Data Processing Agreement
How Voxy processes personal data on behalf of its customers.
- Last updated: July 1, 2026
- Effective: July 1, 2026
Effective date: 1 July 2026 · Last updated: 1 July 2026 · Version: 1.0
This Data Processing Agreement ("DPA") summarises how Voxy ("Voxy", the "Processor") processes personal data on behalf of a customer (the "Controller") when the customer uses Voxy to handle calls and conversations with their own end users. It supplements our Terms of Service and Privacy Policy. A countersigned copy is available on request (see the end of this page).
1. Roles
For account data about the customer (e.g., the person who signs up), Voxy is the controller. For personal data the customer uploads or that is generated when Voxy handles the customer’s calls and conversations (contacts, call audio, transcripts), the customer is the controller and Voxy is the processor acting on the customer’s documented instructions.
2. Details of processing
- Subject matter: provision of the Voxy AI voice + chat platform.
- Duration: for the term of the customer’s subscription plus any legally required retention.
- Nature and purpose: routing and handling inbound/outbound calls and web conversations, transcription, summaries, storage, and analytics, as configured by the Controller.
- Categories of data: contact identifiers, phone numbers, call audio and transcripts, conversation content, and related metadata.
- Categories of data subjects: the Controller’s customers, callers, and other end users.
3. Our obligations as processor
- Process personal data only on the Controller’s documented instructions, including for international transfers, unless required by law.
- Ensure personnel authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (encryption in transit and at rest, access controls, tenant isolation, audit logging).
- Assist the Controller in responding to data-subject requests and in meeting security, breach-notification, and impact-assessment obligations.
- Notify the Controller without undue delay after becoming aware of a personal-data breach.
- Delete or return personal data at the end of the service, subject to legal retention.
- Make available information needed to demonstrate compliance and allow for audits, subject to reasonable confidentiality and notice.
4. Sub-processors
The Controller authorises Voxy to engage sub-processors to provide the service. Current categories include:
- Telephony carrier (call origination/termination and CDRs) — e.g., Telnyx.
- AI model provider for real-time voice and language — e.g., Google Gemini.
- Cloud hosting and encrypted object storage for recordings and uploads.
- Payment processor for billing (PCI-DSS compliant).
- Transactional email delivery.
We will inform the Controller of intended changes to sub-processors and give the Controller a reasonable opportunity to object on legitimate grounds.
5. International transfers
Where personal data is transferred outside the EEA/UK, we rely on an appropriate transfer mechanism such as the European Commission’s Standard Contractual Clauses (and the UK Addendum) together with supplementary measures.
6. Requesting a signed DPA
To execute a countersigned DPA (including SCCs) or to receive the current sub-processor list, contact info@voxyhq.com. Jurisdiction: England and Wales.