personal data to provide AI-powered phone answering and lead capture services.

Duration: Processing continues for the duration of your subscription, plus any retention period required for legal compliance.

Nature and Purpose: Receiving and answering phone calls, recording conversations, generating transcripts and summaries, and delivering notifications about calls and leads.

Categories of Personal Data:

• Caller contact information (name, phone number, email if provided)
• Voice recordings of phone calls
• Call transcripts and AI-generated summaries
• Caller inquiries and messages
• Call metadata (date, time, duration)

Categories of Data Subjects:

• Individuals who call your business
• Your employees or representatives who access call data

Processing Activities:

• Receiving and answering phone calls via AI
• Recording calls for quality assurance and transcript generation
• Generating and storing call transcripts and summaries
• Sending notifications via email and SMS
• Storing and organizing lead information

BuzzrdAI agrees to:

• Process on instructions: Process personal data only on your documented instructions, unless required by law
• Ensure confidentiality: Ensure that persons authorized to process personal data are bound by confidentiality obligations
• Implement security measures: Implement appropriate technical and organizational measures to ensure data security
• Respect sub-processor requirements: Engage sub-processors only with your authorization and under written agreements
• Assist with data subject rights: Assist you in responding to data subject requests
• Delete or return data: Delete or return personal data at the end of the service relationship, upon your request

BuzzrdAI uses the following sub-processors to provide our services:

By accepting this DPA, you authorize us to use these sub-processors. We will notify you of any changes to sub-processors and give you an opportunity to object.

We will assist you in responding to requests from data subjects exercising their rights under applicable data protection laws, including:

• Right of access to personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing

If we receive a request directly from a data subject, we will promptly notify you and will not respond to the request without your authorization, except to inform the data subject that we are a processor acting on your behalf.

BuzzrdAI implements the following technical and organizational measures to protect personal data:

• Encryption in transit: All data transmitted between users and our servers is encrypted using TLS 1.3
• Encryption at rest: All personal data stored in our databases is encrypted using AES-256
• Access controls: Role-based access controls limit access to personal data to authorized personnel only
• Authentication: Secure authentication with email verification is required for all user accounts
• Monitoring: We monitor our systems for security threats and suspicious activity
• Backups: Automated daily backups ensure data can be recovered in case of data loss
• Vendor security: Our sub-processors are selected based on their security practices and compliance certifications

Our breach notification will include:

• Description of the nature of the breach
• Categories and approximate number of data subjects affected
• Categories and approximate number of records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact point for further information

BuzzrdAI and its sub-processors are based in the United States. For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the US, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• The EU-US Data Privacy Framework, where applicable
• Other lawful transfer mechanisms as appropriate

Upon request, we can provide copies of relevant transfer mechanism documentation.

We will make available to you information necessary to demonstrate compliance with our obligations under this DPA. You may, at your expense and with reasonable advance notice:

• Request documentation of our security practices and compliance measures
• Conduct or commission audits of our processing activities, subject to confidentiality obligations and reasonable scope limitations

We may satisfy audit requirements by providing third-party audit reports, certifications, or other documentation demonstrating our compliance.

Upon termination of your BuzzrdAI subscription:

• Export period: You have 30 days to export any personal data you require
• Deletion: After 30 days, we will delete personal data from our active systems
• Backup retention: Data may persist in backups for a short additional period before being permanently deleted
• Legal retention: We may retain data as required by law (e.g., billing records for tax purposes)

Upon your written request, we will provide written confirmation of data deletion.

We may update this DPA from time to time to reflect changes in our processing activities, legal requirements, or industry best practices. Material changes will be notified to you via email at least 30 days before they take effect.

Your continued use of BuzzrdAI after changes become effective constitutes acceptance of the updated DPA.