Data Processing Agreement (DPA)
GDPR & CCPA Compliant
Effective Date: October 11, 2025
Version: 1.0
Purpose: This Data Processing Agreement ("DPA") forms part of the CloudFran Agents Terms of Service and governs the processing of personal data by CloudFran, Inc. ("Processor") on behalf of the Customer ("Controller") in compliance with GDPR, CCPA, and other applicable data protection laws.
1. Definitions
2. Scope and Applicability
2.1 Scope of Processing
This DPA applies to all Personal Data processed by CloudFran through the Service, including:
- Customer contact information (names, phone numbers, email addresses)
- Communication content (SMS messages, voice transcripts, chat logs)
- Appointment and scheduling data
- Campaign performance and engagement metrics
- Any other data submitted by the Controller through the Service
2.2 Duration
This DPA remains in effect for the duration of the service agreement and continues until all Personal Data has been deleted or returned to the Controller.
3. Roles and Responsibilities
3.1 Controller Obligations
The Controller (you) shall:
- Ensure a lawful basis for processing under applicable Data Protection Laws
- Obtain necessary consents from Data Subjects before submitting Personal Data to the Service
- Provide accurate and complete processing instructions to the Processor
- Comply with Data Subject rights requests (access, deletion, rectification, etc.)
- Maintain records of processing activities as required by law
- Notify the Processor immediately of any data breaches or unauthorized access
3.2 Processor Obligations
CloudFran (the Processor) shall:
- Process Personal Data only on documented instructions from the Controller
- Implement appropriate technical and organizational security measures
- Ensure the confidentiality of persons authorized to process Personal Data
- Assist the Controller in responding to Data Subject requests
- Notify the Controller of any data breaches within 72 hours of discovery
- Delete or return Personal Data upon termination of services, unless retention is required by law
- Make available all information necessary to demonstrate compliance with this DPA
4. Nature and Purpose of Processing
4.1 Purpose
Personal Data will be processed for the following purposes:
- Sending SMS and voice messages to customers on behalf of the Controller
- Generating AI-powered responses and campaign content
- Scheduling and managing customer appointments
- Providing analytics and performance reporting
- Maintaining security and preventing fraud
4.2 Type of Personal Data
- Contact details (names, phone numbers, email addresses)
- Communication preferences and opt-in/opt-out status
- Conversation history and engagement data
- Appointment details and scheduling preferences
- Device and usage information (IP addresses, timestamps)
4.3 Categories of Data Subjects
- The Controller's customers and prospective customers
- Individuals who have consented to receive communications
- Appointment booking contacts
4.4 Processing Operations
- Collection, storage, and organization of Personal Data
- Transmission of SMS/voice messages
- AI-powered analysis and content generation
- Retrieval, consultation, and use for reporting
- Deletion or destruction upon instruction
5. Sub-processors
5.1 Authorized Sub-processors
The Controller authorizes the Processor to engage the following Sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Twilio Inc. | SMS/Voice delivery | United States |
| OpenAI, Inc. | AI text generation | United States |
| Stripe, Inc. | Payment processing | United States |
| SendGrid (Twilio) | Email delivery | United States |
| Microsoft Azure | Cloud hosting | United States |
5.2 Sub-processor Obligations
The Processor ensures that all Sub-processors are bound by data protection obligations equivalent to those in this DPA. The Processor remains fully liable for Sub-processor performance.
5.3 Changes to Sub-processors
The Processor will notify the Controller of any intended changes to Sub-processors at least 30 days in advance. The Controller may object to new Sub-processors on reasonable data protection grounds within 14 days of notification.
6. Security Measures
6.1 Technical Measures
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Access Control: Role-based access controls, multi-factor authentication
- Network Security: Firewalls, intrusion detection systems, DDoS protection
- Monitoring: 24/7 security monitoring and logging
- Vulnerability Management: Regular security patches and updates
6.2 Organizational Measures
- Policies: Documented security policies and procedures
- Training: Regular security awareness training for all personnel
- Access Management: Principle of least privilege, regular access reviews
- Incident Response: Documented incident response plan
- Audits: Annual third-party security audits and penetration testing
6.3 Certifications
CloudFran maintains the following security certifications:
- SOC 2 Type II (in progress)
- ISO 27001 (planned)
- GDPR compliance framework
7. Data Subject Rights
The Processor shall assist the Controller in fulfilling Data Subject requests, including:
7.1 Right of Access
Providing copies of Personal Data upon request
7.2 Right to Rectification
Correcting inaccurate or incomplete Personal Data
7.3 Right to Erasure
Deleting Personal Data when no longer necessary or upon withdrawal of consent
7.4 Right to Restrict Processing
Limiting processing when accuracy is contested or processing is unlawful
7.5 Right to Data Portability
Providing Personal Data in a structured, machine-readable format
7.6 Right to Object
Ceasing processing when the Data Subject objects
7.7 Response Time
The Processor will provide reasonable assistance to the Controller within 7 business days of request to enable timely response to Data Subjects (within 30 days as required by GDPR).
8. Data Breach Notification
8.1 Notification Obligation
The Processor shall notify the Controller without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach.
8.2 Breach Information
The notification shall include:
- Nature of the breach and categories of Personal Data affected
- Approximate number of Data Subjects and data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
8.3 Cooperation
The Processor shall cooperate with the Controller in investigating and remediating the breach, including providing documentation and access to affected systems as needed.
9. Data Transfers
9.1 Transfer Mechanism
Personal Data may be transferred to and processed in the United States. CloudFran implements Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EU/EEA.
9.2 Safeguards
Additional safeguards for international transfers include:
- Encryption of data in transit and at rest
- Contractual obligations on Sub-processors
- Regular privacy impact assessments
- Adherence to Privacy Shield principles (where applicable)
10. Audits and Inspections
10.1 Audit Rights
The Controller may audit the Processor's compliance with this DPA once per year, subject to reasonable notice (30 days) and confidentiality obligations.
10.2 Documentation
The Processor shall make available all information necessary to demonstrate compliance, including security policies, audit reports, and certifications.
10.3 Third-Party Audits
The Controller may accept third-party audit reports (SOC 2, ISO 27001) in lieu of conducting its own audit.
11. Data Deletion and Return
11.1 Upon Termination
Upon termination of the service agreement, the Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days.
11.2 Certification of Deletion
Upon request, the Processor will provide written certification of secure deletion of Personal Data.
11.3 Legal Retention
The Processor may retain copies of Personal Data to the extent required by applicable law, subject to continued confidentiality and security obligations.
12. Limitation of Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the CloudFran Agents Terms of Service, except that liability for data protection violations shall not be limited to the extent prohibited by Data Protection Laws.
13. Governing Law and Jurisdiction
This DPA is governed by the same law as the CloudFran Agents Terms of Service. In the event of conflict between this DPA and the Terms, this DPA shall prevail with respect to data processing matters.
14. Contact Information
Data Protection Officer: dpo@cloudfran.com
Privacy Team: privacy@cloudfran.com
Security Team: security@cloudfran.com
Mailing Address: CloudFran, Inc., Attn: DPO, 3070 Windward Plaza, Suite F-138, Alpharetta, GA 30005